IATF 16949 Contingency plan requirements / Sanctioned Interpretations?

Lisa Jacobs

Lisa Marie
I'm trying to follow up on a desk audit and my auditor does not seem to be very responsive. Looking for information from you all if you have it?

Attached is my contingency plan. I thought I had everything covered. The auditor responded with this:

"Cyber attacks are not included, required by sanctioned questions now. Please update before the audit."

My question: Where can I find this list of sanctioned questions? I don't trust this auditor, his desk audit brought up several items that I believe we have covered and he is asking me to correct.

My contingency plan is attached.
 

Attachments

  • QP-0005 Rev 1 Contingency Plan.xlsm

Laura Halleck

Starting to get Involved
Lisa,

I don't have an answer regarding the list of sanctioned questions (although I'd like to see it too if anybody has it to share), but I wanted to say that I really like the format and structure of your contingency plan. It appears to be far more robust than many I have seen.

Laura
 

Lisa Jacobs

Lisa Marie
Thank you! I have requested information on how to change my auditor, as I feel many of these issues are related back to him.
 

Golfman25

Trusted Information Resource
Try here. But it wasn't really an interpretation of the standard as much as it was a rewrite.

https://www.iatfglobaloversight.org...-Sanctioned-Interpretations-1-9-SIs_Final.pdf
 

Sebastian

Trusted Information Resource
I expect a contingency plan to be a standalone document or to include references to other documents, but it definitely has to describe:
1. Criteria to trigger contingency plan
2. Chronological sequence of activities
3. Responsibility for performing activities
4. Define post-contingency activities (e.g. see 8.5.1.4)

By the way, the word "meeting" in a contingency plan is a signal for me that there is a gap. A contingency plan shall be like a "go around" during landing. No need to think; simply evaluate the situation against criteria and deploy already defined activities.
 

brandieb1230

Involved In Discussions
The IATF website has a list of 1-9 SIs.

https://www.iatfglobaloversight.org...-Sanctioned-Interpretations-1-9-SIs_Final.pdf


Number 3 references contingency plans.

c) prepare contingency plan for continuity of supply in the event of any of the following: key equipment failures (also see section 8.5.6.1.1); interruption from externally provided product, processes and services, recurring natural disasters, fire, utility interruptions, CYBER ATTACKS ON INFORMATION TECHNOLOGY SYSTEMS, labour shortages or infrastructure disruption.



Our contingency plan is set up differently than yours, I like yours better!

This is what I have for cyber attacks - not sure if it could work for you:
*6.8.7 IT: The IT/IS department has many systems in place to prevent a cyber-attack or to retrieve lost data if computer systems malfunction including: firewalls, web filters, anti-virus protection, redundant back-up processes stored both on and off site and constant monitoring of threats. Our IT professionals are constantly researching and seeking new ways to keep our company’s digital information safeguarded.
 

DavidO909

Registered
Hello Lisa, I just reviewed your contingency/risk plan. It is very detailed and well put together; you can see the well-thought-out, methodical process.
I do not see what your registrar auditor's issue is. This format is leaps and bounds ahead of the majority of documents I have seen over my 18-year career as a Tier one global supplier to both the automotive and aerospace industries.
 

Sebastian

Trusted Information Resource
David, the auditor's comment was related to the text of section 6.1.2.3 as revised by the Sanctioned Interpretations, where a new risk of cyber-attacks was added, but there was no such risk in the so-called "contingency plan" posted here.
To be clear, I do not see why the auditor did not reject this document at all, as there is no evidence of effective planning of post-failure activities.
 