What is your opinion? Thank you for your time and attention.
Answer:
The worst thing you can do is to hire two consultants at the same time, it is the safest way to get conflicting information :) Jokes aside, the standard requires organization to apply methods for identification and traceablity only to the outputs of its processes, not the inputs (raw materials, etc.). If you don't have explicit requirement from your cu stomer to perform identification and traceability of your raw materials, you don't have to do it.
There is no requirement for internal auditors to be certified, thy only need to be familiar with requirements of the standard and auditing techniques. Your existing auditors just need to get familiar with new requirements of the standard and they will be ready to conduct internal audits.
There is no requirement to establish entire procedure, it enough to establish criteria for selecting the internal auditors and criteria is knowledge of the standard and auditing techniques.
Is this only the responsibility of management Representative to select the internal auditors or management decision ?
The standard does not specify who should be appointing internal auditors, it can be the management representative or somebody else, whatever the organization finds the most appropriate.
How it should be impartial selection?
Of course, you cannot ensure 100% impartiality, but what the organization should avoid is situation where internal auditor is auditing his own work.
What if Internal audit delays due to work again and again, will it be count as a non conformity or not?
Embedded software is computer software, written to control machines or devices that are not typically thought of as computers. It is typically specialized for the particular hardware that it runs on and has time and memory constraints.
The clause refers to organizations that are developing the software, not to the ones that are only using or embedding the software into its products, so you can consider this clause as inapplicable to your organization.
Risk assessment and information classification
Answer: Information classification is a security control you implement after the risk assessment, so you do not classify information and performs risks assessment, but by means of the risk assessment you identify the need to classify information, generally because you have types of information that requires different types of securitycontrols.
Answer: Yes. Since 2012 all released ISO management systems have the same structure, which makes integration easier. Regarding other frameworks, they have many similarities with ISO standards, being only a question of mapping the correlations between them.
(in which document of the ISO 27001 package can I locate the information security guidelines in the business continuity? (ISO 27002: 2013 Chapter 17))
Answer: The templates which cover the information security aspects in business continuity are located on folder 08 Annex A, sub folder A.17 Business Continuity.
In the List of documents file that comes with your toolkit you have information about which template covers which standard's clause and where they are located.
Becoming environmental auditor
Answer:
The main question is whether you want to become internal environmental auditor or external environmental auditor. If you want to be come internal auditor, you need to have competences that include knowing the standard and the auditing techniques, this can be achieved by attending internal auditor course and they are usually not very demanding. Here you can take a look at our free ISO 14001:2015 Internal Auditor Course https://advisera.com/training/iso-14001-internal-auditor-course/
If you want to become lead auditor, the person who will conduct audits for the third party (i.e. certification body) you need to get Lead Auditor certificate and also to meet other requirements of the organization that hires you, such as proper education, experience, etc.