The person does not yet have experience in conducting audits, or does not have the amount of audit experience required for an auditor.
What does a certified information security management system auditor-trainee do?
An auditor-trainee for an information security management system is a person who, as a member of a team or independently, carries out a complete audit of an information security management system, whether an internal audit, a second-party audit or a third-party audit for the purpose of certification, in order to verify the conformity of the organization's information security management system with the requirements of the standard SRPS ISO/IEC 27001:2014.
The task of the auditor is to:
- manage the audit program, plan and conduct the audit;
- identify audit findings, identify nonconformity findings and define nonconformities;
- prepare the audit report and other audit findings;
- assess the adequacy of the proposed measures to eliminate nonconformities;
- verify the elimination of nonconformities.
Who is the certification for?
- Persons who carry out audits in organizations that have implemented information security management system in accordance with the requirements of the standard SRPS ISO/IEC 27001:2014;
- Auditors of certification bodies for management system certification;
- Consultants who want to get better acquainted with the way of planning and implementation of information security management system audits;
- Persons responsible for the information security management system in organization;
- Persons involved in teams for the development and maintenance of information security management systems, etc.
Why to get certified?
- Your knowledge and skills for conducting an information security management system audit have been verified by a third party (certification body);
- Your organization, or the organization that hires you as an auditor for the information security management system, can be sure it has a qualified auditor;
- Increases your chances of getting a job;
- Provides you with greater credibility with the employer;
- Obliges you to continuous professional development.
What are the conditions for certification?
The applicant for certification must:
- meet certain conditions related to education, work experience, training and experience in conducting audits (see table below);
- pass a written test.
| Category | Education | Total work experience (years) | Work experience (years) related to the scheme | Training | Experience in audits |
|---|---|---|---|---|---|
| Auditor-trainee for information security management system | higher education | | (in information security management system and/or in jobs in the field related to the information security management system) | training for an auditor for information security management system lasting 40 hours, conducted by a training organization approved by StandCert* | – |
* Appropriate additional training lasting 24 hours (if the person is already an auditor for another management system), implemented by a training organization approved by StandCert, can be recognized as adequate.
StandCert also accepts as adequate training that is approved within the widely accepted certification schemes for persons in the field of management systems.
StandCert will also accept, as an adequate precondition for certification of persons, training with equivalent education and alternative education for which there is evidence that it meets the established criteria for recognition.
A person who has applied for certification and who meets the precondition for certification takes a written test lasting 120 minutes.
The test consists of two parts with a total of 30 questions. The first part contains multiple-choice questions from which the candidate should choose the correct answer(s); the second part contains open questions in which the candidate is expected to give written answers (e.g. what objective evidence would you accept as adequate to meet a specific requirement of the standard; which questions would you ask the auditees; how would you act in a specific situation during an audit; explain your position on whether the finding in the example is a conformity or a nonconformity).
The pass criterion is 70% of the possible number of points, provided that in both parts of the test a pass rate of at least 50% + 1 point is achieved.
Validity of the certificate
If a person has passed the test and met all the conditions for certification, they are awarded a certificate valid for a period of 3 years.
How to move to the category auditor?
When a certified auditor-trainee for the information security management system has performed the number of audits required for the category of auditor for the information security management system, they must submit evidence of the completed audits to StandCert, which will evaluate the submitted evidence; if it is assessed as adequate, a new certificate will be issued. The validity period of the certification on the new certificate is identical to the validity period of the certification on the previously issued certificate.