Now that I’ve spent a few years working with and thinking about formal management systems like ISO 13485, ISO 27001, and others, I think I would break them down into two general tiers: the Management System Core and Domain Recommendations. In this case, I mean “domain” in the sense of: quality, information security, power systems, vulnerability disclosure, risk, etc.

The Management System Core answers the question: “What is at the heart of management?” It would be comprised of the Top Management, General Documentation, and Feedback/Improvement clauses of the typical ISO document. These are the foundation from which all others could be derived. For the most part, most of the non-core aspects of the standards seem to be little more than best practices, and they’re the parts that change the most between updates.

The Domain Recommendations (requirements) are essentially good practices for the domain — at least at the time of the publication. Quality System Domain Recommendations include things like infrastructure and engineering processes. Security Domain Recommendations include standard security controls.

If your domain doesn’t have an explicit standard, applying the core will eventually get you to a good point. Applying the core — bare — to domains with existing standards may produce a result better than the standard with time. Technologies and techniques get better.