1. I was told a certified ISO 27001 LA can train and certify other people?
For ISO 27001 compliance purposes, a certified ISO 27001 Lead Auditor has recognized knowledge and skills that allow him to train other people.
Regarding certification, in theory, everyone can issue a certificate, but for the certificate to be recognized it should be issued by a trustworthy organization.
A certification issued by a certified ISO 27001 Lead Auditor has limited recognition (normally it is recognized only by the organization he works for).
On the other hand, a certificate issued by an accredited training provider is often worldwide recognized.
In short, if your need for certification is only for internal purposes, a certified ISO 27001 Lead Auditor can issue that for you. In case you need a certification that is widely recognized, you should look for an accredited training provider.
2. If true, is there a special certificate/training to be able to do this?
To become a certified ISO 27001 Lead Auditor you need to attend an ISO 27001 Lead Auditor course from an accredited training provider and pass its final exam.
In the link below, you can access the information about such a course:
These articles will provide you with a further explanation about lead auditors:
It depends. Referring to your employees' data, you act as a Controller, which is the legal entity that defines the means and purposes of processing personal data. That means that the Company is free to determine how data will be processed.
If you are an EU Controller you have to apply the GDPR to all your personal data processing, no matter where the data subjects are located. If you are not an EU Controller, and your employees are not located in the EU, then you don't have to comply with the GDPR.
Here you can find more information about the EU GDPR applicability:
ISO 27001 does not prescribe which scale should be adopted, so we adopted a 1-3 scale to make the risk assessment simpler and more practical (a 1-5 scale involves more values and alternatives).
These articles will help you:
By the way, the risk assessment process is also explained in this free online training:
While AS9100 clause 5.3 does not dictate exactly who is to be appointed the management representative, it does require that it shall be a specific member of the organization’s management, so appointing a non-management person does not meet this requirement. As for the pros and cons of appointing someone who is in very low-level management to this position, I can’t think of any pros, and the biggest risk is to the ability to have the “organizational freedom and unrestricted access to top management to resolve quality management issues” as required by the standard. This would occur if the low-level manager did not have the organizational clout to ensure that managers who are senior to the representative will resolve quality issues to the satisfaction of the quality representative.
You can read more on the quality management representative in the article: Is the management representative still required in AS9100 Rev D?, https://advisera.com/9100academy/blog/2017/05/22/is-the-management-representative-still-required-in-as9100-rev-d/
Thank you Mark. That's helped clarify the situation completely. Very helpful to understand the context of the QA Manual need outside the framework of the standard
Yes, clinical chemistry reagents are considered to be in vitro diagnostic medical devices; therefore ISO 13485:2016 is applicable as the quality management standard.
First of all, congratulations on your company’s achievement.
Regarding the IT assets disposal, you need to evidence that the applied data deletion method has made the previously stored information unrecoverable and that its application was verified and approved by the data owner.
For example, for a laptop, you can perform full disk encryption two or three times in a row, and at each time encryption is performed you must destroy the related encryption key.
As proof for auditors you can develop a "Destruction/Deletion Record" containing the information about the asset, the deletion method applied, the date when the procedure was performed, and the signature of the person responsible for the deleted data, as a confirmation that the procedure was successful.
For technical guidance, you should consider these references:
- ISO/IEC 27040 Information technology — Security techniques — Storage security - https://www.iso.org/obp/ui/#iso:std:iso-iec:27040:ed-1:v1:en
- NIST 800-88 - Guidelines for Media Sanitization https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final
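The procedure in the answer above (encrypt the whole medium, destroy the key, verify, record) as an added example in Python. This is not code from the page or from Advisera; the asset id, data owner and stored content are constructed, and a simplified HMAC-SHA256 counter-mode keystream stands in for the drive's real full-disk encryption (AES-XTS or similar). It shows the two checks a verifier can put in the record: that no known content survives on the medium, and that what is left looks like random noise rather than structured data.

```python
import hashlib
import hmac
import math
import secrets
from collections import Counter
from datetime import datetime, timezone

# Constructed sample content standing in for data that was stored on the asset.
KNOWN_SAMPLES = [
    b"PAYROLL-2023: constructed employee record",
    b"CONTRACT: constructed customer agreement",
]


def build_medium(size: int = 64 * 1024) -> bytearray:
    """Constructed stand-in for a disk image: zero-filled with the samples written in."""
    medium = bytearray(size)
    offset = 1024
    for sample in KNOWN_SAMPLES:
        medium[offset:offset + len(sample)] = sample
        offset += 4096
    return medium


def keystream(key: bytes, length: int) -> bytes:
    """Simplified counter-mode keystream from HMAC-SHA256 (assumption: a real drive uses AES-XTS)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_in_place(medium: bytearray, key: bytes) -> None:
    """XOR the whole medium with the keystream; without the key the result is unreadable."""
    for i, b in enumerate(keystream(key, len(medium))):
        medium[i] ^= b


def crypto_erase(medium: bytearray, passes: int = 2) -> int:
    """Encrypt the medium `passes` times, each with a fresh random key that is dropped
    right after the pass. With no key retained the ciphertext cannot be turned back
    into the original data. Returns the number of passes performed."""
    for _ in range(passes):
        key = secrets.token_bytes(32)
        encrypt_in_place(medium, key)
        del key  # simulated key destruction; a real process zeroises the key store
    return passes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 for random-looking data, near 0 for mostly-zero data."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def verify_sanitized(medium: bytes, known_samples=KNOWN_SAMPLES, min_entropy: float = 7.5) -> dict:
    """Two checks the record can cite: no known content survives, and the
    medium now looks like noise rather than structured data."""
    samples_found = [s for s in known_samples if s in medium]
    entropy = shannon_entropy(medium)
    return {
        "samples_found": len(samples_found),
        "entropy_bits_per_byte": round(entropy, 3),
        "passed": not samples_found and entropy >= min_entropy,
    }


def deletion_record(asset_id: str, method: str, verification: dict, data_owner: str) -> dict:
    """Destruction/Deletion Record with the fields listed in the answer; values are constructed.
    The data owner's approval is only recorded when verification passed."""
    return {
        "asset_id": asset_id,
        "deletion_method": method,
        "performed_at": datetime.now(timezone.utc).isoformat(),
        "verification": verification,
        "approved_by_data_owner": data_owner if verification["passed"] else None,
    }


def sanitize_asset(asset_id: str, data_owner: str, passes: int = 2) -> dict:
    """Run the full procedure on a constructed medium and return the record."""
    medium = build_medium()
    before = verify_sanitized(bytes(medium))  # expected to fail: samples present, low entropy
    done = crypto_erase(medium, passes)
    after = verify_sanitized(bytes(medium))
    method = f"cryptographic erase, {done} passes, each key destroyed after use"
    record = deletion_record(asset_id, method, after, data_owner)
    record["pre_erase_check"] = before
    return record


if __name__ == "__main__":
    import json
    print(json.dumps(sanitize_asset("LAPTOP-0001 (constructed)", "J. Doe (constructed)"), indent=2))
```

The pre-erase check is kept in the record on purpose: it documents that the verification method is actually capable of detecting the stored content, so a "passed" result after erasure means something. On a real asset the checks would run against the drive itself (or an image of it) rather than an in-memory buffer.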
No, these non-medical devices do not require a risk assessment. Of course, you have risk analysis under ISO 9001:2015, and you can cover any specific risks for these devices there.
You can find more about risk management within ISO 9001 at the following links:
First, it is important to note that ISO 27001 does not require an ISMS manual to be written, nor that documents be organized according to specific sections.
Considering that, the documents under the Documents module become available after you finish the template wizards or upload your own documents. The template wizards are suggested for the mandatory documents, and for documents related to the results of the risk assessment and the applicable legal requirements.
For further information, see: