8.6 Release of products and services, 8.3 Design and development - evidence required

Ava Martin

Starting to get Involved
Hi all,

I would like to ask for your opinion on what exactly should be the provided as evidence for 8.6 and 8.3. (examples of some possible documents etc)
We are Shared services providing services to our Business (in areas of Finance, Supply chain, General Accounting, Marketing & sales...)

For 8.3 - I believe this can be only applicable for us in terms of Continuous improvement (we do not directly design our services, as are migrated to our Shared Services), so would be the CI projects or for example if we develop a new team from existing one. But this is not always happening. Can we therefore have an exclusion of this subclause if not applicable?

8.6 - Release of products and services - can we provide the contracts we have and desktop descriptions? Or does it have to be something more specific?

Thank you a lot :)
 

Ava Martin

Starting to get Involved
Actually another question, but a different topic :giggle:, if a new process is migrated to our organization, obviously this team should have an exception from Auditing as in the migration phase. How long this team can have the exception? or better said is there any list of requirements, upon which we can check and make sure this team is not prepared for the ISO Audit? Do you have any best practices perhaps? :tg:
 

Johnny Quality

Quite Involved in Discussions
Actually another question, but a different topic :giggle:, if a new process is migrated to our organization, obviously this team should have an exception from Auditing as in the migration phase. How long this team can have the exception? or better said is there any list of requirements, upon which we can check and make sure this team is not prepared for the ISO Audit? Do you have any best practices perhaps? :tg:

Ava,

I would say that the team has exception ONLY if their activities are outside the scope documented on your certification. If so, it's up to you when you add their activities to the scope.
 

Ava Martin

Starting to get Involved
Ava,

I would say that the team has exception ONLY if their activities are outside the scope documented on your certification. If so, it's up to you when you add their activities to the scope.
Thank you Johnny. But they are in the scope. I mean for example, they are included from this year in our service catalogue and as part of a supply chain process, just as a new subprocess, currently in migration phase, they are still in the phase of hiring, documentation preparation etc. So I would say, we can give them exception for 6months, to stabilaze. All other subprocesse of SC will be audited of course, just this one will get expeption. I would like to provide them with some list of requirements, so they can literally check if they have all what is needed and therefore can be in 6months audited. :)
 

Johnny Quality

Quite Involved in Discussions
Hmm, have a chat with your CB. Sorry but I don't know the answer to that but having some time to stabilize sounds sensible. I'm sure your auditor will be interested to see what you have regardless.
 

Tagin

Trusted Information Resource
Thank you Johnny. But they are in the scope. I mean for example, they are included from this year in our service catalogue and as part of a supply chain process, just as a new subprocess, currently in migration phase, they are still in the phase of hiring, documentation preparation etc. So I would say, we can give them exception for 6months, to stabilaze. All other subprocesse of SC will be audited of course, just this one will get expeption. I would like to provide them with some list of requirements, so they can literally check if they have all what is needed and therefore can be in 6months audited. :)

The point is that your company already 'included from this year in our service catalogue and as part of a supply chain process'. So, on the one hand you are - in essence - implying they are up and running and compliant (because it is a subprocess of your 9001 system), but on the other hand, you want a special exemption for them for 6 months. I don't think you can have it both ways. If you had waited the 6 months to include them, then there would likely be no issue.

At the very least, this new process should be monitored via your Continuous Improvement system for risks, controls, monitoring, etc. during this transition to provide evidence for an auditor how risk is being addressed and monitored for a process which is not fully complete, yet which you are already offering as an active service.
 
Last edited:

Tagin

Trusted Information Resource
For 8.3 - I believe this can be only applicable for us in terms of Continuous improvement (we do not directly design our services, as are migrated to our Shared Services), so would be the CI projects or for example if we develop a new team from existing one. But this is not always happening. Can we therefore have an exclusion of this subclause if not applicable?

If you do not perform design of products/service offered, then I think you could possibly exclude it. It's not exactly clear what services you provide to your customers or to what extent you are involved in design. Take a look at TS9002:2016, it offers some examples of when 8.3 is needed for service-related organizations:
— a financial advisory organization that designs and develops the services it offers to its clients in relation to managing their stock portfolios;
— an educational organization which designs and develops its curricula


8.6 - Release of products and services - can we provide the contracts we have and desktop descriptions? Or does it have to be something more specific?

It's essentially whatever doc(s) it is that 'gives the go-ahead' to deliver the product/service to the customer. So, if your signed contract is what is used as the approval to trigger the start of the delivery of the service to the customer, then that works. Note that 8.6 requires traceability to the person authorizing the release, so presumably your company representative's signature on the contract is the authorizing person for your company?
 

Ava Martin

Starting to get Involved
The point is that your company already 'included from this year in our service catalogue and as part of a supply chain process'. So, on the one hand you are - in essence - implying they are up and running and compliant (because it is a subprocess of your 9001 system), but on the other hand, you want a special exemption for them for 6 months. I don't think you can have it both ways. If you had waited the 6 months to include them, then there would likely be no issue.

At the very least, this new process should be monitored via your Continuous Improvement system for risks, controls, monitoring, etc. during this transition to provide evidence for an auditor how risk is being addressed and monitored for a process which is not fully complete, yet which you are already offering as an active service.
Thank you, this definitelly makes sense and then for the future to wait till the process is stabilized before signing it in into the Service Catalogue. I have to speak with my management, to see why it is so.
 

Ava Martin

Starting to get Involved
If you do not perform design of products/service offered, then I think you could possibly exclude it. It's not exactly clear what services you provide to your customers or to what extent you are involved in design. Take a look at TS9002:2016, it offers some examples of when 8.3 is needed for service-related organizations:

We do not really perform desing of our services offered. These services are just "shifted" to our organization from the business. We are not the process "owners". But last year, external auditor pointed out that even tho we do not design the process "from scratch", we still have own initiated "process design" such as CI. So it is confusing whether to add or exclude it.



It's essentially whatever doc(s) it is that 'gives the go-ahead' to deliver the product/service to the customer. So, if your signed contract is what is used as the approval to trigger the start of the delivery of the service to the customer, then that works. Note that 8.6 requires traceability to the person authorizing the release, so presumably your company representative's signature on the contract is the authorizing person for your company?

Yes correct, our service level agreements are sign by representatives from our shared services and from the business. So I believe this will cover it.
 
Top Bottom