Archive for January, 2010

A procedure is a list of specific instructions or rules about the way certain things will be done. Both ISO 9001 and ISO 27001 require certain procedures to be documented and the documentation of many others is deemed to be optional but may be practically essential as proof of compliance for audit purposes. In the language of the Standards, certain procedures “shall” rather than “should” be documented.

The mandatory procedures for ISO 9001 which I have now identified are similarly listed in most of my sources. They comprise:

MP1 Document Control

MP2 Control of Records

MP3 Internal Auditing

MP4 Control of Non-conformance

MP5 Corrective Action

MP6 Preventive Action

For the moment these are text dumps in my draft manual. My primary focus here is covering off the minimum documentation requirement.

I make one small voluntary addition here. It seems prudent to me to run regular internal checks on our data destruction equipment to verify it is destroying data in the way it should. So I have also added a procedure for this under the Verification of Purchased Product clause of ISO 9001. I am not sure if it should necessarily go under this heading but I plan to include it as a procedure wherever it should be placed.

Based on diary entries from May 2008.

I decide to use some templates supplied by Adrian to document the company’s main workflows, e.g. from receiving an enquiry, to providing a quote, accepting an order, rocking up at the client’s site, destroying data, providing destruction certificates and sending out an invoice.

The templates are in MS Word and I have to originate everything but the outline structure from scratch. I had an initial text-based version to use as a starting point but formatting these in MS Word is very tricky due to the usual bugs and a completely different menu structure compared to the version I am used to.

It takes me a couple of days to sort the processes out because as well as drafting the documents I am developing and improving the processes at the same time. The full list of delivery processes, which makes up 7 sides of super fiddly flow diagrams, comprises:

DP1 Enquiry Handling

DP2 Estimate Preparation

DP3 Contract Preparation

DP4 Contract Delivery 1

DP5 Contract Delivery 2

DP6 Service Execution

While going through the processes I have built a list of documents which, as records, will be key to the management system. One example is a Certificate of Destruction. Another would be an invoice.

Based on notes and my diary from May 2008.

In the first draft of my ISO 9001 manual, I have got 15 sides and 2,954 words. That’s a lot of data, but a lot less than Ray Tricker! Most of the wording seems to be repeating what the clauses of the ISO 9001 Standard itself say but in plainer English. I can’t see the point of these clauses but I have heard these standards are about paperwork so maybe the inspector will like it!

Under different headings in the manual, I have made entries in blue text which were either suggested as generic insertions by, or featured in, other sources.  In addition, I have added paragraphs or sections that I think will be of specific benefit to Data Eliminate.

The clauses in the ISO 9001 Standard document itself represent different degrees of challenge in interpretation. I think I have worked out clauses from which Data Eliminate is excluded – a lot of these seem to relate to manufacturing processes.  Data Eliminate provides a service for the risk management of personal data and confidential information and as such is not a manufacturer.

Some clauses of ISO 9001, the Quality Management Standard itself, are easy to understand. I begin to work out which forms and procedures they relate to. In other words, what an auditor is likely to look for to prove that one is in compliance with each clause. Drawing some of these relationships is very straightforward.

There is a second tier of more challenging clauses which requires some cross referencing and even a bit of digging into Ray Tricker’s 500-page doorstop to work out what they mean.

The third tier of discovery involves some mixing and matching: cross referencing items with clauses and requirements elsewhere in the document. This is a bit like playing “Pelmanism” or “Pairs”, the card memory game where you lay the 104 cards individually face down on a table. Each player takes it in turn to turn over or look at two cards and has to collect pairs by remembering where individual cards are located in order to match them up with their pair.

The fourth tier comprises the bits about which I don’t have a clue. This becomes my list of questions for Arthur, noted in red text within my Manual.

My ISO 9001 manual contains a Quality Policy, an Organisation Chart and some Delivery Process diagrams. The latter are flow charts.

The Delivery Process diagrams are flow charts. This is your internal workflow in servicing customers amongst other things. I have seen some really simple example workflows but this is the first area I have found where I think I will voluntarily go for more detail. This is partly because I need to get the processes laid out and documented before hiring employees.

I am confused about the requirement to define the “interaction of processes”. Versions of charts I have are quite different in style. Showing how the processes interact is what I am unsure about at present. It seems that this may be a case where the concept being conveyed is so simple there is no real need for a chart! (I have never been a fan of process charts. It reminds me of my computing O level!)

Confidence in my interpretive ability is increasing the more I work on this!

I now have enough information to tackle ISO 9001 and produce the first draft or text dump of the IMS or Quality manual. I have now collated the following resources:

  • A copy of the standard itself.
  • The basic procedures and policies left by Peter from FXXP principally relating to BS7858 Employee Vetting
  • Several downloads from sovereigncertifciation.com including a quality manual template
  • The Integrated Management System (IMS) covering ISO 9001, ISO 14001 and ISO 18001 sent over by Adrian
  • The 5 pages from the Ray Tricker Book
  • One or two other documents from various websites

Adrian’s manual covers 3 standards and is considerably more concise than the Sovereign Template which covers only one standard. I only have some parts of the former. The trouble is that what I have is so succinct and merged/integrated that I can’t really tell how the contents relate to each of the individual standards.

In Sovereign’s manual, the numbering system of the clauses mirrors that of the clauses within the standard itself. This is clearly going to make life easier now but I have read that taking this approach can have disadvantages later in making the manual too bulky. Seems like it’s probably too bulky already for my purposes.

The challenge now is to collate all this into a coherent Manual and documentation for Data Eliminate. At first, I am going to pull a minimum manual together for .  I’ll do a generic one for ISO 9001 and one for ISO 14001 and then merge them.

I start with the ISO 9001 open on my desk. I know now that I can pretty much ignore anything that comes in sections 1 through 3. My first focus is Section 4. I have the two manual templates open on my screen and I start moving between the two, text dumping and amending. This takes quite a while.

By the time I have finished, the first draft of my manual is a text dump comprising the following headings:

1.0       Introduction

1.1       Organisation Description
1.2       Scope of Certification
1.3       Third Party Certification

2.0       Responsibilities

2.1       Office Based Personnel
2.2       Site Based Personnel

3.0       Business Processes

3.1       Description
3.2       Implementation & Maintenance

4.0       Quality Management System

4.1       General Requirement
4.2       Documentation Requirements

5.0       Management Responsibility

5.1       Management Commitment
5.2       Customer Focus
5.3       Quality Policy
5.4       Planning
5.5       Responsibility, Authority and Communication
5.6       Management Review

6.0       Resources

6.1       Provision of Resources
6.2       Human Resources
6.3       Infrastructure
6.4       Work Environment

7.0       Product Realisation

7.1       Planning of Product Realisation
7.2       Customer Related Processes
7.3       Design and Development
7.4       Purchasing
7.5       Production and Service Provision
7.6       Control of monitoring and measuring devices

8.0       Measurement, Analysis and Improvement

8.1       General
8.2       Monitoring and Measurement
8.3       Control of Nonconforming Product
8.4       Analysis of data
8.5       Improvement

I feel like I have taken a big step forward. I call Arthur to advance book a session with him so that I can go through all this with him once it’s done.

 Based on notes from my diary and other records from May 2008.
