Search results

Chapter 10.3 from IATF

First of all, the issue of high scrap should be included in your company's risk analysis. As a result, risks are fed by unfulfilled goals, trends that go higher than expectations, internal and external changes, and chronic problems.

Meanwhile, the high amount of scrap affects not only internal costs and profitability but also timely shipment to the customer.

If I were you, I would mention these issues in my production or quality process risk analysis.

In addition, the 6.1.2.1 Risk analysis article of the IATF 16949 standard  mentioned that, 

"The organization shall include in its risk analysis, at a minimum, lessons learned from product recalls, product audits, field returns and repairs, complaints, scrap, and rework. The organization shall retain documented information as evidence of the results of risk analysis.’’

Therefore, such lessons learned shall be noted sometimes in the D-FMEA and sometimes in the P-FMEA. If your company is not responsible for the design, of course, it does not need to use D-FMEA, but there may be areas in P-FMEA that need to be updated.

Whether it is AIAG FMEA rev 4 or AIAG&VDA FMEA; Error type, error reasons, and actions can be updated due to these scraps, which is expected.

But I cannot say that every CI project should be subject to risk analysis or P-FMEA, it is necessary to look at it on a case-by-case basis.

Risk Register & BYOD

1 - My first question is about infrastructure assets: do we have to include the private office of Singapore co-working space? What about air conditioning, power supply...? Also same question about the co-working space in Site B.

Answer: You should consider the co-working spaces as an outsourced service in your asset register (you can add a new asset like “co-working space provider”). Air conditioning, power supply, and other assets related to the co-working space should not be included (all these are provided by the co-working space provider).

2 - By extension, we have a BYOD policy. Do we need to include personal laptops and smartphones in the assets? 

Answer: If private assets (e.g., private laptops, private smartphones, etc.) are used for business purpose, then these should be included in the Risk Register.

3 - We are using a virtual server from a third-parties provider (2 in Site C, and 1 in Site A). Should we include these virtual servers in the assets? 

Answer: Yes, you should include this virtual server as a third-party service.

For further information, see:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

4 - We have a website: ***. Is it an asset? I saw in the list of assets: proprietary data. Could you give me an example of what it could be for us

Answer: Yes, a website is an asset - if you are using a cloud service for hosting your website then you could list something like 'XYZ service for hosting the website'. 

The scope of ISO 27001 training

All the examples given during the course are more suitable for small and mid-size companies (i.e., they consider a less complex environment).

If you will need to implement the standard in a corporation or you work for a corporation, you will just need to consider additional examples adapted to your company's needs.

Changing SOA in praparation of audit

You can make changes to the SoA prior to certification audits, but this will not have an effect on ISMS or certification scope. 

You can mark certain controls as not applicable in the SoA - however, be aware that controls can be marked as not applicable only if there are no related risks and if there are no requirements of interested parties for those controls.

Changing SOA in preparation of audit

You can make changes to the SoA prior to certification audits, but this will not have an effect on ISMS or certification scope. 

You can mark certain controls as not applicable in the SoA - however, be aware that controls can be marked as not applicable only if there are no related risks and if there are no requirements of interested parties for those controls.

Systems vs Suppliers

Please note that ISO 27001 approach for supplier security is through risk management and identification of applicable legal requirements (e.g., laws, regulations, and contracts). ISO 27001 does not use the concept of “critical supplier”.

Considering that, for each supplier, based on the results of risk assessment and applicable legal requirements, you must apply proportional security controls – i.e., the more risks, the more security controls will be required. Such controls may involve the implementation of controls on your own company and/or the enforcement of controls over suppliers by means of contracts or service agreements.

For example, in case of the HubSpot, in case related risks are considered too high, you should certainly address those through your own controls (e.g., backup, approval of access, etc.), and through agreements with HubSpot (if possible).

These articles will provide you with further explanation:

• Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

Secure development policy

Along with greetings, please we want to consult regarding the document "A.14_Politica_de_desarrollo_seguro_27001_ES", we need to know for point "3.3 Principles of safe engineering", if these principles should be detailed in this policy?, and if this is so, what principles should they be included? or provide some documentation or example to complement this point.

You can either document the principles you have in your organization in this section of the policy or refer to other documents where they are explained. Examples of principles are:

• security must be considered in business, data, application, and technological layers
• security must balance protection and accessibility needs
• adoption of user authentication techniques
• secure session control
• data validation
• guidance on secure programming techniques.

For further information, see:

• What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/

Human resources appendixes question

1. On the company there are a few courses from Udemy and Coursera that some employees have taken and others that are currently taking them, ¿are these courses considered as training programs so I can put them on the 4.1 and 4.3 Appendix?

2. Are training records (4.2 appendix) fully necesary? It's just that we currently don't implement trainings to monitor performance and we don't have trainings to fill the document, also, I understand this appendix refers to trainings that are needed due to bad performance, ¿am I right? Let me know if it refers to something else.

As stated in requirement 6.2 e), a training record is a must to maintain appropriate records of education, training, skills, and experience. Considering the monitoring of the performance, it is not necessary to make it for each training. You can state that for particular training performance monitoring is not necessary, meaning that you as the manufacturer can decide which training will require performance monitoring and which not.

Internal auditing

It is up to the laboratory to plan the internal program and define the scope of each audit as it suits operations. They should be based on risk, meaning if there are particular activities where nonconformances have occurred or there is pressure on the laboratory (increased risk), these activities should be included. There is no mandatory way to go about your internal audits; therefore, you can combine any activities and any assessments that you deem necessary. It is important to clearly define the audit scope and requirement criteria before you start. Then, as a competent auditor, you would proceed with the audit to the depth you deem necessary, raising findings against the specific criteria and referencing the ISO 17025 clauses.

The following will provide more information for you on Auditing and ISO 17025:
The White paper (free for download) How to perform an internal audit using ISO 19011 at https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011
The article ISO 17025 technical internal audit: The basics at https://advisera.com/17025academy/blog/2020/11/10/iso-17025-technical-internal-audit-the-basics/
The ISO 17025 document template: Internal Audit Procedure at https://advisera.com/17025academy/documentation/internal-audit-procedure
The Five Internal Audit Procedure appendices Internal Audit Program, Internal Audit Checklist, Audit Nonconformity Report, Internal Audit Process Checklist, and Internal Audit Report are available separately from the procedure link above; or included in the toolkit for preview and purchase.

Question about tensile testing

No reference materials are accredited by ISO 17025. The laboratory must determine the reference material/specimen criteria for any standard methods used,  and ensure these are complied with. I cannot comment specifically on a sector requirement.

For more information, have a look at

The article: What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
The ISO 17025 toolkit document template: Equipment and Calibration Procedure at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure/
The ILAC P10:07/2020 ILAC Policy on Metrological Traceability of Measurement Results  available from https://ilac.org/publications-and-resources/