Customer Property Cl. 7.5.4 - Where does ISO 9001 stop and ISO 27001 start?

[qusys]

Re: 7.5.4 Customer Property

Thanks for all for your inputs.. the NC reads:
Noted "XXXX", head of archiving department, (anecdotal) receives papaer documents from head office (Lincoln), transposrts them by car to archiving department. (Manchester), then scans, then shreds...potential loss of documents containing customer data.
The scanning and shreding is a documented process - the auditor asked for a risk assesment relating to the transportation of documents. This is somthing that we could not provide..hence my original where does 9001 stop and 27001 start. A risk assesment for me would be more 27001 than 9001.

In the end we have accepted the NC with an action of implimenting document classification (planned as part of 27001 implementation) that will cover distribution and transportation of documents and records.

Understood your point, glenn0004.
Appreciated yoru thanks.
It is very tricky and I would like to make some questions to better understand the issue, saying as a starting point if your organization has felt a potential pitfall in the process/activity, it should be take into account based upon your documented preventive actions procedure.

Question:
Which kind of customer data are those? Drawings, specifications or what else?
Depending upon the nature of the data, you may also think that they are not considered as intellectual property, correct?

My suggestion:
I caught the point that during transportation the documents could be potentially loss ( due to an incident of the car etc... etc..), probably a very chip modification of the activity could prevent this, for example already duplicating the data before transportation ( in Lincoln) , so that you can have a copy in the office and one travelling. When the process of scanning and shreading is over in Manchester , you may want to destroy the copied ones.
Besides, probably the auditor searched for an FMEA of this process, you may want to implement it but this is not a requirement of ISO 9001, because this is a potential failure. I do not know what you established as a methodology within your preventive action procedure but I think that the organization shall also work in preventing action after assessing the risk for business and the company.
Pls let us know.

 

[Jim Wynne]

Re: 7.5.4 Customer Property

Thanks for all for your inputs.. the NC reads:
Noted "XXXX", head of archiving department, (anecdotal) receives papaer documents from head office (Lincoln), transposrts them by car to archiving department. (Manchester), then scans, then shreds...potential loss of documents containing customer data.
The scanning and shreding is a documented process - the auditor asked for a risk assesment relating to the transportation of documents. This is somthing that we could not provide..hence my original where does 9001 stop and 27001 start. A risk assesment for me would be more 27001 than 9001.

In the end we have accepted the NC with an action of implimenting document classification (planned as part of 27001 implementation) that will cover distribution and transportation of documents and records.

There is no requirement for formal risk analysis. It should be assumed that the handling of documents in the manner described is considered safe enough to obviate further deliberation. Unless the auditor can demonstrate through actual observation that there is a significant risk, he is way off base. I would seriously consider appealing the NC rather than going through a lot of wasted effort.

 

[Richard Regalado]

Re: 7.5.4 Customer Property

The NC is valid. It is indeed a risk and it was not made part of the risk assessment. In this particular example (read: customer data), I believe that the requirement of ISO 27001 is more stringent than that of ISO 9001 Clause 7.5.4.

For ISO/IEC 27001, there would be additional controls than just protecting customer property. Controls such as information classification, information handling procedures, protection of media in transit and intellectual property rights among others will apply.

 

[Jim Wynne]

Re: 7.5.4 Customer Property

The NC is valid. It is indeed a risk and it was not made part of the risk assessment.

You say that the NC is valid without giving a basis for the opinion. Where is the requirement for documented risk analysis? Here is the entirety of 7.5.4, ISO 9001:2008:

The organization shall exercise care with customer property while it is under the organization's control or being used by the organization. The organization shall identify, verify, protect and safeguard customer property provided for use or incorporation into the product. If any customer property is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer and maintain records (see 4.2.4).
NOTE Customer property can include intellectual property and personal data.

Leaving aside the unnecessary ambiguity of the second sentence, there is nothing here that can be reasonably interpreted to require documented risk analysis. As I suggested in my earlier post, the burden is on the auditor to objectively demonstrate the alleged risk(s) inherent in the organization's transportation/disposition of customer data.

 

[qusys]

Re: 7.5.4 Customer Property

The NC is valid. It is indeed a risk and it was not made part of the risk assessment. In this particular example (read: customer data), I believe that the requirement of ISO 27001 is more stringent than that of ISO 9001 Clause 7.5.4.

For ISO/IEC 27001, there would be additional controls than just protecting customer property. Controls such as information classification, information handling procedures, protection of media in transit and intellectual property rights among others will apply.

From the original post, it seems that the audit was held against ISO 9001 and not ISO 27001. The criteria of the audit are different, so the NC could be appealed, if the auditor did not see something not in complaince with what the organization established.
Based upon what glenn said, it did not happen.

 

[Richard Regalado]

Re: 7.5.4 Customer Property

From the original post, it seems that the audit was held against ISO 9001 and not ISO 27001. The criteria of the audit are different, so the NC could be appealed, if the auditor did not see something not in complaince with what the organization established.
Based upon what glenn said, it did not happen.

Thank you qusys. Yes you are right.

 

[qusys]

Re: 7.5.4 Customer Property

Thank you qusys. Yes you are right.

You're welcome, Richard.
The same was proposed by Jim just in time.
It appears that that the audit has done NC on the future.
It could have been an OFI , even though the organization has already taken it in charge

 

[glenn0004]

Re: 7.5.4 Customer Property

Many thanks for all of the supporting debate - for the point raised by qusys, the documents are copies of lease agreements and service level agreements both of which are our standard documents provided by us - any refrence to Banking Details ( direct debits) are removed during the administration of the paperwork - copy documents would be available (for a limited time) at the office that they were originally completed (used as a refrence until the delivery of product has been confirmed) - Post audit, I am going to sugest that we implement our planned document classification which will provide guidenec on the distribution of documents.

 

[Richard Regalado]

Re: 7.5.4 Customer Property

Many thanks for all of the supporting debate - for the point raised by qusys, the documents are copies of lease agreements and service level agreements both of which are our standard documents provided by us - any refrence to Banking Details ( direct debits) are removed during the administration of the paperwork - copy documents would be available (for a limited time) at the office that they were originally completed (used as a refrence until the delivery of product has been confirmed) - Post audit, I am going to sugest that we implement our planned document classification which will provide guidenec on the distribution of documents.

Hi glenn0004. Since you are going to implement a classification system of some sort, I suggest that in lieu of a document classification system, implement an information classification system. This will include all information relevant to the organization not just on documents such as passwords, information spoken in conversations, confidential contact details, etc.

I have an information classification matrix with handling procedures. I can share this with you if needed.

Regards, Richard.

 

[glenn0004]

Re: 7.5.4 Customer Property

Richard - any addition information / document to use as a benchmark would be most welcome. Thanks