1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

ISO 9001:2015 Scope questions and others

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Chao Hsu, Oct 28, 2016.

  1. Chao Hsu

    Chao Hsu New Member

    Joined:
    Oct 28, 2016
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Southern California
    Hello all,

    I am an ISO 27001 Lead Auditor, but I am new to ISO 9001:2015. I have purchased the standards, read through them a few times, but I still have some questions.

    Background: I am with a diversified small 8(a) company in southern California, and my company has a number of government contracts delivering:
    (1) security systems (doors/alarms/CCTV/etc)
    (2) software solutions
    (3) IT services (help desk)
    (4) project management, design build, and some other consulting services

    Here are the questions.
    1a. Can my company get just one product/service (say, security systems) or all products and services ISO 9001 certified?
    1b. If all products and services must meet ISO 9001 requirement, can we development just one set of common core quality documents (eg. quality objective, procedures, etc.), with appendices in details for all the products and services ?

    2. What is the minimal training required? I know someone has to get training and certified as ISO 9001:2015 Lead or Internal Auditor, but any other training or roles? Can I do the ISO 9001 planning, then become an auditor to audit my own work?

    3. Does my company have to get certified by a industry specific Certification Body? What would be the best way to get all the diversified business certified?

    Thanks for any comment and suggestion.
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Hi and welcome to QFO!

    The simple answers are:

    • Yes, you can (but products aren't ISO 9001 certified, it's the management system which produces them). Your scope is whatever you want it to be, within reason, but beware that it might look (to customers) like you took the easy route to get certified rather than including all products/services.
    • Minimal training is what you've decided you need to get to meet competency requirements. Training as an auditor doesn't make you competent. Also, doing something someone else did without understanding why they did it isn't a good idea.
    • No, not unless you have little/no choice.
    • The "best way", whatever that is, is to look at CBs who have done similar certifications, have competent auditors with experience and provide good service. If you chose based on price, location or some other cost related criterion, you WILL get burned.
     
  3. dubrizo

    dubrizo New Member

    Joined:
    Nov 9, 2016
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Hard NO on auditing your own work.

    9.2.2 c: "The organization shall... select auditors and conduct audits to ensure objectivity and the impartiality of the audit process."

    If you are the only internal auditor, you can get someone outside of your organization to come in and conduct an audit of those areas where you conduct the work.
     
  4. MCW8888

    MCW8888 Well-Known Member

    Joined:
    Aug 17, 2015
    Messages:
    642
    Likes Received:
    198
    Trophy Points:
    42
    The standard does not specify "the auditor cannot audit his own work". It is up to the external auditor to prove the evidence of objectivity.
     
    John C. Abnet likes this.
  5. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    My answers on:
    1a. Yes. Also need to consider your organization's context and the needs and expectations of interested parties.
    1b. Yes. Documented information that can be established on an integrated approach can include: quality manual, quality policy, quality objectives, procedures for internal audit, document and records management, corrective action, training, equipment maintenance, etc.
    2. Organizations usually undergo the following training and seminars: ISO 9001:2015 requirements awareness seminar, documentation workshops, risk-based thinking workshops, cause analysis workshop, internal audit training
    3. I'll just copy Andy's answer.
     
  6. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Please be aware that, ISO 9001 was written with ANY sized business in mind. People can be objective and impartial and audit their own work. I can be very objective, for example. If I stick to facts, it's a lot easier...
     
    John C. Abnet likes this.
  7. MCW8888

    MCW8888 Well-Known Member

    Joined:
    Aug 17, 2015
    Messages:
    642
    Likes Received:
    198
    Trophy Points:
    42
    2. Have you been trained as an Internal Auditor by an organization certified by ANAB? If so then you should have a certificate to demonstrate you pass the test. If you have , then you can pass that knowledge on to one of your team and train them to be auditor. Coming pout of a training course does not demonstrate competency.
     
  8. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    MCW8888: ANAB doesn't certify training providers. It's usually (in the USA) Exemplar Global or (in the UK) IRCA - there are a few others, too.
     
  9. MCW8888

    MCW8888 Well-Known Member

    Joined:
    Aug 17, 2015
    Messages:
    642
    Likes Received:
    198
    Trophy Points:
    42
    Sorry, my mistake. Happy thanksgiving all.
     
    Andy Nichols likes this.
  10. Kamran ali

    Kamran ali New Member

    Joined:
    Mar 5, 2019
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Very informative post
     
  11. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    It shouldn't make it past the stage 1...
     
  12. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    What if they only forgot to specify design in their scope but actual controls are in place? What is your definition of a major NC?
     
  13. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    ISO/IEC 17021-1:2015(E) has the following definitions:

    3.12 major nonconformity - nonconformity that affects the capability of the management system to achieve the intended results. Nonconformities could be classified as major in the following circumstances:
    • If there is a significant doubt that effective process control is in place, or that product or services will meet specified requirements;
    • A number of minor nonconformities associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major nonconformity.
    3.13 minor nonconformity - nonconformity that does not affect the capability of the management system to achieve the intended results.

    I don't think a design company that failed to specify "design" in their scope will get a major NC. They can easily correct that. But, if a design company (even if they claim it in the scope) lacks the controls to ensure conformity of products/services to requirements, then I, for one, will raise a major NC.
     
    Andy Nichols likes this.
  14. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    It is not yet misleading if they don't have yet the certificate to advertise. That's why I asked "what if they only forgot to specify but actual design controls are in place?" Since you are a CB auditor, you can easily advise them to mention design in the statement of the scope. A company that designs their own product would be interested to advertise their certificate with design in it. Raising a major NC because of the omission will only disgruntle a "client" (as defined by ISO/IEC 17021) and might challenge why a major NC was raised. That's why I also asked "what is your definition of a major NC?"
     
  15. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    816
    Likes Received:
    402
    Trophy Points:
    62
    How many customers actually look at the scope statement on the cert.? Probably almost none. They'll look at marketing materials -- web site, brochures, sales people -- to determine the capabilities of the company, design or not.