Apologies for belaboring the point, but I think we might be talking past eachother.
You originally stated “The only place I am aware that lists the audit partner in a comparable world is the signing audit partner on public company audits in the US, which is available on the SEC website.” I gave two separate examples of such, and you responded to one (FPKI) by saying the report was not public (even when it is made available publicly), and the other I didn’t see a response to. This might feel like nit-picking, but I think this is a rather serious point to work through, because I don’t think you’re fully communicating what you judge to be a “comparable world”, as it appears you are dismissing these examples. I can think of several possible dimensions you might be thinking are relevant, but rather than assume, I’m hoping you can expand with a few simple questions. Some admittedly seem basic, but I don’t want to take anything for granted here. 1) Are you/the WTTF familiar with these audit schemes? 2) Are you aware of schemes that require disclosing the relevant skills and experience of the audit team to the client? (E.g. as done by BSI C5 audits under ISAE 3000) 3) Are you aware of such reports naming multiple parties for the use of the report (e.g. as done by FPKI audits) 4) Are you aware of schemes in which a supplier requires a vendor to be audited, and ensures that the customer of supplier are able to access such audits as part of their reliance upon supplier? (Note, this doesn’t have to be limited to ISMS systems) I’m trying to understand what, given the prevalence of these practices, makes these instances *not* a comparable world, since it seems that helps move closer to solutions. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy