The lead auditor course is the first step to becoming a certification auditor. The process to become an ISO 9001 Lead Auditor and get a job, whether permanent, temporary, or as a freelancer, will take you some time because first you need to have practical experience in auditing methodologies and techniques. In this article you will find some information on how to become an ISO 9001 Lead Auditor - Benefits and potential problems becoming an ISO 9001 lead auditor: https://advisera.com/9001academy/blog/2020/04/10/how-to-become-an-iso-9001-lead-auditor/
Once you have become a lead auditor you may look for a job opportunity in order to become a full-time employed auditor or to work as a subcontractor with some of the certification bodies.
Mandatory records and Customer Relationship Management
Answer:
Just considering ISO 9001:2015 requirements the answer is no. Please check clause 8.2.3.2 – the only mandatory records are about product/service specifications and about reviewing customer’s orders. There are no required records about visiting customers.
After saying this, I must add that as a consultant I recommend companies to keep records about the relationship with their customers (CRM is about this) in order to detect trends.
The following material will provide you with information about mandatory records:
Responsibilities for communication of information related to information security, and for the adoption and implementation of the Training and Awareness Plan, can be designated to the Chief Information Security Officer (CISO), if the organization decides to implement such a role, or to an existing role with access to Top Management.
There are a significant number of variables to be considered when estimating an implementation cost, but you have already figured out some important issues. Broadly speaking, I can suggest these main topics to consider:
- Training and literature
- External assistance
- Technologies to be updated / implemented
- Employees' effort and time
- The certification process
Regarding ISMS maintenance costs, the above-mentioned costs also have to be considered, but at different levels, and you have to add the surveillance audit costs for certification maintenance.
Interested parties, strategic orientation and ISO 9001:2015
Answer:
ISO 9001:2015 clause 4.2 has requirements about interested parties and their expectations. I like to address this topic with an overall strategic view. Your organization has customers; they are the reason for your organization’s existence. So, customers are a natural interested party. Customers are all different and can be segmented into groups. For example, some value above all a low price, some value the service or the customization, and some value brand or innovation. Each group has different expectations. Your organization can also work with:
* influencers, for example, bloggers that promote your organization’s products and services among potential customers;
* regulators, for example, to promote certain product or service requirements;
* customers of your organization’s customers, for example, they can be more receptive to your organization’s value proposition, and they have power over your customer;
* suppliers, for example, perhaps your organization has a particular supplier that is strategically important because they can give important support;
* employees, for example, perhaps your organization has some employee categories with well-trained people highly coveted by the competition.
What are their expectations, and why should they work with your organization? Why should they prefer to work with your organization?
It is becoming increasingly common for an organization, in order to succeed, to consider an ecosystem of stakeholders that extends well beyond the classic organization-client relationship.
Control A.14.2.5 Secure System Engineering Principles
Answer:
Since you have identified that control A.14.2.5 is applicable, I'd suggest you first review your risk assessment and legal requirements, because principles and policies are closely related, and maybe the Secure Development Policy would also be applicable to your ISMS.
If it is confirmed that there is no need for a Secure Development Policy, then you can use the text from section 3.3 of the Secure Development Policy template to develop a document that will fulfill your specific needs.
You only have to develop policies and implement controls in these situations:
- There are unacceptable risks that can be treated by the control/policy
- There are legal requirements (e.g., laws, contracts, or regulations) demanding the implementation of the control/policy
- Top management has decided to implement the control/policy (normally by considering it a good practice or because the organization will have a competitive advantage with its adoption)
If none of these reasons occurs, you do not need to develop the policy / implement the control.
Legal requirements are different for every country and don’t depend on standard requirements. IATF in clause 5.1.1.1 Corporate responsibility requires compliance with all legal requirements in all countries in which the company is operating.
Other requirements also highlight the need for compliance with legal requirements.
From country to country there are numerous ways to find legal requirements; some are the national official gazette, software that combines all laws and obligatory documents, law firms, consulting agencies, etc.
Definition of compliance with the legal requirements can be done, for example, in a table where in the first column you write a law, in the second the requirements that are specific to your company, and in the third column what the organization did to fulfill the requirement and comply with the law.
Section 4.1 consists of 4 (sub)sections. I have a question about (sub)sections 1, 3 and 4 of section 4.1. In section 1 our company defined JUST ONE general objective (reducing the number of incidents by XX %). Do sections 3 and 4 refer to section 1 or to sections 1 and 2? If I have just one general objective and sections 3 and 4 refer to section 1, then I have to write sections 3 and 4 in the singular too. If sections 3 and 4 refer to sections 1 and 2 (where the control objectives are involved too), I can leave it as it is (in the plural). What is right? To which section do sections 3 and 4 refer?
Answer:
Section 4.1 paragraph 2) speaks about objectives for controls, and paragraphs 3) and 4) refer to both the top-level objective(s) mentioned in paragraph 1) and the control objectives mentioned in paragraph 2).
Internal auditor certificate or qualification
Answer:
No, there is no requirement for any particular internal auditor certificate or qualification. Each organization has the authority to set the requirements for their internal auditors. Only your organization has the legitimacy to set the requirements applicable to your internal auditors. That said, it is wise to set as minimum requirements for internal auditors that they should know the standard (ISO 9001:2015) and they should know auditing practices. Your organization can ask for any evidence that they know or studied ISO 9001:2015.
The following material will provide you with information about internal audits: