Analysis of the Use of Common Terms (JTCG/TF3 N117) in Identical Text (JTCG/TF1/N36) Graham Watson 18/10/2010


This document provides an analysis of the usage of common terms in the Identical Text following the October meeting of JTCG in Vienna. The Common terms were provided in N117 Common MS terminology ( ). The Identical Text was provided in N119 JTCG-TF N36 High Level Structure and Identical Text.

Annex A summarises the way in which the terms are used in the identical text and indicates the number of times each term (or derivative of the term) is used.

Annex B reproduces the identical text, but highlights each term in colour. Red is used when the term is used in an unqualified manner and blue is used when the term is preceded by XXX.

In Annex C, each term is replaced by its [definition] in square brackets. The same colour convention is repeated from Annex B.

Conclusions and recommendations

1. For the majority of cases, the definition (or derivative) can be successfully substituted into the text.

2. There are instances when both a generic term (e.g. policy) and a discipline-specific term (e.g. XXX policy) are used in the identical text. It would appear sensible to provide both a generic and a discipline-specific definition to distinguish the difference in meaning, to avoid confusion and to ensure the intended meaning cannot be misinterpreted. It is possible that the use of the generic terms was accidental.

3. There are also instances when only the discipline-specific term (e.g. XXX objective) is used. In these instances, it would appear sensible to provide a discipline-specific definition.

4. If a discipline-specific definition is not provided, then it is possible that the reader may construct their own definition that does not follow ISO terminology practice.

5. However, TF3 does not provide guidance on how to construct a discipline-specific definition from the definition of the generic term. It would be useful to provide such guidance, e.g. to explain how quality objective or environmental objective should be derived from objective. A possible way to do this is as follows.

Current definitions are:

(ISO 14001:2004) 3.9 environmental objective
overall environmental goal, consistent with the environmental policy (3.11), that an organization (3.16) sets itself to achieve

(ISO 9000:2005) quality objective
something sought, or aimed for, related to quality (3.1.1)
NOTE 1 Quality objectives are generally based on the organization's quality policy (3.2.4).
NOTE 2 Quality objectives are generally specified for relevant functions and levels in the organization (3.3.1).

If we take the new JTCG definition of objective (result to be achieved), we could come up with, for example:

quality objective
result to be achieved related to quality

and

environmental objective
result to be achieved, consistent with the organization's environmental policy(, set by the organization)

6. It would perhaps be sensible to provide guidance on defining all the discipline-specific terms included in the identical text, i.e. all terms preceded by XXX.

I also make the following specific comments.

7. In clause 4.2, the inclusion of the text in brackets after requirements, (i.e. their needs and expectations whether stated, implied or obligatory), is unnecessary as this paraphrases the definition.

8. The use of "Persons in top management..." in clause 5.1 does not work when the definition of top management is substituted; it becomes "Persons in person or group of people".

9. Clause 5.2 includes strategic direction, intended outcomes and purposes of the organization's existence without providing an explanation of what would be required to satisfy them. These all appear to be types of objective, but they are not all included in the notes to the definition.

10. The substitution of the definition of risk doesn't quite work.

ANNEX A Analysis of Usage of Common Terms in Identical Text

| | Term | Usage and comments |
|---|---|---|
| 1 | T.1.1 organization | Used 45 times and 2 times as organizational |
| 2 | T.1.2 risk | Used 4 times, always as plural (risks) |
| 3 | T.1.3 policy | Used 2 times (unqualified) and 4 times as XXX policy [Are the 2 occurrences in error?] |
| 4 | T.1.4 objective | Not used unqualified but used 6 times, always plural as XXX objectives [hence the unqualified definition does not apply and XXX objective should be defined] |
| 5 | T.1.5 top management | Used 8 times |
| 6 | T.1.6 interested party (preferred term); stakeholder (admitted term) | interested party: Used 3 times, always plural (interested parties); stakeholder: Not used |
| 7 | T.1.7 requirement | Used 14 times |
| 8 | T.2.1 management system | Used 3 times (unqualified) and 38 times as XXX management system [Are the 3 occurrences in error?] [Should XXX management system be defined?] |
| 9 | T.2.2 process | Used 11 times, always plural (processes) |
| 10 | T.2.3 competence | Used 4 times [Competent is used 2 times] |
| 11 | T.2.4 documented information | Used 25 times |
| 12 | T.2.5 performance | Used 3 times unqualified and 4 times as XXX performance [Should XXX performance be defined?] |
| 13 | T.2.6 outsource (verb) | Used 1 time |
| 14 | T.3.1 monitoring | Used 5 times [monitor (verb) is used 2 times] |
| 15 | T.3.2 measurement | Used 4 times [Measure (verb) is used 1 time] |
| 16 | T.3.3 audit | Used 10 times |
| 17 | T.3.4 effectiveness | Used 8 times |
| 18 | T.3.5 conformity | Not used |
| 19 | T.3.6 nonconformity | Used 12 times, 10 of which are plural (nonconformities) |
| 20 | T.4.1 correction | Not used |
| 21 | T.4.2 corrective action | Used 5 times |
| 22 | T.4.3 continual improvement | Used 5 times |

ANNEX B Common Terms highlighted in colour

In this version, defined terms are shown in red text. Where a defined term is preceded by XXX, it is shown in blue text.

1. High Level Structure, with draft Identical text

Note: In the Identical text proposals, XXX = an MSS discipline specific qualifier (e.g. energy, road traffic safety, IT security, food safety, societal security, environment, quality) needs to be inserted. Blue italicized text is given as advisory notes to standards drafters.

Introduction
Note: Unique to the discipline

1. Scope
Note: Specific to the discipline; possibly some identical text

2. Normative references
Note: Clause Title shall be used. Unique to the discipline

3. Terms and definitions
Note: Clause Title shall be used. Terms and definitions may either be within the standard or in a separate document. To reference Aligned definitions + discipline specific ones

4. Context of the organization

4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its XXX management system. These issues shall be taken into account when establishing, implementing, maintaining and improving the organization's XXX management system.

4.2 Understanding the needs and expectations of interested parties
When establishing its XXX management system, the organization shall determine
- its relevant interested parties and
- their requirements (i.e. their needs and expectations whether stated, implied or obligatory)

4.3 Determining the scope of the management system
The organization shall determine the scope of the XXX management system, such that the boundaries and applicability of the XXX management system can be clearly communicated to relevant internal and external parties.

When determining the scope of the management system the organization shall consider:
- the external and internal issues referred to in the requirements referred to in 4.2,

The organization shall retain documented information on the scope of the XXX management system

4.4 XXX management system
The organization shall, establish, implement, maintain and improve an XXX management system in accordance with the requirements of this International Standard including the processes needed and their interactions.

5. Leadership

5.1 General

Persons in top management and other relevant management roles throughout the organization shall demonstrate leadership with respect to the XXX management system.

Note This can be shown, for example, by motivating and empowering persons to contribute to the effectiveness of the XXX management system

5.2 Management commitment
Top management shall demonstrate its commitment by
- ensuring the XXX management system is compatible with the strategic direction of the organization
- integrating the XXX management system requirements into the organization's business processes;
- providing the resources to establish, implement, maintain and continually improve the XXX management system
- communicating the importance of effective XXX management and conforming to the XXX management system requirements;
- ensuring that the XXX management system achieves its intended outcomes
- directing and supporting continual improvement

Note reference to business in this International Standard should be interpreted broadly to mean those activities that are core to the purposes of the organization's existence.

5.3 Policy
Top management shall establish a XXX policy. The policy shall:
- be appropriate to the purpose of the organization,
- provide the framework for setting XXX objectives;
- include a commitment to satisfy applicable requirements,
- include a commitment to continual improvement of the XXX management system
- be communicated within the organization
- be available to interested parties, as appropriate.

The organization shall retain documented information on the XXX policy.

5.4 Organizational roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization.

Top management shall assign the responsibility and authority for
a) ensuring that the XXX management system conforms to the requirements of this International Standard
b) reporting on the performance of the XXX management system to top management

6 Planning

6.1 Actions to address risks and opportunities
The organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to
- assure the management system can achieve its intended outcome(s)
- prevent undesired effects
- realize opportunities for improvement.

The organization shall:
a) evaluate the need to plan actions to address these risks and opportunities, and

b) where applicable
- integrate and implement these actions into its XXX management system processes (see 8.1)
- ensure information will be available to evaluate if the actions have been effective (see 9.1)

6.2 XXX objectives and plans to achieve them
Top management shall ensure that XXX objectives are established and communicated for relevant functions and levels within the organization.

The XXX objectives shall:
- be consistent with the XXX policy
- be measurable (if practicable)
- take into account applicable requirements
- be monitored and updated as appropriate

The organization shall retain documented information on the XXX objectives.

To achieve its XXX objectives, the organization shall determine:
- who will be responsible
- what will be done
- what resources will be required
- when it will be completed
- how the results will be evaluated

7. Support

7.1 Resources
The organization shall determine and provide the resources needed for the XXX management system

7.2 Competence
The organization shall:
- determine the necessary competence of person(s) doing work under its control that affects its XXX performance
- ensure these persons are competent on the basis of appropriate education, training, or experience,
- where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken
- retain appropriate documented information as evidence of competence.

Note Applicable actions may include, for example: the provision of training to, the mentoring of, or the re-assignment of current employees; or the hiring or contracting of competent persons.
7.3 Awareness
Persons doing work under the organization's control shall be aware of:
- the XXX policy
- their contribution to the effectiveness of the XXX management system, including the benefits of improved XXX performance
- the implications of not conforming with the XXX management system requirements

7.4 Communication
The organization shall determine the need for internal and external communications relevant to the XXX management system including
- what to communicate
- when to communicate
- to whom it will communicate

7.5 Documented information

General
The organization's XXX management system shall include:
- documented information required by this International Standard
- documented information determined by the organization as being required for the effectiveness of the XXX management system

Create and update
The process for creating and updating documented information shall ensure appropriate:
- identification and description (e.g. a title, date, author, number )
- format (e.g. language, software version, graphics) and media (e.g. paper, electronic)
- review and approval for adequacy

Note The extent of documented information for a XXX management system can differ from one organization to another due to:
- the size of organization and its type of activities, processes, products and services,
- the complexity of processes and their interactions, and
- the competence of persons

Control of documented information
Documented information required by the XXX management system and by this International Standard shall be controlled. Control of documented information shall include the following, as applicable:
- Distribution
- Access
- Storage and preservation
- Retrieval and use
- Control of changes (e.g. version control)
- Preservation of legibility (i.e. clear enough to read)
- Prevention of the unintended use of obsolete information
- Retention and disposition

Documented information of external origin determined by the organization to be necessary for the planning and operation of the XXX management system shall be identified as appropriate, and controlled.

When establishing control of documented information, the organization shall ensure that there is adequate protection for the documented information (e.g. protection against compromise, unauthorized modification or deletion).
Note Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.

8. Operation

8.1 Operational planning and control
The organization shall determine, plan, implement and control those processes needed to address the risks and opportunities determined in 6.1 and to meet requirements, by:
- establishing criteria for those processes
- implementing the control of these processes in accordance with the criteria
- keeping documented information to demonstrate that the processes have been carried out as planned.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary

The organization shall control processes that are contracted-out or outsourced.

9. Performance Evaluation

9.1 Monitoring, measurement, analysis and evaluation
The organization shall determine:
- what needs to be measured and monitored;
- the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results.
- when the monitoring and measuring shall be performed;
- when the analysis and evaluation of monitoring and measurement results shall be performed.

The organization shall evaluate the XXX performance and the effectiveness of the XXX management system.

Additionally, the organization shall:
- take action when necessary to address adverse trends or results before a nonconformity occurs.
- retain relevant documented information as evidence of the results.

9.2 Internal Audit
The organization shall conduct internal audits at planned intervals to provide information to assist in the determination of whether the XXX management system
a) conforms to the organization's own requirements for its XXX management system the requirements of this International Standard.
b) is effectively implemented and maintained.

The organization shall
- plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, while taking into consideration the importance of the processes concerned and the results of previous audits.
- define the audit criteria and scope for each audit
- select auditors and conduct audits to ensure objectivity and the impartiality of the audit process.
- ensure that the results of the audits are reported to relevant management
- retain documented information as evidence of the results.

9.3 Management review
Top management shall review the organization's XXX management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:
- the status of actions from previous management reviews;
- changes in external and internal issues that are relevant to the XXX management system,
- information on the XXX performance, including trends in:
  - nonconformities and corrective actions
  - monitoring and measurement evaluation results and
  - audit results,
- opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the XXX management system

The organization shall retain documented information as evidence of the results of management reviews.

10. Improvement

10.1 Nonconformity and corrective action
The organization shall:
- identify nonconformities,
- react to the nonconformities, and as applicable take action to control, contain and correct them, deal with the consequences

The organization shall also evaluate the need for action to eliminate the causes of nonconformities, including:
- reviewing nonconformities
- determining the causes of nonconformities,
- identifying if potential similar nonconformities exist elsewhere in the XXX management system
- Evaluating the need for action to ensure that nonconformities do not recur or occur elsewhere
- determining and implementing action needed, and
- reviewing the effectiveness of any corrective action taken.
- making changes to the XXX management system, if necessary

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

The organization shall retain documented information as evidence of
- the nature of the nonconformities and any subsequent actions taken, and
- the results of any corrective action

10.2 Continual improvement
The organization shall continually improve the suitability, adequacy or effectiveness of the XXX management system.

NOTE The organization can use the processes of the XXX management system such as leadership, planning and performance evaluation, to achieve improvement

ANNEX C Common Terms substituted by their definitions and highlighted in colour

In this version of the identical text, the defined terms have been replaced by their definitions in square brackets.

1. High Level Structure, with draft Identical text

Note: In the Identical text proposals, XXX = an MSS discipline specific qualifier (e.g. energy, road traffic safety, IT security, food safety, societal security, environment, quality) needs to be inserted. Blue italicized text is given as advisory notes to standards drafters.

Introduction
Note: Unique to the discipline

1. Scope
Note: Specific to the discipline; possibly some identical text

2. Normative references
Note: Clause Title shall be used. Unique to the discipline

3. Terms and definitions
Note: Clause Title shall be used. Terms and definitions may either be within the standard or in a separate document. To reference Aligned definitions + discipline specific ones

4. Context of the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives]

4.1 Understanding the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives] and its context
The [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives] shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives]. These issues shall be taken into account when establishing, implementing, maintaining and improving the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives]'s XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives].
4.2 Understanding the needs and expectations of [persons or group of people that holds a view that can affect the organization]
When establishing its XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives], the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives] shall determine
- its relevant [persons or group of people that holds a view that can affect the organization] and
- their [obligatory need or expectation that is stated or implied]s (i.e. their needs and expectations whether stated, implied or obligatory)

4.3 Determining the scope of the [set of interrelated or interacting elements of an organization to establish policies and objectives, and [set of interrelated or interacting activities which transforms inputs into outputs]es to achieve those objectives]
The [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives] shall determine the scope of the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives], such that the boundaries and applicability of the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] can be clearly communicated to relevant internal and external parties.

When determining the scope of the [set of interrelated or interacting elements of an organization to establish policies and objectives, and [set of interrelated or interacting activities which transforms inputs into outputs]es to achieve those objectives] the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives] shall consider:
- the external and internal issues referred to in the [obligatory need or expectation that is stated or implied]s referred to in 4.2,

The [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives] shall retain [information required to be controlled and maintained by an organization] on the scope of the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives]

4.4 XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives]
The [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives] shall, establish, implement, maintain and improve an XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] in accordance with the [obligatory need or expectation that is stated or implied]s of this International Standard including the [set of interrelated or interacting activities which transforms inputs into outputs]es needed and their interactions.

5. Leadership

5.1 General
Persons in [person or group of people who directs and controls an organization at the highest level] and other relevant management roles throughout the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives] shall demonstrate leadership with respect to the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives].
Note This can be shown, for example, by motivating and empowering persons to contribute to the [extent to which planned activities are realized and planned results achieved] of the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives]

5.2 Management commitment
[person or group of people who directs and controls an organization at the highest level] shall demonstrate its commitment by
- ensuring the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] is compatible with the strategic direction of the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives]
- integrating the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] [obligatory need or expectation that is stated or implied]s into the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives]'s business [set of interrelated or interacting activities which transforms inputs into outputs]es;
- providing the resources to establish, implement, maintain and continually improve the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives]
- communicating the importance of effective XXX management and conforming to the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] [obligatory need or expectation that is stated or implied]s;
- ensuring that the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] achieves its intended outcomes
- directing and supporting [recurring activity to enhance performance]

Note reference to business in this International Standard should be interpreted broadly to mean those activities that are core to the purposes of the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives]'s existence.

5.3 [intentions and direction of an organization (T.1.1) as formally expressed by its [person or group of people who directs and controls an organization at the highest level]]
[person or group of people who directs and controls an organization at the highest level] shall establish a XXX [intentions and direction of an organization (T.1.1) as formally expressed by its top management]. The [intentions and direction of an organization (T.1.1) as formally expressed by its [person or group of people who directs and controls an organization at the highest level]] shall:
- be appropriate to the purpose of the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives],
- provide the framework for setting XXX [result to be achieved]s;
- include a commitment to satisfy applicable [obligatory need or expectation that is stated or implied]s,
- include a commitment to [recurring activity to enhance performance] of the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives]
- be communicated within the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives]
- be available to [persons or group of people that holds a view that can affect the organization], as appropriate.

The [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives] shall retain [information required to be controlled and maintained by an organization] on the XXX [intentions and direction of an organization (T.1.1) as formally expressed by its top management].

5.4 Organizational roles, responsibilities and authorities
[person or group of people who directs and controls an organization at the highest level] shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives].
[person or group of people who directs and controls an organization at the highest level] shall assign the responsibility and authority for
a) ensuring that the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] conforms to the [obligatory need or expectation that is stated or implied]s of this International Standard
b) reporting on the [measurable result] of the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] to [person or group of people who directs and controls an organization at the highest level]

6 Planning

6.1 Actions to address [effect of uncertainty on objectives]s and opportunities
The [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives] shall consider the issues referred to in 4.1 and the [obligatory need or expectation that is stated or implied]s referred to in 4.2 and determine the [effect of uncertainty on objectives]s and opportunities that need to be addressed to
- assure the [set of interrelated or interacting elements of an organization to establish policies and objectives, and [set of interrelated or interacting activities which transforms inputs into outputs]es to achieve those objectives] can achieve its intended outcome(s)
- prevent undesired effects
- realize opportunities for improvement.

The [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives] shall:
a) evaluate the need to plan actions to address these [effect of uncertainty on objectives]s and opportunities, and
b) where applicable
- integrate and implement these actions into its XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] [set of interrelated or interacting activities which transforms inputs into outputs]es (see 8.1)
- ensure information will be available to evaluate if the actions have been effective (see 9.1)

6.2 XXX [result to be achieved]s and plans to achieve them

[person or group of people who directs and controls an organization at the highest level] shall ensure that XXX [result to be achieved]s are established and communicated for relevant functions and levels within the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives].

The XXX [result to be achieved]s shall:
- be consistent with the XXX [intentions and direction of an organization (T.1.1) as formally expressed by its top management]
- be measurable (if practicable)
- take into account applicable [obligatory need or expectation that is stated or implied]s
- be monitored and updated as appropriate

achieve its objectives] shall retain [information required to be controlled and maintained by an organization] on the XXX [result to be achieved]s.

To achieve its XXX [result to be achieved]s, the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives] shall determine:
- who will be responsible
- what will be done
- what resources will be required
- when it will be completed
- how the results will be evaluated

7. Support

7.1 Resources

achieve its objectives] shall determine and provide the resources needed for the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives]

7.2 [ability to apply knowledge and skills to achieve intended results]

achieve its objectives] shall:
- determine the necessary [ability to apply knowledge and skills to achieve intended results] of person(s) doing work under its control that affects its XXX [measurable result]
- ensure these persons are competent on the basis of appropriate education, training, or experience,
- where applicable, take actions to acquire the necessary [ability to apply knowledge and skills to achieve intended results], and evaluate the [extent to which planned activities are realized and planned results achieved] of the actions taken
- retain appropriate [information required to be controlled and maintained by an organization] as evidence of [ability to apply knowledge and skills to achieve intended results].

Note Applicable actions may include, for example: the provision of training to, the mentoring of, or the re-assignment of current employees; or the hiring or contracting of competent persons.

7.3 Awareness

Persons doing work under the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives]'s control shall be aware of:
- the XXX [intentions and direction of an organization (T.1.1) as formally expressed by its top management]
- their contribution to the [extent to which planned activities are realized and planned results achieved] of the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives], including the benefits of improved XXX [measurable result]
- the implications of not conforming with the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] [obligatory need or expectation that is stated or implied]s

7.4 Communication

achieve its objectives] shall determine the need for internal and external communications relevant to the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] including
- what to communicate
- when to communicate
- to whom it will communicate

7.5 [information required to be controlled and maintained by an organization]

General

achieve its objectives]'s XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] shall include:
- [information required to be controlled and maintained by an organization] required by this International Standard
- [information required to be controlled and maintained by an organization] determined by the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives] as being required for the [extent to which planned activities are realized and planned results achieved] of the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives]

Create and update

The process for creating and updating [information required to be controlled and maintained by an organization] shall ensure appropriate:
- identification and description (e.g. a title, date, author, number)
- format (e.g. language, software version, graphics) and media (e.g. paper, electronic)
- review and approval for adequacy

Note The extent of [information required to be controlled and maintained by an organization] for a XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] can differ from one organization to another due to:
- the size of organization and its type of activities, processes, products and services,
- the complexity of processes and their interactions, and
- the competence of persons

Control of [information required to be controlled and maintained by an organization]

[information required to be controlled and maintained by an organization] required by the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] and by this International Standard shall be controlled.

Control of [information required to be controlled and maintained by an organization] shall include the following, as applicable:
- Distribution
- Access
- Storage and preservation
- Retrieval and use
- Control of changes (e.g. version control)

- Preservation of legibility (i.e. clear enough to read)
- Prevention of the unintended use of obsolete information
- Retention and disposition

[information required to be controlled and maintained by an organization] of external origin determined by the organization to be necessary for the planning and operation of the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] shall be identified as appropriate, and controlled.

When establishing control of [information required to be controlled and maintained by an organization], the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives] shall ensure that there is adequate protection for the [information required to be controlled and maintained by an organization] (e.g. protection against compromise, unauthorized modification or deletion).

Note Access implies a decision regarding the permission to view the [information required to be controlled and maintained by an organization] only, or the permission and authority to view and change the [information required to be controlled and maintained by an organization], etc.

8. Operation

8.1 Operational planning and control

achieve its objectives] shall determine, plan, implement and control those [set of interrelated or interacting activities which transforms inputs into outputs]es needed to address the [effect of uncertainty on objectives]s and opportunities determined in 6.1 and to meet [obligatory need or expectation that is stated or implied]s, by:
- establishing criteria for those [set of interrelated or interacting activities which transforms inputs into outputs]es
- implementing the control of these [set of interrelated or interacting activities which transforms inputs into outputs]es in accordance with the criteria
- keeping [information required to be controlled and maintained by an organization] to demonstrate that the [set of interrelated or interacting activities which transforms inputs into outputs]es have been carried out as planned.

achieve its objectives] shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary

achieve its objectives] shall control [set of interrelated or interacting activities which transforms inputs into outputs]es that are contracted-out or [make an arrangement where an external organization performs part of an organization's function or process]d.

9. [measurable result] Evaluation

9.1 [determining the status of a system, a process or an activity], [process to determine a value], analysis and evaluation

achieve its objectives] shall determine:
- what needs to be measured and monitored;
- the methods for [determining the status of a system, a process or an activity], [process to determine a value], analysis and evaluation, as applicable, to ensure valid results.
- when the [determining the status of a system, a process or an activity] and measuring shall be performed;
- when the analysis and evaluation of [determining the status of a system, a process or an activity] and [process to determine a value] results shall be performed.

achieve its objectives] shall evaluate the XXX [measurable result] and the [extent to which planned activities are realized and planned results achieved] of the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives].

Additionally, the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives] shall:
- take action when necessary to address adverse trends or results before a [non-fulfilment of a requirement] occurs.
- retain relevant [information required to be controlled and maintained by an organization] as evidence of the results.

9.2 Internal [systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled]

achieve its objectives] shall conduct internal [systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled]s at planned intervals to provide information to assist in the determination of whether the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives]
a) conforms to the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives]'s own [obligatory need or expectation that is stated or implied]s for its XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] the [obligatory need or expectation that is stated or implied]s of this International Standard.
b) is effectively implemented and maintained.

achieve its objectives] shall
- plan, establish, implement and maintain an [systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled] programme(s), including the frequency, methods, responsibilities, planning [obligatory need or expectation that is stated or implied]s and reporting, while taking into consideration the importance of the [set of interrelated or interacting activities which transforms inputs into outputs]es concerned and the results of previous [systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled]s.
- define the [systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled] criteria and scope for each [systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled]
- select auditors and conduct [systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled]s to ensure objectivity and the impartiality of the [systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled] [set of interrelated or interacting activities which transforms inputs into outputs].
- ensure that the results of the [systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled]s are reported to relevant management
- retain [information required to be controlled and maintained by an organization] as evidence of the results.

9.3 Management review

[person or group of people who directs and controls an organization at the highest level] shall review the [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives]'s XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives], at planned intervals, to ensure its continuing suitability, adequacy and [extent to which planned activities are realized and planned results achieved].

The management review shall include consideration of:
- the status of actions from previous management reviews;
- changes in external and internal issues that are relevant to the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives],
- information on the XXX [measurable result], including trends in: [non-fulfilments of a requirement] and [action to eliminate the cause of a nonconformity and to prevent recurrence]s [determining the status of a system, a process or an activity] and [process to determine a value] evaluation results and [systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled] results,
- opportunities for [recurring activity to enhance performance].

The outputs of the management review shall include decisions related to [recurring activity to enhance performance] opportunities and the possible need for changes to the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives]

achieve its objectives] shall retain [information required to be controlled and maintained by an organization] as evidence of the results of management reviews.

10. Improvement

10.1 [non-fulfilment of a requirement] and [action to eliminate the cause of a nonconformity and to prevent recurrence]

achieve its objectives] shall:
- identify [non-fulfilments of a requirement],
- react to the [non-fulfilments of a requirement], and as applicable take action to control, contain and correct them, deal with the consequences

achieve its objectives] shall also evaluate the need for action to eliminate the causes of [non-fulfilments of a requirement], including:
- reviewing [non-fulfilments of a requirement]
- determining the causes of [non-fulfilments of a requirement],
- identifying if potential similar [non-fulfilments of a requirement] exist elsewhere in the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives]
- Evaluating the need for action to ensure that [non-fulfilments of a requirement] do not recur or occur elsewhere
- determining and implementing action needed, and
- reviewing the [extent to which planned activities are realized and planned results achieved] of any [action to eliminate the cause of a nonconformity and to prevent recurrence] taken.
- making changes to the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives], if necessary

[action to eliminate the cause of a nonconformity and to prevent recurrence]s shall be appropriate to the effects of the [non-fulfilments of a requirement] encountered.

achieve its objectives] shall retain [information required to be controlled and maintained by an organization] as evidence of
- the nature of the [non-fulfilments of a requirement] and any subsequent actions taken, and
- the results of any [action to eliminate the cause of a nonconformity and to prevent recurrence]

10.2 [recurring activity to enhance performance]

achieve its objectives] shall continually improve the suitability, adequacy or [extent to which planned activities are realized and planned results achieved] of the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives].

NOTE The [person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives] can use the [set of interrelated or interacting activities which transforms inputs into outputs]es of the XXX [set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives] such as leadership, planning and [measurable result] evaluation, to achieve improvement