What ISO 9001:2008 procedures apply for IT (Information Technology)?

[Duke Okes]

Re: What ISO 9000:2008 procedures apply for IT (Information Technology)?

Not every organisation chooses or uses certification to ISO 20000 (assuming you're not doing food safety). In the absence of such (and particularly in a smallish organisation) why on earth would you not use similar/same CAPA procedures? If they're intelligently written and flexible enough to cope with both applications of course.

Please read more carefully ... I said ISO 22000. That's for IT service management.

ISO 20000 is the equivalent to ISO 9001 for the food industry.

P.S. I've taken several dozen companies through ISO 9001 & TS 16949, all successfully. I've also helped develop computer systems. None of the processes for the latter were included as part of the ISO 9001 QMS, since they weren't selling the systems to customers, but instead using them for internal applications.

 

[Duke Okes]

P.S. Since the original poster indicated that their product was the "Design and Installation of Mechanical Equipment." I assumed the IT they were talking about might be things such as servers, CAD, etc.

If however, they are developing software that becomes part of and runs the equipment they are selling (e.g., using PLCs) then there may be procedures as part of sections 7.3, 7.5, and 8.2.4 to control development and testing of that software.

However, since the poster did not indicate that software development was part of the product my assumption was that the IT being discussed is simply that of business support, and would not be a part of the QMS.

 

[JaneB]

Jane:
You're totally missing the point.

No, you're misunderstanding.

I think you're taking an overly narrow view of 'ISO 9001 QMS documentation'. It makes zero sense to me to have artificial distinctions of 'this is ISO 9001 QMS documentation' and these over here aren't. It's (supposed to be) a business management system, not a series of little artificially constructed silos.

But if you do, then it all becomes auditable by your registrar, and you've created a really big mess.

Oh, rubbish. Polite translation: I disagree. a/that "it all becomes auditable' and b/you've created 'a really big mess'.

Read the scope of ISO 9001.

Oh, I have. Many times.
As Boris said in another thread: I hear the sound of my grandmother sucking eggs here.

 

[Duke Okes]

Okey dokey. You develop the systems your way, I'll do it my way. But when the QMS auditors come in they better also be qualified to audit environmental, safety, financial, IT, etc. processes if you put everything under the same system.

P.S. So why are there separate standards? (EMS, OHS, GAAP, ITIL)?

 

[Sidney Vianna]

Re: What ISO 9000:2008 procedures apply for IT (Information Technology)?

Please read more carefully ... I said ISO 22000. That's for IT service management.

ISO 20000 is the equivalent to ISO 9001 for the food industry.

You've got that confused. It is the other way around.

 

[Duke Okes]

Re: What ISO 9000:2008 procedures apply for IT (Information Technology)?

You've got that confused. It is the other way around.

You're right. My mistake.

 

[JaneB]

Okey dokey. You develop the systems your way, I'll do it my way. But when the QMS auditors come in they better also be qualified to audit environmental, safety, financial, IT, etc. processes if you put everything under the same system.

That's what the scope statement is for! To define the scope of the certification and hence the audit.

I suspect we are having a misunderstanding based on what you are calling 'ISO 9001 documentation' though.

 

[Duke Okes]

I suspect we are having a misunderstanding based on what you are calling 'ISO 9001 documentation' though.

I mean documentation required to help the organization achieve ISO 9001 registration. That's what the poster was asking about.

Think about it this way:

- If a company had absolutely zero procedures, if you were going to help them get ISO 9001 registered, would you have them also write procedures for safety, environmental, IT, finance, etc.? I wouldn't. I would focus on quality processes only.

- If a company had zero procedures and you were going to help them get ISO 14001 registered, would you have them also write procedures for quality, safety, etc. I wouldn't. I would focus on environmental processes only.

I understand that organizations can (and ideally should) integrate these systems (e.g., so they don't have multiple processes for handling document control, training, etc.). However, if they do so they must be clear about which documents (or portions of those documents) being managed fall into which management system, so that when they are being audited (e.g., for QMS, or EMS, or OHS, etc.) the auditors know what they should and should not pay attention to. And for me, unless the company develops IT hardware or software that is sold to customers, those IT procedures used for development/test for internal applications would not be included as part of the QMS. They'd be part of the ITMS.

 

[JaneB]

Duke,
I don't want to belabour this. I didn't disagree with the good advice you offered, including:

Primary areas where there may be IT procedures under ISO 9001 are:

- 4.2.3 - ensuring that appropriate documents cannot be changed/accessed by just anyone, but only those who are authorized

- 4.2.4 - backing up of documents, data & records

- 6.3.c - ensuring adequate IT resources

But Qamty said they were:

My plan is to look for a certification in about two years meanhwile, I´m preparing the procedures that can help us
to have a control on our products, (Design and installation of Mech. Equipment) that is what we are now focusing at.

You're making assumptions (but not questioning) their use of It. You may well be right when you say:


Then I started with Client an complaints, CA/PA and Nonconformance procedures.

Giving them the advice that for IT they should go with ISO 20000 is unncessarily complicating the issue I think. (Why stop there? WHy not recommend another 1/2 dozen standards to get certified to?) I'm not sure that referencing all these other Standards is particularly hepful at this point.
I did disagree with your response to this question. The poster said:

What if happens if, for example, in backing up documents
and is faced a problem, and need to be fixed rapidly (drive failed,wrong tape installed) then, a correction action is needed, a disposiion has to be applied? using
the nonconformance procedure I have available for the Realiz. Process.

If a CA/PA is needed for this, then I suppose I can use the current CA/PA that I designed for the Realiz. Process?

Your advice...

You could, but I wouldn't. If your IT group were ISO 22000 registered then this would be handled under Incident Management and Problem Management.

Now, leaving aside the wrong Standard you're quoting here (22000 - Food Safety - instead of 20000) I think this advice isn't helpful. You've quite dodged the question about what if their IT group wasn't 20000 registered, and chances are high that they aren't.

Next question:

But if IT is considered in 6.3 (infraestructure) in 9000:2008
should we mention it or not? or how is this handled?

You said:

If IT process is managed well there should be no need for procedures related to section 6.3. The IT department would be informed through the business planning process what resources are needed, changes are required, etc., and would ensure that the IT infrastructure is developed and maintained as required. Perhaps some performance objectives for the department would be useful.

I disagreed.
That's all.
I do accept that one doesn't wish to complicate a system development by bringing in too many procedures - indeed I do. But I have also observed that sometimes 'IT' is the least well managed/controlled area of a business, and that just leaving 'em alone to do their stuff without at least a couple of basic procedures (the ones that you orginally mentioned for example) is a Bad Idea.

I've taken several dozen companies through ISO 9001 & TS 16949, all successfully. I've also helped develop computer systems. None of the processes for the latter were included as part of the ISO 9001 QMS, since they weren't selling the systems to customers, but instead using them for internal applications.

Uh huh. And I in similar situations I have quite often (not always) advised and assisted clients to do otherwise, since their aim was to improve the business and their processes, not simply achieve a certificate.

And for me, unless the company develops IT hardware or software that is sold to customers, those IT procedures used for development/test for internal applications would not be included as part of the QMS. They'd be part of the ITMS.

You can call it whatever 'MS' you like, I think you're still making somewhat artificial distinctions and somewhat confusing the issue.

 

[somashekar]

Hi, everybody

Confusing in considering Procedures, I hope to receive help from you.

I´m in the planning of developing ISO 9000:2008

I know there are Realization Process those is what we sell.
and also supporting process helping to the Real. Process.
to achieve goals, e.g. HR, IT, and so on.

My plan is to look for a certification in about two years
meanhwile, I´m preparing the procedures that can help us
to have a control on our products, (Design and installation of Mech. Equipment) that is what we are now focusing at.

Then I started with Client an complaints, CA/PA and Nonconformance procedures.

But as Someone here in this forum said, For IT specially, we should go with ISO 20000.

In 9000:2008, IT fits in 6.3 Infraestructure, where we should have at least procedures for: To ensure Backing-up of data, Security, Data Loss prevention, etc.

From this point of view, If I´m focusing on the realization products
and all my procedures are designed for that.

Questions:

-Should I adapt the existing ones to comply with IT?
because sometimes It will be needed a CA/PA in IT.

-Should I go deeply in developing procedures for IT?

- Can I consider only the Real. Process and creating only brief procedures for IT?

- What to include and not to include?

Please shed some light on me

Thanks

Hii Qamty.
You are right on track with your IT process in the ISO 9001 application mapped in the clause 6.3. It is a support service for your QMS operations. There is no need for you to peep into other standard concerning IT.
There is no requirement of a documented procedure for how you determine , provide and maintain 6.3. However if you so desire you can make a simple documented procedure under your document control system.

In 9000:2008, IT fits in 6.3 Infraestructure, where we should have at least procedures for: To ensure Backing-up of data, Security, Data Loss prevention, etc.

Good enough. Perhaps in loss prevention you mean disaster management for data in terms of how you will not lose data due to emergency or unforseen situations.
You need not deeply get into IT and leave it to them (your IT experts) to provide the necessary support services. You can also tell them (your IT experts) that you are interested in how your above quoted activities are being done, and they in turn will be able to say the procedure, or if you need, document one.
Again be assured you are on track concerning your IT stuff.
Good luck.