IT being audited during ISO 9001

Graciel

Involved In Discussions
#1
Hi everyone. Do you see in ISO 9001:2015 a requirement that clearly relates to the IT department?
Some people also audit item 8.2.1 e) at the IT department,
considering that a system breakdown or something similar could happen that would affect production, quality, logistics, etc.
 
#2
8.2.1 doesn't specifically apply to the IT department, but it can relate to any department that communicates with customers.
If, for example, you provide SaaS cloud services, the IT department may need to communicate with customers about maintenance windows or downtime, but for product changes your Operations or Product department needs to communicate.
 

Tagin

Trusted Information Resource
#3
Do you see in ISO 9001:2015 a requirement that clearly relates to the IT department?
Some things that come to mind:
  • 6.1 Risk (e.g., disaster recovery, antimalware, antiransomware, defense in depth, server redundancy, backup strategies, etc.)
  • 7.1.3 Infrastructure
  • 7.2 Competence (are your IT people capable enough for your organization? do you have programmers in-house; what are their skills?)
  • 7.4 Communications (e.g., automated emailed notices, invoices, etc.)
  • 7.5.3 Control of Documented Information (all aspects of clause)
  • 8.4 Control of external services (e.g., use of cloud services, external network services, etc.)
 

malasuerte

Involved In Discussions
#4
7.1.3 Infrastructure

"The organization shall determine, provide and maintain the infrastructure necessary for the operation of its processes and to achieve conformity of products and services.
NOTE: Infrastructure can include:"
a) buildings and associated utilities;
b) equipment, including hardware and software;
c) transportation resources;
d) information and communication technology.

So now you see IT as part of the scope of your QMS; pretty much every other clause applies.

When IT stuff fails - they need to do CAPA, improve, etc.
They should have indicators - velocity, downtime, failures.
They should present to management.
They are part of risk management - backups, cybersecurity, etc.

Etc, etc, etc.
 

Graciel

Involved In Discussions
#5
Some things that come to mind:
  • 6.1 Risk (e.g., disaster recovery, antimalware, antiransomware, defense in depth, server redundancy, backup strategies, etc.)
  • 7.1.3 Infrastructure
  • 7.2 Competence (are your IT people capable enough for your organization? do you have programmers in-house; what are their skills?)
  • 7.4 Communications (e.g., automated emailed notices, invoices, etc.)
  • 7.5.3 Control of Documented Information (all aspects of clause)
  • 8.4 Control of external services (e.g., use of cloud services, external network services, etc.)
About 7.1.3, how would they answer: by showing the software, tablets, cellphones, etc.? Or is this the kind of item the auditor would check during the audit just by seeing it throughout the departments?
 

malasuerte

Involved In Discussions
#6
About 7.1.3, how would they answer: by showing the software, tablets, cellphones, etc.? Or is this the kind of item the auditor would check during the audit just by seeing it throughout the departments?
Great question @Graciel

First off you need to know/understand (you can document if needed) all the IT "infrastructure" items that matter.

Here are some ideas:
  • Is important data about your process, product backed up?
  • Does your Automation/IT team have a business continuity plan in place? What happens if there was a cyber or security attack?
  • Do the tools you use work the way they are supposed to?
  • What problems happen in IT and how are they fixed?
  • Email works. VPN work for people logging in from home.

Cellphones would matter if people rely on them to manage the process or respond to process/product issues.
Tablets would matter if they are used to log data - audits, quality checks; need to make sure they work, the data is stored and accessible, and secure.
Software - easy one: is the software the latest revision?
Security - do you ensure that virus scans run if needed? That people don't put thumb drives into PCs?
 

Tagin

Trusted Information Resource
#7
About 7.1.3, how would they answer: by showing the software, tablets, cellphones, etc.? Or is this the kind of item the auditor would check during the audit just by seeing it throughout the departments?
From 7.1.3: "The organization shall determine, provide and maintain the infrastructure..."

So....in my view....
  • Determine
    • I think of this as PLAN in PDCA
      • Is anyone assigned authority over IT?
      • Who's responsible to monitor the systems?
      • Are storage sizes, processing power, cooling requirements, network layout, etc. planned as needed?
      • Are IT-related risks (malware/ransomware, backups, disaster-recovery, etc.) being planned as needed?
  • Provide
    • I think of this as DO in PDCA
      • Is the needed IT equipment being bought and installed?
      • Are we doing what we planned to do?
  • Maintain
    • I think of this as CHECK/ACT in PDCA
      • Is anyone monitoring for inadequate free space on disks?
      • Anyone monitoring alert emails, notifications, error logs, etc.?
      • Is broken equipment being repaired/replaced?
      • Are backups actually being performed?
      • etc.

The extent to which an organization will have these things documented will vary with the org size, the criticality of IT for them, and so on. It may be a few paragraphs in one document covering all infrastructure needs, or it might be a library of documentation for a complex IT structure, or something in between.

I think the smaller the organization, the more reliance there is on simple demonstration. Just like you don't need a written plan for your HVAC in a small office environment, with complex calculations for heat generation/loss, etc.; instead, it's demonstrable by how comfortable the office feels, the air smelling fresh, the HVAC not leaking, and so on. Likewise, a small org doesn't need complex IT documentation; instead: do people have the PCs or phones they need? Do the printers work? Are files being lost on the server because a hard drive crashed with no backup? Is the software serving its intended need? Etc.
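A scripted version of the "Maintain" checks listed above (and of the "is important data backed up?" question from #6), added here as an example and not something posted in the thread. It turns "backups actually being performed", "restore tested", and "inadequate free space on disks" into a dated evidence record with findings, which is what an auditor can read instead of being told that backups run. The thresholds, dataset names, job records and disk figures are constructed assumptions for the example; real input would come from your backup tool's job log and a disk-usage export.

```python
"""Evidence checks for ISO 9001 7.1.3 'maintain' (added example, not from the thread)."""
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; derive yours from the 6.1 risk assessment.
MAX_BACKUP_AGE = timedelta(hours=24)       # "are backups actually being performed?"
MAX_RESTORE_TEST_AGE = timedelta(days=90)  # a backup nobody has ever restored is not evidence
DISK_USED_WARN_PCT = 85                    # "inadequate free space on disks"


def check_backups(expected_datasets, jobs, restore_tests, now):
    """jobs: backup-job records as dicts {dataset, finished (datetime), status}.
    restore_tests: {dataset: datetime of last successful restore test}.
    Returns (severity, message) findings; an empty list means no problems."""
    findings = []
    last_run, last_good = {}, {}
    for job in jobs:
        ds = job["dataset"]
        if ds not in last_run or job["finished"] > last_run[ds]["finished"]:
            last_run[ds] = job
        if job["status"] == "success" and (ds not in last_good or job["finished"] > last_good[ds]["finished"]):
            last_good[ds] = job
    for ds in sorted(expected_datasets):
        if ds not in last_run:                      # the "hard drive crashed with no backup" case
            findings.append(("major", f"{ds}: no backup job recorded at all"))
            continue
        run = last_run[ds]
        if run["status"] != "success":
            findings.append(("major", f"{ds}: most recent backup run failed ({run['finished']:%Y-%m-%d %H:%M})"))
        if ds not in last_good:
            findings.append(("major", f"{ds}: no successful backup on record"))
            continue
        age = now - last_good[ds]["finished"]
        if age > MAX_BACKUP_AGE:
            hours = int(age.total_seconds() // 3600)
            limit = int(MAX_BACKUP_AGE.total_seconds() // 3600)
            findings.append(("major", f"{ds}: last successful backup is {hours}h old (limit {limit}h)"))
        tested = restore_tests.get(ds)
        if tested is None:
            findings.append(("minor", f"{ds}: restore has never been tested"))
        elif now - tested > MAX_RESTORE_TEST_AGE:
            findings.append(("minor", f"{ds}: last restore test {(now - tested).days}d ago (limit {MAX_RESTORE_TEST_AGE.days}d)"))
    return findings


def check_disks(disks):
    """disks: list of dicts {mount, used_pct}; flags volumes at or over the warning level."""
    return [("minor", f"{d['mount']}: {d['used_pct']}% used (warn at {DISK_USED_WARN_PCT}%)")
            for d in disks if d["used_pct"] >= DISK_USED_WARN_PCT]


def evidence_record(expected_datasets, jobs, restore_tests, disks, now):
    """One record per check run: when it ran, what it found, and a summary verdict."""
    findings = check_backups(expected_datasets, jobs, restore_tests, now) + check_disks(disks)
    return {
        "checked_at": now.isoformat(),
        "findings": findings,
        "majors": sum(1 for sev, _ in findings if sev == "major"),
        "minors": sum(1 for sev, _ in findings if sev == "minor"),
        "result": "conforming" if not findings else "action required",
    }


# Constructed sample data (not real systems); NOW is fixed so the output is reproducible.
NOW = datetime(2024, 3, 12, 9, 0)
EXPECTED = {"erp-db", "quality-records", "fileserver"}
JOBS = [
    {"dataset": "erp-db", "finished": datetime(2024, 3, 12, 2, 5), "status": "success"},
    {"dataset": "quality-records", "finished": datetime(2024, 3, 10, 2, 0), "status": "success"},
    {"dataset": "quality-records", "finished": datetime(2024, 3, 11, 2, 0), "status": "failed"},
    {"dataset": "quality-records", "finished": datetime(2024, 3, 12, 2, 0), "status": "failed"},
]
RESTORE_TESTS = {"erp-db": datetime(2024, 1, 20), "quality-records": datetime(2023, 11, 1)}
DISKS = [{"mount": "/", "used_pct": 41}, {"mount": "/var/backups", "used_pct": 91}]

if __name__ == "__main__":
    rec = evidence_record(EXPECTED, JOBS, RESTORE_TESTS, DISKS, NOW)
    print(rec["checked_at"], rec["result"])
    for severity, msg in rec["findings"]:
        print(f"  [{severity}] {msg}")
```

Run daily and keep the records: a series of "conforming" records, plus a dated finding and the corrective action that closed it, is exactly the kind of objective evidence that answers "are backups actually being performed?" without anyone having to take IT's word for it. Note that the sample data deliberately includes a dataset that has never been backed up and one whose recent runs failed while an older successful copy still exists, since those are the two cases a simple "did a job run today?" check misses.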
 

ChrisM

Involved In Discussions
#8
I've conducted internal audits for a previous employer that included the IT Department (of about 6 people). The Manager took it all in his stride and sometimes found that useful things arose from the audit to develop the work that IT was doing. Some others may not be so fortunate with IT Managers. There is a lot to be covered, from the basic specification of computers, how often they are replaced, the operating system to be used, the way that networks are set up and who has access, to backing up data and disaster recovery, selection of software, training staff to use software, provision of a "helpdesk" and so much more.
To my mind it definitely falls under "infrastructure" as an absolute minimum.
 