The person does not yet have experience in conducting audits, or does not have the amount of audit experience required of an internal auditor.
What does a certified internal auditor-trainee for information security management system do?
An internal auditor-trainee for the information security management system is a person who conducts internal audits of an organization's information security management system in order to verify its conformity with the requirements of SRPS ISO/IEC 27001:2014, or who conducts audits of another party.
The task of the internal auditor-trainee is to:
- manage the audit program, plan and conduct the audit;
- identify audit findings, identify nonconformity findings and define nonconformities;
- prepare the audit report and other audit documentation;
- assess the adequacy of the proposed measures to eliminate nonconformities;
- verify the elimination of nonconformities;
- identify opportunities for improvement.
Who is the certification for?
- Persons who want to participate in the implementation of internal audit in organizations that have implemented information security management system in accordance with the requirements of the standard SRPS ISO/IEC 27001:2014;
- Consultants who want to get better acquainted with the way of planning and implementation of internal audits of information security management system;
- Persons responsible for the information security management system in their organization;
- Persons involved in teams for the development and maintenance of information security management systems, etc.
Why to get certified?
- Your knowledge and skills for conducting internal audits of the information security management system have been confirmed by a third party (certification body);
- Your organization, or the organization that engages you as an internal auditor for the information security management system, can be sure that it has a qualified person to conduct the internal audit;
- Increases your chances of getting a job;
- Provides you with greater credibility with the employer;
- Obliges you to continuous professional development.
What are the conditions for certification?
An applicant for certification must:
- meet certain conditions related to education, work experience, training (see table below);
- pass a written test.
| Category | Education | Total work experience (years) | Work experience (years) related to the scheme | Training | Experience in audits |
|---|---|---|---|---|---|
| Internal auditor-trainee for information security management system | secondary education | 3 (for secondary education) / | (in information security management system and/or on jobs in the field related to the information security management system) | training for an internal auditor for information security management system lasting 16 hours, conducted by a training organization approved by StandCert* | – |
* Appropriate additional training (if the person is already an internal auditor for another management system) lasting 8 hours, implemented by a training organization approved by StandCert, can be recognized as adequate.
StandCert also accepts as adequate the trainings that are approved within the widely accepted certification schemes of persons in the field of management systems.
StandCert will also accept, as an adequate precondition for certification of persons, equivalent training and alternative education for which there is evidence that they meet the established criteria for recognition.
A person who has applied for certification and who meets the precondition for certification takes a written test lasting 60 minutes.
The test consists of two parts with a total of 20 questions. The first part contains questions with offered answers from which the candidate should choose the correct answer(s); the second part contains open questions to which the candidate is expected to give written answers (e.g. questions on verifying a particular standard requirement, formulating nonconformities, explaining the acceptance or non-acceptance of a proposed corrective measure, etc.).
The pass criterion is 70% of the possible number of points, provided that a score of at least 50% + 1 point is achieved in each of the two parts of the test.
Validity of the certificate
If a person has passed the test and met all the conditions for certification, they are awarded a certificate valid for a period of 3 years.
How to move to the category of internal auditor for information security management system?
When a certified internal auditor-trainee for the information security management system has performed the number of internal audits required for the category of internal auditor for the information security management system, they must submit evidence of the completed audits to StandCert. StandCert evaluates the submitted evidence and, if it is assessed as adequate, issues a new certificate. The validity period of the certification on the new certificate is identical to the validity period of the certification on the previously issued certificate.