ISO 9001 Applicable Requirements for a Company Website?

[normzone]

Hello again, and as always, thanks for all the assistance I derive from this place, both in your responses and in the times I scan your posts and find what I'm looking for.

Today I'm inquiring as to what requirements I should be aware of regarding our company's website. We supply computers to the big boys who supply it to the military.

The website has existed independant of any procedural controls for some time, but we're revamping it and I've got the people in charge warmed up to the idea that there may be a need to document a procedure for maintaining the website as an extension of our controlled documents.

Are there elements in the ISO 9000:2008 system that are commonly applied to websites as an extension of the organization, or am I making much ado about nothing? If this is not necessary I'll leave sleeping blogs lie.

 

[Big Jim]

Re: Website - ISO 9000 applicable requirements?

I think it is a bit of a stretch to consider your web site as a document that needs to be controlled.

 

[normzone]

Re: Website - ISO 9000 applicable requirements?

Thank you - it may be a stretch, and if so I'm content not to go there. I have found an example of a disconnect on the website - one of our controlled documents available there was of an obsolete revision.

Addressing that issue is simple - get an updated revision on the site. But long term? That seems as though it would require either a website procedure or a document control caveat addressing the website as containing controlled copies.

And as other organizations do, we boast about product on our website, and I believe that's going to be extended to design practices as well.

 

[Marc]

Re: Website - ISO 9001 applicable requirements?

Opinion: If you state product specifications and such for items you either make or resell (especially if you make them), it very well could be that document control is applicable. I would.

 

[Pancho]

There is also the aspect of your customers' overall experience with your company.

Clients do not express all their requirements in their PO, and the delivery of your "product" may well begin before you even get the PO. Published specs are indeed a critical part of this pre-delivery. Other items include company credibility (reference lists, testimonials, photos, etc.), product differentiation, inquiry forms, user manuals, installation instructions, etc. These are delivered to your client through your website, often as a first contact. And few products these days do not require accompanying services.

Smart organizations rely on their websites to deliver a large portion of their service on-line, whether they offer off-the-shelf or custom products, and whether this service is pre- post- or during delivery.

A high quality experience is best delivered if you plan and control it. Thus, if your website is a significant part of your client's experience, then it is also part of your product and you should control its creation and content. If your website is not currently a critical part of that client's experience, then maybe it should be. Your toughest competitors are probably on to it already.

 

[Sidney Vianna]

Are there elements in the ISO 9000:2008 system that are commonly applied to websites as an extension of the organization, or am I making much ado about nothing?

I second Pancho's take. There are a few aspects of ISO 9001 which are closely connected with an organization's website. Such as

7.2.3 Customer communication
The organization shall determine and implement effective arrangements for communicating with customers in relation to
a) product information,
b) enquiries, contracts or order handling, including amendments, and
c) customer feedback, including customer complaints.

Also, if you allow customer to place orders directly in your website, the information communicated to the customer, such as product availability and estimated delivery dates should be trustworthy, thus the data made available via the website needs to be properly managed.

 

[JaneB]

Re: Website - ISO 9000 applicable requirements?

I think it is a bit of a stretch to consider your web site as a document that needs to be controlled.

The 'web site' perhaps, but definitely not its contents or attachments. But (as always) it depends on what the content of the particular website is.

Consider examples on websites such as:

• company policies
• material about products, such as specifications, technical drawings and MSDS (Material Safety Data Sheets) or services, such as service descriptions
• order portal (again, with info on their products)
• other communications with customers as highlighted by Pancho

All definitely requiring control but too often overlooked. You're definitely on the right track, Normzone.

 

[Phiobi]

Sidney is spot on: Quote:

In Reply to Parent Post by normzone

Are there elements in the ISO 9000:2008 system that are commonly applied to websites as an extension of the organization, or am I making much ado about nothing?
I second Pancho's take. There are a few aspects of ISO 9001 which are closely connected with an organization's website. Such as
Quote:
7.2.3 Customer communication
The organization shall determine and implement effective arrangements for communicating with customers in relation to
a) product information,
b) enquiries, contracts or order handling, including amendments, and
c) customer feedback, including customer complaints.
Also, if you allow customer to place orders directly in your website, the information communicated to the customer, such as product availability and estimated delivery dates should be trustworthy, thus the data made available via the website needs to be properly managed.

I know of a few companies that have detailed the services they provide, tolerances they can meet and performance they give etc on their website. When they have fallen short of this their customers have pulled copies of said web pages to back up warranty claims and back up accusation of failing to meet contract. I once heard it called "digital catalogue" i.e. As the website stated a level of service it was therefore included within the customer's perception.

This may not lead to you controlling your site through your management system but you should be careful there is no gap between what you say you do and what you actually do!

 

[JaneB]

Phiobi,

Spot on.

The only bit I would disagree is where you say

This may not lead to you controlling your site through your management system

I would advise the opposite. If someone doesn't control their website and its contents through their management system... how do they control it?

Too often, it's just 'left up to the web guys' (like marketing is too often left up to the marketing people). It's all part of the system: and as you say, there needs to be no gap between what is said and what is done. Indeed, you could argue that given the extremely public nature of websites and their content, one needs to be doubly careful to control and manage its content.

 

[Paul Simpson]

I agree with the majority of the points made so far but have a couple more points to add.

<snip>
The website has existed independant of any procedural controls for some time, but we're revamping it and I've got the people in charge warmed up to the idea that there may be a need to document a procedure for maintaining the website as an extension of our controlled documents.

You're right, normzone. The use of a web site should be part of your document control procedure. I'll explain below.

d) to ensure that relevant versions of applicable documents are available at points of use,

So if you use external web sites to make controlled documents available to customers (7.2.3 as mentioned) then this part of publishing web content needs to be controlled - and by a documented procedure, too.

Are there elements in the ISO 9000:2008 system that are commonly applied to websites as an extension of the organization, or am I making much ado about nothing? If this is not necessary I'll leave sleeping blogs lie.

You have already identified that further control is needed as obsolete versions were available and the relevant document control clause is:

g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.

Whew - another document control question!

There is a debate as to whether the site is a document but certainly parts of the content appear to be.