[cabfpub] Auditor qualification

Jeremy Rowley jeremy.rowley at digicert.com
Sat Mar 7 00:24:30 UTC 2015


One discussion point during the code signing working group meetings is how you can better identify what constitutes a qualified auditor.

According to Jody: What seems to be happening is that organizations are applying the ETSI standard in cases in which either there is no National Standards Body, or where the national standards body does not certify the company. Building on the scenario below, Audit Co is not recognized by ISRAC, but Auditor Jones has a CISP certification, which I've already confirmed with ETSI is not sufficient.

The group decided this was something better discussed as a baseline requirement revision.

One proposal is:
A Qualified Auditor is limited to an auditor that is employed by a company that is certified by a National Authority listed in either the Members or Associate Members link.

Thoughts?

We should add this to the agenda for next week if it's not already listed.

Jeremy
