As you are performing internal audits on behalf of laboratories for their ISO 17025:2017 management system purposes, not on behalf of a certification body, ISO 17025 Lead Auditor certification is not mandatory. It is important, however, if your customers require it, or if you see it as a means to further develop your skills and career. As per ISO 17025:2017 clause 6.6, Externally provided products and services, the requirement is that as an external provider, you should be competent (able to apply your knowledge and skills) to perform the contracted tasks and provide a service that meets the laboratory's need. The laboratory must communicate to you the reason they are contracting you and the qualification and competence required. This should include whether they require you to have lead auditor certification or not.
If you choose to obtain ISO 17025:2017 Lead Auditor certification, select a suitable course offered by an approved Training Partner of an international certification body such as Exemplar Global (formerly RABQSA) or IRCA (The International Register of Certificated Auditors).
As ISO 9001 is incorporated into the ISO 17025:2017 Management requirements and ISO 17025 Lead Auditor certification courses may not be as readily available as ISO 9001, you may consider starting by enrolling in the free ISO 9001 Lead Implementer Course. It is available at https://advisera.com/training/iso-9001-lead-implementer-course/.
There is information about certification on that page and you can also have a look at Advisera’s Certification FAQs at https://advisera.com/training/eu-gdpr-courses/
All the products you mention are templates in MS Excel - therefore, you can adapt them (or merge them) as you see fit, and you can copy and paste the data from one document to another.
On the landing page of each of those documents you can see a free preview and download a free demo of each document:
A backout procedure is your plan in case a change is not implemented successfully. It will help you return to the initial state (before the change was implemented) or take some other remediation actions (e.g. in case you can't go back to the initial state: revisiting the change and the actions performed to find the error, etc.).
Here are some more details:
Service Transition in ITIL https://advisera.com/20000academy/blog/2013/06/11/service-transition-itil/
What is the remediation procedure and back-out in the ITIL/ISO 20000 Change Management process? https://advisera.com/20000academy/blog/2017/06/13/what-is-the-remediation-procedure-and-back-out-in-the-itiliso-20000-change-management-process/
The RAG rating system is a standard system typically used for rating tasks in project management as Red/Amber/Green (much like a traffic light), indicating whether they are in trouble, on track, or have no problems.
Keeping in mind that this is not a requirement of OHSAS 18001 or ISO 45001, you could use this as part of an assessment report by rating whether a task was on time, whether a requirement was not met or partially met, or the status of a risk. How you use it would be up to you, as it is your choice how you want to assess something and not a requirement of the standard.
If you are looking for a simple gap analysis tool you can check out our Free ISO 45001 Gap Analysis Tool, https://advisera.com/45001academy/iso-45001-gap-analysis-tool/
If I understood well, you're asking why ISO 27001 was not mentioned in the LGPD (Brazilian personal data protection law).
Typically, laws and regulations do not require particular standards to be implemented because they do not want to prescribe what the implementation needs to look like.
GDPR (European personal data protection regulation) is very similar to LGPD, and it also does not refer to ISO 27001 - we have analyzed GDPR and found ISO 27001 to be very useful for its implementation, you can find the white paper here: What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
As per ISO 45001 there is no defined mechanism in the standard for identifying and assessing the OH&S opportunities and other opportunities. It is up to the company to determine the process and assessment criteria it will use.
You can find out more in the article: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
Yes, all clauses of the standard are to be included in the internal audit program. If your organization uses those processes to manage those topics, they should be audited.
For example, about the Corrective Action Process I would like to verify if you develop corrective actions, if your corrective actions act upon true root causes, if your corrective actions are implemented and effective, and if your corrective actions take too much time to take place.
The following material will provide you information about audits:
- ISO 9001 – What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
- free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
- book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
I'm sorry about this confusion - yes, you should go with the "Integrated" version; this one is optimized if you go only for ISO 27001 implementation.
"Premium" is optimized if you go for both ISO 27001 and ISO 22301 standards, while "Cloud" is if you go for ISO 27001, ISO 27017 and ISO 27018 standards.
In the ISO terminology, other requirements could be regulatory or contractual requirements.
This article will help you: How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
As per the AS9100 requirements, the quality policy does not need to make reference to the AS9100 standard, so if you choose to include this, you can choose not to include the revision level. As for business cards, this is also not detailed in the requirements of the standard.
You can find out more on the policy in the article: How to write the AS9100D Quality Policy, https://advisera.com/9100academy/blog/2018/07/09/how-to-write-the-as9100d-quality-policy/