Monitor compliance with the Quality Control system.
CONTROL ID
01023
CONTROL TYPE
Actionable Reports or Measurements
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a metrics policy., CC ID: 01654

This Control has the following implementation support Control(s):
  • Report on the percentage of complaints received about products or delivered services., CC ID: 07199
  • Report on the percentage of Quality Assurance attained by Quality Improvement practices., CC ID: 07202


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The information system performance must meet the requirement definitions. This is a control item that constitutes a greater risk to financial information. This is an IT general control. (App 2-1 Item Number III.2(7), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Conducting a vulnerability assessment for each vulnerability and calculating the probability that it will be exploited. Evaluating policies, procedures, standards, training, physical security, quality control and technical security in this regard (Critical components of information security 2) 3) Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization, as part of its quality management program, must provide written documentation of identification and tracking and trending of performance measures relevant to the scope of the accreditation including, but not limited to access to services. (CORE - 21(b)(i), URAC Health Utilization Management Standards, Version 6)
  • Define, plan and implement measurements to monitor continuing compliance to the QMS, as well as the value the QMS provides. Measurement, monitoring and recording of information should be used by the process owner to take appropriate corrective and preventive actions. (PO8.6 Quality Measurement, Monitoring and Review, CobiT, Version 4.1)
  • Establish a general monitoring framework and approach to define the scope, methodology and process to be followed for measuring IT's solution and service delivery, and monitor IT's contribution to the business. Integrate the framework with the corporate performance management system. (ME1.1 Monitoring Approach, CobiT, Version 4.1)
  • A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all software developed by the organization. (RM-03, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Quality evaluation and acceptance criteria for Information Systems, upgrades, and new versions shall be established, documented and tests of the system(s) shall be carried out both during development and prior to acceptance to maintain security. (RM-04, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • § 5.4.1: Top management shall establish quality objectives to meet the product's requirements at relevant functions and levels within the organization. These objectives shall be consistent and measurable. § 8.4: The organization shall establish procedures to determine, collect, and analyze data to… (§ 5.4.1, § 8.4, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall compare the project status against the project plans to determine variations of schedules, quality, and between actual and projected costs. (§ 6.3.2.3(a)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall use measured achievement and milestone completion to assess the progress of the project. (§ 6.3.2.3(a)(5), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall develop information products and analyze data that is used to perform measurements. (§ 6.3.7.3(b)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • For software systems assigned to Class A, Class B, and Class C software safety classes, the medical device manufacturer shall reference or include in the software development plan the procedures for how to coordinate software development and how to validate the design and development of the software… (§ 5.1.3(b), ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • be monitored; (6.2.1 ¶ 2(e), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • Strategies for service and process improvement and methods to measure the results of those improvement efforts. (VI.D Action Summary ¶ 2 Bullet 8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)