Hi Scott, As you might see in the meeting minutes which was sent by Dave, we got a comment about Auditor Qualification. ---------------------------------------------------------------------- Auditor Qualification The audit/assessment/evaluation team and the individuals on that team, should be qualified to assess the policies and practices of a PKI. Auditors should be competent to evaluate the CA management processes and operational procedures, its related IT security components and its PKI-unique elements. A PKI audit team shall consist of individuals who together have the necessary skills and experience to assess the policies, procedures and practices of the PKI. Auditors should be individually and organizationally independent of the PKI that is being audited. The following list comprises a set requirements for considering the expertise and qualifications of members of the assessment team carrying out a PKI audit: - Professional Certifications such as CISSP and CISA or equivalent; - Successful completion of training courses in assessment of IT security controls; - ... ---------------------------------------------------------------------- We got a comment that the list of requirements is very heavy, particularly the professional certification. Do you intend that auditors must satisfy all the requirements? Would you clarify your intention? Thanks, -- Yoshio Tanaka (yoshio.tanaka@aist.go.jp) http://ninf.apgrid.org/ http://www.apgridpma.org/