What does a certified information security management system auditor do?
An information security management system auditor is a person who, as a member of a team or independently, carries out a complete information security management system audit, whether an internal audit, a second-party audit or a third-party audit for the purpose of certification, to verify the conformity of the organization's information security management system with the requirements of the standard SRPS ISO/IEC 27001:2014.
The auditor's tasks are to:
- manage the audit program, plan and conduct the audit;
- identify audit findings, identify nonconformity findings and define nonconformities;
- prepare the audit report and other audit findings;
- assess the adequacy of the proposed measures to eliminate nonconformities;
- verify the elimination of nonconformities.
Who is the certification for?
- Persons who carry out audits in organizations that have implemented an information security management system in accordance with the requirements of the standard SRPS EN ISO 22000:2007;
- Auditors of certification bodies for management system certification;
- Consultants who want to become better acquainted with the planning and conduct of information security management system audits;
- Persons responsible for the information security management system in an organization;
- Persons involved in teams for the development and maintenance of information security management systems, etc.
Why get certified?
- Your knowledge and skills for conducting an information security management system audit have been verified by a third party (the certification body);
- Your organization, or the organization that hires you as an information security management system auditor, can be sure it has a qualified auditor;
- It increases your chances of getting a job;
- It gives you greater credibility with employers;
- It obliges you to continuous professional development.
What are the conditions for certification?
An applicant for certification must:
- meet certain conditions related to education, work experience, training and experience in conducting audits (see table below);
- pass a written test.
| Scheme | Education | Total work experience (years) | Work experience (years) related to the scheme | Training | Experience in audits |
|---|---|---|---|---|---|
| AUDITOR FOR INFORMATION SECURITY MANAGEMENT SYSTEM | higher education | | (in information security management system and/or in jobs in a field related to information security management system) | training for an auditor for information security management system lasting 40 hours, conducted by a training organization approved by StandCert* | at least 4 audits lasting a minimum of 160 hours, of which 96 hours on location |
* Appropriate additional training (if the person is already an auditor for another management system) lasting 24 hours, conducted by a training organization approved by StandCert, can be recognized as adequate.
StandCert also accepts as adequate training that is approved within widely accepted certification schemes for persons in the field of management systems.
StandCert will also accept, as an adequate precondition for certification of persons, training with equivalent education and alternative education for which there is evidence that it meets the established criteria for recognition.
A person who has applied for certification and who meets the preconditions for certification takes a written test lasting 120 minutes.
The test consists of two parts with a total of 30 questions. The first part contains questions with offered answers from which the candidate should choose the correct answer(s); the second part contains open questions to which the candidate is expected to give written answers (e.g. what objective evidence would you accept as adequate to meet a specific requirement of the standard; which questions would you ask the auditees; how would you act in a specific situation during an audit; explain your position on whether the finding in the example is a conformity or a nonconformity).
The pass criterion is 70% of the possible number of points, provided that in both parts of the test a score of at least 50% + 1 point is achieved.
Validity of the certificate
If a person has passed the test and met all the conditions for certification, they are awarded a certificate valid for a period of 3 years.