Search results


  • The scope of ISO 27001 training

    All the examples given during the course are more suitable for small and mid-size companies (i.e., they consider a less complex environment).

    If you will need to implement the standard in a corporation or you work for a corporation, you will just need to consider additional examples adapted to your company's needs.

  • Changing SOA in preparation of audit

    You can make changes to the SoA prior to certification audits, but this will not have an effect on ISMS or certification scope. 

    You can mark certain controls as not applicable in the SoA - however, be aware that controls can be marked as not applicable only if there are no related risks and if there are no requirements of interested parties for those controls.

  • Systems vs Suppliers

    Please note that the ISO 27001 approach to supplier security is through risk management and identification of applicable legal requirements (e.g., laws, regulations, and contracts). ISO 27001 does not use the concept of a “critical supplier”.

    Considering that, for each supplier, based on the results of the risk assessment and applicable legal requirements, you must apply proportional security controls – i.e., the more risks, the more security controls will be required. Such controls may involve the implementation of controls in your own company and/or the enforcement of controls over suppliers by means of contracts or service agreements.

    For example, in the case of HubSpot, if related risks are considered too high, you should certainly address them through your own controls (e.g., backup, approval of access, etc.) and through agreements with HubSpot (if possible).

    These articles will provide you with further explanation:

  • Secure development policy

    Along with greetings, we want to consult regarding the document "A.14_Politica_de_desarrollo_seguro_27001_ES". We need to know, for point "3.3 Principles of safe engineering", whether these principles should be detailed in this policy, and if so, which principles should be included; or, alternatively, could you provide some documentation or an example to complement this point?

    You can either document the principles you have in your organization in this section of the policy or refer to other documents where they are explained. Examples of principles are:

    • security must be considered in business, data, application, and technological layers
    • security must balance protection and accessibility needs
    • adoption of user authentication techniques
    • secure session control
    • data validation
    • guidance on secure programming techniques.

    For further information, see:

  • Human resources appendixes question

    1. In the company there are a few courses from Udemy and Coursera that some employees have taken and others are currently taking. Are these courses considered training programs, so that I can put them in Appendix 4.1 and Appendix 4.3?
    Yes, you can consider them as training and keep records of it. You as the manufacturer must decide which training is necessary for your employees to have proper competencies for particular responsibilities or job positions.

    2. Are training records (Appendix 4.2) fully necessary? It's just that we currently don't implement trainings to monitor performance, and we don't have trainings to fill the document with. Also, I understand this appendix refers to trainings that are needed due to bad performance; am I right? Let me know if it refers to something else.

    As stated in requirement 6.2 e), a training record is a must in order to maintain appropriate records of education, training, skills, and experience. Regarding the monitoring of performance, it is not necessary to do it for each training. You can state that for a particular training performance monitoring is not necessary, meaning that you as the manufacturer can decide which trainings will require performance monitoring and which will not.

  • Internal auditing

    It is up to the laboratory to plan the internal program and define the scope of each audit as it suits operations. They should be based on risk, meaning if there are particular activities where nonconformances have occurred or there is pressure on the laboratory (increased risk), these activities should be included. There is no mandatory way to go about your internal audits; therefore, you can combine any activities and any assessments that you deem necessary. It is important to clearly define the audit scope and requirement criteria before you start. Then, as a competent auditor, you would proceed with the audit to the depth you deem necessary, raising findings against the specific criteria and referencing the ISO 17025 clauses.

    The following will provide more information for you on Auditing and ISO 17025:
    The White paper (free for download) How to perform an internal audit using ISO 19011 at https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011
    The article ISO 17025 technical internal audit: The basics at https://advisera.com/17025academy/blog/2020/11/10/iso-17025-technical-internal-audit-the-basics/
    The ISO 17025 document template: Internal Audit Procedure at https://advisera.com/17025academy/documentation/internal-audit-procedure
    The Five Internal Audit Procedure appendices Internal Audit Program, Internal Audit Checklist, Audit Nonconformity Report, Internal Audit Process Checklist, and Internal Audit Report are available separately from the procedure link above; or included in the toolkit for preview and purchase.

  • Question about tensile testing

    No reference materials are accredited by ISO 17025. The laboratory must determine the reference material/specimen criteria for any standard methods used, and ensure these are complied with. I cannot comment specifically on a sector requirement.

    For more information, have a look at

    The article: What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
    The ISO 17025 toolkit document template: Equipment and Calibration Procedure at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure/
    The ILAC P10:07/2020 ILAC Policy on Metrological Traceability of Measurement Results, available from https://ilac.org/publications-and-resources/

  • 4.4.1.2 Product Safety

    As you know, article 4.4.1.2 of the IATF 16949:2016 standard is related to product safety. You can document its requirements, from subparagraph a) to subparagraph m), in the form of a procedure, an instruction, a manual, or a process.

    The important thing is that you have somehow defined it in the quality management system.

  • Audit Reporting

    First, I would check what your internal audit procedure recommends in these cases.

    Since it is an internal audit, what to do depends on internal policy, tradition, or culture.

    If there is enough evidence collected during the pre-audit planning, it is irrelevant whether it is a nonconformity, a remark, or a non-official nonconformity. You want the organization to be aware of the situation and act upon it. Whether it is a formal or an off-the-record nonconformity is irrelevant.
