The International Journal of Conformity Assessment
resource needs and meet them to achieve their KMS objectives. These resources may include infrastructure, technology, communication, competence, awareness, and documented information. The standard stresses and mandates documented information as evidence of competence. Research [9] shows that organizational barriers are the most prohibitive to successfully implementing a KMS. Therefore, organizations shall design their programs to ensure that all required competencies are met or updated, that relevant elements are communicated internally (or with external parties), and that activities to raise organizational awareness are included.
Section 8 – Operation: Organizations shall determine and plan KMS processes—including outsourced processes—to meet the requirements of this standard. During implementation, these processes must be controlled according to the established criteria. Documented information is mandatory to ensure all processes are conducted as planned. The knowledge development process given in Figure 1 may be used as a base model. Similarly, according to NASA, the KM process is “the architecture used to acquire and benefit from knowledge resources and capabilities [10].” Considering its business processes, an organization may ask questions to design its KMS process, such as how and from which sources knowledge may be acquired, what the best strategy is to capture knowledge, and what methods will be applied throughout the life cycle. Most importantly, every process must have a goal and an envisioned benefit.
Section 9 – Performance Evaluation: This section consists of three subtitles. First, organizations must identify, monitor, measure, analyze, and evaluate performance indicators and metrics and then document the results. Second, organizations shall conduct planned internal audits to measure conformance levels in accordance with the standard’s guidelines as well as organizational requirements. The audit program and results must also be documented. Last, management personnel should regularly review the effectiveness of a KMS and document the results.
Section 10 – Improvement: Organizations shall have a methodology in place to address nonconformities with root causes and corrective actions, as well as strategies for continuous improvement. The standard mandates documented information for the evaluation of corrective actions.
2022 | Volume 1, Issue 1
Supplemental Materials: Annex A gives brief information on the range of KM, while Annex B describes the relationship between this range and related disciplines. Finally, Annex C introduces aspects of KM culture within the organizational culture.
KMS and Other ISO Standards
Although ISO 30401:2018 is the only standard focused on KMS, there are two main standards that relate to knowledge management. In 2011, the technical committee (ISO/TC176/SC2) responsible for the “ISO 9001 Quality Management Systems – Requirements” standard conducted a worldwide survey that revealed a demand to include a KM requirement. The next ISO 9001 update, published in September 2015, included knowledge as a resource requirement, stated in clause 7.1.6 as follows:
“The organization shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services. This knowledge shall be maintained and be made available to the extent necessary. When addressing changing needs and trends, the organization shall consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates [11].”
To meet this requirement, organizations can either choose to implement ISO 30401 requirements as a whole or use its guidance to integrate knowledge management elements into an ISO 9001 quality management system. This integration should cover the process approach, the plan-do-check-act (PDCA) cycle, and risk-based thinking. Creating a knowledge map by linking an organization’s products and services to identified knowledge categories, and then linking those categories to resources, may be a good starting point.
A simple model may be used for a specific product, service, or organizational activity, as illustrated in Figure 2. Under the direction of top management, the organization considers the need for new or updated knowledge, which may be identified through a variety of sources. Once identified, an author prepares all materials (e.g., documents, audio-video sources, web or software applications) to share the available knowledge with interested parties. A review—based on four key principles—is required prior to approval, publication, and communication by organizational representatives. The users of this knowledge may identify areas requiring correction or improvement and provide feedback so that organizational representatives can make any necessary updates. Also, through performance evaluations, the organization has the opportunity to acquire new knowledge. This cycle can be applied to all relevant products, services, or organizational activities where appropriate and applicable.
Figure 2. Model for integrating KMS to ISO 9001:2015
Another publication, “ISO/IEC 27001:2013 Information Technology — Security Techniques — Information Security Management Systems – Requirements” (ISMS) [12], also has connections with KM. Since data evolves into information and then into knowledge, one must consider the security of information, and therefore of knowledge. This standard is based on the CIA triad model, which comprises confidentiality, integrity, and availability. According to ISO 27000:2018 [13]—which provides an overview of ISMS along with relevant vocabulary terms—confidentiality requires that information is not made available or disclosed to unauthorized sources (in other words, only authorized individuals or systems can view information). Integrity refers to the accuracy and completeness of information, implying it has not been intercepted or manipulated. Availability means information is accessible and usable on demand (e.g., a database is available to those who have access privileges). The lack of any of these attributes can result in commercial harm, business damage, or reputation loss.
Another view is that KMS and ISMS applications have a couple of intriguing similarities [14]. Both management systems are dependent on people, and both are aimed at the production of public goods [15]. Another similarity is the positive effect of knowledge that is exclusive to a specific organization (e.g., organization-wide promises of higher benefits). ISMS acts as a preventive tool by applying the CIA triad model—confidentiality decreases the risk of knowledge being shared with rivals by assuring exclusiveness, integrity safeguards knowledge from manipulation, and availability ensures knowledge is accessed on a need-to-know basis. Considering these points, complying with the requirements and applying the relevant controls given in Annex A of the ISMS standard helps organizations secure their information more effectively.
Other publications such as “ISO 55001:2014 Asset Management – Management Systems – Requirements” [16] or “ISO/TR 13054:2012 Knowledge Management of Health Information Standards” refer to knowledge in the body of