With the release of the v2 (October 2020) accreditation guidelines and partial recognition of ISO 27001 certification, there is a requirement to seek an assurance report regarding the controls detailed in Schedule 2. What auditor qualifications would be considered acceptable to meet this requirement: an ISO 27001 or an ASAE 3150 auditor?
Where an applicant has an ISO 27001 certification, the applicant may seek to rely on this certification as partial evidence to demonstrate that it satisfies the information security obligation. The Accreditor will accept, as part of an accreditation application, a current ISO 27001 certification together with a reduced-scope assurance report covering the controls that are not covered by the ISO 27001 certification. The additional assurance report must be prepared in accordance with one of the accepted standards set out in the guidelines, for example the ASAE, ISAE or SOC 1 or 2 standards.
Further details on the requirements, including specified controls, are set out in the Supplementary Accreditation Guidelines: Information Security, in particular at sections 2.1.5, 2.1.1 and 2.1.2.