Thanks Beatrice
Do we regulate any software the way we regulate planes?
Operating systems? Compilers? Web browsers? Text/image/video/audio/3D editors? Video games?
That said, software in these regulated industries tends to be a bit of a disaster area. Mainly because embedded software pays so much less, the average skill level is lower and no amount of quality paperwork is going to completely stop systematic incompetence. (not that the paperwork itself is inherently a problem: even skilled engineers will make mistakes sometimes and the quality system does generally mean that you do reviews and catch them. But when neither your planners nor your implementers nor your reviewers understand that casting pointers around willy-nilly in C is undefined behaviour, it's not gonna save you).
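As an added illustration of the point about pointer casts (this is example code, not the commenter's or any project's code): the defined way to reinterpret bytes in C is to copy them with `memcpy` or assemble them byte by byte, rather than casting a `float *` or `unsigned char *` to a `uint32_t *` and dereferencing it, which violates strict aliasing and, on many targets, alignment rules. The sample values below are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Undefined-behaviour version (shown in a comment only, never executed):
 *
 *     float f = 1.0f;
 *     uint32_t u = *(uint32_t *)&f;   // strict-aliasing violation
 *
 * The compiler may assume a uint32_t lvalue never aliases a float, so it
 * can reorder or drop the read. The functions below do the same job
 * without invoking undefined behaviour.
 */

/* Returns the IEEE-754 bit pattern of a float via memcpy (well defined). */
uint32_t float_bits(float f) {
    uint32_t u;
    memcpy(&u, &f, sizeof u);   /* byte copy: no aliasing or alignment issue */
    return u;
}

/* Reads a little-endian 32-bit value from an arbitrary, possibly
 * unaligned byte buffer (e.g. a network packet) without a pointer cast. */
uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0]
         | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[3] << 24);
}

/* Returns 1 if p is aligned to 'align' bytes; a cast to a wider type is
 * only even a candidate when this holds, and still needs an aliasing-safe
 * access on top. */
int is_aligned(const void *p, size_t align) {
    return ((uintptr_t)p % align) == 0;
}

int main(void) {
    /* Constructed sample input: a packet-like buffer with an odd offset. */
    unsigned char buf[5] = { 0xAA, 0x78, 0x56, 0x34, 0x12 };
    printf("float_bits(1.0f) = 0x%08X\n", float_bits(1.0f));
    printf("read_le32(buf+1) = 0x%08X\n", read_le32(buf + 1));
    printf("buf+1 aligned to 4: %d\n", is_aligned(buf + 1, 4));
    return 0;
}
```

`read_le32` is the pattern to reach for when parsing wire formats: it is portable across endianness and alignment requirements, and modern compilers recognise the byte-assembly idiom and emit a single load where the target allows it.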
Sure, it is good to keep oversight on AI use and co, but its only purpose is to feed countless useless executives and consultants shitting paper.
In the end, the company will be happy to put on the "ISO" sticker and stash the thousand-page documents in a drawer that no one reads, and the company will continue to work the same as if this had not been done. Just with money burned along the way.
aleks5678•2mo ago
simonjgreen•2mo ago
External auditors should be selected by looking for ones who are themselves audited by your regional government auditing body. E.g., if you wanted to be audited and certified for ISO 27001, and you happened to be in the UK, you might choose BSI as your external auditor, who are themselves audited by UKAS.
It's a web-of-trust model.
The purpose of these certificates is to shortcut compliance checks by your customers (or in some cases suppliers).
ISO27Auditor•2mo ago
Any accredited certification body in the world can audit you, and you can also save a lot by opting for a smaller certification body abroad instead of, for instance, one of the big names. (I am an auditor for ISO 42001 and ISO 27001 as well.)