ISO 17799 and ISO 27001 Newsletter

The David L Watson Interview

The following questions were presented:


You were the first Certified BS7799 c:cure Auditor. How did that come about? When was that?

In May 1998 about 20 security experts were appointed to perform the update and re-write of the BS 7799 standard.

I was part of the team that re-wrote clauses 2, 5, 6, 9 and 10 during May and June 1998, mainly under Prof Brian Collins (now at RMCS, Shrivenham). This work was to become the 1999 version of BS 7799 part 1.

In July 1998, I was engaged by one of the Certification Bodies (CBs) to write for them a set of procedures so that they could perform Accredited Certification Audits for BS 7799.

Whilst researching this subject, I found that the c:cure Auditor Certification process was to be launched. The CB I was working with was keen to have Certificated Auditors on its books so that it could provide staff to perform the Certification Audits, and so I applied to IRCA (the International Register of Certificated Auditors) to become a Certified c:cure Auditor.

I had to provide evidence of my qualifications, experience in BS 7799 and experience of auditing, and sit a one-hour interview by two security experts and a member of IRCA who was an ISO 9000 Auditor.

I was lucky as I had a reference from the United Kingdom Accreditation Service (UKAS), who had witnessed one of my audits, so I could provide evidence of having successfully carried out BS 7799 Certification Audits.

The interview was quite in-depth and probing but descended to farce when the ISO 9000 person said that he could not understand why there were no client names given on my application for whom I had worked. I stated that my contract did not permit me to divulge any client details at all, apart from to a court of competent jurisdiction, whereupon he said he had never heard of this in his whole ISO 9000 experience, and that of course I could tell him!

Of the two security experts, one had his head in his hands and the other was studiously observing the ceiling as I again refused to breach my contract.

I thought I had blown the interview but knew I was right in not breaching my contractual obligations. I was therefore pleasantly surprised to find that I was now one of the first certified c:cure auditors.

There were, from memory, only ever six or seven of us and about three Provisional Certified Auditors but the web site (c-cure.org) is long gone and suppressed from archive.org, so it is not possible to check.

For whatever reasons, the c:cure scheme folded and the two types of certification route (certified auditor or non-certificated auditor) ceased.


What happened then?

I carried on auditing and consulting for BS 7799 clients, though there was now no call for c:cure Certified Auditors!

In 2003, IRCA launched a new scheme and I applied for the Certified ISMS Auditor qualification.

I had to re-prove my experience again, advise of the BS 7799 Lead Auditor Course that I had attended to ensure that this was acceptable to IRCA (there are a number that are not, so you need to check before taking them or you could find you have wasted your time) and submit my updated audit log again.

I had no interview this time and was pleased to see that I have been awarded the grade of Principal Certified ISMS Auditor.

The requirements are given below for all grades of certified auditor.

| Auditor grade | Education | Work experience | Auditor training | Audit experience: audits | Audit experience: days |
|---|---|---|---|---|---|
| Provisional auditor | Minimum secondary | 5 years, or 4 years plus degree/near degree; 2 years information security related | ISMS lead auditor course | None | None |
| Auditor | Minimum secondary | 5 years, or 4 years plus degree/near degree; 2 years information security related | ISMS lead auditor course | 4 (as trainee auditor) | 20 (10 on-site) |
| Lead auditor | Minimum secondary | 5 years, or 4 years plus degree/near degree; 2 years information security related | ISMS lead auditor course | 4 (as trainee auditor); 3 (as trainee lead auditor) | 20 (10 on-site); 15 (10 on-site) |
| Principal auditor (consultant) | Degree/near degree | 6 years information security related | ISMS lead auditor course | 7 (sole/lead audits) | 35 (20 on-site) |
| Principal auditor (team leader) | Minimum secondary | 5 years, or 4 years plus degree/near degree; 2 years information security related | ISMS lead auditor course | 6 years certified to lead auditor grade; 3 sole audits using audit management skills in complex/demanding situations | |

These requirements are given on the IRCA web site.

The last time I checked there were 12 Certified Auditors who had been certified by IRCA in the UK and I was the only Principal Certified ISMS Auditor.

The IRCA Certified Auditors all have their details published on the IRCA web site at

iqasecure.co.uk/irca/directory/default.asp?dir=1

There are currently 103 IRCA Certified Auditors throughout the world, with 12 in the UK.


**The Newsletter**

The ISO 17799 and ISO 27001 Newsletter is published periodically. It provides news and background for those interested in information security generally, and ISO 17799 / ISO 27001 specifically. In addition, we provide occasional 'breaking news' bulletins covering any major event related to the standards.




© Copyright 2005/2006.