Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Guest
1) I understand that the CISO performs internal audits in a company, but who should audit the CISO?
Answer: First is important to note that CISO is a very bad choice for the internal auditor because of the obvious conflict of interest (this role is in general responsible for all the ISMS, and auditors cannot audit their own work).
Considering that, you must consider another person to be the internal auditor (e.g., train another employee as internal auditor, or hire an external auditor).
For further information about CISO, see:
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
- Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
2) Our company is dedicated to selling ERP in SaaS mode (software as a service), how should control A.14.3.1 (Protection of test data) be implemented? ... it is necessary to obfuscate the information of customers who are in the database?
Answer: The way to implement control A.14.3.1 will depend on the results of risk assessment and identified legal requirements. For example, risk assessment may identify that only strict control to test database is enough, or that creation of randomized dummy customer data may be needed. Additionally, contractual clauses may require the use of specific techniques, or forbid others, and some regulations like GDPR may require anonymization of test data.
This article will provide you a further explanation about the software development life cycle:
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
This material will also help you regarding ISO 27001 controls:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Thank you very much!
With ISO 9001:2015 there is no longer a mandatory requirement for a quality management representative (QMR). ISO 9001:2015 makes no mention of a QMR.
You can find more information below:
"1.If the assessment of customer satisfaction (according to ISO 9001:2015) by the auditee is still mandatory, even if the related procedure and records are not more mandatory?
Answer:
It is mandatory that an organization determines how to get, monitor and review information about what is commonly called “customer satisfaction”.
2.Are auditors and certification bodies simply allowed to decide to not take into account as NEEDED the customers' satisfaction assessment by the auditees?"
Answer:
If clause 9.1.2 is included in the scope the audit, auditors should audit the customers' satisfaction assessment by the auditees. They can ask: how do you get and monitor customers’ satisfaction feedback? Did you receive that feedback? Did you analyze that feedback? What were your conclusions and decisions?
You can find more information below:
First, consider the scope of the audit. Will you audit one or more processes? Will you audit one or more departments or teams?
Then, study the audit criteria (ISO 9001:2015 clauses applicable within the scope, procedures, instructions, …). While studying the audit criteria start listing the questions that you want to make to whom, start listing what you want to see and where to think about the sample size that you should consider to later support your audit conclusions.
After this, you should have an idea about the time needed for each stage in your audit, considering the number of questions to ask and to whom, what you want to observe, the sample size, the number of records you want to check. Normally, 20 minutes is the minimum I take for each stage, and 1 hour the maximum.
You can find more information below:
ISO 9001:2015, clause 7.5.2 a), invites each organization to determine a document identification methodology, it gives some examples but does mandate a particular solution.
Without seeing the different types of documents and where are they located in document structure as presented in this article - How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/ - it is not very easy. The point is, your organization can design its own way for each kind of documents: a name, a code, a number. Isolated or linked to processes, to departments, to lines of business.
You can find more information about documentation below:
Records are the memory of an organization. Organizations without records, or missing records, or not knowing where to find them, are organizations with learning problems.
This is mainly treated in ISO 9001:2015 clause 7.5.3:
In the following diagram, I organize a set of questions to ensure records management.
You can find more information about records below:
what department to start the implementation?
Answer:
There is no technical answer to this question.
Normally, I like to start with a process (includes more than one department) that rapidly brings performance improvements. For example, for a manufacturing company, starting with a process like “Supply materials” (evaluate and qualify suppliers, order materials, receive and control materials, store materials, supply materials), may bring more confidence, more control, and show measurable gains.
Sometimes I have the opportunity to start with top management clauses and processes. Normally, when top management is really committed to the management system.
what the scope should cover?
Answer:
There is no technical answer to this question.
Deciding on the scope of a quality management system (QMS) is a management decision. For example, a hotel:
A hotel may develop a QMS just for the hospitality part, and just for travel agencies, not for treating individual guests.
You can find more information below:
In the TITLE 21--FOOD AND DRUGS CHAPTER I--FOOD AND DRUG ADMINISTRATION DEPARTMENT OF HEALTH AND HUMAN SERVICES SUBCHAPTER A – GENERAL, Part 11 Electronic records, electronic signatures is stated that c) Where electronic signatures and their associated electronic records meet the requirements of this part, the agency will consider the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings as required by agency regulations, unless specifically excepted by regulation(s) effective on or after August 20, 1997.
For more information, see:
As you know, the involvement of top management is important for the IATF 16949: 2016 standard, and there are many requests in clause 5 specifically on this issue.
I can suggest a few methods to get senior management involved.