QualityMentors Blog

This blog is a membership-based discussion forum on Project Management, Software Quality, CMMI® for Development, ISMS and associated subjects. It provides a common platform for our training participants and others to share views and obtain expert opinion on issues related to the above subjects. It is also used by QualityMentors training participants to upload their personal details in a secure manner, in line with the guidelines laid down in ISO/IEC 17024:2003. This blog draws its strength from its members, who are welcome to share professional and personal experiences, comments, articles and reference links to make it a preferred knowledge repository for their collective use. It encourages fact-based decision making as a success enabler for projects in member organizations.

Category Archives: Risk Management

Project implementation by implementation partners

Meena Sharma has written to me about a situation in one of the companies she knows. She says: “A company has a software product. The product was being customized for individual customers and implemented by the delivery team. Now the company wants the implementation work, right from gap analysis to final delivery, done by the implementation partners instead of their own resources. What new processes will have to be evolved and implemented in this changed scenario?”

Under the circumstances you explained, I don’t think the company needs to have any additional processes. If I understood your problem correctly, the situation is simple. This company’s project delivery processes have to be effectively transferred to the selected implementation partners. This is to be done so effectively that the partners’ teams work just like your own team. This will need a series of trainings covering your mission, vision, policies, core values, quality processes, measurement framework and finally the project delivery processes. The same monitoring and control processes will now be applicable to the employees of the partners, through their project managers. Monthly (or at whatever frequency) project progress reports should flow from the partners’ implementation teams to the company’s delivery management and PMO.

The only additional process steps I can envisage are signing a non-disclosure agreement between your company and each of your partners’ employees, and a performance appraisal for them, based on their performance in the projects.

Don’t forget, the onus of delivery within customer-specified quality, cost and schedule parameters still remains with the company and not with its implementation partners. Your monitoring and control mechanism should be able to meet this expectation under the new circumstances. Any risks anticipated on account of the said partnership must be identified and processed as per the company’s existing processes…

I will welcome any clarifications on this issue.

Risk Management Guidelines

Alex Dali from The Global Institute for Risk Management Standards posted this question on LinkedIn group ISO 27001:

"ISO 27001:2013 aligns its risk assessment & treatment with ISO 31000 (see clause 6.1.3) but ISO 27002:2013, clause 0.2 says such guidelines are provided by ISO 27005. Which one should be followed?"

Here is my response:

The answer to this question lies in the titles of the two standards you referred to. ISO 31000 is "Risk Management - Principles and Guidelines", while ISO 27005 is "IT Security Techniques - Information Security Risk Management". So which one is more appropriate for implementing information security? Obviously, ISO 27005.

Alex, please let me know if you have different views. Thanks!


Risk based auditing

My friend AKM Desai (desaiakm@hotmail.com ) wants me to comment on this topic.

ISO 9000:2005 defines the term risk as ‘effect of uncertainty’, i.e. any potential deviation from expected results which may be positive or negative…

ISO 19011:2011 introduced the concept of risk in auditing. It covered both the risk of the audit process not achieving its objectives and the risk of the audit interfering with the auditee’s activities and processes. However, it does not provide specific guidance on the organization’s risk management process.

Specific requirements for effective risk management are provided in Annex SL standards such as ISO 9001:2015 (QMS Requirements), ISO 27001:2013 (ISMS Requirements) and ISO 27002:2013 (Implementation guidance for ISMS). Internal and external audits conforming to the ISO 19011:2011 guidelines and to clause 9.2 of requirements standards like ISO 9001:2015 and ISO 27001:2013 can be defined as ‘Risk based auditing’. Such internal and external audits should be conducted in a seamless manner to achieve the stated audit objectives, without interfering with organisational operations to the extent possible, and with full conformance to the requirements in clauses 4, 6 and 8 of the above requirements standards.
