3 Definitions

 Terms, definitions and books related to quality and audits

The beginning of wisdom is the definition of terms. Socrates

Some terms and definitions currently used in this module:

Accident: undesired event causing death or health and environmental damages

Asset: any element of value for the organization

Audit client: everyone requesting an audit

Audit conclusions: outcome of an audit

Audit criteria: everything against which audit evidence is compared

Audit findings: every deviation from audit criteria

Auditee: everyone who is audited

Auditor: everyone who is trained to conduct audits

Competence: personal skills, knowledge and experiences

Conformity: fulfillment of a specified requirement

Continual improvement: permanent process allowing the improvement of the global performance of the organization

Control: ensure compliance with the specified criteria

Corrective action: action to eliminate the causes of nonconformity or any other undesirable event and to prevent their recurrence

Customer: anyone who receives a product

Document (documented information): any support allowing the treatment of information

Deviation: failure to meet a given threshold

Hazard: situation that could lead to a potential incident

Incident (information security): unwanted ad unexpected event that can compromise information security

Information security: controls to protect the confidentiality, integrity and availability of information

Interested party: person, group or company affected by the impacts from an organization

ISMS: Information security management system

Nonconformity: non-fulfillment of a specified requirement

Organization: a structure that satisfies a need

Product (or service): every result of a process or activity

Quality: aptitude to fulfill requirements

Quality objective: quality related, measurable goal that must be achieved

Problem: the distance that has to be overcome between real and desired situation

Procedure: set of actions to carry out a process

Record: document providing objective evidence of achieved results

Requirement: explicit or implicit need or expectation

Review: survey of a file, product, process so as to verify if pre-set objectives are achieved

Risk: likelihood of occurrence of a threat or an opportunity

Stakeholder: person, group or company that can affect or be affected by an organization

Statement of Applicability (SoA): document describing the objectives and security controls

Supplier (external provider): an entity that provides a product

Top management: group or persons in charge of the organizational control at the highest level

Work environment: set of human and physical factors in which work is carried out

Examples of interested parties: investors, customers, external providers, employees and social, public or political organizations

In the terminology of quality management systems, do not confuse the following:

• anomaly, defect, dysfunction, failure, nonconformity, reject and waste
  • an anomaly is a deviation from what is expected
  • defect is the non-fulfillment of a requirement related to an intended use
  • dysfunction is a degraded function that can lead to a failure
  • failure is when a function has become unfit
  • nonconformity is the non-fulfillment of a requirement in production
  • reject is a nonconforming product that will be destroyed
  • waste is when there are added costs but no value
• audit and inspect
  • to audit is to improve the management system
  • to inspect is to verify the conformity of a process or product
• audit, auditee and auditor
  • an audit is a process of evaluating and improving the quality management system
  • an auditee is the one who is audited
  • an auditor is the one who conducts the audit
• audit program and plan
  • an audit program is the annual planning of the audits
  • an audit plan is the description of the audit activities
• communicate and inform
  • to communicate is to pass on a message, listen to the reaction and discuss
  • to inform is to give someone meaningful data
• control and optimization
  • control is meeting the objectives
  • optimization is the search for the best possible results
• customer, external provider and subcontractor
  • a customer receives a product
  • an external provider provides a product
  • a subcontractor provides a service or a product on which a specific work is done
• effectiveness and efficiency
  • effectiveness is the level of achievement of planned results
  • efficiency is the ratio between results and resources
• follow-up and review
  • follow-up is the verification of the obtained results of an action
  • review is the analysis of the effectiveness in achieving objectives
• indicator and objective
  • an indicator is the information on the difference between the achieved result and the preset objective
  • an objective is a sought after commitment
• organization and enterprise, society, company
  • organization is the term used in the standard ISO 9001 as the entity between the supplier and the customer
  • an enterprise, society and company are examples of organizations
• organizational chart and process map
  • the organizational chart is the graphic display of departments and their links
  • the process map is the graphic display of processes and their interaction
• procedure, process, product, activity and task
  • a procedure is the description of how we should conform to the rules
  • a process is how we satisfy the customer using people to achieve the objectives
  • a product is the result of a process
  • an activity is a set of tasks
  • a task is a sequence of simple operations

Remark 1: each time you use the term "improvement opportunity" instead of nonconformity, malfunction or failure, the auditee will gain a little more confidence in you.

Remark 2: the use of ISO 19011 and ISO 27000 definitions is recommended. The most important thing is to determine  a common and unequivocal vocabulary for everyone in the company.

Remark 3: the customer can also be the user, the beneficiary, the initiator, the client, the prime contractor, the consumer.
Remark 4: ISO 19011 version 2018 uses the terms procedure ( ), record ( ) and documented information together. We also use the terms procedure and record together with the term documented information.

For other definitions, comments, explanations and interpretations that you don’t find in this module and in annex 06, you can consult: 

• ISO Online Browsing platform (OBP)
• IEC Electropedia

When I think of all the books still left for me to read, I am certain of further happiness. Jules Renard

Books for further reading on internal audits:

•  Denis Provonost, Internal Quality Auditing, ASQ Quality Press, 2000
•  J. P. Russel, The Internal Auditing Pocket Guide, ASQ Quality Press, 2002
•  Dennis Arter and al, How to Audit the Process Based QMS, Quality Press, 2003
•  Spencer Pickett, The Essential Handbook of Internal Auditing, John Wiley & Sons, 2005
•  Karen Welch, The Process Approach Audit Checklist for Manufacturing, ASQ Quality Press, 2005
•  Paul Palmes, Process Driven Comprehensive Auditing, ASQ Quality Press, 2009
•  David Hoyle, John Thompson, ISO 9000 Auditor questions, Transition Support, 2009
•  J. P. Russel, The Process Auditing and Techniques Guide, ASQ Quality Press, 2010
•  Janet Smith, Auditing Beyond Compliance, ASQ Quality Press, 2012
•  Edward Humphreys, Implementing the ISO/IEC 27001 2013 ISMS Standard, Artech House, 2016
•  Douglas Landoll, Information security policies, procedures, and standards, Auerbach Publications, 2016
•  Dejan Kosutic, Secure & simple, A small-business guide to implementing iso 27001 on your own, Advisera Expert Solutions, 2016
•  Dejan Kosutic, ISO 27001 Risk management in plain english, step-by-step handbook for information security practitioners in small businesses, Advisera Expert Solutions, 2016
•  Dejan Kosutic, ISO 27001 annex A controls in plain english, Step-by-step handbook for information security practitioners in small businesses, Advisera Expert Solutions, 2016
•  Raphaël Hertzog et al, Kali Linux Revealed: Mastering the Penetration Testing Distribution, OFFSEC Press, 2017
•  Bridget Kenyon, Iso 27001 Controls: A Guide to Implementing and Auditing, IT Governance Publishing, 2019 
•  Tamuka Maziriri, ISO/IEC 27001 Lead Auditor: Mastering ISMS Audit Techniques, Independently Published, 2019
•  Cees van der Wens, ISO 27001 handbook: Implementing and auditing an 'Information Security Management System' in small and medium-sized businesses, Brave New Books, 2020
•  Abhishek Chopra, Mukund Chaudary, Implementing an Information Security Management System, Apress, 2020
•  Cynthia Brumfield , Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework, Wiley, 2021
•  Cesare Gallotti, Information security - 2022 Edition. Risk management. Management systems. The ISO/IEC 27001:2022 standard. The ISO/IEC 27002:2022 controls, Youcanprint, 2022
•  Dr David Brewer, ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability, Independently published, 2022

Minute of relaxation. Paganini's violin concert performed with facial expressions.

Top of the page

• Home
• My account
• Site map
• FAQ
• GTU