Purchasing is one of the most important processes of an Information Security Management System certified against ISO 27001. (ISO 27001 itself addresses suppliers through its Annex A controls on supplier relationships, A.15 in the 2013 edition and 5.19 to 5.23 in the 2022 edition; the requirements on externally provided processes, products and services described below follow the same structure as ISO 9001 clause 8.4.) The inputs to Purchasing, the purchasing information, come from the Design and Development process. Design specifies the parts and materials, and their grades and qualities, that will become part of the product. If this step is wrong, the purchased part will not meet the design requirement and production cannot be carried out correctly.
The organization shall develop criteria for the evaluation and selection of external providers (suppliers). It shall monitor the performance of external providers and periodically re-evaluate them on their ability to meet the requirements for products and processes. It shall retain documented information of these evaluations and of any actions arising from them. One practical approach is to develop an External Provider Audit Checklist and evaluate every external provider against the same criteria.
The main objective of Purchasing is to make sure that the purchased product conforms to what you asked for. The control you place on a supplier should therefore be proportionate to the effect its product has on the production process and on the final product. For example, if you buy a nail with a damaged head, you can simply set it aside and replace it with a nail with a good head; there is no need for strict control over that supplier. A part that cannot be inspected or replaced so easily calls for correspondingly tighter control.
You have to make sure that the supplier can provide the quantity and quality of product that you require. You should also look into the financial strength and market reputation of the supplier.
The organization shall determine the controls to be applied to externally provided processes, products and services in three situations: (a) when products and services from an external provider are intended for incorporation into the organization's own products and services; (b) when products and services are provided directly to the customer by the external provider on behalf of the organization; and (c) when a process, or part of a process, is provided by an external provider as a result of a decision by the organization.
Types and extent of control
The organization shall make sure that externally provided products or services do not adversely affect its ability to deliver consistently conforming products and services to its customers.
The organization shall make sure that externally provided products and services remain within the control of its Information Security Management System.
The organization shall define the controls it intends to apply both to the external provider and to the resulting product.
The organization shall take into consideration the potential impact of externally provided products and services on its ability to consistently meet customer requirements and applicable legal requirements.
The organization shall take into consideration whether the controls applied by the external provider itself are adequate.
The organization shall determine the verification and other activities needed to ensure that externally provided products and services meet requirements.
The information in the purchase order is the most important information in the purchasing process. Describe the product being purchased and, where appropriate, the approval requirements for the product, process, procedure or equipment to be accepted. If a specific piece of equipment must be used, state this in the purchase order. Finally, check the adequacy of the purchasing information before the purchase order is sent to the supplier: if the supplier does not have adequate information, the resulting nonconformity is the organization's fault, not the supplier's.
The adequacy of purchasing information shall be ensured prior to its communication to the supplier.
The organization shall communicate to external providers its requirements for the products, processes or services to be provided. It shall communicate the requirements for approval of products and services, methods, processes and equipment, and the methods for release of products and services. It shall also communicate the competence requirements for supplier personnel, the requirements for the external provider's interaction with the organization, the control and monitoring of the external provider's performance that the organization will apply, and any verification or validation activities that the organization intends to carry out at the external provider's premises.
When the organization receives the products, it needs to verify that it has received what it ordered. The products are first placed in the Quality Check Area of the store and checked for acceptable quality. Those that pass are placed in their designated area in the store, and an entry is made in the store register for the product or part. They are then forwarded to the production area when the need arises, on a Store Issue Requisition given to the store personnel by the production personnel. Any product or part that fails the quality check is placed in the Quarantine Area, and the Store Manager, in consultation with the Production Manager, decides what to do with it: use it under concession if the defect is slight, return it to the supplier, or scrap it with the supplier's agreement.