[cabfpub] Auditor question

i-barreira at izenpe.net i-barreira at izenpe.net
Fri Mar 20 13:14:19 UTC 2015

This is what you can read in 319 403. In yellow I highlighted something that I consider important. Hope this can help.


7.4.3 Multiple sites

When to Consider Sample Based Approach

Where a TSP has a number of sites, the Conformity Assessment Body may consider using a sample-based approach to multiple-site audit where the TSP security management scheme meets the following requirements:

a) Security for all applicable sites is administered under control of the TSP's security policy administration; and

b) All applicable sites are subject to the TSP's security management review programme.

Applicable sites for a sample based approach shall be those directly concerned with the operations of the TSP meeting the specified TSP policy requirements.

Requirements of Sample Based Approach

When using a sample-based approach, the Conformity Assessment Body wishing to use a sample-based approach shall have procedures in place to ensure the following:

a) The initial contract review identifies, to the greatest extent possible, the difference between sites such that an adequate level of sampling is determined.

b) A representative number of sites have been sampled by the Conformity Assessment Body, taking into account:
1) the results of internal audits of the central site and the other sites,
2) the results of management review,
3) variations in the size of the sites,
4) variations in the business purpose of the sites,
5) complexity of the trust service,
6) complexity of the information systems at the different sites,
7) variations in working practices,
8) variations in activities undertaken,
9) potential interaction with critical information systems or information systems processing sensitive information,
10) whether the site is operated by a sub-contractor or other external organization, and
11) any differing regulatory requirements.

c) The sample should be partly selective based on the above in point b) and partly non-selective and should result in a range of different sites being selected, without excluding the random element of site selection.

d) Every site of the TSP that is subject to significant threats to assets, vulnerabilities or impacts should be included in the sampling programme.

e) The surveillance programme should be designed in the light of the above requirements and should, within a reasonable time, cover all sites of the TSP operations unless it can be demonstrated that this does not impact on the results of the audit, and

f) In the case of a non-conformity being observed either at the head office or at a single site, the corrective action procedure should apply to the head office and to all sites of the TSP operations which may be impacted by the same non-conformity.


The audit shall address the TSP's central site activities to ensure that central security administration is applied to all sites at the operational level. The audit should address all the issues outlined above.

The Conformity Assessment Body shall be prepared to substantiate or justify the number of sites being subject to the audit.



Iñigo Barreira

Head of the Technical Area

i-barreira at izenpe.net




WARNING! Part or all of this message may be legally protected. The message has its intended recipient. If it has reached the wrong address (address mistyped, transmission failed), notify the sender by replying to this e-mail. CAUTION!

ATTENTION! This message contains privileged or confidential information that only the addressee is entitled to access. If you receive it by mistake, we would be grateful if you did not make use of the information and contacted the sender.



-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On behalf of Gervase Markham
Sent: Tuesday, 17 March 2015 11:44
To: Jeremy Rowley; CABFPub
Subject: Re: [cabfpub] Auditor question


On 10/03/15 04:36, Jeremy Rowley wrote:

> Personally, I think the intent was that as long as each CA had an EV
> audit covering their portion of the requirements, then you were okay
> (since all gaps are covered).  The first CAs auditor wouldn't actually
> need to audit the second CA.  Is this not the case? I'd like to amend
> the language to clarify how the two audits interoperate.


I think this depends on whether audits are fungible. That is to say, can they be split up into pieces with no loss of fidelity? If CA A is audited for the first half of the BRs, and CA B is audited for the second half, and they collaborate together to issue certs, is the result as well-audited as if one CA were doing it?


I don't think this is obviously the case, certainly not all the time.

The interactions between the two CAs may or may not be audited, depending on the split, and I would suspect an auditor needs sometimes to take an overall view of the process in order to confirm that certain criteria are met.


To put it another way: many audit criteria relate to the trees, sure, but some relate to the wood as a whole. :-)


Perhaps Don, Inigo or Arno could comment.



