Where do policies fit in the setting up of a Quality Management System (QMS)?

[Benjibb]

Sorry if its an incredibly silly question, but I have begun mapping out the business processes and their interactions and working out which procedures need to be documented to explain the processes, but where do the policies fit in?

Thanks

 

[harry]

Re: Where do policies fit in?

I supposed you are referring to the quality policy.

For definition of quality policy refer to ISO 9000: 2005, 3.2.4 - overall intentions and direction of an organization related to quality as formally expressed by top management.

For a clue on where it should fit in, see:

ISO 9000: 2005, 2.3 - Quality management systems approach (item b) and that comes before determining the processes and resources necessary .... In simple words, it provides a framework to guide the operation and functioning of your organization.

 

[Benjibb]

Re: Where do policies fit in?

Hi Harry,

So general policies are not required by ISO 9001? The reason i ask is that my company currently has a bunch of security and data policies, I was just wondering if they would need to be included in the QMS.

 

[harry]

Re: Where do policies fit in?

Hi Harry,

So general policies are not required by ISO 9001? .......................

What do you mean by general policies? Are you referring to those that addressed specific areas or requirements of the standard?

 

[Benjibb]

Re: Where do policies fit in?

For example we have an Information Security policy and a Human Resources Security policy, would these need to be included in the QMS and if so how and where are the referenced.

 

[JaneB]

Re: Where do policies fit in?

So general policies are not required by ISO 9001? The reason i ask is that my company currently has a bunch of security and data policies, I was just wondering if they would need to be included in the QMS.

Benjibb, the sole policy mandated by ISO 9001 is a quality policy. BUT that does NOT mean you don't need any others. If you have'nt already, please go & read clause 4.2.1 d) (in documentation requirements) which points out that you must have in your quality system documentation the

documents, including records, determined by the organization to be necessary to ensure the effective planning, operation and control of its processes.

My bolding added. Don't overlook this clause! Presumably you have 'a bunch of security and data policies' because you need them. (If you didn't need 'em, why else would you have them? What would happen if you killed them all off? ) So it sounds to me as though the answer to 'do we need them' is yes. Better, more accurate info on your context and what you do would be needed to give a more accurate response.

 

[JaneB]

Re: Where do policies fit in?

For example we have an Information Security policy and a Human Resources Security policy, would these need to be included in the QMS and if so how and where are the referenced.

It really depends on how your QMS is structured... again, impossible to give an accurate answer.

One way to do this effectively is to have some kind of diagram (or just a list & description) of the various documents that comprise the documentation of your QMS - you could either include them in the diagram or reference them in the table/list. I do NOT mean an itemised list of every document, just the main ones/groups.

If you keep in mind that the main thing you're trying to achieve with the diagram/list/whatever is to show the documents are that make up the documentation of your system, so everyone is clear: you, your auditor and, even, more valuably, people new to your organisation.

 

[Benjibb]

Re: Where do policies fit in?

Hi Jane,

Thanks for the insight. To give some context, I joined the company 3 months ago and it is only been opperational for just over a year. In terms of the documentation they currently possess, a company was contracted to draw up some preliminary policies and procedures prior to it being up and running regarding data protection and general HR policy etc to act as a guideline during the startup phase. Im coming to the conclusion now however, that what they actually "do" is not coherent with the polcies and procedures they have. So I'm assuming I should re-write or create entirely new procedures for what is actually practiced to form the QMS and only keep those that are relevent.

Thanks

Ben

 

[JaneB]

Re: Where do policies fit in?

Im coming to the conclusion now however, that what they actually "do" is not coherent with the polcies and procedures they have. So I'm assuming I should re-write or create entirely new procedures for what is actually practiced to form the QMS and only keep those that are relevent.

Hoo, yes. That's the right approach. It's a slippery slope (and definitely not recommended) to have documents that say you do stuff that you actually don't. Make the policies/processes/procedures reflect what you do - and of course meet all requirements - yours (including customers of course] ISO 9001's and any others relevant, eg, legal, contractual, etc etc. Then it all makes sense. And you're doing it. Which is what it's supposed to be about.