How the QMS/ISMS works
The Quality Management System/Information Security Management System (QMS/ISMS) works as follows:
Identification of stakeholders and their needs
AQU Catalunya has identified its stakeholders, ascertaining their needs and expectations through:
- Their participation in meetings, workshops, etc.
- Surveys on activities or processes to assess satisfaction.
- Attention to queries and complaints that may arrive through different channels, especially through help desk.
Maintenance and updating of QMS/ISMS documents
The QMS/ISMS relies on a controlled document structure comprising the following levels of information:
- Key documents: reference documents describing the high-level operations of specific areas within the Agency, such as the security document, personnel policy, training policy, etc.
- Procedures: documents detailing how a process is to be executed and the responsibilities to be fulfilled at each stage. AQU Catalunya has implemented and regularly updates 73 procedures that describe the 14 processes.
- Instructions: documents that specify in detail one part of a procedure.
- Regulations: set of documents that are mandatory and regulate the inner workings of the Agency.
Identification and management of risks
AQU Catalunya identifies and assesses any risks within the processes that are part of the QMS/ISMS. With these possible risks identified, it is able to enact measures to prevent or minimise them and periodically reviews the effectiveness of these actions. It also assesses risks to the information security system in order to guarantee:
- Integrity: The information to which we have access must be accurate, complete and unabridged. This ensures that it is in no way altered or modified, whether voluntarily or involuntarily, by any person or mechanism.
- Availability: It ensures that authorised persons have access to the information or data when required for the performance of their duties.
- Confidentiality: The information is accessible only to those persons so authorised.
Implementation of activities
- Annual planning of the activities to be carried out
AQU Catalunya specifically identifies the activities included in the planning for each year, which takes into account the Strategic Plan, assigning them a unique code, which is essential to be able to allocate financial and human resources. This document sets out AQU Catalunya's overall annual objectives.
- Implementation of activities
Activities are carried out taking into account the QMS/ISMS documents (regulations, manuals, procedures and instructions).
Some activities may be considered as projects. Each project has an initial record. This document identifies the objectives to be achieved, the people involved, the different resource needs, the risk analysis, and a plan for the project's implementation. Projects are then regularly monitored and officially closed, which includes the preparation of a meta-evaluation and the publication of results.
- Measure of compliance with activities and processes
Overall compliance with the annual activity plan is monitored on a quarterly basis and with the Strategic Plan every six months, taking into account the established objectives.
Likewise, AQU Catalunya has identified indicators for measuring each of the Agency's processes and their results. These indicators are managed by a computer application, which provides them as a dashboard.
The indicators are monitored every six months by the Quality Management and Information Security Committee and are taken into account in the review of AQU Catalunya's processes.
All AQU Catalunya's activities, given that they are coded, are monitored in terms of workload (by area and level of work and, in some cases, by type of task) and budget.
- We review our performance:
AQU Catalunya carries out meta-evaluation at three levels: the meta-evaluation of projects, the meta-evaluation of areas and processes and the overall meta-evaluation of AQU Catalunya, which is submitted to the Governing Council. It also carries out the Management Review, where the QMS/ISMS is reviewed.
AQU Catalunya Meta-Evaluation report 2022 [Catalan]
It also undergoes regular internal and external audits to ensure that it complies with the related requirements and that everything is kept up to date. These audits assess:
- QMS/ISMS. AQU Catalunya carries out annual internal and external audits for the review and renewal of ISO 9001 and ISO 27001 certification.
- ESG compliance. AQU Catalunya conducts an international external ESG compliance assessment every five years.
- Data protection. AQU Catalunya carries out an annual internal audit of compliance with the General Data Protection Regulation and the regulations deriving therefrom.
- Annual accounts. AQU Catalunya conducts an annual external audit of the annual accounts to demonstrate their compliance with financial regulations.
- Public procurement. AQU Catalunya conducts an annual external audit of compliance with public procurement regulations.
- Web accessibility. AQU Catalunya conducts external audits every three years to verify compliance with the European Directive on the accessibility of the websites and mobile applications of public sector bodies.
- Improvements
The improvements, recommendations, suggestions, etc. that emerge from the meta-evaluation and system review processes are entered into a computer application that manages them. Together they constitute the Improvement Action Plan. For each improvement, the area and person responsible, the actions to be taken, the objective to be achieved and the timetable for implementation are established. Quarterly monitoring of their implementation is carried out.