Q: My company wants to become ISO 9001:2008 certified by the end of this year. We have nearly all of our common standard operating procedures (SOP) identified and written. But some of our departments—HR and IT in particular—are proving to be a little more difficult as far as identifying activities we might need to document.
Could you provide a few examples that might be available for SOPs for an IT department? More specifically, I’m looking for examples of what others may have done with ISO 9001:2008 in conjunction with IT and corresponding SOPs.
A: ISO 9001:2008 specifically requires the organization to have documented procedures for the following six activities:
- 4.2.3 Control of documents.
- 4.2.4 Control of records.
- 8.2.2 Internal audit.
- 8.3 Control of nonconforming product.
- 8.5.2 Corrective action.
- 8.5.3 Preventive action.
From an ISO 9001:2008 perspective, there are no mandatory procedures required for HR or IT departments as supporting functions for an organization. It is recommended, however, that you have your processes documented to ensure accountability for actions, consistency and standardization.
When there are many employees involved in various organizational functions, the handoffs between the functions and employees can blur, with little to no accountability for the final outcome. In addition, having processes undocumented is not scalable, repeatable and reproducible as the organization grows larger.
The ISO 9001 website guideline further clarifies that the extent of the quality management system’s documentation can differ from one organization to another based on:
- The size of organization and type of activities.
- The complexity of processes and their interactions.
- The competence of personnel.[1]
While the Expert Answers section may not be the right forum to share examples of SOPs, I can provide a typical list of ISO 9001 procedures that may be applicable to HR and IT functions.
A better way to develop procedures for the listed processes is to bring the stakeholders and experts together, map the process in its current state, brainstorm, identify and remove nonvalue-added activities, and then reissue a new value-added procedure.
Typical SOPs in HR
- HR planning process.
- New employee orientation process, including mandatory training and certifications.
- Training needs analysis.
- Employee training and development process, which also includes training, skill competency assessments, periodic evaluations and
Typical SOPs in IT
- IT resource planning process.
- Data archival, retention, backup and disaster recovery process.
- IT hardware and software maintenance and information security management process.
- Quality information systems, including infrastructure planning, implementation and improvement.
Senior manager, quality systems
San Jose, CA
1. For clarifications of these areas, search for "guidance on the documentation requirements of ISO 9001:2008" on the International Organization for Standardization’s website at www.iso.org.
Cianfrani, Charles A., Joseph J. Tsiakals and John E. (Jack) West, The ASQ ISO 9000:2000 Handbook, ASQ Quality Press, 2002.
For More Information
Brewton, Oliver, Tim Culbreth and Hans Groeger, "Not Your Normal SOP," Quality Progress, June 2011, pp. 24-28.
Q: When I read the concepts and definitions of quality assurance, quality control and testing, it’s very clear what the difference is between them. When I read job openings on the web, however, it seems the concepts get confused.
Example 1: "Seeking a quality assurance engineer to write automation test scripts." I think this is confusing because I always thought testing was part of quality control and not part of quality assurance.
Example 2: "Seeking a quality engineer to inspect, audit and certify supplier facilities for compliance with sanitary, regulatory, production and QA requirements."
I think the second example is clearer. Could you explain the differences between the terms?
La Jolla, CA
A: As you will find in QP’s Quality Glossary, the terms "quality assurance" and "quality control" have many interpretations, even among quality professionals. Thus, the two terms are often used interchangeably.
When you consider that job postings most likely are written by HR professionals, it’s easy to understand how the terms may be confused further.
So, when reading the job postings, don’t get hung up on absolute definitions. The real question is whether you would be willing to perform the responsibilities as described. After all, if you’re hired, you can help educate the company on the differences between quality assurance and quality control.
Navis Pack & Ship MD-1106
Annapolis Junction, MD
Q: I have been searching for reference material on performing remote audits or e-audits, with little success. I found a paper from the International Register of Certified Auditors on auditing electronic-based management systems, and J.P. Russell’s article in the January 2011 issue of QP ("Remote Control"), but I have come up short otherwise. Do you know of any other references?
Winter Springs, FL
A: There are few references or resources regarding e-audits or remote auditing. I approached one organization and asked it to share its practices but was told it was proprietary information. Apparently, at the current stage of development, this organization felt that e-auditing provided a competitive advantage.
One of the reasons I wrote the article was to promote discussion and sharing to avoid everyone being forced to reinvent the wheel. Unfortunately, there are no case studies to guide you.
The closest thing I could find is from the ANSI-ASQ National Accreditation Board, which discusses computer-assisted auditing techniques in "ANAB Accreditation Rule 31, Application of IAF MD 4:2008 for Computer Assisted Auditing Techniques" (www.anab.org/media/4069/ar31.pdf). This document is about certification body rules, but it could be helpful. I hope you will be able to share what you learn with others.
J.P. Russell & Associates
Gulf Breeze, FL