由于需要记录信息,因此管理系统以“重载”著称。因此,许多组织都选择了软件解决方案,以将大量纸张转化为数字数据。遵守信息 安全要求和法规,例如GDPR。 通过仔细检查这种情况,我们实际上发现: -ISO 9001从来没有为建立,维护和改进管理 体系而需要“纸质规范”的要求; -如果业务流程本身支持数字化,则软件解决方案只能支持管理系统,否则,问题只能转移到另一种介质上,由于数字化会带来自身的挑战,这会使情况变得更糟。 -信息和个人数据的保护与安全一直是客户,合作伙伴和员工等利益相关者的合理关注。 那么组织如何从数字化中受益并仍然满足所有相关要求? 对ISO 9001的更深入研究表明,该 标准实际上对此有很多贡献.ISO 9001不仅与促进数字化兼容,而且可以轻松地用于促进和支持数字化发展。 ISO 9001:2015使数字化变得容易作为ISO 9001:2015“数字适应性”的一个主要例子,让我们看一下“ 文件化信息”的修订版本定义,例如,该术语现在包括: 质量管理手册,成文的程序,记录和文件-简而言之,是整个系统文档的所有表现形式。如果我们想了解这意味着什么数字化转型的机会,我们需要质疑确切的含义是什么? “无论如何?信息是所有沟通和相关结构的基础。信息使组织能够维护和发展知识,并根据需要在内部或外部共享知识。无论如何,都必须确保信息的可用性,完整性和机密性。但是,最重要的是信息的安全性:对数据传输和存储的安全标准的需求信息从未像今天这样高涨。乍一看似乎是零散的单个数据集合,一旦这些数据被分类,修改或嵌入并在特定上下文中变得有意义时,它便成为信息。包含的是权宜之计和有益的知识,从某种意义上说,信息是“价值的数据”,即组织自己确定的价值,那么什么样的知识足够相关才能成为“文档信息”?ISO 9001:2015告诉我们,我们认为组织的管理系统应包括“组织确定为系统有效性所必需的书面信息。”通常,与一条信息的价值有关的规范,视具体情况而定,例如企业部门,组织的规模和复杂性及其过程,利益相关者的要求和期望等。有效保护记录的信息:利用从信息安全中获得的“经验教训”快速浏览ISO / IEC27001的信息安全性表明,文件信息的 风险管理流程需要重点关注 PDCA周期的PLAN方面,即流程的计划从系统开始,从这里开始,风险管理遍布组织的整个结构。 无论 电子邮件,社交媒体或云服务器等现代通信媒体为记录信息的基础提供了什么,这都是首要的方法,其中包括着重于员工的意识。组织的解决方案可能是,如果操作员没有充分意识到其行动的潜在后果和相关风险,则他或她很可能将无法以最安全的方式处理事情。专注于合规性保质期非常短信息及其无常性是当今时代以及持续数字化的一个特殊挑战,这将影响信息的分发和处理。这使得从其余部分中识别出对于组织至关重要和相关的信息变得越来越困难,这给我们带来了麻烦。回到可用性,完整性和机密性的重要性。任何涉及多个活动的一系列活动(=过程)必须对人员进行审查,以了解所需的信息,其来源和币种以及将传输的信息。除了区分与组织相关的(决定)相关信息和受保护信息外,还需要GDPR和其他地方法律等法律要求通常要求技术必须是最新的,并且组织和技术措施也必须有效实施以保护信息。尤其是人员和客户数据需要根据其对组织的价值加以保护,而不仅仅是“简单”的一致性。最后,每个组织都必须自行决定他们要在多大程度上利用数字化转型的可能性,以及提供必要的资源。以安全的方式记录信息时,有很多优化方法如今对组织开放:从符合GDPR到 认证的管理体系(例如ISO 9001或ISO / IEC27001),都具有高度的兼容性,并且能够相互之间建立起来。上述标准可以提供指导关于相关主题的信息,可能会引导用户使用最佳实践方法找到降低风险的解决方案。AndreasAltena和AngelikaMüller的原创文章。 HOW MUCH PAPER FOR QUALITY? ISO 9001 in theage of digitalization Management systemshave a reputation of being “heavy on paper” due to the need for documentationof information. Many organizations, therefore, opt for a software solution, inorder to transform reams of paper into digital data. Digital data, however, arethen subject to information security requirements and legislation, such asGDPR. Upon closer inspectionof that situation, we actually find that: - ISO 9001 hasnever had a requirement for “reams of paper” in order to establish, maintainand improve management systems; - Softwaresolutions can only support management systems if the business processesthemselves support digitalization. Otherwise, problems will only be transferredto another medium, which can make the situation worse because digitalizationcreates its own challenges. - The protectionand security of information and personal data has always been a legitimateconcern among stakeholders such as customers, partners and employees. So how can anorganization benefit from digitalization and still fulfill all the relevantrequirements? A deeper look intoISO 9001 shows that this standard has a lot to contribute to this, actually.ISO 9001 is not only compatible with promoting digitalization, but can be usedeasily to facilitate and support digital developments. Digitalizationmade easy with ISO 9001:2015 For a primary example of the “digital suitability”of ISO 9001:2015, let us look at the revised version’s definition of“documented information”. This term is now being used to include, for example,quality management manuals, documented procedures, records and documents – inshort, the entire system documentation in all its manifestations. If we want tosee what opportunities for digital transformation this implies, we need toquestion what exactly is the meaning? What is “information” anyway? Informationis the basis of all communication and related structures. Information allows anorganization to maintain and develop knowledge, and to share it on the insideor outside as needed. The availability of information, its integrity and itsconfidentiality must be ensured regardless of intended use. Most essential ofall, though, is the security of information: the demand for security standards fortransmission and storing of data and information has never been higher thantoday. What may at first glance seem to be a scattered collection of individualdata becomes information as soon as this data is sorted, amended or embedded andgains significance in a specific context. And information becomes invaluablewhen it contains expedient and beneficial knowledge. In is in that sense thatinformation is “data of value” – which value is for the organization itself todetermine. So what kind of knowledge is relevant enough to become “documentedinformation”? ISO 9001:2015 tells us that an organization’s management systemshall include “documented information determined by the organization as beingnecessary for the effectiveness of the system.” Consequently, the norm focuseson the value of a piece of information, subject to the specific situation, e.g.business sector, size and complexity of the organization and its processes,requirements and expectations of stakeholders, etc. Effectively protectingdocumented information: using “lessons learned” from Information Security Aquick look at ISO/IEC 27001 for Information Security shows that a riskmanagement process for documented information needs to focus strongly on thePLAN aspect of the PDCA cycle, which is the planning of processes and systems.From here, risk management is spread throughout the organization’s structure. This is thepremier approach wherever modern communication media, such as e-mail, social mediaor cloud servers provide the basis for documented information. That includes,among other things, a focus on employee awareness. Because no matter how goodany given technical or organizational solution may be, if the human operator isnot sufficiently aware of the potential consequences of their actions, and theassociated risks, he or she will most likely not handle things in the mostsecure manner. A focus on compliance The immensely short shelf life ofinformation and its impermanence are a particular challenge of our times and ofcontinuing digitalization, which affects its distribution and processing. Thismakes it continuously harder to identify those pieces of information that areessential and relevant for an organization from the rest, which brings us backto the importance of availability, integrity and confidentiality. Any sequenceof activities (=process) involving more than one person has to be reviewed forwhat information is required, its source and currency, and what informationwill be transferred. In addition to the differentiation between documented informationthat is (decision) relevant for an organization and its protection, there isalso the need to be conformant, to fulfill the relevant requirements ofinterested parties. Legal requirements such as GDPR and other, local lawsusually require that technology needs to be stateof-the-art and organizational aswell as technical measures need to be implemented to effectively protect information.Especially personnel and customer data need to be protected according to theirvalue to the organization, above and beyond “simple” conformance. In the end,each organization will have to decide themselves to what extent they want toutilize the possibilities of digital transformation, and make available thenecessary resources. When it comes to documenting information in a securefashion, there are many options open to organizations today: from compliancewith GDPR to certified management systems such as ISO 9001 or ISO/IEC 27001,there is a high level of compatibility and being able to build up from one tothe other. The standards mentioned above can provide guidance on relevanttopics, and may lead their users to find solutions to reduce risk using the Best-Practice-Approach.Original article by Andreas Altena and Angelika Müller.
| 
发表于 2019-12-5 09:32:55
发表于 2019-12-5 11:02:34
楼主
发表于 2019-12-5 13:24:30
