  • Mandatory documents

    Please note that organizations can still certify against ISO 27002:2013 until October 31, 2023, and companies already ISO 27001:2013 certified still have until October 31, 2025, to make the transition to ISO 27001:2022.

    For further information, see:

  • ISO 22301 IT

    For ISO 22301 certification you need to include all the activities in your company (i.e., also business activities, not only IT or cybersecurity activities).

    For further information, see:

    • How to implement ISO 22301 in 17 steps https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/

    • Chapter 10.3 from IATF

      First of all, the issue of high scrap should be included in your company's risk analysis. As a result, risks are fed by unfulfilled goals, trends that go higher than expectations, internal and external changes, and chronic problems.

      Meanwhile, the high amount of scrap affects not only internal costs and profitability but also timely shipment to the customer.

      If I were you, I would mention these issues in my production or quality process risk analysis.

      In addition, the 6.1.2.1 Risk analysis article of the IATF 16949 standard mentions that:

      "The organization shall include in its risk analysis, at a minimum, lessons learned from product recalls, product audits, field returns and repairs, complaints, scrap, and rework. The organization shall retain documented information as evidence of the results of risk analysis."

      Therefore, such lessons learned shall be noted sometimes in the D-FMEA and sometimes in the P-FMEA. If your company is not responsible for the design, of course, it does not need to use D-FMEA, but there may be areas in P-FMEA that need to be updated.

      Whether it is AIAG FMEA rev 4 or AIAG&VDA FMEA, error types, error reasons, and actions can be updated due to these scraps, which is expected.

      But I cannot say that every CI project should be subject to risk analysis or P-FMEA; it is necessary to look at it on a case-by-case basis.

    • Risk Register & BYOD

      1 - My first question is about infrastructure assets: do we have to include the private office of the Singapore co-working space? What about air conditioning, power supply, etc.? The same question applies to the co-working space in Site B.

      Answer: You should consider the co-working spaces as an outsourced service in your asset register (you can add a new asset like “co-working space provider”). Air conditioning, power supply, and other assets related to the co-working space should not be included (all these are provided by the co-working space provider).

      2 - By extension, we have a BYOD policy. Do we need to include personal laptops and smartphones in the assets? 

      Answer: If private assets (e.g., private laptops, private smartphones, etc.) are used for business purposes, then these should be included in the Risk Register.

      3 - We are using virtual servers from a third-party provider (2 in Site C, and 1 in Site A). Should we include these virtual servers in the assets?

      Answer: Yes, you should include these virtual servers as a third-party service.

      For further information, see:
      - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

      4 - We have a website: ***. Is it an asset? I saw in the list of assets: proprietary data. Could you give me an example of what it could be for us?

      Answer: Yes, a website is an asset - if you are using a cloud service for hosting your website then you could list something like 'XYZ service for hosting the website'. 

    • The scope of ISO 27001 training

      All the examples given during the course are more suitable for small and mid-size companies (i.e., they consider a less complex environment).

      If you will need to implement the standard in a corporation or you work for a corporation, you will just need to consider additional examples adapted to your company's needs.

    • Changing SOA in preparation of audit

      You can make changes to the SoA prior to certification audits, but this will not have an effect on ISMS or certification scope. 

      You can mark certain controls as not applicable in the SoA - however, be aware that controls can be marked as not applicable only if there are no related risks and if there are no requirements of interested parties for those controls.

    • Systems vs Suppliers

      Please note that the ISO 27001 approach to supplier security is through risk management and identification of applicable legal requirements (e.g., laws, regulations, and contracts). ISO 27001 does not use the concept of a “critical supplier”.

      Considering that, for each supplier, based on the results of the risk assessment and applicable legal requirements, you must apply proportional security controls – i.e., the more risks, the more security controls will be required. Such controls may involve the implementation of controls in your own company and/or the enforcement of controls over suppliers by means of contracts or service agreements.

      For example, in the case of HubSpot, if related risks are considered too high, you should certainly address those through your own controls (e.g., backup, approval of access, etc.), and through agreements with HubSpot (if possible).

      These articles will provide you with further explanation:

    • Secure development policy

      Along with greetings, we would like to consult regarding the document "A.14_Politica_de_desarrollo_seguro_27001_ES". For point "3.3 Principles of safe engineering", we need to know whether these principles should be detailed in this policy and, if so, which principles should be included, or whether you can provide some documentation or an example to complement this point.

      You can either document the principles you have in your organization in this section of the policy or refer to other documents where they are explained. Examples of principles are:

      • security must be considered in business, data, application, and technological layers
      • security must balance protection and accessibility needs
      • adoption of user authentication techniques
      • secure session control
      • data validation
      • guidance on secure programming techniques.

      For further information, see:

    • Human resources appendixes question

      1. In the company there are a few courses from Udemy and Coursera that some employees have taken and others are currently taking. Are these courses considered training programs, so that I can put them in the 4.1 and 4.3 Appendix?

      Yes, you can consider them as training and make records about it. You, as the manufacturer, must decide which training is necessary for your employees to have proper competencies for particular responsibilities or job positions.

      2. Are training records (4.2 appendix) fully necessary? It's just that we currently don't implement training to monitor performance and we don't have training to fill the document. Also, I understand this appendix refers to training that is needed due to bad performance; am I right? Let me know if it refers to something else.

      As stated in requirement 6.2 e), a training record is a must to maintain appropriate records of education, training, skills, and experience. Considering the monitoring of performance, it is not necessary to do it for each training. You can state that, for a particular training, performance monitoring is not necessary, meaning that you, as the manufacturer, can decide which training will require performance monitoring and which will not.
