[cabfpub] Delegated Third Parties, Network Security Requirements, and Audits

tScheme Technical Manager richard.trevorah at tScheme.org
Wed May 18 10:59:15 UTC 2016

Hi Gerv,

That's certainly how it works for our audits that are part of the ISO/IEC
27001 process. Our auditors should accept audit reports from other auditors
who have been accredited by bodies that are signatories to the appropriate
parts of the IAF Multilateral Recognition Arrangement (MLA) (see
http://www.iaf.nu//articles/IAF_MLA/14). However, that does not stop them from
doing due diligence on the report before deciding whether to accept it and
therefore take responsibility for the overall audit.

Richard Trevorah
Technical Manager
tScheme Limited

M: +44 (0) 781 809 4728
F: +44 (0) 870 005 6311



-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Gervase Markham
Sent: 18 May 2016 10:50
To: Benedikt Heintel; public at cabforum.org
Subject: Re: [cabfpub] Delegated Third Parties, Network Security
Requirements, and Audits

On 17/05/16 20:59, Benedikt Heintel wrote:
>> I'd say that if CAs sharing infrastructure want to take advantage of
>> those economies, then they need to synchronise their audit periods and
>> all engage the same auditor, who can then do a single inspection of the
>> shared infrastructure and use the results to write multiple reports.
> Or rely on the audit report of other auditors, as is the practice in
> other international standards.

That might be acceptable if the master auditor takes responsibility for
the entire audit, and can't palm off responsibility for problems with
"well, they said it was OK, nothing to do with us". And presumably the
other auditors would need to be appropriately qualified also?

