Definition Defined - Definition and meaning of "defined"

Mikishots

Trusted Information Resource
With respect to AS9100D Clause 7.5.3.2, there is a requirement to define data protection processes.

While our IT group is very much included in our audit that contains review of document and record control (as we almost exclusively have a paperless system), this requirement has them asking exactly what "define' means. They are reluctant to create any kind of document that explains how they go about protecting data because they are not the kind of guys that will do anything outside IT work that they don't have to, and audits have shown that they indeed do have a robust method and infrastructure to do these activities reliably.

But what of "define"? Is there any guidance material that would explain what the Standard specifically means and expects when the term "define" is used? I've had a careful look in ISO 9000:2015 - Fundamentals and Vocabulary, but no dice.

My take: They need some kind of documentation that explains how they go about protecting our data, and to show that they can continue the practice without having to depend on certain individuals simply knowing what to do - a tidy segue-way into organizational knowledge!!!


thanks all.
 
Last edited:

CanadianQA

Involved In Discussions
Define "define"? Sounds a bit like your IT department is trying to lead you down the garden path.

7.1.3 requires that "The organization shall determine, provide, and maintain the infrastructure necessary for the operation of its processes and
to achieve conformity of products and services." This includes IT resources. IT processes do need to be described to the extent that you can confirm that customer and applicable regulatory requirements are met through internal audit, which in my opinion is part of maintaining your infrastructure.

I had my IT department describe for me how they do the following:
  • System Maintenance;
  • System Backups;
  • System Security;
  • Virus Control;
  • Environmental Controls

I put what they wrote down into my procedures manual, added it to my internal audit and review what they do every year.
 

Sidney Vianna

Post Responsibly
Leader
Admin
But what of "define"? Is there any guidance material that would explain what the Standard specifically means and expects when the term "define" is used? I've had a careful look in ISO 9000:2015 - Fundamentals and Vocabulary, but no dice.
The meaning of "define" in the context of ISO 9001 is provided in the Guidance on some of the frequently used words found in the ISO 9000 family of standards document.

As for the "things to consider" concerning AS9100D 7.5.3.2, point your browser to the AS9100 Guidance document.
 

Mikishots

Trusted Information Resource
I have seen this, but there is still the question - in writing, or verbally? Is it enough for them to simply tell me what they do? Does this constitute "define"?

The reason I ask - when someone new comes on board, that new staff member will not see this requirement anywhere in IT department's documentation - someone would have to TELL them. This ends up bumping heads with the requirements of "Organizational Knowledge", as it can be construed as tribal knowledge.
 

Ninja

Looking for Reality
Trusted Information Resource
There is a standard you must "prove" compliance with (dangling participle and all...)

If your "define"-ing is verbal, you should document compliance being verbal.

Which puts it in writing...

You're reaching for ways around ...that's a warning flag that you're straying from the path...just write the darned thing down and move on...there are more important things to get uptight about...

:popcorn:
 

Mikishots

Trusted Information Resource
Good thing I'm not responsible for writing their procedure. I'm just an auditor. The point is that they don't WANT to write it down, and I'm trying to determine if it can be complied with in another way that suits our workplace and yet still be in compliance.

I don't think there's any attempt at reaching around - I'm simply trying to determine how to comply with the intent of the Standard.
 

Ninja

Looking for Reality
Trusted Information Resource
Things are defined for a reason...so everyone is "speaking the same language".

Consider something that there is resistance to "defining" in writing...then (without management next to you) ask 30 people (who would be impacted by that definition) what XXX means.

might give you either a level of comfort, or a compelling reason to force the written...either way it seems you might benefit.

Just thinking out loud...
 

Cari Spears

Super Moderator
Leader
Super Moderator
With respect to AS9100D Clause 7.5.3.2, there is a requirement to define data protection processes.

While our IT group is very much included in our audit that contains review of document and record control (as we almost exclusively have a paperless system), this requirement has them asking exactly what "define' means. They are reluctant to create any kind of document that explains how they go about protecting data because they are not the kind of guys that will do anything outside IT work that they don't have to, and audits have shown that they indeed do have a robust method and infrastructure to do these activities reliably.

Hi,

Is your organization DPD approved by Boeing or any other customers?
 

Mike S.

Happy to be Alive
Trusted Information Resource
The terminology doc Sidney references defines "define" :bonk: as "state or describe exactly the nature, scope or meaning of"

So I would say that writing it down is preferred and safer but technically you are not in violation of the standard if all the people who need to know this are able to verbally define the system in the same way.

I get it -- you run into hardheads sometimes and don't have the authority to force them to do it the better way. So I would document to them the dangers of not defining it in writing (CYA) and then, if they are able to verbally comply, note it that way in the audit or wherever and move on. If it later comes back to bite them in the butt, they will have to address the issue in a corrective action.
 
Top Bottom