Hey everyone!

Long time no talk! Sorry been so quiet. We just finished year 3 of 92k audits.. No Minors this time, but I think the auditor was going through OFI withdrawl.. (Raised about 15)

Anyway, one of the things that was identified as an OFI was a document disaster recovery program. This all came to surface when I presented him with our drafted BCP plan which we used as part of our preventative action.

Is there anyone out there that has one? From my understanding there is a standard out there that covers this specifically?

Look forward to your comments!
Edith:eek:

Financial or environmental?

As far as 9K2K goes, I don't "think" that it out right states that you need one. Now read between the lines, 6.3, 6.4, etc. It is all over the place. Also a good business practice.
We are required by Ford to have one and we have linked it with the ISO 14001 preparedness requirement. Most are simple, I would be surprised if your IT department didn't already have something in place (off-site storage of backups, etc.). :bigwave:

I believe there are ISO standards concerning data security, but I can't recall the numbering and if they are officially released or not. You may be able to search ISO.org for them.

You can draw the line from the ISO requirement for record protection to data backup/recovery. Usually if we keep records on a server I just include a brief backup procedure, making sure somebody removes backup tapes from the premisis in case of fire.

You can get more advanced and contract with companies that will automatically backup your data across the internet to secure servers. We share the building with a company that does this. For a monthly fee they will back up your server to theirs every night. In the event of a disaster you are able to restore your data and even run on their server if your systems are down.

Tom

As far as ISO9001:2000 is concerned, I cannot really see the need for any data security standards in this case. I think clauses 4.2.3e & 4.2.4 are all it takes...

4.2.3e: to ensure that documents remain legible and readily identifiable,

4.2.4 Documents shall remain legible, readily identifiable and retrievable.

This would mean that a document disaster recovery program (Usually a computer based backup) is a good idea, right?

/Claes

Claes Gefvenberg said:
As far as ISO9001:2000 is concerned, I cannot really see the need for any data security standards in this case. I think clauses 4.2.3e & 4.2.4 are all it takes...

4.2.3e: to ensure that documents remain legible and readily identifiable,
4.2.4 Documents shall remain legible, readily identifiable and retrievable.

This would mean that a document disaster recovery program (Usually a computer based backup) is a good idea, right?

Randy Stewart said:
As far as 9K2K goes, I don't "think" that it out right states that you need one. Now read between the lines, 6.3, 6.4, etc. It is all over the place. Also a good business practice.


Both of the above are very good points. In the QMS of the lab I am working with, we are trying to be as paperless as possible consistent with other needs. We treat the computer system issues under 6.3 Infrastructure, on the basis that the computer network is part of the laboratory facilities. The procedure to implement that clause with respect to computers deals with physical security, data security (including backups), loss of computer system availability, and disaster recovery.

Our philosphy is that a properly functioning and secure computer network infrastructure (6.3) is important to enable the procedures of 4.2.3e and 4.2.4.

(We have also learned to test the procedures to ensure that they work. That was strongly reinforced the first time a server crashed -- in the middle of an audit!)


Graeme
-------------------------
"Murphy was an optimist!"

Edith,

What docs. are really important to your company? If there was a fire at your place, what might you lose that is critical to the functioning of your company and your customer? Of course it varies company to company. Maybe finance stuff like invoices, AP/AR, payroll data or tax data; maybe compositions or recipes for your products; maybe test records? Once you know the answer to this question, decide how you might back-up this info. so it would survive a fire, flood, tornado, computer virus attack, computer HD failure, etc. If it is all computerized, the job can be as easy as a backup to an off-site server as mentioned or a CD or tape backup carried home by someone as often as required. Paper docs. are more of a pain. For our company, we don't worry about any ISO standards to cover it, we simply do computer data backups every week and store copies of critical paper records in a fireproof safe. Keep it a simple as needed, but no simpler.

Edith said:

Hey everyone!

Long time no talk! Sorry been so quiet. We just finished year 3 of 92k audits.. No Minors this time, but I think the auditor was going through OFI withdrawl.. (Raised about 15)

Anyway, one of the things that was identified as an OFI was a document disaster recovery program. This all came to surface when I presented him with our drafted BCP plan which we used as part of our preventative action.

Is there anyone out there that has one? From my understanding there is a standard out there that covers this specifically?

Look forward to your comments!
Edith:eek:

Couple of questions what is BCP? What type of business are you in and are your records electronic or paper?

Lastly is the Standard you refer to BS DISC PD 0013- RECORDS MANAGEMENT - A GUIDE TO DISASTER PREVENTION AND RECOVERY AKA ISO 17799

Edith said:

Anyway, one of the things that was identified as an OFI was a document disaster recovery program. This all came to surface when I presented him with our drafted BCP plan which we used as part of our preventative action.


Hi, Edith!

Our Registrar gave us an OFI on this as well....and was summarily rejected. We do tape back-ups of our systems, but she wanted us to have a programme with our computer system supplier(s) to reinstate hardware and software as quickly as possible in case of a disaster (natural or otherwise). The intent is to ensure that we are back in business as quickly as possible.

We acknowledged her point but pointed out that it was not worth the cost to set-up that kind of programme.

Her response was that she was actually giving us a mandatory OFI! :confused: Arguing that an OFI is not mandatory...it is a recommendation from the Auditor to improve efficiency and effectivess that we, as the Auditee, can reject....she backed off. But every time she is back, she starts going down that path again.

There is no "shall" requiring us to have some sort of contingency plan. We do tape backups as part of "Good Management Practices"...and for now, that is where we draw the line. :cool:

Thanks for the info guys...

Most of our documents our hard copy, as they are shipping documents. However, we do back ups on our operating systems and accounting systems so it should cover most anyway..

Mandatory OFI... Wow, I think I've heard it all now... :bonk:

Thanks for the info guys...

Most of our documents our hard copy, as they are shipping documents. However, we do back ups on our operating systems and accounting systems so it should cover most anyway..

Mandatory OFI... Wow, I think I've heard it all now... :bonk:

I was just informed from our previous auditor that we would need to have a documented disaster plan. I said we back up our server twice a month and keep the disc's off site. She asked what happens if the place burns down, how would we provide our customer with their products in the time they requested them? Do we have a back up plan to subcontract the work out to another supplier? I said NO! Since our customer is mainly Honeywell and we are an OEM I seriously doubt, we will be sending our work out to another supplier of Honeywell's with our proprietary information. Is it not enough that we have Insurance, sprinkler systems, surge protectors, and fire extenguishers? Should I have stated in our procedure for the control of records that we back up our server? Help!

Paula

I was just informed from our previous auditor that we would need to have a documented disaster plan. I said we back up our server twice a month and keep the disc's off site. She asked what happens if the place burns down, how would we provide our customer with their products in the time they requested them? Do we have a back up plan to subcontract the work out to another supplier? I said NO! Since our customer is mainly Honeywell and we are an OEM I seriously doubt, we will be sending our work out to another supplier of Honeywell's with our proprietary information. Is it not enough that we have Insurance, sprinkler systems, surge protectors, and fire extenguishers? Should I have stated in our procedure for the control of records that we back up our server? Help!

Paula


What "shall" are they quoting from? There is no "shall" for contingency plans.

6.3 states "Infrastructure includes, as applicable..." - If it ain't applicable to your organization (like mine due to financial reasons), so be it.

4.2.3 states nothing about back-ups for doc control.

4.2.4 states that you shall establish "the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records." No mention of contingency plans. If you are happy with your contingency plan so be it.

Look, we all agree that it would be nice if we could have state-of-the-art backup plans that would guarantee our start-up after a disasater to avoid Customer Complaints. Unfortunately, the Real World seldom matches the Ideal World we would all rather live in.

Raptor, get that "shall" from the auditor. My organization has gone through this the past two audits and thankfully, our auditor has backed away.

Paula,
I know that Ford requires us to have a Disaster Recovery Plan for internal controls and GAO. So it may fall under Customer Requirements again.
We took DRP and combined it with our Emergency Preparedness Plan for ISO-14001.

I found what she was talking about... ISO9004 6.3 The process to define the infrastructure necessary for achieving effective and efficient product realization should include the following:
.........
"The plan for the infrastructure should consider the identification and mitigation of associated risks and should include strategies to protect the interests of interested parties."

But I totaly disagree that process to define = shall document.
Our Audit is scheduled for November, I can throw together a process for backing up the server and state the responsiblities and requirements, or can I just tell them the auditor if they ask, This is how we do it?

Thanks for your responses and help! :)
Paula

Unless a customer requires it, or your documentation requires it, I see no basis for a 9k2k auditor requiring a disaster plan of the scope your auditor suggested. A wise man once coined a pithy little quote: "Where is the shall?" Short and succinct, and I think applicable here as far as asking your registrar. Sounds like another registrar-specific "above and beyond ISO" requirement. :mad:

I found what she was talking about... ISO9004 6.3 The process to define the infrastructure necessary for achieving effective and efficient product realization should include the following:
.........
"The plan for the infrastructure should consider the identification and mitigation of associated risks and should include strategies to protect the interests of interested parties."

But I totaly disagree that process to define = shall document.
Our Audit is scheduled for November, I can throw together a process for backing up the server and state the responsiblities and requirements, or can I just tell them the auditor if they ask, This is how we do it?

Thanks for your responses and help! :)
Paula

9004 is not 9001! Your registrar should be auditing to 9001, not 9004!

9004 is not 9001! Your registrar should be auditing to 9001, not 9004!

EXACTLY what I was thinking and I just gained a few more grey hairs over this whole mess! :ko:

We are going for our AS9100A cetification and I thought we were ready untill the phone conversation I had earlier with our former auditor. She told me to just think about it....and then I came here where the smartest people on earth live! :D

We were given an improvement note against IT Management.

Quote :

"Guidlines have not been issued for the system back-ups carried out daily using 2 sets of tapes. Also any Disaster Recover Plans have neither been specified nor formally implemented"

Now I took this as meaning 6.3 b, as our main function is Sales, and the hardware and software of the computer being the process equipment necessary to operate our business.

I've just detailed our backup procedure, and a short note about what happens if the server breaks down, and I reckon that goes as deep as I need to, but we'll see after the next visit.

I agree with you Mike :agree:

Your right it goes as far as you need steve. I Have read this thread with alarm. i can't belive that auditors are insisting on this!! RCB, I was particularly alarmed by yours. No auditor can insist on you having this and it is un professional to bring this up time and time again. If I were you this would be nipped in the bud immediately with a call to the chief certification manager of your registrar.

We have 1 sentence in the document control procedure saying the computer system is backed up every night. We also keep a hard copy of procedures in case anything goes wrong ! i can't belive some of the things you guys are up against.

Steve, you do not have to write a procedure for this. it is down to the experience and skills of the IT department to carry this. And make sure you don't let your auditor dictate the way your system is run. They are only there to ensure compliance with the std.!!!

RCB, I was particularly alarmed by yours. No auditor can insist on you having this and it is un professional to bring this up time and time again. If I were you this would be nipped in the bud immediately with a call to the chief certification manager of your registrar.

That would have been the process followed if the "suggestion" had become a finding. As it did not progress beyond the OFI stage the first time around, and was simply an "off-the-wall" comment during the secound audit, there was no need to bring this up with the Registar.

I made comments about the professionalism on my feedback sheet and have been contacted by the Registrar before.

But there was no point in fighting a non-issue. If she had made it a finding and refused to budge, then yes, more drastic measures would have been taken on my end.

It's more than just fight the fights....it's fight the right fights.

Hey you guys,

Are Auditors getting desperate or what??? As we continue on this journey preventative maint. on document recovery, I look forward to Mr. auditor coming back on November 11th 2003, and saying well, you haven't done what I suggested, at which point I will basically turn around and say, "Well, ***** it's time we re-look at the contracts with you"

It's been
a great thread guys thanks! I look forward to showing my auditor :vfunny:

This was a comment on our Quality manaul review....I'll cut and paste

"3.ISO para 6.3 requires that the infrastructure be defined. The QSM does not appear to define the specific infrastructure and how it is maintained. Do documents such as disaster recovery plan exist? What safeguards or preventive measures are in place to ensure that there will be a minimum amount of failures with the infrastructure? (See ISO 9004:2000 for guidance)."

Don't know what we are currently doing as far as backup plan, but why would I want the "Specifics" in the QManual?

Oh well, I just recived the QM back today and our audit is next week, not much I can do about it now.

Cheesy,

Well, 6.3 says "determine, provide, and maintain" not "define" infrastructure. Does your QM say that you do this ("determine, provide, and maintain") somehow? Do you mention supporting procdures that address the "how" you do it? Maybe mentioning a PM program, ways that management can determine what infrastructure is needed, etc. ?

A "disaster recovery plan" is not in 9001:2000, so if your company does not feelone is needed I'd tell him, "No we do not have one. We minimize failures via our PM program."

JMO

I certainly don't use the quality manual to put specifics unless it seems appropriate to the organization's needs. I also did a quick review of section 6 of ISO 9004 and I see nothing even close to the auditors comment. I don't suppose you have the same registrar as Roxane do you?

Cheesy,

Well, 6.3 says "determine, provide, and maintain" not "define" infrastructure. Does your QM say that you do this ("determine, provide, and maintain") somehow? Do you mention supporting procdures that address the "how" you do it? Maybe mentioning a PM program, ways that management can determine what infrastructure is needed, etc. ?JMO

She uses the word "define" a lot in place of the standards "determine" in her report.
Our QM says nothing (take note: I didn't write our QM) about supporting procedures for 6.3. Here is what we have...not much, and I think this might be her point.

"Infrastructure: The Company’s executive management has determined, provided and maintains the infrastructure needed to achieve conformity to product requirements. This infrastructure includes:

A) Buildings, workspace and associated utilities.
B) Process equipment (both hardware and software).
C) Supporting services such as transport or communication.

6.4 Work Environment: The Company’s executive management has determined and manages the work environment needed to achieve conformity to product requirements.

hoeste said: "I don't suppose you have the same registrar as Roxane do you?"

I don't know about Roxane, but I do know it's the same as Paula's.

I'm just happy that we received feedback on our manual (even though it’s week before the audit). We just might get our $$ worth this year.

Cheesy, I bet I know exactly who your auditor is...the very same one who started the return of my grey hair! I am expecting the review of our QM back tomarrow and I will let you know if it contains the same questions. I am going to stand firm on the fact that a Disaster Recovery Plan is not a requirement of ISO 9001:2000 or AS9100A but... if it is a requirement of your customer and the Auditor knows this, then well you know what to do, comply.
Paula

6.3.2 Contingency plans
"The organization shall prepare contingency plans to satisfy customer requirements in the event of an emergency..."

I see two separate things in this tread. One is the requirement of computer backups and recovery systems, the other is a contingency plan (as referenced above). 6.3.2 is quite clear on the subject, however it is for ISO/TS 16949:2002 , not ISO 9001. Some auditors tend to think that if it is in TS, then ISO companies should do it as well. Perhaps they should, but it is certainly not required.

In the first case of computer backups and recovery plans. The only application I can see would be, if you use a strictly electronic system, how you ensure the requirements for 4.2.3 are met in the advent of computer failure. I was working for a company once where, for security reasons, we could only use files stored on the main hard drive. That drove us nuts. The time to open, save and print copies was unreal. Well, we had a main hard drive fail. None of us could work, so we didn't. 4.2.3 was not an issue, because no activity requiring document control was occuring.

Well we had our visit, and received an improvement note against PA.

Our PA kicks in after a CA is raised, as you would expect. PA is also generated from our department meetings, and management review if anything crops up.
We also detailed our calibration schedule, IT backup policy, disaster recovery on the network, our service schedules for the company vehicles, and spare vehicles we keep in case of serious break-down as our main function is selling and delivering to customers.

The improvement note was raised as follows :-

"In considering preventative action, the company has not also included or formally documented the review of potential threats and risks to the business in terms of the following :-

a. Loss of staff
b. Loss of key customers or suppliers, equipment, processes
c. Loss of premises in case of fire and so on. "

I think this is a bit harsh, I hadn't reckoned on going so deep into this.

How far do you realistically have to go ?

Alien invasion ? Nuclear attack ?

I think this is a bit harsh, I hadn't reckoned on going so deep into this.

How far do you realistically have to go ?I see. Is that auditor breathing helium all the time, or does he occasionally get in actual contact with Terra Firma? :rolleyes: .

8.5.3 requires you to "...determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence".

If you have not considered the potential risks for the above points, I would not question that. My interpretation would be that you don't consider the risks to be great enough to warrant preventive action. Besides: Is any of the above a nonconformity at all?

/Claes

Our auditor has been excellent throughout most of the audit, offering good advice on improving areas, and making valid suggestions. He also has an excellent overview of our business, and when he finds a NC, it's not the end of the world. I feel that we are obliged to make efforts rectify this, but I'm certainly not going into the detail that I think he wants from us.

The bottom line is that the most important thing to us is making sure the customer receives his delivery when he needs it. For this, we need a computer system for order processing, and even when the computer has gone down in the past, we get away with hand written paperwork, the old fashioned way!

If our delivery vans are not working, we can't meet the customer's needs, so we have to keep the vehicles serviced.

We have a large customer base, and if we lost a major customer, sure it would be painful, but we would carry on.

If key staff leave, as they well might, we have job descriptions and work instructions for a new employee to join the team, or be promoted. nobody here is indispensible, so again it would be painful, but not a huge problem.

Regarding c, if we had a major fire or other disaster that meant we lost the premises, we would have to close the business. All of our stock is here, we certainly don't have contingency stock and premises, and have no intention of doing so. We are not making any plans to cover this potential risk, so do I write this into a procedure ?

example :-

8.5.3. PREVENTATIVE ACTION

In the event of a disaster, the company has taken steps to ensure that we cease trading.

:confused:

Well we had our visit, and received an improvement note against PA.

The improvement note was raised as follows :-

"In considering preventative action, the company has not also included or formally documented the review of potential threats and risks to the business in terms of the following :-

a. Loss of staff
b. Loss of key customers or suppliers, equipment, processes
c. Loss of premises in case of fire and so on. "

I think this is a bit harsh, I hadn't reckoned on going so deep into this.

How far do you realistically have to go ?

Alien invasion ? Nuclear attack ?

There is no nonconformance here just an "improvement note", but it seems like the auditor has been trained to audit against ISO 9004. I am confused about this :confused: , are registrars doing internal training of their auditors to ISO 9004 standard?
Just when you think you have your "i's" dotted and your "t's" crossed, someone throws in an "improvement note" that makes you go hum? :bonk:
Paula

Our auditor has been excellent throughout most of the audit, offering good advice on improving areas, and making valid suggestions. He also has an excellent overview of our business, and when he finds a NC, it's not the end of the world. I feel that we are obliged to make efforts rectify this, but I'm certainly not going into the detail that I think he wants from us.
---X---
We are not making any plans to cover this potential risk, so do I write this into a procedure ?
I'm glad to to hear that your auditor is generally doing good work, although I clearly think he's lost contact with the ground in this case.;) .
---X---
Anyway: I don't think you need to put your decision down in a PA procedure. The PA procedure should describe your PA process, not the results thereof. That belongs in a record. Contents in that record could of course be a decision to update an existing procedure or write a new one...

Just like Paula, I'm a bit concerned by the fact that many auditors seem to be asking for things not required by the standard they're auditing acc. to. Make no mistake about it, I think ISO 9004 is a great tool when you build a system, but it would help a lot if auditors audited acc. to the proper standard and nothing else...

/Claes

Make no mistake about it, I think ISO 9004 is a great tool when you build a system, but it would help a lot if auditors audited acc. to the proper standard and nothing else...

/Claes
Dadgum it, Claes, there you go again, once again introducing common sense into the discussion! Is it any wonder you have problems with customers! :vfunny:

Dadgum it, Claes, there you go again, once again introducing common sense into the discussion! Is it any wonder you have problems with customers! :vfunny:
Er... Just one of them, actually... but on the other hand, that single one is major trouble at the moment...;) We'll get things sorted out in the end, though.

And I love to complicate matters by dragging facts into the discussion :biglaugh:

/Claes