3 Definitions
Terms, definitions and books related to quality and audits
The beginning of wisdom is the definition of terms. Socrates
Some terms and definitions currently used in this module:
Accident: undesired event causing death, injury, or damage to health or the environment
Asset: any element of value for the organization
Audit client: everyone requesting an audit
Audit conclusions: outcome of an audit
Audit criteria: everything against which audit evidence is compared
Audit findings: every deviation from audit criteria
Auditee: everyone who is audited
Auditor: everyone who is trained to conduct audits
Competence: personal skills, knowledge and experiences
Conformity: fulfillment of a specified requirement
Continual improvement: permanent process allowing the improvement of the global performance of the organization
Control: ensure compliance with the specified criteria
Corrective action: action to eliminate the causes of nonconformity or any other undesirable event and to prevent their recurrence
Customer: anyone who receives a product
Document (documented information): any medium that allows information to be recorded and processed
Deviation: failure to meet a given threshold
Hazard: situation that could lead to a potential incident
Incident (information security): unwanted and unexpected event that can compromise information security
Information security: controls to protect the confidentiality, integrity and availability of information
Interested party: person, group or company affected by the impacts from an organization
ISMS: Information security management system
Nonconformity: non-fulfillment of a specified requirement
Organization: a structure that satisfies a need
Product (or service): every result of a process or activity
Quality: aptitude to fulfill requirements
Quality objective: quality related, measurable goal that must be achieved
Problem: the gap between the actual situation and the desired situation that has to be overcome
Procedure: set of actions to carry out a process
Record: document providing objective evidence of achieved results
Requirement: explicit or implicit need or expectation
Review: survey of a file, product, process so as to verify if pre-set objectives are achieved
Risk: likelihood of occurrence of a threat or an opportunity
Stakeholder: person, group or company that can affect or be affected by an organization
Statement of Applicability (SoA): document describing the objectives and security controls
Supplier (external provider): an entity that provides a product
Top management: person or group that directs and controls the organization at the highest level
Work environment: set of human and physical factors in which work is carried out
Examples of interested parties: investors, customers, external providers, employees and social, public or political organizations
In the terminology of quality management systems, do not confuse the following:
- anomaly, defect, dysfunction, failure, nonconformity, reject and waste
  - an anomaly is a deviation from what is expected
  - a defect is the non-fulfillment of a requirement related to an intended use
  - a dysfunction is a degraded function that can lead to a failure
  - a failure is when a function has become unfit for use
  - a nonconformity is the non-fulfillment of a requirement in production
  - a reject is a nonconforming product that will be destroyed
  - waste is when there are added costs but no added value
- audit and inspect
  - to audit is to evaluate and improve the management system
  - to inspect is to verify the conformity of a process or product
- audit, auditee and auditor
  - an audit is a process of evaluating and improving the quality management system
  - an auditee is the one who is audited
  - an auditor is the one who conducts the audit
- audit program and audit plan
  - an audit program is the annual planning of the audits
  - an audit plan is the description of the activities of one audit
- communicate and inform
  - to communicate is to pass on a message, listen to the reaction and discuss
  - to inform is to give someone meaningful data
- control and optimization
  - control is meeting the objectives
  - optimization is the search for the best possible results
- customer, external provider and subcontractor
  - a customer receives a product
  - an external provider provides a product
  - a subcontractor provides a service or a product on which specific work is done
- effectiveness and efficiency
  - effectiveness is the level of achievement of planned results
  - efficiency is the ratio between results obtained and resources used
- follow-up and review
  - follow-up is the verification of the results obtained from an action
  - review is the analysis of the effectiveness in achieving objectives
- indicator and objective
  - an indicator is the information on the difference between the achieved result and the preset objective
  - an objective is a sought-after commitment
- organization and enterprise, society, company
  - organization is the term used in the standard ISO 9001 for the entity between the supplier and the customer
  - an enterprise, a society and a company are examples of organizations
- organizational chart and process map
  - the organizational chart is the graphic display of departments and their links
  - the process map is the graphic display of processes and their interactions
- procedure, process, product, activity and task
  - a procedure is the description of how we should conform to the rules
  - a process is the way we satisfy the customer, using people to achieve the objectives
  - a product is the result of a process
  - an activity is a set of tasks
  - a task is a sequence of simple operations
Remark 1: each time you use the term "improvement opportunity" instead of nonconformity, malfunction or failure, the auditee will gain a little more confidence in you.
Remark 2: the use of ISO 19011 and ISO 27000 definitions is recommended. The most important thing is to determine a common and unequivocal vocabulary for everyone in the company.
Remark 3: the customer can also be the user, the beneficiary, the initiator, the client, the prime contractor, the consumer.
Remark 4: ISO 19011 version 2018 uses the terms procedure ( ), record ( ) and documented information together. We also use the terms procedure and record together with the term documented information.
For other definitions, comments, explanations and interpretations that you don’t find in this module and in annex 06, you can consult:
- ISO Online Browsing platform (OBP)
- IEC Electropedia
When I think of all the books still left for me to read, I am certain of further happiness. Jules Renard
Books for further reading on internal audits:
- Denis Pronovost, Internal Quality Auditing, ASQ Quality Press, 2000
- J. P. Russell, The Internal Auditing Pocket Guide, ASQ Quality Press, 2002
- Dennis Arter et al., How to Audit the Process Based QMS, ASQ Quality Press, 2003
- Spencer Pickett, The Essential Handbook of Internal Auditing, John Wiley & Sons, 2005
- Karen Welch, The Process Approach Audit Checklist for Manufacturing, ASQ Quality Press, 2005
- Paul Palmes, Process Driven Comprehensive Auditing, ASQ Quality Press, 2009
- David Hoyle, John Thompson, ISO 9000 Auditor questions, Transition Support, 2009
- J. P. Russell, The Process Auditing and Techniques Guide, ASQ Quality Press, 2010
- Janet Smith, Auditing Beyond Compliance, ASQ Quality Press, 2012
- Edward Humphreys, Implementing the ISO/IEC 27001 2013 ISMS Standard, Artech House, 2016
- Douglas Landoll, Information security policies, procedures, and standards, Auerbach Publications, 2016
- Dejan Kosutic, Secure & Simple: A Small-Business Guide to Implementing ISO 27001 on Your Own, Advisera Expert Solutions, 2016
- Dejan Kosutic, ISO 27001 Risk Management in Plain English: Step-by-Step Handbook for Information Security Practitioners in Small Businesses, Advisera Expert Solutions, 2016
- Dejan Kosutic, ISO 27001 Annex A Controls in Plain English: Step-by-Step Handbook for Information Security Practitioners in Small Businesses, Advisera Expert Solutions, 2016
- Raphaël Hertzog et al, Kali Linux Revealed: Mastering the Penetration Testing Distribution, OFFSEC Press, 2017
- Bridget Kenyon, ISO 27001 Controls: A Guide to Implementing and Auditing, IT Governance Publishing, 2019
- Tamuka Maziriri, ISO/IEC 27001 Lead Auditor: Mastering ISMS Audit Techniques, Independently Published, 2019
- Cees van der Wens, ISO 27001 handbook: Implementing and auditing an 'Information Security Management System' in small and medium-sized businesses, Brave New Books, 2020
- Abhishek Chopra, Mukund Chaudary, Implementing an Information Security Management System, Apress, 2020
- Cynthia Brumfield, Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework, Wiley, 2021
- Cesare Gallotti, Information security - 2022 Edition. Risk management. Management systems. The ISO/IEC 27001:2022 standard. The ISO/IEC 27002:2022 controls, Youcanprint, 2022
- Dr David Brewer, ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability, Independently published, 2022
Minute of relaxation. Paganini's violin concert performed with facial expressions.