Search results

Finding an auditor

From your question is not clear if you are referring to an internal auditor or a certification auditor, so the answer will cover both situations.

The “DIY with expert support” approach does not change the main points you need to consider.

When looking for an auditor to perform an internal audit you should consider:

• the knowledge about your industry
• reputation
• pricing

We are not aware of specific jobs, boards, or professional associations of ISO 27001 internal auditors, so your best approach would be looking for them on professional social networks like LinkedIn, ISO 27001 security group on Google Groups, or organizations which issue certificates for information security professionals like ISC2 or ISACA.

For further information, see:

• Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
• 5 criteria for choosing an ISO 22301 / ISO 27001 consultant https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/

When looking for an auditor to perform a certification audit you need in fact to look for a certification body, and for this, there are several factors you should take into account when selecting a certification body, please read this article:

• How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

The main certification bodies for ISO 27001 are:

• BSI: https://www.bsigroup.com
• Bureau Veritas: https://www.dnvgl.com/
• DNV: https://www.dnvgl.com/services?ServiceTypes=136423
• SGS: www.sgs.com/
• TUV: www.tuv.com

You can also find a proper certification body at this link: https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

You can use this link to enter your profile, and we will find the certification body that best fits your needs.

ISO 9001 Secondary review

No, records should be reviewed by the function with the authority to do it. If we are speaking of records from the purchasing area perhaps your quality system determines that review for content and approval is made by a function in the purchasing department.

During internal audits, auditors can audit records for content and approval.

You can find more information about documentation below:

• New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
• Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

ISO 9001 QMS

ISO 9001 in its latest version of 2015 does not require a quality manual. So, a quality manual is no longer mandatory. However, as a consultant working with organizations, I recommend developing a quality manual. 

Since it is no longer mandatory, we are free to design its content. I recommend designing a document that presents the quality management system. Presenting:

• your organization and its history
• the scope of the quality management system
• its quality policy
• its model of working based on the process approach 

 In plain English would be something like:

• Who are we?
• To whom do we work?
• What are our priorities?
• How do we work? 

The following material will provide you information about the quality manual:

• The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
• Free online training ISO 9001:2015 ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Recommendations for the registrar

I´m assuming that by registrar you are referring to a certification body.

Considering that, the main certification bodies for ISO 27001 are:

• BSI: https://www.bsigroup.com
• Bureau Veritas: https://www.bureauveritas.com
• DNV: https://www.dnvgl.com/
• SGS: https://www.sgs.com/
• TUV: https://www.tuv.com

From their main site, you can verify if they have offices in your country.

To help you select a certification body, I recommend these materials:

• How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
• List of Questions to ask an ISO 27001 or ISO 22301 certification body https://info.advisera.com/27001academy/free-download/list-of-questions-to-ask-an-iso-27001-certification-body

This material will also help you regarding preparation for certification:

• Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/

Calculating ROI for ISO 27001 ISMS implementation program

The best way to calculate the Return on Security Investment (ROSI) is to relate the investment in information security with the economic benefits that this will bring to the business. The calculation of the ROSI can be based on:

• Costs of incidents by taking into account all the relevant costs if an incident occurs and the probability of an incident. These are some types of incidents: Malicious activity (virus, trojan horses, etc.), unintentional human error (delete critical information by error, etc.), system errors/malfunctions (hardware failure, etc.), natural disaster & force majeure (earthquake, flood, etc.)
• Costs of security measures/controls and the level to which the risk of this incident would decrease because of such mitigation

This free tool can be very useful to give you an idea of how to calculate ROSI:

• Free Return on Security Investment Calculator: https://advisera.com/27001academy/free-tools/free-return-security-investment-calculator/ 

This article can be also interesting for you:

• Is it possible to calculate the Return on Security Investment (ROSI)? https://advisera.com/27001academy/blog/2011/06/13/is-it-possible-to-calculate-the-return-on-security-investment-rosi/

Clause 7.5.1

Please note that the “shall” word in this clause refers to all documents defined as mandatory by the standard and to those considered necessary by the organization. It does not specifically define a procedure for documentation control as mandatory.

So a documentation control procedure is not mandatory.

This article will provide you a further explanation about ISO 27001 mandatory documents:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

These materials will also help you regarding ISO 27001 documents:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Accreditation of GMO lab

The applicable standard for all non-medical testing laboratories is ISO 17025:2017. Depending on the country and accreditation body, a specific program may be on offer. For example, under Life Sciences where the accreditation body will have mandatory additional criteria and recommendations for testing genetically modified (GM) material. An accreditation body could offer a flexible scope of accreditation for laboratories quantifying GMOs. In the European Union for example, there is a published guideline for such flexible scopes. You can go to https://ec.europa.eu/jrc/en/publications-list and search for the keywords “flexible scope GMO”.

In some cases the program would be under General Testing, where accreditation would be per test; for example Material type: Foods and Food Products – Rice: Detection of genetically modified organism; or under the Biological program, for example Screening for Genetically Modified Organisms (GMO) by Immunoassay. I suggest you contact your accreditation body to find out the specific program and additional criteria.

For general information regarding ISO 17025, have a look at the article What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/

Protecting and keeping data safe

First is important to note that only because you are transferring the risk to a cloud provider, it does not mean the risk will be automatically lower. It only means that it will be handled by other entities, which in most cases will have a better cost-benefit relation when comparing to treating the risk yourself.

Considering that, to get by extension the benefits of a certified cloud provider, and ensure the provider will handle your data properly, you need to have a contract or service agreement with it covering your security needs. So, instead of implementing controls related directly to the identified risks, you will need to consider for them controls to handle supplier relationships.

These articles will provide you a further explanation about supplier security:

• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
• Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

These materials will also help you regarding supplier security:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Career in compliance

I’m assuming that by compliance you mean activities related to ISO 27001 audit.

Considering that, you have two options:

• ISO 27001 Internal Auditor – this career involves audit an ISMS against ISO 27001 requirements in your own organization.
• ISO 27001 Lead Auditor – this career involves auditing an ISMS against ISO 27001 requirements as certification auditors (i.e., work for a certification body).

These articles will provide you a further explanation about ISO 27001 personnel certifications:

• ISO 27001 Internal Auditor training – Is it good for my career?  https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/ 
• What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

For courses related to these certifications, please see:

• ISO 27001 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
• ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/