Certification Authority Licensing - Qualified Auditor
It is also important that the auditors who review the certification authority’s system for compliance with CS-2 are qualified to do so. The Washington Administrative Code establishes auditor requirements at section 484-180-240(3).
The audit may be performed by an individual or by a team. If the audit is performed by an individual, that individual must be a licensed certified public accountant and also qualify as a computer security professional. If performed by a team, all of the auditors must be licensed certified public accountants and at least one member of the team must qualify as a computer security professional.
To qualify as a computer security professional, the auditor must be certified either:
- as a "Certified Information Systems Auditor (CISA)" by the Information Systems Audit and Control Foundation; or
- as a "Certified Information Systems Security Professional" by the International Information Systems Security Certification Consortium.
In foreign jurisdictions, the requirement that the auditor must be a licensed certified public accountant may be met by qualifying under the equivalent law of that jurisdiction.
Links for additional information about computer security professional qualifications: