IT being audited during ISO 9001

[Graciel]

Hi everyone. Do you guys see in Iso 9001:2015, a requirement that clearly relates to It department?
Some people audit item 8.2.1 e) , also at the IT department.
Considering that can happen a system breakdown or things like that, that could affect production, quality, logistics,etc.

 

[geoffairey]

8.2.1 doesn’t specifically apply to the IT department, but can relate to any department which communicates with Customers.
If, for example, you provide SaaS cloud services, it may be that the IT department need to communicate with customers about maintenance windows or downtime, but for product changes, your Operations dept or Product dept need to communicate.

 

[Tagin]

Do you guys see in Iso 9001:2015, a requirement that clearly relates to It department?

Some things that come to mind:

• 6.1 Risk (e.g., disaster recovery, antimalware, antiransomware, defense in depth, server redundancy, backup strategies, etc.)
• 7.1.3 Infrastructure
• 7.2 Competence (are your IT people capable enough for your organization? do you have programmers in-house; what are their skills?)
• 7.4 Communications (e.g., automated emailed notices, invoices, etc.)
• 7.5.3 Control of Documented Information (all aspects of clause)
• 8.4 Control of external services (e.g., use of cloud services, external network services, etc.)

 

[malasuerte]

7.1.3 Infrastructure

"The organization shall determine, provide and maintain the infrastructure necessary for the operation of its processes and to achieve conformity of products and services.
NOTE: Infrastructure can include:"
a) buildings and associated utilities;
b) equipment, including hardware and software;
c) transportation resources;
d) information and communication technology.

So now you see IT as part of the scope of your QMS; pretty much every other clause applies.

When IT stuff fails - they need to do CAPA, improve, etc
They should have indicators - velocity, downtime, fails
They should present to management
They are part of risk management - backup, cybersecurity, etc.

Etc, etc, etc.

 

[Graciel]

Some things that come to mind:

• 6.1 Risk (e.g., disaster recovery, antimalware, antiransomware, defense in depth, server redundancy, backup strategies, etc.)
• 7.1.3 Infrastructure
• 7.2 Competence (are your IT people capable enough for your organization? do you have programmers in-house; what are their skills?)
• 7.4 Communications (e.g., automated emailed notices, invoices, etc.)
• 7.5.3 Control of Documented Information (all aspects of clause)
• 8.4 Control of external services (e.g., use of cloud services, external network services, etc.)

About 7.1.3 how would they answer,by showing the softwares, tablets,cellphones etc?or this is the kind of item that auditor would check during the audit just by seeing it throughout the departments?

 

[malasuerte]

About 7.1.3 how would they answer,by showing the softwares, tablets,cellphones etc?or this is the kind of item that auditor would check during the audit just by seeing it throughout the departments?

Great question @Graciel

First off you need to know/understand (you can document if needed) all the IT "infrastructure" items that matter.

Here are some ideas:

• Is important data about your process, product backed up?
• Does your Automation/IT team have a business continuity plan in place? What happens if there was a cyber or security attack?
• Do the tools you use work the way they are supposed to?
• What problems happen in IT and how are they fixed?
• Email works. VPN work for people logging in from home.

Cellphones would matter if people rely on them to manage the process or respond to process/product issues?
Tablets would matter if they are used to log data - audits, quality checks; Need to make sure they work; they data is stored and accessible; secure.
Software - easy one: Is the software the latest revision?
Security - Do you ensure that virus scans if needed? People don't put thumb drives into PCs.

 

[Tagin]

About 7.1.3 how would they answer,by showing the softwares, tablets,cellphones etc?or this is the kind of item that auditor would check during the audit just by seeing it throughout the departments?

From 7.1.3: "The organization shall determine, provide and maintain the infrastructure..."

So....in my view....

• Determine
  • I think if this as like PLAN in PDCA
    • Is anyone assigned authority over IT?
    • Who's responsible to monitor the systems?
    • Are storage sizes, processing power, cooling requirements, network layout, etc. planned as needed?
    • Are IT-related risks (malware/ransomware, backups, disaster-recovery, etc.) being planned as needed?
• Provide
  • I think if this as DO in PDCA
    • Is the needed IT equipment being bought and installed?
    • Are we doing what we planned to do?
• Maintain
  • I think if this as CHECK/ACT in PDCA
    • Is anyone monitoring for inadequate free space on disks?
    • Anyone monitoring alert emails, notifications, error logs, etc.?
    • Is broken equipment being repaired/replaced?
    • Are backups actually being performed?
    • etc.

The extent to which an organization will have these things documented will vary with the org size, criticality of IT for them, and so on. It may be a few paragraphs in one document covering all infrastructure needs, or it might be a library of documentation for a complex IT structure, or something in between.

I think the smaller the organization the more a reliance on simple demonstration. Just like you don't need to have a written plan for your HVAC for small office environment, with complex calculations for heat generation/loss, etc.; instead, its demonstrable by how comfortable the office feels, the air smells fresh, the HVAC isn't leaking, and so on. Likewise, a small org doesn't need complex IT documentation; instead, do people have the PC's or phones they need?, do the printers work?, are files being lost on the server because a hard drive crashed with no backup?, is the software serving its intended need?, etc.

 

[ChrisM]

I've conducted internal audits for a previous employer that included the IT Department (of about 6 people). The Manager took it all in his stride and sometimes found useful things arose from the audit to develop the work that IT was doing. Some others may not be so fortunate with IT Managers. There is a lot to be covered from basic specification of computers, how often they are replaced, operating system to be used, the way that networks are set up and who has access, to backing up data and disaster recovery, selection of software, training staff to use software, provision of a "helpdesk" and so much more.
To my mind it definitely falls under "infrastructure" as an absolute minimum