Quick Read
This whitepaper provides a month-by-month implementation roadmap for CSOs deploying SPK CSMS1000:2026 in year one, beginning with a gap assessment to identify existing capabilities versus standard requirements, then sequencing obligations mapping, scope definition, and IRO assessment across the first four months. The guide assumes organizations have baseline sustainability programmes in place and prioritizes work based on specific gap profiles rather than a one-size-fits-all approach, with outputs including a complete obligations register and governing body-approved scope statement by month two.
Executive Summary
This paper is written for the CSO or sustainability director who has decided to implement SPK CSMS1000:2026 and needs a practical, sequenced roadmap for year one. It assumes a starting point of some existing sustainability programme — some reporting, some ISO certifications, some governance structure — but no existing CSMS designed against the standard. It provides a realistic assessment of what can be accomplished in twelve months and what the priorities should be to build toward Speeki Meridian™ certification readiness.
Year one is not about achieving everything. It is about building the foundation correctly. The organisations that achieve clean first-time certification are those that spent year one building genuine systems, not those that spent year one producing documentation for an audit.
1. Before You Start — The Gap Assessment
The first step in any implementation is a genuine gap assessment: an honest evaluation of where the organisation's current sustainability management stands against the requirements of SPK CSMS1000:2026. The gap assessment tool is available from speeki.com. Use it before doing anything else.
The gap assessment will reveal three categories of finding. Things that already exist and meet the standard's requirements — typically elements covered by existing ISO certifications, if any, and well-established sustainability processes. Things that exist but need development — documented but inadequate, or adequate but not connected to the standard's requirements. And things that do not exist at all — the genuine gaps that require building from scratch.
Use the gap assessment to prioritise. The implementation roadmap below provides a logical sequencing — but your specific gap profile will determine where you need to invest most heavily. If the gap assessment reveals that your governing body governance is seriously inadequate, that becomes a priority even if it appears later in the standard. If your ICSR controls are essentially non-existent, they need more implementation time than the roadmap below allocates.
2. The Year One Roadmap
Months 1–2: Obligations and Scope
Start where the standard starts — with obligations. Compile the obligations register: every mandatory and voluntary sustainability obligation the organisation has across every jurisdiction of material operation. This requires engaging legal, compliance, and finance as well as the sustainability function. The register tells you what you must achieve and what materiality type applies.
Simultaneously, define the CSMS scope. Which entities, operations, and activities are included? Are there existing ISO certifications that will reduce assessment scope? Document the scope clearly — and get governing body sign-off on the scope decision before proceeding.
Outputs by month 2: obligations register (complete, owned, with materiality types identified); CSMS scope statement (governing body approved).
Months 2–4: IRO Assessment
With obligations established, begin the IRO assessment. Stakeholder analysis first — who must be engaged and why, based on the obligations. Then IRO identification — work through the standard's three IRO types (negative impacts, positive impacts, financial risks and opportunities) across operations and value chain. Use established taxonomies (ESRS sustainability matters, GRI material topics) as a starting structure.
The IRO assessment is the most resource-intensive element of year one for most organisations. Do not rush it. A quick materiality survey dressed up as an IRO assessment will not withstand Stage 1 document review. Take the time to conduct genuine stakeholder engagement, genuinely map the value chain impacts, and genuinely assess significance with documented criteria.
End with the importance and materiality determination — the two-list output requiring governing body approval. Schedule this as a formal governing body agenda item. The governing body discussion of the lists is itself evidence of active governance.
Outputs by month 4: stakeholder analysis; IRO identification record; IRO assessment with documented criteria; topic grouping rationale; importance and materiality lists with governing body approval record.
Months 3–5: Controls and Risk Assessment
Alongside the IRO assessment (these can run in parallel), conduct the controls and risk assessment (Clause 6.7): for each important topic, evaluate existing controls, adequacy, gaps, and residual risk. This assessment requires honest input from the functions that own the relevant controls — finance, procurement, HR, operations.
The controls assessment output feeds directly into the Section 8 objectives and action plan. The gaps identified here become the priority actions.
Months 4–6: Governance and Section 7
Governance improvements often take longer than technical CSMS elements because they require governing body engagement, remuneration committee involvement, and cultural change. Start early. By month 4, you should be working on: the direct access mechanism (if it does not exist, design and document it; if it exists, test and evidence it); the governing body competence development plan; and remuneration alignment.
The sustainability culture assessment should also begin in this period — conduct the diagnostic interview programme described in WP04 to understand where the culture currently is. Use the results to design the culture-building programme.
Months 5–7: Objectives, SMART Goals, and Action Plan
With the IRO assessment, controls assessment, and governance baseline established, build Section 8: objectives for each important topic, SMART goals with documented baselines and targets, success criteria, and the annual action plan. The action plan is the operational blueprint for year two — it converts everything you have learned in months one through six into specific commitments with owners, resources, and timelines.
Get the action plan formally approved by senior leadership. Present it to the governing body. This is the moment where the CSMS stops being a sustainability function project and becomes an organisational commitment.
Months 6–9: Controls Framework
Build the controls framework systematically across all six categories (Clause 10.4). ICSR controls are typically the most significant gap and require the most time. Begin with your most material KPIs — trace the data chain from source to report, identify the missing controls, and build them.
For supply chain controls, the risk assessment comes first. Without it, the due diligence programme cannot be designed. Commission the supply chain risk assessment in month 6 and build the due diligence programme from its outputs.
Months 8–11: Review Architecture
Build the six review mechanisms (Section 12). Most organisations already have elements — management reviews, some form of KPI tracking — but typically not all six, not with the right inputs and outputs, and not connected to each other. Build the missing elements, connect the existing ones, and establish the annual review calendar.
The internal audit programme (Clause 12.5) requires planning before it can be conducted. By month 9, the audit programme for year two should be documented, auditors selected and briefed, and the first audit scheduled.
Month 10–12: Policy Layer, Section 11, and First Function Review
Complete the policy framework (Section 10.1–10.3), awareness and training programme (Section 11), and speak-up channel review (Clause 10.9–10.13). Conduct the first sustainability function review (Clause 12.6) — this is the function's own honest assessment of CSMS readiness. Its findings feed into the year two action plan and the pre-certification gap closure programme.
End year one with a management review (Clause 12.3) that assesses year one implementation against the action plan and sets the priorities for year two.
3. The Path to Certification
First-time Speeki Meridian™ certification typically occurs in year two or year three of a well-executed implementation, depending on starting maturity. Year one builds the foundation. The gap assessment conducted at the end of year one (using the function review and management review outputs) tells you what remains for the pre-certification period.
When you believe the CSMS is ready, contact Speeki to initiate the scoping process. The gap assessment tool will be administered again — this time by Speeki — to confirm readiness and scope the Stage 1 engagement. Stage 1 typically occurs three to six months before Stage 2. Stage 2 is the on-site assessment. The certification decision follows within four weeks of Stage 2.
Organisations that use the Speeki Engage® platform for implementation find the Stage 1 process significantly more efficient — the documentation is organised, version-controlled, and accessible, reducing the document request and review cycle. The platform is available at no charge for SPK CSMS1000:2026 implementation.
Speeki Meridian™ — Auditor Expectations
The implementation approach described in this paper is designed to produce a CSMS that will pass a Speeki Meridian™ Stage 2 assessment because it is genuine — not because it has been optimised for audit. The distinction matters. Organisations that build for the audit — producing documentation in the weeks before Stage 1, conducting governance exercises for the assessor's benefit — almost always receive major non-conformities. The Stage 2 assessment is designed to find the difference between a genuine operating system and a documentation exercise. Interviews with operational personnel, data walk-throughs, and governance record examination all expose that difference. Build the system. The certification follows from that.
About Speeki
Speeki is an accredited certification body operating across more than 100 countries. Speeki certifies organisations against SPK CSMS1000:2026 through the Speeki Meridian™ certification programme. Speeki is a certification body — it does not provide sustainability consulting or advisory services of any kind.
For current details of Speeki's accreditations, scope of certification, and service offerings, visit speeki.com. You can also ask Nicole AI on the Speeki website to find the information you need.
speeki.com | © Speeki Pte Ltd 2026