ISO 9001:2000 - Document Disaster Recovery Program Requirement?

Edith

Document Disaster Recovery

Hey everyone!

Long time no talk! Sorry I've been so quiet. We just finished year 3 of 92k audits.. No Minors this time, but I think the auditor was going through OFI withdrawal.. (Raised about 15)

Anyway, one of the things that was identified as an OFI was a document disaster recovery program. This all came to surface when I presented him with our drafted BCP plan which we used as part of our preventative action.

Is there anyone out there that has one? From my understanding there is a standard out there that covers this specifically?

Look forward to your comments!
Edith:eek:
 
Randy Stewart

Is it really a requirement?

As far as 9K2K goes, I don't "think" that it out right states that you need one. Now read between the lines, 6.3, 6.4, etc. It is all over the place. Also a good business practice.
We are required by Ford to have one and we have linked it with the ISO 14001 preparedness requirement. Most are simple, I would be surprised if your IT department didn't already have something in place (off-site storage of backups, etc.). :bigwave:
 
tomvehoski

I believe there are ISO standards concerning data security, but I can't recall the numbering and if they are officially released or not. You may be able to search ISo_Org for them.

You can draw the line from the ISO requirement for record protection to data backup/recovery. Usually if we keep records on a server I just include a brief backup procedure, making sure somebody removes backup tapes from the premises in case of fire.

You can get more advanced and contract with companies that will automatically backup your data across the internet to secure servers. We share the building with a company that does this. For a monthly fee they will back up your server to theirs every night. In the event of a disaster you are able to restore your data and even run on their server if your systems are down.

Tom
 
As far as ISO9001:2000 is concerned, I cannot really see the need for any data security standards in this case. I think clauses 4.2.3e & 4.2.4 are all it takes...

4.2.3e: to ensure that documents remain legible and readily identifiable,

4.2.4 Documents shall remain legible, readily identifiable and retrievable.

This would mean that a document disaster recovery program (Usually a computer based backup) is a good idea, right?

/Claes
 
Graeme

Claes Gefvenberg said:
As far as ISO9001:2000 is concerned, I cannot really see the need for any data security standards in this case. I think clauses 4.2.3e & 4.2.4 are all it takes...

4.2.3e: to ensure that documents remain legible and readily identifiable,
4.2.4 Documents shall remain legible, readily identifiable and retrievable.

This would mean that a document disaster recovery program (Usually a computer based backup) is a good idea, right?

Randy Stewart said:
As far as 9K2K goes, I don't "think" that it out right states that you need one. Now read between the lines, 6.3, 6.4, etc. It is all over the place. Also a good business practice.

Both of the above are very good points. In the QMS of the lab I am working with, we are trying to be as paperless as possible consistent with other needs. We treat the computer system issues under 6.3 Infrastructure, on the basis that the computer network is part of the laboratory facilities. The procedure to implement that clause with respect to computers deals with physical security, data security (including backups), loss of computer system availability, and disaster recovery.

Our philosophy is that a properly functioning and secure computer network infrastructure (6.3) is important to enable the procedures of 4.2.3e and 4.2.4.

(We have also learned to test the procedures to ensure that they work. That was strongly reinforced the first time a server crashed -- in the middle of an audit!)


Graeme
-------------------------
"Murphy was an optimist!"
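Graeme's point about testing the procedure is the part most backup routines skip. Below is an added illustration (not from any poster in this thread) of the "back up, then prove it restores" habit: it archives a records directory with a checksum manifest and then does a trial restore into scratch space and compares every file against the manifest. The directory names and the tar/sha256sum toolchain are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a records directory, a backup
# destination (e.g. a mount of the off-site server), GNU tar and sha256sum.
set -u

# backup_records SRC DEST_DIR
# Archives SRC into DEST_DIR and writes a checksum manifest beside the archive.
# Prints the archive path so the caller can hand it to verify_restore.
backup_records() {
    src=$1; dest=$2
    mkdir -p "$dest"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/records-$stamp.tar.gz"
    tar -C "$src" -czf "$archive" . || return 1
    # Manifest is taken from the live records, not from the archive, so a
    # later restore is compared against what was actually on disk.
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$archive.sha256"
    printf '%s\n' "$archive"
}

# verify_restore ARCHIVE
# Trial restore into a scratch directory; returns 0 only if the archive
# unpacks AND every file in the manifest comes back with a matching checksum.
# A truncated or damaged archive, or a missing record, returns 1.
verify_restore() {
    archive=$1
    scratch=$(mktemp -d)
    rc=1
    if tar -C "$scratch" -xzf "$archive" 2>/dev/null \
       && ( cd "$scratch" && sha256sum -c --status - ) < "$archive.sha256"; then
        rc=0
    fi
    rm -rf "$scratch"
    return "$rc"
}
```

The check is only meaningful when run against the off-site copy, since that is the one you would actually restore from after a fire.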
 

Mike S.

Edith,

What docs. are really important to your company? If there was a fire at your place, what might you lose that is critical to the functioning of your company and your customer? Of course it varies company to company. Maybe finance stuff like invoices, AP/AR, payroll data or tax data; maybe compositions or recipes for your products; maybe test records? Once you know the answer to this question, decide how you might back up this info. so it would survive a fire, flood, tornado, computer virus attack, computer HD failure, etc. If it is all computerized, the job can be as easy as a backup to an off-site server as mentioned or a CD or tape backup carried home by someone as often as required. Paper docs. are more of a pain. For our company, we don't worry about any ISO standards to cover it, we simply do computer data backups every week and store copies of critical paper records in a fireproof safe. Keep it as simple as needed, but no simpler.
 
Aaron Lupo

Re: Document Disaster Recovery

Edith said:

Hey everyone!

Long time no talk! Sorry I've been so quiet. We just finished year 3 of 92k audits.. No Minors this time, but I think the auditor was going through OFI withdrawal.. (Raised about 15)

Anyway, one of the things that was identified as an OFI was a document disaster recovery program. This all came to surface when I presented him with our drafted BCP plan which we used as part of our preventative action.

Is there anyone out there that has one? From my understanding there is a standard out there that covers this specifically?

Look forward to your comments!
Edith:eek:

Couple of questions: what is BCP? What type of business are you in, and are your records electronic or paper?

Lastly, is the standard you refer to BS DISC PD 0013 - RECORDS MANAGEMENT - A GUIDE TO DISASTER PREVENTION AND RECOVERY, AKA ISO 17799?
 
RoxaneB

Re: Document Disaster Recovery

Edith said:

Anyway, one of the things that was identified as an OFI was a document disaster recovery program. This all came to surface when I presented him with our drafted BCP plan which we used as part of our preventative action.

Hi, Edith!

Our Registrar gave us an OFI on this as well....and was summarily rejected. We do tape back-ups of our systems, but she wanted us to have a programme with our computer system supplier(s) to reinstate hardware and software as quickly as possible in case of a disaster (natural or otherwise). The intent is to ensure that we are back in business as quickly as possible.

We acknowledged her point but pointed out that it was not worth the cost to set-up that kind of programme.

Her response was that she was actually giving us a mandatory OFI! :confused: Arguing that an OFI is not mandatory...it is a recommendation from the Auditor to improve efficiency and effectiveness that we, as the Auditee, can reject....she backed off. But every time she is back, she starts going down that path again.

There is no "shall" requiring us to have some sort of contingency plan. We do tape backups as part of "Good Management Practices"...and for now, that is where we draw the line. :cool:
 
Edith

Re: Document Disaster Recovery

Thanks for the info guys...

Most of our documents are hard copy, as they are shipping documents. However, we do backups of our operating systems and accounting systems so it should cover most anyway..

Mandatory OFI... Wow, I think I've heard it all now... :bonk: