
ISO 9001:2008 Clause 6.3 Information Systems


anwong
3rd July 2009, 04:53 AM
Hello Everybody,

I have followed the Elsmar Cove threads for a year now. It is a splendid job, guys!! :applause:

I am responsible for maintaining the ISO 9001 QMS system at a telecommunication equipment supplier, with the main part of the work activity being network design and project implementation. Staff number ~30.

I am now given the responsibility to upgrade the QMS to ISO 9001:2008, and have some queries on an additional item in Clause 6.3: Infrastructure ... c) Supporting Services (... Information Systems).

Our office uses Information Systems mainly for database and e-mail services, with networking. Other software related to the equipment is on each equipment's individual PC and is not networked. We have our annual software and hardware audits.

The questions are:
a) What are the general requirements for maintaining Information Systems?
b) As it is one of the supporting services, is it necessary to maintain a procedure if we already have an IT Policy and are able to provide evidence of its activities?

SteveK
3rd July 2009, 06:04 AM
To cover my back on this as part of the QMS (6.3), I have created a basic short procedure (SOP) for Computer Software & Infrastructure Management. This explains what is in place ({1} Infrastructure e.g. manufacturing control, accounting, e-mails etc) and how it is controlled ({2} General Requirements e.g. systems backup, upgrades, UPS, Anti Virus etc) and {3} Management Responsibility. Also noted links to 4.2.3 and 4.2.4 (control of documents and records).

brahmaiah
3rd July 2009, 06:08 AM
If your software and hardware are employed for the manufacturing process and quality control, they require periodic validation of related processes and measurements. If not, you do not need any special procedure to monitor them. But the normal requirement of copying back-up of data to prevent loss of data is a general necessity.
The standard does not require any procedure for asset control. But work instructions at critical processes are necessary.
As I see it, there is no special requirement added in the revised standard in case of software/hardware.
V.J.Brahmaiah

brahmaiah
3rd July 2009, 06:10 AM
Please show us also your 'basic short procedure'. We can learn or even improve upon it.
Thanks,
V.J.Brahmaiah

SteveK
3rd July 2009, 06:55 AM
Hi VJ,

No problem - see attachment. Obviously this SOP is specific for my company set-up and requirements, but I am sure it can be adapted.

Steve

anwong
5th July 2009, 10:56 PM
Thanks guys.. appreciated the response :)

amanbhai
6th July 2009, 12:41 AM
I will amend my Quality manual by taking your SOP as an example.:thanks:

brahmaiah
6th July 2009, 03:18 AM
Thanks SteveK your SOP is superb!
v.j.brahmaiah:applause:

Ted Schmitt
6th July 2009, 10:03 AM
Steve,

The only difference in my SOP and yours is that I laid out a contingency plan in case I arrive one morning and find our shop either empty (theft) or up in smoke... I laid out priorities in acquisitions, retrieval of off-site backups, and general priorities in getting things up and running...

SteveK
6th July 2009, 10:25 AM
Ted,

Nice to know somebody has a similar approach to such matters (sanity check!). However, I have to go a whole level up on a SOP for disasters, pandemics (swine flu!) etc. Because of the UK Civil Contingencies Act (2004), our customers (hospitals etc) require us to have a Business Continuity Plan (and policy) in place – which we have (about 30 pages worth!). There is even a British Standard to cover this (BS 25999-1), and it requires periodic testing (e.g. a simulation).

Steve

Ted Schmitt
6th July 2009, 12:53 PM
Wow, sounds like you have your hands full !!

somashekar
6th July 2009, 01:20 PM
Do address your back-up and disaster management that is in place for your data protection.

samsung
6th July 2009, 03:02 PM
I have a question here. How do you satisfy the new requirement related to verification & configuration management. "Confirmation of the ability of computer software to satisfy the requirements of the intended application would typically include its verification and configuration management to maintain its suitability for use."

We are about to bring IT under the QMS cover & as such need to address this requirement of 9001:2008. By configuration Management, what I understand is that one takes a snapshot of the Zero day configuration and freeze (control) this information so that it could be used in future events to track the source(s) of changes to the software (or hardware) attributes.

Is it similar to baselining & controlling the information or something more (or different) than this?

Your inputs are appreciated,

Regards,

somashekar
7th July 2009, 01:32 AM
Sometime back when I did a search for such a procedure, I got this which is attached, I used it with modifications suitable for my organization. Hope this gives you a lead ....

samsung
7th July 2009, 05:42 AM
Thanks for the attachment. It is indeed a good procedure but still I don't find what I have been looking for, i.e., configuration management & how to address it w.r.t. software developed & used in-house. Does one need to control & manage the configuration of SAP ERP? My own assumption is Yes, it does but I do wish to know how to go by with.

Any more inputs will be really appreciated.

meo786
17th July 2009, 02:40 AM
Such a nice discussion. I really need to cope with this new requirement for information systems; I request all the experts to please guide us and provide some more samples.

Thanks & best regards.

amanbhai
17th July 2009, 04:40 AM
Disaster recovery/business continuity plan as well as ISO 27001 (in process): do we still need information system? :confused:

arin_23
17th July 2009, 08:18 AM
Dear Samsung,

Configuration management is the name of the process which has the activities of baselining and controlling of the "work products". The term configuration management is used more in SEI CMMI, wherein a specific process area is assigned towards configuration management. I would request you to consult the CMMI for Development Ver 1.2 to have more clarity on this.

IMHO changes in hardware attributes should not be a part of your Configuration Items list unless you are not producing it. In most of the cases the configuration management is applicable to the standard software packages you are using, the application software you are developing and the artifacts you are documenting for your day to day reference.

The configuration management can sometimes be similar with the Document control process, but please remember that records can never ever be example of CI.

For your convenience I am noting down the specific practices (As per CMMI) of the configuration management process as follows:

1. Identify configuration items;
2. Establish a configuration management system;
3. Create or release baselines;
4. Track change requests;
5. Control configuration items (mostly through version control);
6. Establish configuration management records (mostly analogous with the master list showing the status of "Current" or "Obsolete");
7. Perform configuration audits.

Hope this is useful in clarification of your doubts to some extent.

Regards,

Arin
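
The baseline-and-audit idea discussed in the posts above (identify configuration items, freeze a baseline, then audit the live state against it), as an added example that is not part of the original thread or of any poster's procedure. It assumes configuration items are files tracked by SHA-256 hash; the file names, function names and the `approved` list standing in for approved change requests are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def digest(path):
    """SHA-256 of a file, or None when the configuration item is missing."""
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None


def create_baseline(root, items, label):
    """Freeze the current state of the identified CIs as a named baseline."""
    return {"label": label, "items": {i: digest(Path(root) / i) for i in items}}


def audit(root, baseline, approved=()):
    """Compare live CIs with the baseline; `approved` = CIs with a change request."""
    findings = {}
    for rel, frozen in baseline["items"].items():
        live = digest(Path(root) / rel)
        if live == frozen:
            continue  # item still matches the frozen baseline
        if live is None:
            findings[rel] = "missing"
        else:
            findings[rel] = "changed-approved" if rel in approved else "unauthorized"
    return findings


def demo():
    """Constructed sample: one CI changed with approval, one without."""
    with tempfile.TemporaryDirectory() as root:
        cis = ["erp/settings.ini", "erp/report_template.xml"]  # hypothetical CIs
        for rel in cis:
            path = Path(root) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("version=1\n")
        base = create_baseline(root, cis, "day-zero")
        (Path(root) / cis[0]).write_text("version=2\n")
        (Path(root) / cis[1]).write_text("version=1\ndebug=on\n")
        return audit(root, base, approved={cis[0]})


if __name__ == "__main__":
    print(demo())
```

An "unauthorized" finding is a change with no matching change request, which is the case a configuration audit exists to surface; after an approved change the baseline would be re-released so later audits compare against the new state.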