I am doing an audit about technical Support at our company and was using the ISO 9001:2015 standard to understand if their process meets the requirements. One of the items listed in the standard is that "In determining the extent of post-delivery activities that are required, the organization shall consider: a) statutory and regulatory requirements."
What questions related to that finding would be appropriate to ask the technical Support group?
For example, you can ask if there are any legal requirements related to guarantees or complementary services, such as recycling and final disposal. From there you can ask if they are planned, ask for records about their treatment and check if planned procedures are followed, and ask for any performance monitoring and evaluation records.
The following material will provide you with information about post-delivery activities:
I do not understand how cyber-security falls under clause 7.5.3 Control of Document information? From my understanding, this clause explains how processes and procedures are documented, controlled, updated, retained, stored, version update, etc. Please advise.
According to clause 7.5.2 b) documents can be in several formats and supports suitable for use: on paper, in electronic format, as instructions in a computer application, as a graphic scheme, as a photograph of a defect, etc.
How do you ensure conformity to clause 7.5.2 c) in an electronic environment? Access control and different permission levels
How do you ensure conformity to clause 22.214.171.124 b) in an electronic environment? Backups, antivirus, firewalls
How do you ensure conformity to clause 126.96.36.199 b) in an electronic environment? Backups, antivirus, firewalls
How do you ensure conformity to clause 188.8.131.52 c) in an electronic environment? Access control and different permissions
Oh, I see. I failed to explain what cyber-security means for our company. When we say cyber-security, it refers to cyber-security for our products. We have a process in place to manage vulnerabilities of our products if detected through internal testing, internal reporting, and/or external reporting and how we react and resolve that. What would this specific process fall under?
Consider the example of a small manufacturing company that wants to sell their branded product through a big wholesaler chain. Most certainly, in this case, the relevant clause is 8.2. The wholesaler has all the power and they will pay a price for each order.
If the manufacturing company pays directly to the channel partner a kind of rent to “own” a shelf to display the product to consumers, then the relevant clause is 8.4.