Need to include Premise of Outsourced Call Center in ISMS Surveillance Audit?

dmukherjee

#1
Dear members

I am an ISMS champion of my organisation and would need your help to clear a doubt. We have outsourced our call center services. When we were certified it was an internal department and within the scope of the audit. Now do I have to include the vendor's premises for surveillance audit purposes?

Also, how do I show it in the scope diagram?


thanks
 
Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#2
Good day dmukherjee,

An outsourced process is typically removed from scope and treated as a supplier, with vendor controls similar to those of purchased raw materials for manufactured product. There will be an expectation of ongoing oversight to ensure the process is achieving the results your organization desires.

If this outsourced process is providing customer satisfaction input, which I encourage as a practice, it can be considered a product supplied to you.

I hope this helps!
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#3
I am an ISMS champion of my organisation and would need your help to clear a doubt. We have outsourced our call center services. When we were certified it was an internal department and within the scope of the audit. Now do I have to include the vendor's premises for surveillance audit purposes?
According to ISO 27006:2007, the following applies to your ISMS CB:
Certification bodies shall ensure that interfaces with services or activities that are not completely within the scope of the ISMS are addressed within the ISMS subject to certification and are included in the client organization's information security risk assessment.
Best thing for you to do: communicate with your CB ASAP and be prepared to talk about your risk management process when outsourcing the service to an external call center.
 
alandavid

#4
Best thing for you to do: communicate with your CB ASAP and be prepared to talk about your risk management process when outsourcing the service to an external call center.
You are absolutely right.
 