What ISO 9001:2008 procedures apply for IT (Information Technology)?

QAMTY

Hi, everybody

I'm confused in considering procedures; I hope to receive help from you.

I'm in the planning of developing ISO 9000:2008.

I know there are Realization Processes, which are what we sell, and also supporting processes that help the Real. Process to achieve goals, e.g. HR, IT, and so on.

My plan is to look for a certification in about two years; meanwhile, I'm preparing the procedures that can help us to have control over our products (Design and installation of Mech. Equipment), which is what we are now focusing on.

Then I started with Client and complaints, CA/PA and Nonconformance procedures.

But as someone here in this forum said, for IT especially, we should go with ISO 20000.

In 9000:2008, IT fits in 6.3 Infrastructure, where we should have at least procedures for: ensuring backing-up of data, security, data loss prevention, etc.

From this point of view, if I'm focusing on the realization products and all my procedures are designed for that.

Questions:

- Should I adapt the existing ones to comply with IT? Because sometimes a CA/PA will be needed in IT.

- Should I go deeply into developing procedures for IT?

- Can I consider only the Real. Process and create only brief procedures for IT?

- What to include and not to include?

Please shed some light on me

Thanks
 
Duke Okes

Re: What ISO 9000:2008 procedures apply for IT (Information Technology)?

Primary areas where there may be IT procedures under ISO 9001 are:

- 4.2.3 - ensuring that appropriate documents cannot be changed/accessed by just anyone, but only those who are authorized

- 4.2.4 - backing up of documents, data & records

- 6.3.c - ensuring adequate IT resources
 
QAMTY

Re: What ISO 9000:2008 procedures apply for IT (Information Technology)?

Thanks Duke Okes

But what happens if, for example, in backing up documents a problem is faced and needs to be fixed rapidly (drive failed, wrong tape installed)? Then a correction action is needed and a disposition has to be applied, using the nonconformance procedure I have available for the Realiz. Process?

If a CA/PA is needed for this, then I suppose I can use the current CA/PA that I designed for the Realiz. Process?

Is that right?

Thanks
 
Duke Okes

Re: What ISO 9000:2008 procedures apply for IT (Information Technology)?

> Thanks Duke Okes
> But what happens if, for example, in backing up documents a problem is faced and needs to be fixed rapidly (drive failed, wrong tape installed)? Then a correction action is needed and a disposition has to be applied, using the nonconformance procedure I have available for the Realiz. Process?
> If a CA/PA is needed for this, then I suppose I can use the current CA/PA that I designed for the Realiz. Process? Is that right? Thanks

You could, but I wouldn't. If your IT group were ISO 22000 registered then this would be handled under Incident Management and Problem Management. If you start putting all types of problems into the CAPA system it will quickly become overloaded. CAPA under ISO 9001 is intended to deal with customer complaints, audit NCs, product failures, and process failures that impact processes that may affect the customer and/or quality objectives.

Every organization has many management systems.
- Quality (ISO 9000)
- Safety (OHS 18000)
- EMS (ISO 14000)
- Financial (GAAP)
- IT (ISO 22000)

If you want an overall, integrated system then you could/would use the same CAPA system for all of these, but I typically don't recommend it, unless the organization is very sophisticated in design & management of its management systems (business processes).
 
QAMTY

Re: What ISO 9000:2008 procedures apply for IT (Information Technology)?

Thanks again Duke Okes

Very helpful, your explanation.

But if IT is considered in 6.3 (infrastructure) in 9000:2008, should we mention it or not? Or how is this handled?

Best regards
 
Duke Okes

Re: What ISO 9000:2008 procedures apply for IT (Information Technology)?

> Thanks again Duke Okes
>
> Very helpful, your explanation.
>
> But if IT is considered in 6.3 (infrastructure) in 9000:2008, should we mention it or not? Or how is this handled?
>
> Best regards

If IT process is managed well there should be no need for procedures related to section 6.3. The IT department would be informed through the business planning process what resources are needed, changes are required, etc., and would ensure that the IT infrastructure is developed and maintained as required. Perhaps some performance objectives for the department would be useful.
 
JaneB

Re: What ISO 9000:2008 procedures apply for IT (Information Technology)?

> If IT process is managed well there should be no need for procedures related to section 6.3. The IT department would be informed through the business planning process what resources are needed, changes are required, etc., and would ensure that the IT infrastructure is developed and maintained as required. Perhaps some performance objectives for the department would be useful.

OK... so a 'well managed' process means (according to this) that there's no need for written procedures.

Oh good. So as a general manager (say) I'd have absolutely zero need to wonder how, for example, a mission-critical new IT system gets developed, tested and put into production after work by multiple different IT people on it (perhaps even in different locations & time zones) without any written procedures, because it's all gonna be just dandy... yeah, right.

Or as a division head of a large financial institution, no need to concern myself at all with how a major enhancement to my core system is done to accommodate a new range of online products and I can be quite confident that this change - to be implemented over the weekend in time to cope with the expected client demand matching a major marketing campaign. (without any procedures)

Because again, if the process is 'managed well' they won't be needed.

Yeah, right. :nope:

Your experience of IT and its multifaceted operations and critical importance in so many organisations is clearly very very different to mine.
 
JaneB

Re: What ISO 9000:2008 procedures apply for IT (Information Technology)?

> Every organization has many management systems.
> - Quality (ISO 9000)
> - Safety (OHS 18000)
> - EMS (ISO 14000)
> - Financial (GAAP)
> - IT (ISO 22000)

Not every organisation chooses or uses certification to ISO 20000 (assuming you're not doing food safety). In the absence of such (and particularly in a smallish organisation) why on earth would you not use similar/same CAPA procedures? If they're intelligently written and flexible enough to cope with both applications of course.
 
Duke Okes

Jane:

You're totally missing the point.

If you WANT to include IT related procedures in your QMS you can. You could also use the CAPA process for your financial audit findings (but bet you'll have a hard time getting your internal financial auditors to do that). You could include the records for getting the facility grounds cleaned/mowed if you want. etc. If you WANT to you can include EVERYTHING in your ISO 9001 QMS documentation.

But if you do, then it all becomes auditable by your registrar, and you've created a really big mess. And some of what they'd be auditing would be things that could include fraud, etc., not just lack of meeting customer requirements. Read the scope of ISO 9001.
 