ISO 9001:2000 - Document Disaster Recovery Program Requirement?

Raptorwild

Disaster Plan

Edith said:
Thanks for the info guys...

Most of our documents are hard copy, as they are shipping documents. However, we do back ups on our operating systems and accounting systems so it should cover most anyway..

Mandatory OFI... Wow, I think I've heard it all now... :bonk:

I was just informed from our previous auditor that we would need to have a documented disaster plan. I said we back up our server twice a month and keep the discs off site. She asked what happens if the place burns down, how would we provide our customer with their products in the time they requested them? Do we have a back up plan to subcontract the work out to another supplier? I said NO! Since our customer is mainly Honeywell and we are an OEM I seriously doubt we will be sending our work out to another supplier of Honeywell's with our proprietary information. Is it not enough that we have Insurance, sprinkler systems, surge protectors, and fire extinguishers? Should I have stated in our procedure for the control of records that we back up our server? Help!

Paula
 

RoxaneB

Change Agent and Data Storyteller
Super Moderator
Raptorwild said:
I was just informed from our previous auditor that we would need to have a documented disaster plan. I said we back up our server twice a month and keep the discs off site. She asked what happens if the place burns down, how would we provide our customer with their products in the time they requested them? Do we have a back up plan to subcontract the work out to another supplier? I said NO! Since our customer is mainly Honeywell and we are an OEM I seriously doubt we will be sending our work out to another supplier of Honeywell's with our proprietary information. Is it not enough that we have Insurance, sprinkler systems, surge protectors, and fire extinguishers? Should I have stated in our procedure for the control of records that we back up our server? Help!

Paula


What "shall" are they quoting from? There is no "shall" for contingency plans.

6.3 states "Infrastructure includes, as applicable..." - If it ain't applicable to your organization (like mine due to financial reasons), so be it.

4.2.3 states nothing about back-ups for doc control.

4.2.4 states that you shall establish "the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records." No mention of contingency plans. If you are happy with your contingency plan so be it.

Look, we all agree that it would be nice if we could have state-of-the-art backup plans that would guarantee our start-up after a disaster to avoid Customer Complaints. Unfortunately, the Real World seldom matches the Ideal World we would all rather live in.

Raptor, get that "shall" from the auditor. My organization has gone through this the past two audits and thankfully, our auditor has backed away.
 
Randy Stewart

Paula,
I know that Ford requires us to have a Disaster Recovery Plan for internal controls and GAO. So it may fall under Customer Requirements again.
We took DRP and combined it with our Emergency Preparedness Plan for ISO-14001.
 
Raptorwild

Disaster Recovery

I found what she was talking about... ISO9004 6.3 The process to define the infrastructure necessary for achieving effective and efficient product realization should include the following:
.........
"The plan for the infrastructure should consider the identification and mitigation of associated risks and should include strategies to protect the interests of interested parties."

But I totally disagree that process to define = shall document.
Our Audit is scheduled for November, I can throw together a process for backing up the server and state the responsibilities and requirements, or can I just tell the auditor, if they ask, "This is how we do it"?

Thanks for your responses and help! :)
Paula
 

Mike S.

Happy to be Alive
Trusted Information Resource
Unless a customer requires it, or your documentation requires it, I see no basis for a 9k2k auditor requiring a disaster plan of the scope your auditor suggested. A wise man once coined a pithy little quote: "Where is the shall?" Short and succinct, and I think applicable here as far as asking your registrar. Sounds like another registrar-specific "above and beyond ISO" requirement. :mad:
 

Mike S.

Happy to be Alive
Trusted Information Resource
Raptorwild said:
I found what she was talking about... ISO9004 6.3 The process to define the infrastructure necessary for achieving effective and efficient product realization should include the following:
.........
"The plan for the infrastructure should consider the identification and mitigation of associated risks and should include strategies to protect the interests of interested parties."

But I totally disagree that process to define = shall document.
Our Audit is scheduled for November, I can throw together a process for backing up the server and state the responsibilities and requirements, or can I just tell the auditor, if they ask, "This is how we do it"?

Thanks for your responses and help! :)
Paula

9004 is not 9001! Your registrar should be auditing to 9001, not 9004!
 
Raptorwild

Mike S. said:
9004 is not 9001! Your registrar should be auditing to 9001, not 9004!

EXACTLY what I was thinking and I just gained a few more grey hairs over this whole mess! :ko:

We are going for our AS9100A certification and I thought we were ready until the phone conversation I had earlier with our former auditor. She told me to just think about it....and then I came here where the smartest people on earth live! :D
 
CHESHIRE STEVE

We were given an improvement note against IT Management.

Quote :

"Guidelines have not been issued for the system back-ups carried out daily using 2 sets of tapes. Also any Disaster Recovery Plans have neither been specified nor formally implemented"

Now I took this as meaning 6.3 b, as our main function is Sales, and the hardware and software of the computer being the process equipment necessary to operate our business.

I've just detailed our backup procedure, and a short note about what happens if the server breaks down, and I reckon that goes as deep as I need to, but we'll see after the next visit.
 
Cathy

I agree with you Mike :agree:

You're right, it goes as far as you need, Steve. I have read this thread with alarm. I can't believe that auditors are insisting on this!! RCB, I was particularly alarmed by yours. No auditor can insist on you having this and it is unprofessional to bring this up time and time again. If I were you this would be nipped in the bud immediately with a call to the chief certification manager of your registrar.

We have 1 sentence in the document control procedure saying the computer system is backed up every night. We also keep a hard copy of procedures in case anything goes wrong! I can't believe some of the things you guys are up against.

Steve, you do not have to write a procedure for this. It is down to the experience and skills of the IT department to carry this. And make sure you don't let your auditor dictate the way your system is run. They are only there to ensure compliance with the std.!!!
 

RoxaneB

Change Agent and Data Storyteller
Super Moderator
Cathy said:
RCB, I was particularly alarmed by yours. No auditor can insist on you having this and it is unprofessional to bring this up time and time again. If I were you this would be nipped in the bud immediately with a call to the chief certification manager of your registrar.

That would have been the process followed if the "suggestion" had become a finding. As it did not progress beyond the OFI stage the first time around, and was simply an "off-the-wall" comment during the second audit, there was no need to bring this up with the Registrar.

I made comments about the professionalism on my feedback sheet and have been contacted by the Registrar before.

But there was no point in fighting a non-issue. If she had made it a finding and refused to budge, then yes, more drastic measures would have been taken on my end.

It's more than just fight the fights....it's fight the right fights.
 