Customer Property Cl. 7.5.4 - Where does ISO 9001 stop and ISO 27001 start?

[Jim Wynne]

Re: 7.5.4 Customer Property

As write, we are currently undergoing our anual internal audit - as always our external auditor has has made links between the protection of customer data (documents and records containing names and addresses) being classed as customer property. Other than basic controls of visitors, access to areas of data processing and processes and policies controling the retention and destruction of company documents and records - with no evidence that these controls have failed under 7.5.4 where does ISO 9001 stop and ISO 27001 start.

We're being audited against the 9001 standard and our own internal procedures, we're not yet 27001 registered.

Are you saying that your CB auditor has identified a problem with your control of customer property? Was there a nonconformity (a written NC statement)? If so, could you reproduce it here, verbatim? What is the auditor asking for?

 

[lamorenita_QA]

Hi I would like to add another question to this topic, ISO 13485 7.5.4 contains a note stating "Customer property can include intellectual property or confidential health information". Can someone define "confidential health information" or provide examples? could this be a reference to patient records?

 

[somashekar]

Hi I would like to add another question to this topic, ISO 13485 7.5.4 contains a note stating "Customer property can include intellectual property or confidential health information". Can someone define "confidential health information" or provide examples? could this be a reference to patient records?

Hii and welcome here.
In a way what you say is correct. Clinical trials report could be a confidential health information that can be treated as a customer property in ISO 13485 QMS, when shared by a customer with his supplier

 

[lamorenita_QA]

Thank You, this helps. This forum is AWESOME!!!

 

[Stijloor]

Thank You, this helps. This forum is AWESOME!!!

Please tell others about this fantastic resource!

 

[lamorenita_QA]

Yes, I have and will continue. Thx!

 

[glenn0004]

Re: 7.5.4 Customer Property

Now that we have received the written NC - our external auditor has written the NC towards the method that company documentation is transported to our archiving department (at one of our divisional branches, not at our head office) not to the extent of protection offered in branch - documents are transported either by registered post or in bulk via company vehicle from our head office to the branch where archiving is completed...he has noted that there is a risk here in respect of the protection of customer property (data).

 

[somashekar]

Re: 7.5.4 Customer Property

Now that we have received the written NC - our external auditor has written the NC towards the method that company documentation is transported to our archiving department (at one of our divisional branches, not at our head office) not to the extent of protection offered in branch - documents are transported either by registered post or in bulk via company vehicle from our head office to the branch where archiving is completed...he has noted that there is a risk here in respect of the protection of customer property (data).

I am sorry and surprised if it is a NC. His noticing of a risk is not a basis. At best he can recommend as an improvement aspect if he sees a risk.

 

[qusys]

Re: 7.5.4 Customer Property

Now that we have received the written NC - our external auditor has written the NC towards the method that company documentation is transported to our archiving department (at one of our divisional branches, not at our head office) not to the extent of protection offered in branch - documents are transported either by registered post or in bulk via company vehicle from our head office to the branch where archiving is completed...he has noted that there is a risk here in respect of the protection of customer property (data).

I believe that the auditor wrote a NC in the future...
What was the evidence that violeted the clause?
Do you have an internal procedure that say something for this activity and he revealed a non conformity vs those documented practices?
For example, use envelope closed with glue and signed off by a responsible and he noted some envelopes that were open ????
Pls, let us know verbatim the NC and evidence collected.
This NC could be appealed

 

[glenn0004]

Re: 7.5.4 Customer Property

Thanks for all for your inputs.. the NC reads:
Noted "XXXX", head of archiving department, (anecdotal) receives papaer documents from head office (Lincoln), transposrts them by car to archiving department. (Manchester), then scans, then shreds...potential loss of documents containing customer data.
The scanning and shreding is a documented process - the auditor asked for a risk assesment relating to the transportation of documents. This is somthing that we could not provide..hence my original where does 9001 stop and 27001 start. A risk assesment for me would be more 27001 than 9001.

In the end we have accepted the NC with an action of implimenting document classification (planned as part of 27001 implementation) that will cover distribution and transportation of documents and records.