Organisations are required by ISO 9001:2015 to preserve the outputs (product / service provided) during production and service provision, to the level necessary in order to ensure conformity to requirements. It is also noted that preservation can include identification, handling, contamination control, packaging, storage, transmission / transportation, and protection.
Note that process outputs rather than product are referenced. An indication that this clause is equally relevant to organisations providing a service or products which are not of a physical nature. EG: Information. This is further emphasised as the additional descriptions of methods of preservation not only include contamination control and transportation, but also “transmission.”
If the provision of data or information by electronic means is part of the organisations process output (IE the transmission of the product,) a risk based approach should be taken to ensure against both loss of data and security issues during its transmission. This could include considerations of website based information portals and data / information and attachments included in email communications for example.
For manufacturing / processing-based organisations, a risk based approach and proportionate mitigation in the form of appropriate processes, procedures and controls is recommended when considering potential preservation issues at all stages of processing. IE from receipt, processing, storage and despatch. EG:
Auditors will wish to see evidence that organisations have considered and taken appropriate steps to preserve product or services provided through all stages of processing and that these controls have been effective. This is achieved via physical auditing of products and preservation arrangements such as production and warehousing environments and processes during the course of an audit, but also whilst reviewing other elements of the organisations management system. EG:
When reviewing actions to address risk and opportunities (see article 6.1) auditors may wish to look for evidence that risks associated with preservation have been considered, plans executed to mitigate and arrangements made for the monitoring of effectiveness. (See article 9.1.3 Analysis and evaluation.)
Through the review of customer complaints (article 8.2 Requirements for products and services - customer complaints) and Control of nonconforming outputs (article 8.7.) the effectiveness of arrangements may also be established.
Organisations involved in the transmission of data or information as part of their product or service, may have their arrangements for planning and ensuring against loss / corruption / theft of data during transmission verified during an audit on preservation.
This article is the property of David Barker Consulting © and is free for you to use. If you wish to reproduce elsewhere, please be so kind as to ask permission first and credit me as your source. If you need any further assistance, feel free to use my contacts page to get in touch and let me know how I can help!
David Barker CQP MCQI