Hi John
Good questions to ponder. I have been pondering especially on the below clause for a couple of days now:
6.3c: Does your system include information systems, an essential infrastructure (as for most organizations)?
In our organization we have a process and manual in place for ISO 9001:2000, and I am in charge of making the required amendments in terms of ISO 9001:2008.
We are an IT services company and have been in the industry for more than 20 years.
What I could presume in terms of Information Systems with respect to our company is that a separate process is in place for Design to Maintenance, and all the support services like purchase and technical support are defined exclusively.
My problem now is, since it has been defined as Information Systems, in the tech support process we have a procedure in place to control the hardware, software, backup, recovery, etc. I think this is sufficient. But something says that more could be added, specifically in terms of controlling servers like mail servers, routers, firewall, classified information that will be handled only by top management, etc. I am stuck as to how to start with implementing this. Can you please give some inputs on this? Or is the existing process sufficient? Your suggestion will be highly valuable. Thanks in advance.