Establish, implement, and maintain a Quality Management framework.


CONTROL ID
07196
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Analyze organizational objectives, functions, and activities., CC ID: 00598

This Control has the following implementation support Control(s):
  • Include supply chain management standards in the Quality Management framework., CC ID: 13701
  • Establish, implement, and maintain a Quality Management policy., CC ID: 13694
  • Include critical Information Technology processes in the Quality Management framework., CC ID: 13645
  • Disseminate and communicate the Quality Management policy to all interested personnel and affected parties., CC ID: 13695
  • Disseminate and communicate the Quality Management framework to all stakeholders., CC ID: 13680
  • Align the quality objectives with the Quality Management policy., CC ID: 13697
  • Establish, implement, and maintain a Quality Management standard., CC ID: 01006
  • Enforce a continuous Quality Control system., CC ID: 01005
  • Establish, implement, and maintain a Quality Management program., CC ID: 07201


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • AIs should establish a general framework for management of major technology-related projects. This framework should, among other things, specify the project management methodology to be adopted and applied to these projects. The methodology should cover, at a minimum, allocation of responsibilities,… (4.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Quality assurance should be performed by an independent quality assurance function to ensure project activities and deliverables comply with the FI's policies, procedures and standards. (§ 5.8.2, Technology Risk Management Guidelines, January 2021)
  • The organization should have a written description for its quality management program that defines the scope, objectives, activities, and structure of the quality management program. (CORE - 19(b), URAC Health Utilization Management Standards, Version 6)
  • The organization should have a written description for its quality management program that is reviewed and updated by the quality management committee at least annually. (CORE - 19(c), URAC Health Utilization Management Standards, Version 6)
  • Establish and maintain a QMS that provides a standard, formal and continuous approach regarding quality management that is aligned with business requirements. The QMS should identify quality requirements and criteria; key IT processes and their sequence and interaction; and the policies, criteria an… (PO8.1 Quality Management System, CobiT, Version 4.1)
  • Define, plan and implement measurements to monitor continuing compliance to the QMS, as well as the value the QMS provides. Measurement, monitoring and recording of information should be used by the process owner to take appropriate corrective and preventive actions. (PO8.6 Quality Measurement, Monitoring and Review, CobiT, Version 4.1)
  • Prepare a quality management plan that describes the project quality system and how it will be implemented. The plan should be formally reviewed and agreed to by all parties concerned and then incorporated into the integrated project plan. (PO10.10 Project Quality Plan, CobiT, Version 4.1)
  • Define an IT process framework to execute the IT strategic plan. This framework should include an IT process structure and relationships (e.g., to manage process gaps and overlaps), ownership, maturity, performance measurement, improvement, compliance, quality targets and plans to achieve them. It s… (PO4.1 IT Process Framework, CobiT, Version 4.1)
  • The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following: (§ 9.3 ¶ 4, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of ke… (§ 9.3 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall apply all the requirements of this International Standard if they are applicable within the determined scope of its quality management system. (4.3 ¶ 3, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall determine the boundaries and applicability of the quality management system to establish its scope. (4.3 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • ensuring that the quality management system achieves its intended results; (5.1.1 ¶ 1(g), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • the integrity of the quality management system; (6.3 ¶ 2(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • ensuring that the quality policy and quality objectives are established for the quality management system and are compatible with the context and strategic direction of the organization; (5.1.1 ¶ 1(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • review and approval for suitability and adequacy. (7.5.2 ¶ 1(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall evaluate the performance and the effectiveness of the quality management system. (9.1.1 ¶ 2, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • the performance and effectiveness of the quality management system; (9.1.3 ¶ 2(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • Top management shall review the organization's quality management system, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organization. (9.3.1 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • information on the performance and effectiveness of the quality management system, including trends in: (9.3.2 ¶ 1(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • improving the performance and effectiveness of the quality management system. (10.1 ¶ 2(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • opportunities for improvement. (9.3.2 ¶ 1(f), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall continually improve the suitability, adequacy and effectiveness of the quality management system. (10.3 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • make changes to the quality management system, if necessary. (10.2.1 ¶ 1(f), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • nonconformities and corrective actions; (9.3.2 ¶ 1(c)(4), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • improve the processes and the quality management system. (4.4.1 ¶ 2(h), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. (§ 9.3 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • At planned intervals, the effectiveness of problem resolution shall be monitored, reviewed and reported. (§ 8.6.3 ¶ 5, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The success or failure of releases shall be monitored and analysed. Measurements shall include incidents related to a release in the period following deployment of a release. The results and conclusions drawn from the analysis shall be recorded and reviewed to identify opportunities for improvement. (§ 8.5.3 ¶ 6, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Determine whether IT management develops satisfactory measures for defining and monitoring metrics, performance benchmarks, service level agreements, compliance with policies, effectiveness of controls, and quality assurance and control. Determine whether management developed satisfactory reporting … (App A Objective 13, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether management has QA and QC procedures defined for significant IT activities and whether those procedures are performed internally or externally. Specifically, review whether management: (App A Objective 13:6, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The independence of the quality assurance function and the adequacy of controls over program changes including the: - parity of source and object programming code, - independent review of program changes, - comprehensive review of testing results, - management's approval before migration into produc… (TIER II OBJECTIVES AND PROCEDURES B.1 Bullet 6, FFIEC IT Examination Handbook - Audit, April 2012)
  • Develop munitions effectiveness assessment or operational assessment materials. (T0663, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • systems and application development and quality assurance; (§ 500.03 Cybersecurity Policy (i), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • systems and application security and development and quality assurance; (§ 500.3 Cybersecurity Policy (i), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)