QualityMentors Blog

This blog is a membership-based discussion forum on Project Management, Software Quality, CMMI® for Development, ISMS and associated subjects. It provides a common platform for our training participants and others to share views and obtain expert opinion on issues related to the above subjects. It is also used by QualityMentors training participants to upload their personal details in a secure manner, in line with the guidelines laid down in ISO/IEC 17024:2003. This blog draws its strength from its members, who are welcome to share professional and personal experiences, comments, articles and reference links to make it a preferred knowledge repository for their collective use. It encourages fact-based decision making as a success enabler for projects in member organizations.

Monthly Archives: March 2014

Auditing Top Management

I have seen auditors being nervous while planning and conducting audits of top/senior management executives. While auditing and reporting the findings of such audits can be a sensitive matter, seasoned auditors get considerable professional satisfaction from adding value through this mechanism. If the audit is conducted in a planned and professional manner, the auditee also gains new insights into their organizational processes and appreciates the time invested in auditing.

Confidentiality must be maintained at all costs during and after top management audits. Audit findings, especially negative ones, should not be attributed to any individual person or department, to the extent possible.

Planning, based on organizational process maturity and cultural and social aspects, plays a vital role in such audits. Rather than throwing closed and leading questions at senior people in the auditee organization, the auditor must ensure that most of the questions are open ones (example: would you please tell me the highlights of the organizational policy on project management?). The duration of the audit, its venue, and who will participate from the auditee's and auditor's side must be worked out prior to the audit and communicated to all concerned. Some of the initial questions may be about organizational strengths, weaknesses, opportunities for improvement, current management concerns, and management goals in measurable terms. All questions, follow-up questions and their responses should be recorded. Later on, audit trails should be used to corroborate the responses received from top management.

Auditors must ensure that no one is insulted while the audit findings are presented, in the closing meeting or otherwise, especially those in top management. At the same time, nothing worth mentioning, positive or negative, should be left out.

See this article from the ISO site: http://www.gsprogress.us/Resources/Auditingguidance/Annex_9_AuditTopManagement.pdf

Why is management review important for ISO 27001 and ISO 22301?

My post on this topic in the LinkedIn ISO 27001 Forum:

The famous quality guru Joseph Juran says that quality does not come to a company without management commitment. He says he did not see a single exception to this rule in his entire career (and his career spanned over 80 years). While earlier 'management commitment' used to be a requirement of process improvement standards, of late it has become 'leadership and its commitment'; see MBNQA, EFQM, ISO 27001:2013, etc. Effective and planned management review at pre-defined intervals is one such act of demonstrating management and/or leadership commitment.

Why is it important?
Management in any company is in the driving seat. Unless it reviews the various aspects of business performance, the company will not be able to achieve its defined objectives.

Alternative approaches:
In very large corporations, two- or three-tiered management reviews may be planned and conducted, with top management reviewing only with a few senior managers who have already conducted their respective management reviews. Some companies conduct management reviews over video conference, while in a few smaller ones such reviews are conducted by the top manager visiting different locations or different lines of business, one by one.

Inputs and outputs:
All those specified in the standards (e.g. clause 9.3 of ISO 27001:2013), plus business developments, events, incidents, the political or social scenario, employee issues, etc.

Clarification on ISO 27001:2013

