Why compliance is significant
Every industry has evolved to require high-quality products that are safe for usage according to the applicable rules. Those often appear as international standards that provide a framework for applying the global best practices from operational, ethical, and legal standpoints. Therefore, the primary benefits of aligning with those guidelines are reputational and financial gains.
Compliance can streamline operations and prevent defective products from being released or ensure incidents do not occur during the manufacturing processes. ISO 27001 compliance, for example, helps to protect you from the threat of a data breach, which could cause financial and reputational damage. Last year, the average cost of such a breach reached a record high of $4.35M, according to the 2022 IBM report and the Ponemon Institute.
Regarding implementation research, the ISO analysis of 42 studies and 373 ISO-certified companies showed that adopting the ISO 9001 standard enhances financial performance. The American Society for Quality (ASQ) study showed that for every $1 spent on your Quality Management System (QMS), you could expect an additional $6 in revenue, a $16 reduction in costs, and a $3 increase in profits. On average, they saw that effective quality management reduced costs by 4.8%.
Some of the more popular ISO standards include:
In this mini series of articles, we will describe how our tools help at different stages of establishing & improving the compliant Quality Management Systems, using the PDCA cycle (Plan, Do, Check, Act) as the guideline. This post will focus on the strategic level of the Plan stage.
Plan
In the world of Quality Management Systems, having the right tools at your disposal can make all the difference. Xray is a Jira-native Test Management app designed for various quality management needs, and is here to enhance your journey through these standards.
With Xray by your side, you can streamline testing, track quality, and support your compliance journey. In this article, we'll explore how Xray complements your strategic Quality Management Systems efforts and supports your compliance with ISO 9001, 27001, and 31000.
ISO 9001
This standard sets out the criteria for a Quality Management System and applies to the organizations engaged in the design, development, production, and servicing of goods (i.e., to most software development organizations). ISO 9001 is based on 7 quality management principles, and we will dive deeper into principles 3-6:
Engagement of people
This principle has two important components: empowerment/competence and collaboration.
Regarding competence, it is essential to have documentation covering the basics and nuances of the processes, tools, possible configurations, extensions/integrations, etc. Xray has plenty of self-paced resources (Data Center, Cloud, Xray Academy) to facilitate training, improve knowledge, and ensure seamless adoption.
To facilitate collaboration and foster clarity, you can invite every team member to participate in quality-related tasks, removing the friction that exists whenever different team roles use siloed tools:
- Quality-related artifacts from Xray can be shared in a variety of formats. All core entities, including Test Runs (i.e., results), can be exported to PDF, Word, or Excel using fully customizable documents in terms of layout.
- Comments and evidence can be added to all Xray issue-based entities (e.g., Tests) and also to Test Runs.
Process approach and improvement
The effectiveness of the quality management approach depends on how thoroughly it is integrated into all facets of your organization. Having the Atlassian ecosystem as the single source of truth significantly simplifies that integration aspect.
Furthermore, Jira and Xray enable multiple customizations to adapt to the evolving organizational needs:
- Different deployment versions (Data Center and Cloud) with seamless connectivity between Jira and Xray.
- Flexible ways for organizing your project related items (all-in-one vs testing entities separately)
- Different levels of objectives with traceability and quality gates
- Improved visibility into interrelated tasks with proper assignments and notifications
- Establish KPIs and quantifiably measure them
- add custom fields to any entity (e.g., probability, severity, performance thresholds)
- implement additional customizations (e.g., ScriptRunner, Automation for Jira)
Evidence-based decision making
This principle is primarily enabled by detailed reports that promote easier visibility and awareness. With Jira and Xray, you can export data in compliance-focused, human-readable formats and automate data snapshots.
Two options exist to achieve this: using the built-in Document Generator capabilities or the more complete and flexible Xporter App. With Xporter, it is possible to automate the creation of these documents and, for example, generate them upon a workflow transition, attach them to an existing Confluence page, or send them via email.
To consolidate the information from Jira and Xray, you can also use Jira Snapshots:
“The FDA submission requires specification and traceability reports. Jira Snapshots compiles these reports from the Jira and Xray data, avoiding burdening the team.”
Caris Life Sciences Success Case
ISO 27001
This standard establishes the requirements for an information security management system. ISO 27001 focuses primarily on maintaining information confidentiality, integrity, and availability.
Confidentiality and Information integrity
To support these principles, Jira and Xray allow you to:
- Implement access control and permissions for any entity (i.e., Project, Story, Test Plan, Test Execution, etc.)
Source: Atlassian Support
- Use e-signatures to track explicit approval.
- Xray issue-based entities can all be digitally signed using one of many available Jira apps. This unique advantage is that it provides full control over the core testing activities.
Availability of data
In order to enable auditing and facilitate diagnosis, data must be stored, and changes, whenever applicable, need to be identified. With Xray, you can ensure data persistence, maintain history visibility, and track changes without tampering.
- You can monitor overall changes and individual test step modifications from the Xray Test History tab on the Test Issue screen (under Activity).
- Historical results (i.e. Test Run details) cannot be modified. The same applies to past changes made on Jira issue-based entities. If a Test changes, the recorded results don't.
Atlassian is ISO 27001 certified. Xray holds a SOC 2 Type 2 certification. Both Xray and Jira are also committed to complying with GDPR, for instance:
- encrypting data in transit and at rest;
- providing data residency program;
- providing optionality within different product or account settings;
- using robust security controls.
ISO 31000
This standard family sets the guidelines for engaging in Enterprise Risk Management (ERM). It provides best practices for identifying, assessing, treating, and communicating risks.
It would be nearly impossible to successfully implement and sustain the risk management process compliant with ISO 31000 if an organization heavily depends on paper-based communication and record keeping.
Xray supports Risk-Based Testing (RBT) and allows you to define risks at different levels: project, requirement, or test. In Jira and Xray, you can:
- manage risks and track their status
- classify risks by impact, probability, and other user-defined fields
Navigating the Compliance Journey
In this two-part series, we've shed some light on the benefits of the benefits and strategies for achieving compliance. In the upcoming second part, we will take a deeper dive into the "Do, Check, and Act" stages of building a compliant Quality Management System. Stay tuned for more insights on how our tools can guide you through your compliance journey.
Compliance is not just a box to check; it's a commitment to excellence, safety, and the future of your industry. We look forward to guiding you through the next steps in your compliance journey.
For more detailed guides, read our compliance journey’s financial example, and our documentation page for a broader overview on ensuring compliance in regulated industries with Xray.
