The organization monitors customers’ success and satisfaction with their products and services. The goal is to find out to which degree their needs and expectations are fulfilled.

The organization has determined the methods for collecting, monitoring and reviewing customer satisfaction information. Possible methods for collecting the information can include:

• customer surveys
• customer satisfaction questionnaires (e.g. NPS)
• feedback sent by customers related to delivered products and services
• feedback gathered on customer meetings
• market-share analysis
• customer reviews on internet
• warranty claims

Organization's top management sets quality objectives. Quality objectives meet the following requirements:

• they are consistent with the quality policy
• they are measurable
• they take into account applicable requirements
• they are relevant to conformity of products and services and to enhancement of customer satisfaction
• ther are monitored, communicated and updated as appropriate

In connection with the documentation of quality objectives, the necessary top-level improvements and tasks, needed resources, responsible persons, due dates and methods for evaluating the results in order to achieve the objectives are also defined.

The organization has a quality policy developed and approved by top management.

The policy shall include at least the following:

• is appropriate to the purpose and context of the organization and supports its strategic direction
• provides a framework for setting quality objectives
• includes a commitment to satisfy applicable requirements
• includes a commitment to continual improvement of the quality management system

The organization must operate, maintain, and continuously develop a quality management system. The boundaries and scope, contents, role, cumulative implementation information and other necessary descriptive information related to the management system must be clearly documented.

The organization has a process for identifying internal and external issues that are relevant to its purpose and QMS. This can be implemented e.g. through strategy work or by utilizing SWOT (for internal issues) or PESTLE (for external issues) analysis.

Process includes describing how the relevant issues are followed and how they generate risks, changes, improvements or tasks to the management system, when they are relevant for properly reacting to the identified external and internal issues.

Examples of relevant internal issues might be:

• issues related to values
• issues related to culture
• issues related to organizational structure / governance
• issues related to organizational knowledge
• issues related to performance of the organization

Examples of relevant external issues might be:

• new relevant legislation
• new relevant technological developments
• actions by competitors or changes in competitive environment
• new market opportunities
• new economic opportunities

The organization has determined and provided the resources needed for implementing and continuously improving the quality management system.

When determining the resources, organization considers:

• the capabilities / constraints of existing internal resources
• what needs to be obtained from external providers

The organization shall also define the persons necessary for the effective implementation of the QMS and for the operation and control of its processes.

The organization proactively identifies and evaluates different quality related risks. Goal is to continuously improve, give assurance that the QMS reaches intended results and prevent or reduce undesired effects.

The quality risk documentation includes at least:

• Description of the risk
• Evaluated impact and likelihood of the risk
• Tasks for managing the risk or other treatment options
• Acceptability of the risk

The employees of organization accept the quality policy. The acceptance is monitored regularly. The quality policy may refer to a number of topic-specific policies or procedures.

The quality policy shall also in general be available in the organization, communicated and clearly understood by employees, applied in the organization and available to relevant (also external) interested parties.

The organization's top management must demonstrate a commitment to quality work and the quality management system. Management commits to:

• take accountability for the effectiveness of the QMS and its integration to organization's processes
• ensures that the quality policy and quality objectives are established and are compatible with the context and strategic direction of the organization
• defines the frameworks or other requirements that form the basis for work (e.g. customer promises, regulations or certificates)
• ensures that the resources needed to maintain quality are available
• communicates the importance of quality, process approach, risk-based thinking and customer focus
• ensures that the work achieves the desired results
• supports persons in contributing to the effectiveness of the quality management system
• promotes continuous improvement of quality management

Top management also decides the scope of the quality management system and records the decision in the description of the QMS. This means, for example, whether some parts of the organisation's activities is excluded from the scope of the QMS, or whether it applies to all processes and products / services of the organization.

From the point of view of the quality management system, non-conformities can be e.g. customer complaints, non-conforming process outputs, other situations where quality requirements are not met or other situations where related processes are not complied with.

In systematic quality work, all detected non-conformities are documented and corrected. Non-conformity documentation is managed in the QMS and it includes at least:

• description of the non-conformity and related requirement
• evaluation of non-conformity level and root cause
• improvements made to correct the non-conformity

The organization shall continuously strive to improve the performance of the quality management system. Ways to improve are being actively sought - not just through audits or clear non-conformities.

Task owner is responsible for documenting the improvements made to the quality management system and dividing them into tasks to be performed, monitoring task execution and assessing the reached effects.

The organisation regularly evaluates the level of quality and the effectiveness of the quality management system.

Organisation has defined:

• monitored metrics to provide comparable results on the development of cyber security level
• persons responsible for the metering
• methods, timetable and responsible persons for metrics reviewing and evaluation
• methods to document metric-related evaluations and results

Effective metrics should be usable for identifying weaknesses, targeting resources better and assessing organisation's success / failure related to quality.

The organization has defined methods for analyzing and evaluating the quality-related metrics defined for each process and generally for customer satisfaction.

Analysis can be carried out e.g. on periodical workshops that focus on evaluating organization's quality from the top-level.

The results of analysis are used to evaluate at least:

• conformity of products and services
• customer satisfaction and its progress
• the overall performance of the QMS and needed improvements
• the effectiveness risk management
• the performance of external providers

The organization has defined the needed 'organizational knowledge' to effectively operate its processes or delived products / services. This knowledge is documented along with process and product / service documentation in the QMS.

Organizational knowledge can include e.g.:

• current documentation, specifications or instructions about processes or products / services
• capturing and sharing undocumented knowledge and experience (can include e.g. mentoring)
• lessons learned from non-conformities, near-misses, failures or successful projects
• the results of improvements in processes, products and services
• standards or studies
• partner / customer knowledge
• benchmarking against competitors

This knowledge shall be maintained and be made available to the extent necessary.

The organization shall consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates that are needed for achieving future objectives.