Establish, implement, and maintain a Quality Management standard.


CONTROL ID
01006
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Quality Management framework., CC ID: 07196

This Control has the following implementation support Control(s):
  • Document the measurements used by Quality Assurance and Quality Control testing., CC ID: 07200


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • App 2-1 Item Number VI.3.2(1): Performance results must be analyzed and evaluated against the quality management plan at the completion of each phase to verify the operations are performed as planned and the objectives were achieved. The analysis and evaluation results must be approved by the projec… (App 2-1 Item Number VI.3.2(1), App 2-1 Item Number VI.3.2(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization, as part of its quality management program, should provide written documentation of objectives and approaches utilized in the quality management activities. (CORE-21(a), URAC Health Utilization Management Standards, Version 6)
  • Establish and maintain a QMS that provides a standard, formal and continuous approach regarding quality management that is aligned with business requirements. The QMS should identify quality requirements and criteria; key IT processes and their sequence and interaction; and the policies, criteria an… (PO8.1 Quality Management System, CobiT, Version 4.1)
  • Maintain and regularly communicate an overall quality plan that promotes continuous improvement. (PO8.5 Continuous Improvement, CobiT, Version 4.1)
  • The high-level working group, committee, or equivalent body should support the chief information security officer (or equivalent) in establishing the organization's overall approach to information security by promoting continuous improvement in information security throughout the organization. (SG.01.02.06b, The Standard of Good Practice for Information Security)
  • Quality Assurance of the system under development should be performed from the beginning, and throughout each stage, of the development process. (CF.17.03.03, The Standard of Good Practice for Information Security)
  • Quality Assurance of the system under development should be performed from the beginning, and throughout each stage, of the development process. (CF.17.03.03, The Standard of Good Practice for Information Security, 2013)
  • The high-level working group, committee, or equivalent body should support the chief information security officer (or equivalent) in establishing the organization's overall approach to information security by promoting continuous improvement in information security throughout the organization. (SG.01.02.06c, The Standard of Good Practice for Information Security, 2013)
  • Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transaction approval and not as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, users are aware of the risks, or that proper… (2.2.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • The organization shall establish and maintain a quality manual that includes the procedures, or a reference to them, for the quality management system; the scope, including details and justification for exclusions and/or non-applications; and a description of the process interactions. The manual sha… (§ 4.2.2, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • Top management shall ensure the quality management system planning is carried out and the quality management system integrity is maintained when changes are planned and implemented. (§ 5.4.2, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall develop a quality plan for the project. (§ 6.3.1.3(c)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • For software systems assigned to Class A, Class B, and Class C software safety classes, the medical device manufacturer shall reference or include the following verification information in the software development plan: which deliverables require verification; for each lifecycle activity, the requir… (§ 5.1.6, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • ensuring that the quality policy and quality objectives are established for the quality management system and are compatible with the context and strategic direction of the organization; (5.1.1 ¶ 1(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • determine and apply the criteria and methods (including monitoring, measurements, and related performance indicators) needed to ensure the effective operation and control of these processes; (4.4.1 ¶ 2(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall establish quality objectives at relevant functions, levels and processes needed for the quality management system. (6.2.1 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • A medical device manufacturer shall establish a quality plan defining the quality resources, practices, and activities for the devices it designs and manufactures. They shall establish how the quality requirements will be met. (§ 820.20(d), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • When a single QMS was used for applicable capabilities, it would only need to be identified once. (§ 170.315 (g) (4) (ii), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • The QMS used is established by the Federal government or a standards developing organization. (§ 170.315 (g) (4) (i) (A), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • When a single QMS was used for applicable capabilities, it would only need to be identified once. (§ 170.315 (g) (4) (ii), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • The QMS used is established by the Federal government or a standards developing organization. (§ 170.315 (g) (4) (i) (A), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • The quality assurance procedures should be applied to internal and external programs. (Pg 9, Pg 10, FFIEC IT Examination Handbook - Development and Acquisition)
  • The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: (5.74, GAO-21-368G, GOVERNMENT AUDITING STANDARDS 2018 Revision Technical Update April 2021)
  • If the peer review team's evaluation of observed matters does not identify any findings (more than a remote possibility that the reviewed audit organization would not perform, report, or both in conformity with professional standards and applicable legal and regulatory requirements), or identifies f… (5.74a., GAO-21-368G, GOVERNMENT AUDITING STANDARDS 2018 Revision Technical Update April 2021)
  • If the peer review team's evaluation of findings identified deficiencies but did not identify any significant deficiencies, the peer review team issues a pass with deficiencies rating and communicates the deficiencies in its report. (5.74b., GAO-21-368G, GOVERNMENT AUDITING STANDARDS 2018 Revision Technical Update April 2021)
  • If the peer review team's evaluation of deficiencies identified significant deficiencies, the peer review team issues a fail rating and communicates the deficiencies and significant deficiencies in its report. (5.74c., GAO-21-368G, GOVERNMENT AUDITING STANDARDS 2018 Revision Technical Update April 2021)
  • Implement new system design procedures, test procedures, and quality standards. (T0121, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Perform quality review and provide feedback on transcribed or translated materials. (T0843, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide recommendations on data structures and databases that ensure correct and quality production of reports/management information. (T0209, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Bank management should establish procedures to ensure that quality assurance efforts take place and that the results are incorporated into future planning in order to manage and limit excessive risk taking. These procedures may include, for example, internal performance measures, focus groups and cu… (¶ 44, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)