

Quality & Risk

FEBRUARY 18, 2024

Table of Contents
1 What is Quality Management System (QMS) w.r.t. IT? (page 1)
1.1 Standards and Compliance (page 2)
1.2 Process Documentation (page 2)
1.3 Continuous Improvement (page 2)
1.4 Customer Focus (page 2)
1.5 Risk Management (page 2)
1.6 Performance Measurement (page 2)
1.7 Training and Competence (page 3)
1.8 Supplier Management (page 3)
1.9 Incident and Problem Management (page 3)
1.10 Audit and Review (page 3)
2 QMS Implementation in any organization (page 4)
2.1 Phase 1: Planning and Preparation (page 4)
2.1.1 Establish a QMS Committee (page 4)
2.1.2 Define QMS Objective & Scope (page 4)
2.1.3 Leadership Commitment and Support (page 4)
2.1.4 Select a QMS Framework (page 4)
2.1.5 Conduct Gap Analysis (page 5)
2.1.6 Develop QMS Documentation (page 5)
2.1.7 Resource Allocation (page 5)
2.2 Phase 2: Implementation and Deployment (page 5)
2.2.1 Awareness and Training (page 5)
2.2.2 Process Implementation (page 5)

P a g e 1 | 24

Quality & Risk Management

2.2.3 Document Control (page 5)
2.2.4 Record Keeping (page 5)
2.3 Phase 3: Operation and Maintenance (page 5)
2.3.1 Internal Audits (page 5)
2.3.2 Management Review (page 6)
2.3.3 Continual Improvement (page 6)
3 Quality Policy (page 6)
3.1 Customer Focus (page 7)
3.2 Continuous Improvement (page 7)
3.3 Compliance and Security (page 7)
3.4 Effective Communication (page 7)
3.5 Professionalism and Integrity (page 7)
3.6 Risk Management (page 7)
3.7 Employee Development (page 7)
4 GOSI Regulatory Requirements (page 8)
4.1 National Regulations (page 8)
4.1.1 National Information Security Standards (NISS) (page 8)
4.1.2 Data Privacy Regulations (page 8)
4.1.3 Government Electronic Services Regulations (page 8)
4.2 International Standards (page 8)
4.2.1 ISO/IEC 27001 (page 8)
4.3 GOSI-Specific Regulations (page 9)
4.3.1 GOSI Internal Policies and Procedures (page 9)
4.4 Additional Considerations (page 9)


4.4.1 Emerging Regulations (page 9)
4.4.2 Regular Reviews (page 9)
5 Difference Between Quality Policy & Quality Management Policy (page 9)
5.1 Quality Policy (page 9)
5.2 Quality Management Policy (page 10)
6 IT Quality Management Policy (page 10)
6.1 IT Service Management Policy (page 10)
6.2 IT Security Policy (page 10)
6.3 IT Governance Policy (page 11)
6.4 IT Risk Management Policy (page 11)
6.5 IT Change Management Policy (page 11)
6.6 IT Incident Management Policy (page 11)
6.7 IT Asset Management Policy (page 11)
6.8 IT Disaster Recovery and Business Continuity Policy (page 11)
6.9 IT Quality Assurance Policy (page 12)
6.10 IT Compliance Policy (page 12)
6.11 IT Service Management Policy (page 12)
7 KPIs of Quality Management System (QMS) (page 12)
7.1 Process Improvement (page 12)
7.2 Service Delivery (page 13)
7.3 Information Security (page 14)
7.4 Compliance (page 15)
7.5 Additional Considerations (page 15)
8 IT Quality Management Tools (page 15)


8.1 Defect Tracking System (page 15)
8.2 Test Management Tool (page 16)
8.3 Static Code Analysis Tool (page 16)
8.4 Document Management System (page 16)
8.5 Process Mapping Tool (page 16)
8.6 Service Delivery (page 16)
8.6.1 IT Service Management (ITSM) Tool (page 16)
8.6.2 Monitoring and Alerting Tool (page 16)
8.6.3 Customer Satisfaction Survey Tool (page 16)
8.7 Information Security (page 17)
8.7.1 Vulnerability Scanner (page 17)
8.7.2 Security Information and Event Management (SIEM) Tool (page 17)
8.7.3 Penetration Testing Tool (page 17)
8.8 Compliance (page 17)
8.8.1 Compliance Management Software (page 17)
8.8.2 Risk Management Tool (page 17)


1 What is Quality Management System (QMS) w.r.t. IT?
In the context of an IT department within an organization, a Quality Management System (QMS) refers to
a set of policies, processes, and procedures implemented to ensure that IT services and products meet the
organization's quality standards and objectives. The primary goal of a QMS in IT is to consistently deliver
high-quality IT services, systems, and solutions that meet or exceed customer expectations while adhering to
industry best practices and standards.

Key aspects of a Quality Management System in the IT department may include:

1.1 Standards and Compliance
Ensuring compliance with relevant quality standards such as ISO 9001, ISO/IEC 20000 (IT service
management), ISO/IEC 27001 (information security management), and other industry-specific standards.

1.2 Process Documentation

Documenting IT processes and procedures to ensure consistency, repeatability, and traceability in service
delivery and product development.

1.3 Continuous Improvement

Implementing mechanisms for ongoing review, evaluation, and improvement of IT processes, services, and
products based on feedback, metrics, and performance indicators.

1.4 Customer Focus

Placing a strong emphasis on understanding and meeting the needs and expectations of internal and external
customers, stakeholders, and end-users.

1.5 Risk Management

Identifying, assessing, and mitigating risks that may impact the quality, reliability, and security of IT services
and systems.

1.6 Performance Measurement

Establishing key performance indicators (KPIs) and metrics to measure the effectiveness, efficiency, and
performance of IT processes and services.

1.7 Training and Competence
Providing training and development opportunities to IT staff to ensure they possess the necessary skills,
knowledge, and competencies to perform their roles effectively and contribute to quality improvement

1.8 Supplier Management

Managing relationships with external suppliers and vendors to ensure they adhere to quality standards and
deliver products and services that meet organizational requirements.

1.9 Incident and Problem Management

Implementing processes for timely identification, resolution, and prevention of incidents and problems that
may impact IT service quality and availability.

1.10 Audit and Review

Conducting regular internal audits, reviews, and assessments to ensure compliance with QMS requirements,
identify areas for improvement, and drive corrective and preventive actions.

Overall, a Quality Management System in the IT department helps ensure that IT services and products are
delivered efficiently, reliably, and securely, contributing to the organization's overall success and


2 QMS Implementation in any organization
Implementing a Quality Management System (QMS) in GOSI's IT Department: A Phased Approach

Implementing a QMS in GOSI's IT department requires a structured and phased approach to ensure
successful integration and continuous improvement. Here's a detailed breakdown of the steps involved:

2.1 Phase 1: Planning and Preparation

2.1.1 Establish a QMS Committee
Form a dedicated committee comprising representatives from IT leadership, management, and staff. This
committee will oversee the implementation process, set goals, and ensure stakeholder engagement.

2.1.2 Define QMS Objective & Scope

• Identify the objectives of implementing a QMS in the IT Department, such as improving service quality, enhancing efficiency, ensuring compliance with regulations, and meeting customer
• Define the scope of the QMS implementation, determining the specific areas of the IT department where the QMS will be applied. This could include software development, IT operations, service delivery, processes, services, systems, or all of the above.

2.1.3 Leadership Commitment and Support

• Obtain commitment and support from senior management and IT leadership for the QMS implementation initiative.
• Appoint a dedicated QMS implementation team with representatives from different IT functions and levels of the organization.

2.1.4 Select a QMS Framework

Choose a recognized QMS framework such as ISO 9001, Six Sigma, Total Quality Management (TQM), Lean
management, the Deming Cycle (PDCA), COBIT or ITIL that aligns with GOSI's overall quality objectives and
industry best practices.


2.1.5 Conduct Gap Analysis
Assess the current state of the IT department's practices against the chosen QMS framework. Identify
gaps and areas needing improvement.

2.1.6 Develop QMS Documentation

Create essential documents like a Quality Policy, Quality Manual, and operational procedures aligned
with the chosen framework.

2.1.7 Resource Allocation

Allocate necessary resources, including budget, personnel, and training, to support the QMS
implementation and ongoing maintenance.

2.2 Phase 2: Implementation and Deployment

2.2.1 Awareness and Training
Conduct training sessions for all IT staff on the QMS framework, its principles, and their roles and
responsibilities within the system.

2.2.2 Process Implementation

Implement the documented processes, procedures, and controls outlined in the QMS across the defined
scope of the IT department.

2.2.3 Document Control

Establish a system for managing and controlling all QMS-related documents, ensuring their
accuracy, accessibility, and timely updates.

2.2.4 Record Keeping

Implement a system for capturing and maintaining quality-related records, such as non-conformance
reports, corrective actions, and audit findings.

2.3 Phase 3: Operation and Maintenance

2.3.1 Internal Audits
Conduct regular internal audits to assess the effectiveness of the QMS implementation and identify areas for


2.3.2 Management Review
Conduct periodic management reviews to evaluate the overall performance of the QMS, address identified
issues, and set continuous improvement goals.

2.3.3 Continual Improvement

Foster a culture of continuous improvement by encouraging staff to identify and suggest process
enhancements, implement corrective actions, and actively participate in QMS improvement initiatives.

Additional Considerations for GOSI:

• Alignment with GOSI's overall quality strategy: Ensure the QMS implementation aligns with GOSI's broader organizational quality objectives and integrates seamlessly with existing quality management practices.
• Compliance with relevant regulations: Consider any specific regulations or compliance requirements applicable to GOSI's IT operations and ensure the QMS addresses them effectively.
• Stakeholder engagement: Proactively engage stakeholders, including GOSI management, customers, and IT staff, throughout the implementation process to address concerns, gather feedback, and ensure buy-in.

By following these steps and considering the specific context of GOSI, you can effectively implement a QMS
in the IT department, promoting quality, efficiency, and continuous improvement in its operations.
Remember, this is a general framework, and specific details may need to be adapted based on GOSI's unique
needs and priorities.

3 Quality Policy
Quality Policy for GOSI IT Department

At GOSI IT Department, we are dedicated to ensuring the highest standards of quality in all aspects of our
operations. Our commitment to quality is paramount as we strive to support GOSI's mission of providing
efficient and reliable social insurance services to the citizens of Saudi Arabia.

Our quality policy is centered around the following principles:


3.1 Customer Focus
We prioritize the needs and expectations of our internal and external stakeholders, striving to deliver IT
solutions and services that align with their requirements and contribute to their success.
3.2 Continuous Improvement
We are committed to a culture of continuous improvement, where every member of our team is empowered
to identify opportunities for enhancement and innovation in our IT processes, systems, and services.
3.3 Compliance and Security
We adhere to the highest standards of compliance and security in all IT operations, ensuring the
confidentiality, integrity, and availability of data and systems while complying with relevant regulations and
3.4 Effective Communication
We foster open and transparent communication within our department and with our stakeholders,
promoting collaboration, accountability, and shared understanding to achieve common goals.
3.5 Professionalism and Integrity
We conduct ourselves with the utmost professionalism and integrity, upholding ethical standards and
demonstrating honesty, respect, and fairness in all interactions and decisions.
3.6 Risk Management
We proactively identify, assess, and mitigate risks associated with IT operations, ensuring the resilience and
reliability of our systems and services in the face of potential threats and disruptions.
3.7 Employee Development
We invest in the development and training of our IT staff, equipping them with the skills, knowledge, and
resources needed to excel in their roles and contribute effectively to our department's objectives.

By adhering to these principles, we aim to continuously enhance the quality, reliability, and efficiency of our
IT solutions and services, thereby supporting GOSI's mission and delivering value to our stakeholders.

This quality policy statement aligns with the objectives and values of GOSI and provides a framework for
ensuring quality in the IT Department's operations and services.


4 GOSI Regulatory Requirements
GOSI, as a government entity in Saudi Arabia, needs to comply with several regulations impacting its IT
operations. Here are some potential regulations GOSI's QMS should address:

4.1 National Regulations:

4.1.1 National Information Security Standards (NISS)
These standards, issued by the National Cybersecurity Authority (NCA), outline various technical and
organizational controls for securing information systems and protecting sensitive data. GOSI's QMS should
ensure IT processes and procedures align with relevant NISS requirements.

4.1.2 Data Privacy Regulations

Saudi Arabia's Personal Data Protection Law (PDPL) governs the collection, processing, and storage of
personal data. The QMS should ensure GOSI's IT systems comply with PDPL requirements regarding data
security, breach notification, and individual rights.

4.1.3 Government Electronic Services Regulations

These regulations establish standards for government agencies' online services, including
accessibility, security, and user experience. GOSI's QMS should ensure its IT systems delivering online
services adhere to these regulations.

4.2 International Standards

4.2.1 ISO/IEC 27001
This international standard provides a framework for implementing an information security management
system (ISMS). While not mandatory, incorporating elements of ISO 27001 within the QMS can significantly
enhance GOSI's IT security posture.


4.3 GOSI-Specific Regulations
4.3.1 GOSI Internal Policies and Procedures
GOSI might have internal policies and procedures regarding IT security, data management, and other
relevant areas. The QMS should ensure compliance with these internal regulations alongside national and
international standards.

4.4 Additional Considerations

4.4.1 Emerging Regulations
Stay updated on any emerging regulations or amendments to existing regulations that could impact GOSI's IT
operations and incorporate them into the QMS accordingly.

4.4.2 Regular Reviews

Conduct periodic reviews of relevant regulations to ensure the QMS remains compliant and adapts to any
changes in the regulatory landscape.

5 Difference Between Quality Policy & Quality Management Policy

The quality policy and quality management policy are related concepts but not exactly the same. Let's
distinguish between the two:

5.1 Quality Policy

• The quality policy is a high-level statement that outlines an organization's commitment to quality and its guiding principles.
• It typically addresses the organization's overall approach to quality, its goals, and its commitment to meeting customer requirements and continuously improving its processes and products/services.
• The quality policy is often brief and concise, focusing on key principles and objectives.


5.2 Quality Management Policy
• The quality management policy is a more detailed document that elaborates on how the organization intends to implement its quality policy.
• It provides specific guidelines, procedures, and responsibilities for managing quality throughout the
• The quality management policy may cover areas such as quality planning, quality assurance, quality control, process improvement, and compliance with quality standards and regulations.
• It serves as a framework for establishing and maintaining a quality management system (QMS) within the organization.

In summary, while the quality policy sets the overarching principles and objectives related to quality, the
quality management policy translates those principles into actionable guidelines and procedures for
managing quality within the organization.

6 IT Quality Management Policy

To develop a comprehensive set of IT quality management policies for GOSI's IT department, you would
typically include policies covering various aspects of IT service delivery, operations, security, and governance.
Here's a list of suggested IT quality management policies for GOSI's IT department:
6.1 IT Service Management Policy
• Defines the principles and practices for delivering IT services to meet business needs.
• Includes policies on incident management, problem management, change management, service desk operations, and service level management.
6.2 IT Security Policy
• Establishes the organization's approach to information security to protect data, systems, and networks from unauthorized access, breaches, and cyber threats.
• Covers policies on access control, data protection, encryption, network security, endpoint security, and security awareness training.


6.3 IT Governance Policy
• Outlines the structure, roles, responsibilities, and decision-making processes for IT governance within the organization.
• Includes policies on IT strategy, IT investment management, IT risk management, and IT compliance.
6.4 IT Risk Management Policy
• Defines the processes and procedures for identifying, assessing, mitigating, and managing IT-related
• Covers policies on risk assessment, risk treatment, risk monitoring, and incident response.
6.5 IT Change Management Policy
• Establishes the procedures for requesting, evaluating, approving, and implementing changes to IT systems and infrastructure.
• Includes policies on change control, change review boards, change scheduling, and change
6.6 IT Incident Management Policy
• Defines the procedures for reporting, recording, categorizing, prioritizing, and resolving IT incidents in a timely manner.
• Covers policies on incident response, escalation, communication, and post-incident review.

6.7 IT Asset Management Policy

• Sets guidelines for managing IT assets throughout their lifecycle, including procurement, deployment, utilization, maintenance, and disposal.
• Includes policies on asset inventory, asset tracking, software licensing, and hardware retirement.
6.8 IT Disaster Recovery and Business Continuity Policy
• Outlines the strategies and procedures for ensuring the availability and resilience of IT systems and services in the event of disasters or disruptions.
• Covers policies on data backup, recovery planning, business impact analysis, and crisis management.


6.9 IT Quality Assurance Policy
• Defines the processes and practices for ensuring the quality and reliability of IT deliverables, including software applications, systems, and infrastructure.
• Includes policies on quality standards, testing methodologies, quality reviews, and performance
6.10 IT Compliance Policy
• Ensures that IT operations and activities comply with relevant laws, regulations, industry standards, and organizational policies.
• Covers policies on regulatory compliance, data privacy, information governance, and audit readiness.
6.11 IT Service Management Policy:
• Defines the principles and practices for delivering IT services to meet business needs.
• Includes policies on incident management, problem management, change management, service desk operations, and service level management.

These policies form the foundation of an effective IT quality management framework for GOSI's IT
department, helping to ensure the delivery of reliable, secure, and high-quality IT services to support the
organization's mission and objectives.

7 KPIs of Quality Management System (QMS)

Developing effective Key Performance Indicators (KPIs) is crucial for measuring the success of GOSI's QMS
implementation. These KPIs should be aligned with the organization's overall quality objectives and specific
to the chosen QMS framework. Here are some potential KPIs categorized by focus area:

7.1 Process Improvement:

• Number of process improvement initiatives implemented: Tracks the continuous improvement efforts within the IT department.


• Percentage of non-conformance reports resolved within a defined timeframe: Measures the effectiveness of identifying and addressing process deviations.
• Customer satisfaction with IT service delivery processes: Evaluates the quality and efficiency of IT service delivery based on customer feedback.
• Defect Density: Measures the number of defects identified per unit of work (e.g., lines of code, features delivered).
• Percentage of Completed Quality Assurance Activities: Tracks the completion rate of defined quality assurance activities within the IT development lifecycle.
• Mean Time to Detect (MTTD) and Mean Time to Resolve (MTTR) Defects: Measures the average time taken to identify and resolve defects.
• Compliance with Quality Standards and Adherence to Quality Procedures: Evaluates the IT department's adherence to established quality standards and procedures.
• Defect Rejection Rate: Tracks the percentage of defects identified during quality assurance activities that are rejected due to not meeting quality criteria.
• Change Success Rate: Measures the percentage of changes implemented successfully without introducing new defects.
• Quality Improvement Initiatives Implemented: Tracks the number of initiatives undertaken to continuously improve IT processes and quality.
• Cycle Time for Quality Assurance Activities: Measures the average time taken to complete quality assurance activities.
7.2 Service Delivery:

• Incident resolution time: Measures the average time taken to resolve IT incidents and restore service functionality.
• Service uptime: Tracks the percentage of time IT services are available and operational.
• Number of service requests fulfilled within agreed Service Level Agreements (SLAs): Assesses the IT department's ability to meet established service level commitments.
• Customer Satisfaction Index (CSI): Measures customer satisfaction with the quality and effectiveness of IT services delivered.
• Percentage of Completed Quality Assurance Activities: Tracks the completion rate of defined quality assurance activities within the IT service delivery lifecycle.

• Compliance with Quality Standards: Evaluates the IT department's adherence to established quality standards for service delivery.
• Change Success Rate: Measures the percentage of changes implemented successfully without impacting service availability or functionality.
• Regression Test Coverage: Measures the percentage of existing functionality covered by regression testing after changes are implemented.
• Escaped Defects to Production: Tracks the number of defects that go undetected during testing and reach production, impacting service quality.
• Training Effectiveness: Evaluates the effectiveness of training programs in equipping IT staff with the necessary skills and knowledge to deliver quality services.
• Cost of Quality: Tracks the financial impact of quality-related activities, including prevention, appraisal, failure, and internal failure costs.

7.3 Information Security:

• Number of security vulnerabilities identified and addressed: Measures the effectiveness of proactive security measures in identifying and mitigating potential threats.
• Number of security incidents reported and contained: Tracks the occurrence and successful management of security incidents.
• Completion rate of employee security awareness training: Evaluates the effectiveness of security awareness programs within the IT department.
• Compliance with Quality Standards: Evaluates the IT department's adherence to established information security standards and best practices.
• Risk Mitigation Effectiveness: Measures the effectiveness of implemented controls in mitigating identified security risks.

7.4 Compliance:

• Number of audit findings addressed within a defined timeframe: Measures the timeliness and effectiveness of addressing identified compliance gaps.
• Percentage of IT processes compliant with relevant regulations: Tracks the overall adherence to applicable regulations and standards.
• Number of data breaches reported: Monitors the occurrence of data security incidents and potential compliance violations.
• Compliance with Quality Standards: Evaluates the IT department's adherence to relevant regulations, industry standards, and internal compliance requirements.
• Risk Mitigation Effectiveness: Measures the effectiveness of controls in mitigating compliance

7.5 Additional Considerations:

• KPIs should be SMART (Specific, Measurable, Achievable, Relevant, and Time-bound).
• Align KPIs with GOSI's strategic objectives and departmental goals.
• Regularly monitor and track KPIs to identify trends and areas for improvement.
• Communicate KPIs effectively to stakeholders to foster transparency and accountability.
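As an added illustration that is not part of the original document, the Python below computes several of the incident-related KPIs listed in 7.2 and 7.3 (MTTD, MTTR, SLA compliance, containment rate) from constructed incident records and flags still-open incidents whose SLA has lapsed; the records and the per-severity SLA hours are assumptions, not GOSI values.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not from the document). Timestamps are
# ISO 8601; "resolved" is None while an incident is still open.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "occurred": "2024-02-01T08:00:00",
     "detected": "2024-02-01T08:30:00", "resolved": "2024-02-01T12:30:00", "contained": True},
    {"id": "INC-2", "severity": "medium", "occurred": "2024-02-02T09:00:00",
     "detected": "2024-02-02T11:00:00", "resolved": "2024-02-03T15:00:00", "contained": True},
    {"id": "INC-3", "severity": "low", "occurred": "2024-02-03T10:00:00",
     "detected": "2024-02-03T10:15:00", "resolved": "2024-02-04T10:15:00", "contained": True},
    {"id": "INC-4", "severity": "high", "occurred": "2024-02-05T00:00:00",
     "detected": "2024-02-05T01:15:00", "resolved": None, "contained": False},
]

# Assumed resolution SLA per severity, in hours (hypothetical values).
SLA_HOURS = {"high": 8, "medium": 24, "low": 72}

def _hours(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def mttd_hours(incidents):
    """Mean Time to Detect: average hours from occurrence to detection."""
    return mean(_hours(i["occurred"], i["detected"]) for i in incidents)

def mttr_hours(incidents):
    """Mean Time to Resolve over resolved incidents only; open ones would skew the average."""
    closed = [i for i in incidents if i["resolved"]]
    return mean(_hours(i["detected"], i["resolved"]) for i in closed)

def sla_compliance_pct(incidents, sla=SLA_HOURS):
    """Percentage of resolved incidents closed within their severity's SLA."""
    closed = [i for i in incidents if i["resolved"]]
    met = sum(_hours(i["detected"], i["resolved"]) <= sla[i["severity"]] for i in closed)
    return round(100 * met / len(closed), 2)

def containment_rate_pct(incidents):
    """Percentage of reported incidents that were successfully contained."""
    return round(100 * sum(i["contained"] for i in incidents) / len(incidents), 2)

def open_past_sla(incidents, now, sla=SLA_HOURS):
    """IDs of still-open incidents whose resolution SLA has already elapsed at 'now'."""
    return [i["id"] for i in incidents
            if not i["resolved"] and _hours(i["detected"], now) > sla[i["severity"]]]
```

Reporting the open-past-SLA list alongside MTTR matters because MTTR alone hides long-running open incidents until they are eventually closed.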

8 IT Quality Management Tools

Process Improvement and Quality Assurance:

8.1 Defect Tracking System:

• Jira by Atlassian (Latest Version: Jira Software 8.20)
• Bugzilla by Mozilla (Latest Version: Bugzilla 6.0)
• HP ALM (Application Lifecycle Management) by Micro Focus (Latest Version: ALM Octane

8.2 Test Management Tool:
• HP Quality Center by Micro Focus (Latest Version: Quality Center 15.0)
• TestRail by Gurock (Latest Version: TestRail 7.0)
• PractiTest (Latest Version: PractiTest 10.3)
8.3 Static Code Analysis Tool:
• SonarQube by SonarSource (Latest Version: SonarQube 9.1)
• Checkmarx by Checkmarx (Latest Version: Checkmarx 9.2)
• Fortify by Micro Focus (Latest Version: Fortify 20.1)
8.4 Document Management System:
• SharePoint by Microsoft (Latest Version: SharePoint Server 2019)
• Confluence by Atlassian (Latest Version: Confluence 7.16)
• Documentum by OpenText (Latest Version: Documentum 21.4)
8.5 Process Mapping Tool:
• Lucidchart by Lucid Software (Latest Version: Lucidchart 4.14)
• Visio by Microsoft (Latest Version: Visio 2021)
• Bizagi Modeler by Bizagi (Latest Version: Bizagi Modeler 3.11)
8.6 Service Delivery:
8.6.1 IT Service Management (ITSM) Tool:
• ServiceNow by ServiceNow (Latest Version: Quebec)
• BMC Remedy by BMC Software (Latest Version: Remedy AR System 20.08)
• Jira Service Desk by Atlassian (Latest Version: Jira Service Management 4.20)
8.6.2 Monitoring and Alerting Tool:
• Nagios by Nagios Enterprises (Latest Version: Nagios XI 5.8)
• SolarWinds by SolarWinds (Latest Version: SolarWinds Orion Platform 2021.2)
• PRTG Network Monitor by Paessler AG (Latest Version: PRTG Network Monitor 21.4.75)
8.6.3 Customer Satisfaction Survey Tool:
• SurveyMonkey by Momentive (Latest Version: SurveyMonkey 4.11)
• Qualtrics by Qualtrics (Latest Version: Qualtrics XM Platform)
• Zoho Survey by Zoho Corporation (Latest Version: Zoho Survey 2022)

8.7 Information Security:
8.7.1 Vulnerability Scanner:
• Nessus by Tenable (Latest Version: Nessus 8.17)
• Qualys by Qualys (Latest Version: Qualys Cloud Platform)
• OpenVAS (Open Vulnerability Assessment System) by Greenbone Networks (Latest Version: OpenVAS 21.4)
8.7.2 Security Information and Event Management (SIEM) Tool:
• Splunk by Splunk Inc. (Latest Version: Splunk Enterprise 8.3)
• IBM QRadar by IBM (Latest Version: QRadar 7.4.3)
• LogRhythm by LogRhythm (Latest Version: LogRhythm 7.8.1)
8.7.3 Penetration Testing Tool:
• Metasploit by Rapid7 (Latest Version: Metasploit Framework 6.1)
• Burp Suite by PortSwigger (Latest Version: Burp Suite Professional 2022.2)
• Acunetix by Invicti Security (Latest Version: Acunetix 14)
8.8 Compliance:
8.8.1 Compliance Management Software:
• ZenGRC by Reciprocity (Latest Version: ZenGRC)
• Compliance360 by SAI Global (Latest Version: Compliance360)
• LogicManager by LogicManager (Latest Version: LogicManager)
8.8.2 Risk Management Tool:
• RiskWatch (Latest Version: RiskWatch)
• LogicGate by LogicGate (Latest Version: LogicGate Risk Cloud)
• Resolver by Resolver (Latest Version: Resolver)

9 ISO 9001:2015 Implementation steps
Implementing ISO 9000:2015 in an IT organization involves several steps to establish, document, implement,
and maintain a quality management system (QMS) that aligns with the requirements of the standard. Below
is an outline of the project and a list of documents you should develop to ensure compliance with ISO
9.1 Project Planning and Preparation
9.1.1 Project Charter
Defines the objectives, scope, timeline, and resources allocated for implementing ISO 9000:2015.
9.1.2 Stakeholder Analysis
Identifies key stakeholders and their roles and responsibilities in the implementation process.
9.1.3 Resource Plan
Specifies the human, financial, and technological resources required for the project.

9.2 Gap Analysis

9.2.1 Gap Analysis Report
Assesses the organization's current practices against the requirements of ISO 9000:2015 and identifies areas
of non-compliance or improvement.

9.3 Quality Policy and Objectives

9.3.1 Quality Policy
A document that states the organization's commitment to quality and customer satisfaction, aligned with the
principles of ISO 9000:2015.
9.3.2 Quality Objective
Specific, measurable objectives that support the quality policy and drive continuous improvement.

9.4 Documented Information
9.4.1 Quality Manual
Provides an overview of the organization's QMS and how it meets the requirements of ISO 9000:2015.
9.4.2 Procedures
Documented procedures for key processes, such as document control, internal audits, corrective and
preventive actions, etc.
9.4.3 Work Instructions
Detailed instructions for performing specific tasks or activities within the organization.
9.4.4 Forms and Records
Templates for recording essential information, such as audit reports, non-conformities, corrective actions, etc.

9.5 Risk-Based Thinking

9.5.1 Risk Management Plan
Defines the approach for identifying, assessing, and addressing risks and opportunities within the
9.5.2 Risk Register
Documents identified risks, their likelihood, impact, and proposed mitigation strategies.

9.6 Training and Competence

9.6.1 Training Plan
Outlines the training needs of employees involved in the QMS and how training will be conducted and
9.6.2 Competence Matrix
Identifies the skills and competencies required for various roles within the organization and assesses
employees' proficiency levels.

9.7 Internal Audits and Management Review
9.7.1 Internal Audit Plan
Specifies the schedule, scope, and criteria for conducting internal audits of the QMS processes.
9.7.2 Audit Reports
Documents the findings, conclusions, and recommendations from internal audits.
9.7.3 Management Review Meeting Minutes
Records the outcomes of management review meetings, including decisions and action plans for improvement.

9.8 Continuous Improvement

9.8.1 Corrective Action Plan
Outlines the process for identifying, investigating, and correcting non-conformities identified within the
9.8.2 Preventive Action Plan
Defines proactive measures to prevent the recurrence of identified non-conformities or potential issues.

By developing and implementing these documents, your organization can establish a robust QMS aligned
with the requirements of ISO 9000:2015, driving continual improvement and enhancing customer
