Search results

Pre-requisite/eligibility criterion for 9001:2015 Internal Auditor certification

No, there is no pre-requisite for being an ISO 9001:2015 internal auditor. Each organization has the authority to determine what should be its own criteria either as a pre-requisite, not mandatory, either as competence requirement, mandatory.

Normally, organizations decide that internal auditors should have a good knowledge of the standard and of good auditing practices.

You can find more information below:

• Free online training ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
• Article - ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
• Webinar - Free webinar on-demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
• Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

Making of a quality flow chart

Please check this free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/ - where I explain how to develop process mapping, drawing a model of how an organization works, based on the process-approach, and how to draw a flowchart describing each process.

The following material will provide you information about processes:

• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (where I apply the process approach as the basis for developing a quality management system)

Is IATF accreditation necessary?

The conditions for obtaining the IATF 16949: 2016 certificate are specified in IATF Rules 5. I give the details below to obtain this certificate.

1. Suppliers who produce parts for OEM (Original Equipment Manufacturer) and/or OES (Original Equipment Service) customers in the automotive industry and these parts must be fitted to the vehicle. As you know, production methods such as heat treatment, coating, assembly, welding, and the like are included in this scope.

2. The suppliers must be able to ship to the customer continuously and in mass production. If the produced 3D part is attached to the vehicle serially, the IATF 16949: 2016 certificate may be required. For this, it may be necessary to get the opinion of the customer.

3. Suppliers who manufacture aftermarket parts cannot apply for IATF 16949: 2016 certification.

The customer-specific requirements (CSR’s) must first determine the conditions for IATF 16949: 2016 certificate. If the supplier meets the above conditions and the customer has required to obtain the IATF certificate, then the supplier can apply for a certification audit to the certification body.

Rather than the supplier is small or large; especially, suppliers who produce parts directly for OEM and/or OES customers such as Ford, Daimler, Renault, etc., must obtain the IATF 16949: 2016 certificate if the customer does not have a different requirement.

Apart from that, an accredited ISO 9001: 2015 certificate is sufficient for automotive customers. Because of the first requirement for the IATF 16949: 2016, the standard is to be ISO 9001: 2015 accredited for the suppliers. Apart from this, the customer-specific requirement (CSR) of the customer is of course important.

For more information, see:

• Key Benefits of IATF 16949 Implementation https://advisera.com/16949academy/knowledgebase/key-benefits-of-iatf-16949-implementation/
• Project plan for IATF 16949:2016 implementation https://info.advisera.com/16949academy/free-download/project-plan-for-iatf-16949-implementation-presentation
• What are the main differences between IATF 16949 and ISO 9001? https://advisera.com/16949academy/blog/2019/11/19/iso-9001-vs-iatf-16949-what-is-the-difference/

Is PII Information?

1 - Is customer PII considered as Information in ISO 27001:2013 Standard?

Answer: Information is any data with meaning, and ISO 27001 was designed to protect any kind of information, so Customer Personally Identifiable Information (PII) is also considered in its scope.

These articles will provide you a further explanation about ISO 27001:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

This material will also help you regarding ISO 27001:
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

2 If yes then shouldn't monitoring of PII shared with vendors be mandatory and not dependent upon contractual agreement. Shouldn't this activity be not allowed to be excluded from contractual agreement? This question confuses me on allowing exclusions in ISMS

Answer: First is important to note that for most countries the protection of PII is not a contractual obligation, but a legal obligation. For example, we have GDPR in Europe, CCPA in U.S., and LGPD in Brazil.

GDPR and other regulations require a contract between controller and a processor, in cases both when the outsourced processing is done within the country and outside the country.

For further information, see:
- EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//

IT Auditing

1 - I am working with companies as a consultant and helping them prepare policies they require for ISO27001 and ISAE3402 (also SOC1 and SOC2). I have also managed the audit process for my own business. My question is what can I do if I get certified that I can't do now?

Answer: ISAE3402 is out of our fields of expertise to provide a proper answer, but regarding ISO 27001, if you are a certified ISO 27001 Lead Auditor, you can work for certification bodies as a certification auditor.

Another available ISO 27001 certifications are ISO 27001 lead auditor and ISO 27001 lead implementer, but they are not required for performing internal audit, or ISO 27001 implementation, respectively, but they can improve your chances to get related jobs.

For further information, see:
- ISO 27001 Internal Auditor training – Is it good for my career?  https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/  

- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/

- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

About courses related to these certifications, see:
If your intent is to apply for ISO 27001 information security-related jobs, you should consider these courses:

- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

- ISO 27001 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
- ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

2 - Secondly, do I have to get certified for all 4 - ISAE3402/ISO27001/SOC1/SOC2 or can I do one overarching certification that will apply to all? 

Answer: We are unaware of single certifications that cover all these standards, so you should contact ISO accredited training providers, or the organizations responsible for ISAE 3402 and SOC1/SOC2 frameworks, the ask for such information.

3 - Also what are the global bodies that accredit ISO certifications and does that apply to Advisera? Thanks for your help.

Answer: Considering ISO 27001 personal certification, the most recognized accreditation bodies for training providers are IRCA, PECB, and Exemplar Global (formerly RABQSA).

Advisera is accredited by Exemplar Global for 27001, 9001, and  14001 Foundations, Internal audit and Lead audit courses.

Documents necessary for audit

Besides mandatory documents required by the standard (e.g., ISMS scope, Information Security Policy, etc.), and documents related to controls implemented to treat relevant risks and applicable legal requirements, only documents deemed relevant by the own organization need to be presented to an Audit for ISO 27001 Certification, and these will depend on business needs, strategies, and objectives.

For example, an organization may identify that projects’ specifications are relevant for the ISMS scope, then these will need to be presented to the auditor. The same applies to processes maps.

Regarding an ISMS manual, in fact, ISO 27001 requirements have never prescribed the development of an ISMS Manual, and for good reasons. If you put all the policies and procedures into a single document, this will make the reading of such a document very difficult. Additionally, the standard already has a requirement for a document that describes how a company will implement its information security – it is called Statement of Applicability.

Included in your toolkit there is a List of documents file which identifies which documents are mandatory and those most often used because they are considered good practice.

These articles will provide you  further explanation about ISMS Manual and mandatory documents:
- Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/ 

These materials will also help you regarding ISMS documentation:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 9001 Auditor path requirements

Glad to hear that you enjoyed the experience and want to go deeper. Being an electrical engineer may provide you with an advantage while auditing organizations where that is a plus and will not harm you while auditing other kinds of organizations.

So, after developing your experience as an internal auditor you can think about becoming a lead auditor and start thinking about working for a certification body. Consider our ISO 9001:2015 Lead Auditor Training Course - https://advisera.com/training/iso-9001-lead-auditor-course/

You can find more information below:

• Article - ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
• Webinar - Free webinar on-demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
• Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

Control of documents

Dear Carlos, thank you the feedback. It is helpful

Dealing with business processes experience

ISO 27001 allows you the flexibility to define what will be included in the scope - it is recommended to include the processes. locations or departments that include the most sensitive information. You cannot define the scope only for an information system.

These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding scope definition:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Understanding the requirements of clause 8.4 of the ISO 9001:2015

8.4.1 is about:

What processes (subcontracting), what products and services are relevant to the operation of your organization and are acquired from an external provider? Relevant in the sense: They help to make a difference; or avoid flaws that the customer recognizes and negatively values. In other words, you do not need to apply the requirements of the standard to everything you buy.

So 8.4.1 is about qualifying a potential supplier, is about selecting a supplier to satisfy a particular need:

And periodically evaluate supplier performance based on delivery results.

About 8.4.2 it better specifies the part of the control mentioned above: what to control during delivery, how to evaluate, who does what, what specifications, what records are used.

8.4.3 is about the information that goes on orders or contracts: The description of the product, service or process (1) Methods, processes or equipment to be used or to be followed in the provision of services (2) Relevant quality control criteria (3) In cases where there is a requirement of competence, mention it (c) It can sometimes make sense to describe means of contact, contact persons, authorities (d) It may make sense to define quality control rules during the provision of the service (e). It is to clarify that the company can go to the supplier's premises to carry out an audit or a quality control (f)

The following material will provide you more information:

• Purchasing in QMS – The Process & the Information Needed to Make it Work - https://advisera.com/9001academy/blog/2014/03/18/purchasing-qms-process-information-needed-make-work/
• ISO 9001 document template: Procedure for Purchasing and Evaluation of Suppliers - https://advisera.com/9001academy/documentation/procedure-purchasing-evaluation-suppliers/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/