One Article Review

The article:
Source NoticeBored
Identifier 5850532
Publication date 2022-07-21 19:13:52 (seen: 2022-07-21 09:05:36)
Title ISO management systems assurance
Text In the context of the ISO management systems standards, the internal audit process and accredited certification systems as a whole are assurance controls primarily intended to confirm that organisations' management systems conform to the explicit requirements formally expressed in the respective ISO standards.

A conformant management system, in turn, is expected to manage (design, direct, control, monitor, maintain …) something: for ISO/IEC 27001, that 'something-being-managed' is the suite of information security controls and other means of addressing the organisation's information risks (called 'information security risks' or 'cybersecurity risks' in the standards). For ISO 9001, it is the quality assurance activities designed to ensure that the organisation's products (goods and services) are fit for purpose. For ISO 14001, it is the controls and activities necessary to minimise environmental damage.

My point is that the somethings-being-managed are conceptually distinct from the 'management systems' through which managers exert their direction and control. This is a fundamental part of the ISO management systems approach, allowing ISO to specify systems required to manage a wide variety of somethings in a similar way - a governance approach in fact.

Management system certification auditors, whose sole purpose is to audit clients' management systems' conformity with the requirements expressed in the standards, have only a passing interest in those somethings-being-managed, essentially checking that they are indeed being actively managed through the management system, thereby proving that the management system is in fact operational and not just a nice neat set of policies and procedures on paper.

Management system internal auditors, in contrast, may be given a wider brief by management which may include probing further into the somethings being managed ... but that's down to management's decision about the scope and purpose of the internal audits, not a formal requirement of the standards. Management may just as easily decide to have the internal auditors stick to the management system standard conformity aspects, just the same as the certification auditors.
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.