Quality Risk

This part of the IMS deals with quality risk.

The approach taken is based on the methodology presented by Brewer and List in their paper "Measuring the effectiveness of an internal control system" (the "time" theory). In this methodology an event describes how a threat agent might exploit some vulnerability to compromise the security of some asset and cause some impact. The events, threat agents, vulnerabilities, assets and impacts are considered generically in order to maximise the efficiency of the risk analysis process, since the objective of the exercise is to identify which quality controls, in particular those listed in the SOA, are required to reduce quality risk to an acceptable level.

Risk is determined in the context of our particular quality objectives, which are defined as part of our IMS Policy, the infrastructure necessary to achieve product conformity and our work environment.

Threat Agents

In the "threat agent ID" column, use a simple descriptive identifier. Use it also as an anchor, since you will refer to it from elsewhere. In the "description" column, describe briefly what the threat agent is. If the threat agent is common to other risk assessments, use the same identifier; there will then be just one definition in the Glossary page. Note that there is a special threat agent (the supplier) that is identified by ISO 9001. It is labelled TA-Sup. Use the prefix T- (i.e. drop the A) for the threat agents that you define yourself, so that the list can still be put into alphabetical order with the special agent listed separately, should you so wish.

Threat Agent ID   Description
TA-Sup            Suppliers
<<>>              <<>>

Sequence and Interaction of Quality Processes

Summarise here, with the aid of a diagram, the sequence and interaction of the quality processes. In practice, these should be a composite of the various quality RTPs rather than a separately drawn set of processes.

Ensure that these processes meet the following two ISO 9001 requirements (clause 8.2.4, monitoring and measurement of product):

  • The organisation shall monitor and measure the characteristics of the product to verify that product requirements have been met. This shall be carried out at appropriate stages of the product realisation process in accordance with the planned arrangements.
  • Product release and service delivery shall not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, where applicable, by the customer.
<<>>

IMS-Smart produced by Gamma Secure Systems Limited. Gamma is an ISO/IEC 27001:2005 and BS EN ISO 9001:2000 registered company, certified for the provision of information security consultancy. BSI certificate numbers IS 85916 and FS 30710. Gamma Secure Systems, Diamond House, Frimley Road, Camberley, Surrey, GU15 2PS, UK. Tel: +44 1276 702500 - Fax: +44 1276 692903. Use of IMS-Smart is governed by a EULA. Template reference 033-080124, copyright © Gamma Secure Systems Limited, 2007-8
Page last updated: 17 March, 2008