What does a certified internal auditor for the information security management system do?
An internal auditor for the information security management system is a person who conducts internal audits of the information security management system in an organization, in order to verify the conformity of the organization's information security management system with the requirements of SRPS ISO/IEC 27001:2014, or who conducts audits of another party.
The task of the internal auditor is to:
- manage the audit program, plan and conduct the audit;
- identify audit findings, identify nonconformity findings and define nonconformities;
- prepare the audit report and other audit findings;
- assess the adequacy of the proposed measures to eliminate nonconformities;
- verify the elimination of nonconformities;
- identify opportunities for improvement.
Who is the certification for?
- Persons who carry out internal audits in organizations that have implemented an information security management system in accordance with the requirements of the standard SRPS ISO/IEC 27001:2014;
- Consultants who want to get better acquainted with the way of planning and implementation of internal audits of the information security management system;
- Persons responsible for the information security management system in an organization;
- Persons involved in teams for the development and maintenance of the information security management system, etc.
Why get certified?
- Your knowledge and skills for conducting internal information security management system audits have been confirmed by a third party (certification body);
- Your organization, or the organization that hires you as an internal auditor for the information security management system, can be sure that it has a qualified internal auditor;
- It increases your chances of getting a job;
- It gives you greater credibility with the employer;
- It obliges you to continuous professional development.
What are the conditions for certification?
The applicant for certification must:
- meet certain conditions related to education, work experience, training and experience in conducting audits (see table below);
- pass a written test.
| Scheme | Education | Total work experience (years) | Work experience (years) related to the scheme | Training | Experience in audits |
|---|---|---|---|---|---|
| INTERNAL AUDITOR FOR INFORMATION SECURITY MANAGEMENT SYSTEM | secondary education | 3 (for secondary education) / | (in the information security management system and/or in jobs in the field related to the information security management system) | training for an internal auditor for the information security management system lasting 16 hours, conducted by a training organization approved by StandCert* | at least 3 internal audits lasting a minimum of 3 hours each |
*Appropriate additional training (if the person is already an internal auditor for another management system) lasting 8 hours, conducted by a training organization approved by StandCert, can be recognized as adequate.
StandCert also accepts as adequate training that is approved within widely accepted personnel certification schemes in the field of management systems.
StandCert will also accept, as an adequate precondition for certification of persons, equivalent training and alternative education for which there is evidence that they meet the established criteria for recognition.
A person who has applied for certification and who meets the preconditions for certification takes a written test lasting 60 minutes.
The test consists of two parts with a total of 20 questions. The first part contains questions with offered answers from which the candidate should choose the correct answer(s); the second part contains open questions in which the candidate is expected to give written answers (e.g. questions on verifying a particular requirement of the standard, formulating nonconformities, explaining the acceptance or non-acceptance of a proposed corrective measure, etc.).
The pass criterion is 70% of the possible number of points, provided that a score of at least 50% + 1 point is achieved in each part of the test.
Validity of the certificate
If a person has passed the test and met all the conditions for certification, they are awarded a certificate valid for a period of 3 years.