m (formatting to clarify steps) |
m (fixed typos) |
||
| Line 159: | Line 159: | ||
# The ability to conduct an audit that addresses the criteria specified in an Eligible Audit Scheme (see Section 8.1); | # The ability to conduct an audit that addresses the criteria specified in an Eligible Audit Scheme (see Section 8.1); | ||
# Employs individuals who have proficiency in examining Public Key Infrastructure technology, information security tools and techniques, information technology and security auditing, and the third-party attestation function; | # Employs individuals who have proficiency in examining Public Key Infrastructure technology, information security tools and techniques, information technology and security auditing, and the third-party attestation function; | ||
# (For audits conducted in accordance with any one of the ETSI standards) accredited in accordance with ISO 17065 applying the requirements specified in ETSI EN 319 403; | # (For audits conducted in accordance with any one of the ETSI standards) accredited in accordance with ISO/IEC 17065 applying the requirements specified in ETSI EN 319 403; | ||
# (For audits conducted in accordance with the WebTrust standard) licensed by WebTrust; | # (For audits conducted in accordance with the WebTrust standard) licensed by WebTrust; | ||
# Bound by law, government regulation, or professional code of ethics; and | # Bound by law, government regulation, or professional code of ethics; and | ||
| Line 185: | Line 185: | ||
** The CABs accreditation documentation explicitly refers to all of the following: | ** The CABs accreditation documentation explicitly refers to all of the following: | ||
*** ETSI EN 319 403 | *** ETSI EN 319 403 | ||
**** as the relevant standard for the CAB to perform ETSI audits, allocated under ISO 17065 as framing standard. | **** as the relevant standard for the CAB to perform ETSI audits, allocated under ISO/IEC 17065 as framing standard. | ||
**** The EU eIDAS Regulation 910/2014 can be listed to supplement that information but – alone – is not sufficient to demonstrate ETSI auditors qualification. | **** The EU eIDAS Regulation 910/2014 can be listed to supplement that information but – alone – is not sufficient to demonstrate ETSI auditors qualification. | ||
*** ETSI EN 319 401 and ETSI EN 319 411-1 | *** ETSI EN 319 401 and ETSI EN 319 411-1 | ||
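Review bot: The unchanged bullets in this hunk still read "The CABs accreditation documentation" and "ETSI auditors qualification" without a possessive apostrophe, although the edit summary says typos were fixed and a later bullet on the page writes "the CAB's accreditation". Suggest "The CAB's accreditation documentation" and "the ETSI auditor's qualification" so the possessive is written the same way throughout. The ISO/IEC 17065 correction itself matches the other two places where the standard is named.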
| Line 197: | Line 197: | ||
* Require the ETSI auditor to provide a comprehensive written explanation about why they are not conformant with the above mentioned scheme. The auditor must provide a rationale clearly referring back to all of the following: | * Require the ETSI auditor to provide a comprehensive written explanation about why they are not conformant with the above mentioned scheme. The auditor must provide a rationale clearly referring back to all of the following: | ||
** European Accreditation to demonstrate they act under the EU accreditation scheme, | ** European Accreditation to demonstrate they act under the EU accreditation scheme, | ||
** ISO 17065 plus ETSI EN | ** ISO/IEC 17065 plus ETSI EN 319 403 to demonstrate they are accredited/allowed to audit publicly trusted CA/Trust Service Provider according to ETSI EN 319 401 and ETSI EN 319 411-1 and | ||
** ETSI EN 319 411-2 for QWACS certificates according to the EU eIDAS Regulation 910/2014. | ** ETSI EN 319 411-2 for QWACS certificates according to the EU eIDAS Regulation 910/2014. | ||
* Review the documents and explanation. | * Review the documents and explanation. | ||
* Request external review from ACAB’c to provide opinion about the CAB's accreditation. | * Request external review from ACAB’c to provide opinion about the CAB's accreditation. | ||
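Review bot: The last sub-bullet of the rationale list still says "QWACS certificates", which is redundant because the C in QWAC already stands for certificate, and the plural is normally written "QWACs"; suggest "ETSI EN 319 411-2 for QWACs according to the EU eIDAS Regulation 910/2014". In the same list, "above mentioned scheme" reads better hyphenated as "above-mentioned scheme", and the trailing "and" belongs on the second-to-last item only, which the corrected "ISO/IEC 17065 plus ETSI EN 319 403 ..." line now satisfies, so the first item's comma and this item's "and" should be checked for consistent list punctuation.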