<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe Pro";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">One discussion point during the code signing working group meetings is how you can better identify what constitutes a qualified auditor.<o:p></o:p></p>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal"><span style="font-family:'Segoe Pro';color:#1F497D">According to Jody: What seems to be happening is that organizations are applying the ETSI standard in cases in which either there is no National Standards Body, or where the national standards
body does not certify the company. Building on the scenario below, Audit Co is not recognized by ISRAC, but Auditor Jones has a CISP certification, which I've already confirmed with ETSI is not sufficient.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:'Segoe Pro';color:#1F497D">&nbsp;</span><o:p></o:p></p>
<p class="MsoNormal">The group decided this was something better discussed as a baseline requirement revision.
<o:p></o:p></p>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal">One proposal is:<o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:'Segoe Pro';color:#1F497D">A Qualified Auditor is limited to an auditor that is employed by a company that is certified by a National Authority listed in either the Members or Associate Members link.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:'Segoe Pro';color:#1F497D">&nbsp;</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:'Segoe Pro';color:#1F497D">Thoughts?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:'Segoe Pro';color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span style="font-family:'Segoe Pro';color:#1F497D">We should add this to the agenda for next week if it's not already listed.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:'Segoe Pro';color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span style="font-family:'Segoe Pro';color:#1F497D">Jeremy</span><o:p></o:p></p>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
</body>
</html>