Authority Document vs Policy

DMH
Kilo Contributor

We are debating whether to set up our internal Quality Manual (which contains our basic IT general controls) as an Authority Document or a Policy. Is there a reason why we couldn't/shouldn't set it up as an Authority Document? Appreciate any suggestions.

1 ACCEPTED SOLUTION

Uncle Rob
Kilo Patron

Not a compliance expert, but it seems to me that Authority Documents are externally sourced and agreed upon as authoritative by multiple external parties, i.e. SOX, PCI, GDPR, etc.

Policies are things your company decides to do. So if you have an internal quality manual, there's a good argument that putting it in authority docs is just more work, when you can just as easily put it in policies instead.



JohnJasinski
Tera Expert

DMH - Robert, Adam, Rafael and Scott all provide great help - expert advice.

Extra comments: check out COBIT 2019 - APO11.01 Establish a quality management system (QMS) - in the Governance and Management Objectives book - page 126. Policy objective in APO01.09 - page 59.

Book is free to anyone: https://www.isaca.org/bookstore/bookstore-cobit_19-digital/wcb19fgm

The book is a reference - use it as desired - Authoritative source, ITGCs, Policy or Knowledge Articles - use with NOW functionality as needed. COBIT maps to all leading standards, frameworks and practices - single integrated umbrella model - framework of frameworks.

COBIT can be used in a variety of ways, knowing it all works together as a complete system. Examples: Governance and Management design, Policy and Controls framework, Authoritative source, Continuous Control Monitoring, Knowledge, Assessments, Org structure / RACI, Metrics, Maturity & Capability, Implementation, Mappings, People skills, Inputs & Outputs, Systems, WBS structure for RFPs and contracts and more. No need to make it up anymore. Great desk reference. Context, structure and content. Standardization cost savings > customization benefits. I have all ISACA COBIT 2019 content available for use in ServiceNow.


Lucky10
Kilo Expert

DMH -

From an implementation perspective, it really depends on how you want to report and manage that document and what is in your current environment. The comments above are correct: the "Authoritative Docs" item is intended for external doc management, but has various functions available. Things to ask...

  1. Do you already have defined "Control Objectives" in the system?
  2. Are you using an integrated Authority Doc solution (UCF)?
  3. Do you want to map your "Quality Manual" ITGC items to existing Control objectives or measure them independently?

The third question's response will help guide you.

I have seen customers that have a list of control objectives already in place and being measured, but want to map other controls to the existing items for compliance reporting only; simply adding the content as an Authority Document and then mapping it to the Control Objectives gave them that ability.

If those controls are not in place yet and need to be measured, then I would recommend that you add the ITGC items as control objectives, load the "manual" as a "Policy" record and map the newly created Control Objectives to it. You can then monitor the defined controls and report on compliance to the "manual" that you created.