Notes from Megameeting 1st March 2010


DavidGiaretta STFC
JohnGarrett GSFC
MarkConrad NARA
RobertDowns CIESIN, Columbia University
BarbaraSierman KB
HelenTibbo UNC
BruceAmbacher UM

Summary A number of sections were looked at including 5.2.1 and 1.2-1.4. It was reiterated that we based the Requirements document on ISO 27006 and then Simon changed references to security to TDR and then pulled out the subsections which obviously needed to be TDR specific and placed then in page AuditorGuidelinesIssues. DG proposed that, while we could review every single part of the document, it would make more sense to focus on those part which are TDR specific - noting that most of the document is rather generic. Moreover we should remember that 27006 has been around for some time and the generic parts are therefore quite well tested.

Actions ALL to email the list with results of:

  • completion of reviewing Simons' list of issues on the WIki (AuditorGuidelinesIssues)
  • review of whole doc, pulling out and commenting on any additional subsections which need to beTDR specific
  • other comments if possible
by the next meeting

Transcript of chat

Terry Longstreth >> (All): Hi David
David Giaretta >> (All): Hi Terry
David Giaretta >> (All): Just looking through the Word doc
Terry Longstreth >> (All): I'm still making coffee.  I'll be back in 10
David Giaretta >> (All): Hi Bruce
BruceAmbacher >> (All): Hi.  Are others expected?
David Giaretta >> (All): Should be
David Giaretta >> (All): Let's wait a few minutes
David Giaretta >> (All): Was the Word doc OK?
David Giaretta >> (All): Hi Barbara
Barbara Sierman >> (All): Hello all
BruceAmbacher >> (All): I have not been able to spend time with it yet.
David Giaretta >> (All): Simon and I tracked the changes and put comemnts to show why changes were made where we could
David Giaretta >> (All): Hi Mark
Mark Conrad >> (All): Hello.
David Giaretta >> (All): Let me check if Simon sent apologies
Mark Conrad >> (All): I have started my review of the Word document. I made it up to
BruceAmbacher >> (All): Did we discuss 5.2.1/  I have no objections, I just do not recall seeing it before or discussing it.
Mark Conrad >> (All): I have a number of comments for 5.2.1. I do not believe that we discussed this in the past.
David Giaretta >> (All): No I don't think that was pulled out by Simon into the wiki as being contentious 
BruceAmbacher >> (All): What is the source?
David Giaretta >> (All): 5.2.1 is inherited from ISO 17021
David Giaretta >> (All): ...oops sorry - there is one in our doc
David Giaretta >> (All): So the wording we have is from the doc we based our doc on
David Giaretta >> (All): What comments do you have on 5.2.1 Mark?
Mark Conrad >> (All): I don't understand a).  I believe c) is already required by 17021. I don't understand why we want the exclusion/exception in d.). I am not sure I understand f.).
David Giaretta >> (All): Ho Helen, John
David Giaretta >> (All): Oops - Hi
Helen Tibbo >> (All): Hi, all. I was out with a bit of surgery last week - nothing life threatening - just a bit painful - so am not up-to-date with reading or anything else. Those pain pills are great...
David Giaretta >> (All): Helen there is a Word doc on the Wiki at which has the various agreed changes marked up
David Giaretta >> (All): We are discussing that - at the moment section 5.2.1
JohnGarrett >> (All): Hi all.  Helen, I hope you heal up quickly.
David Giaretta >> (All): Mark aren't these just clarifications to say what one CAN do and not be barred from auditing through conflict of interest
RobertDowns >> (All): Hi
Helen Tibbo >> (All): Thanks, Barbara. Got the document, David
Mark Conrad >> (All): David, I don't understand what a) is saying.
Mark Conrad >> (All): It appears to say that certification body personnel can carry out any type of audit prior to the certification audit - except an internal TDR audit or review.
David Giaretta >> (All): SO the audit body cannot do the internal audits prior to the actual audit but it can do other audits
JohnGarrett >> (All): We inherited this section from 26006 or whatever.  They just wanted to make sure the activities listed here didn't disqualify a group from providing an audit.  I think including a) is a bit of overkill since to be it seems to say an auditing body can do an audit with disqualifying itself.
BruceAmbacher >> (All): Why would anyone engage in these activities except with the aim of audit and certification?  Does this say you do all such activities to help an organization prepare for an audit if you are not on that audit team?  How can you do these without being in conflict?
Mark Conrad >> (All): I recommend removing a).
Helen Tibbo >> (All): The danger here, I am guessing is that since much of this will be subjective (we have no clear cut metrics of "how good" for many of the requirements), the more familiarity an auditor or audit team has with an institution - even if it is all above board and benign - the greater the likelihood of a favorable formal audit. I think that is human nature.
JohnGarrett >> (All): I don't have a problem with either keeping it or deleting it.  I think those things are allowed whether we say it or not.
Mark Conrad >> (All): Helen, This is all extensively covered in 17026.
David Giaretta >> (All): Bruce it looks as if this was in 27006 in order to make it clear that one can do some things without being barred. If we remove (a) does it open the way for nit-picking people argiing to exclude people who did previous audits or followed up on previous audits e.g. helping to resolve non-conformities.
Mark Conrad >> (All): David, I think it should exclude such folks.
RobertDowns >> (All): Well, we could have the individuals with such perceived conflicts report them to the rest of the audit team so that it is above board.
Terry Longstreth >> (All): (1 of 5) This all resonates with my concern over our references to 17021.  I believe:
David Giaretta >> (All): Robert - yes - that would be a good compromise. Mark - I'd be worried about cutting the pool of available auitors down
Terry Longstreth >> (All): (2 of 5) Overall - Still need to clarify 17021 relationship   (1) TDR Certification is extension of 17021 (i.e. single audit plan encompasses both)
Terry Longstreth >> (All): (3 of 5) 2) TDR Certification is independent of 17021, but requires conformance to listed normative 17021 sections   (3)  "      "         requires 17021 cert as a precondition
Mark Conrad >> (All): David, At the expense of the credibility of the auditing body?
JohnGarrett >> (All): Actually, I do think you are barred from doing future audits if you help the organization clear up previous non-conformities.   Any type of recent (within 2 years) consultancy with the organization bars you from certifying them.
Terry Longstreth >> (All): (4 of 5) Normative references to 17021 sections should include mnemonic summaries of relevant 17021 content   1) to make it clear what we're talking about when new version of 17021 is published
David Giaretta >> (All): John - so how does 27006 work?
Terry Longstreth >> (All): (5 of 5) 2) to allow reading of our document without dependence on 17021   -- Auditing will still require full 17021, but our document should be able to be read by itself
BruceAmbacher >> (All): The key seems to be whether such activities are focused on the repository being audited.  Is that correct?
Mark Conrad >> (All): Terry see 1.2 Scope.
JohnGarrett >> (All): David, I not sure what your question is?    The basic condition is that is you are a consultant to an organization, you can certify them.
Mark Conrad >> (All): The document we are looking at refers to 17021. You all are discussing 27006 - not referenced in this document. DO we need to change that?
Terry Longstreth >> (All): I did see 1.2 - I find it unclear.  As an example of what I mean by mnemonic summary:
JohnGarrett >> (All): Sorry, that should have said you can NOT certify them, if you are a consultant.
Terry Longstreth >> (All):  Example: 5.1   LEGAL AND CONTRACTUAL MATTERSThe requirements from ISO/IEC 17021:2006, Clause 5.1 apply:  The TDR Certification body shall be constituted as a legal entity, have certification agreements with its clients, and maintain continuing responsibility for certification actions it has issued. 
David Giaretta >> (All): Terry - going back to where we started - we were basing our doc on an existing already accepted and used ISO standard (ISO 27006) so that we had the minimum work to do. What you suggest seems an awful lot of unnecessary work. We shuld be able to follow in the footsteps of 27006
David Giaretta >> (All): John, 5.2.1 is saying what is NOT considered a consultancy and is therefore would NOT be a cause of exclusion
Mark Conrad >> (All): David 27006 or 17021? There are no references to 27006 in this document.
Mark Conrad >> (All): David, I do not believe we should have such an exception.
David Giaretta >> (All): Mark - we copied 27006 and then changed ISMS to TDR globally - what we then needed to do in these meetings is to tweek the words e.g. the qualifications for auditors.
JohnGarrett >> (All): Yes, David, I agree our 5.2.1  is saying what is allowed. The 17021 section 5.2 says what must be done to ensure impartialiaty.
Mark Conrad >> (All): I still recommend removing a.). What do other folks think?
RobertDowns >> (All): If these are allowed under 17021, then we might just require that they be reported to the auditing committee and documenting them so that there is no perception of a conflict of interest.
Terry Longstreth >> (All): 27006 is a security standard.  I think we should draw the distinction between it as a document model,  or as a prescribed set of normative sections.
Helen Tibbo >> (All): So, although we copied 27006, since 27006 refered to 17021, that's why 17021 is listed in our text rather than 27006, right?
Mark Conrad >> (All): Robert, I do not believe they are allowed under 17021.
JohnGarrett >> (All): Just to be clear Mark, you do think that a certification body can certify an organization a second time don't you?
David Giaretta >> (All): I guess I'd like to understand why this was put in by the 27006 people - I assume it was for a good reason and I'm worried we will fall foul of whatever they were guarding against
JohnGarrett >> (All): Helen, Yes that is correct.
BruceAmbacher >> (All): Mark, does your position on a change realizing it refers to certification bodies, not individuals.
David Giaretta >> (All): Helen - yes.
JohnGarrett >> (All): We no longer have any connection to 27006 (other than our document will look very similar to 27006)
Mark Conrad >> (All): Bruce, No. 
Terry Longstreth >> (All): @John: so tailoring our sections for clarity wouldn't violate the 27006 template?
Mark Conrad >> (All): John, Recertification is allowed under 17021.
RobertDowns >> (All): If the committee certified an organization previously, the committee should be allowed to recertify a repository.
JohnGarrett >> (All): Terry, no we can make changes to the text in our document.  We don't have to follow the 27006 template.   I think we should just ignore where it came originated from now on.
David Giaretta >> (All): Mark - maybe you are right (a) is belt and braces and can be removed. Although I'd like to think some more about it for the reasons I gave before
JohnGarrett >> (All): Mark, I agree with you 17021 allows recertification and our 5.2.1 a) just says the same thing.
JohnGarrett >> (All): Since it says the same thing, I don't care if it is removed or if it stays.  What about other people?
Terry Longstreth >> (All): John,That's always  been my understanding. I was reacting to David
Mark Conrad >> (All): It is difficult to understand what a) is saying. Unless someone has a compelling reason to leave it in, I think it should be removed be cause it is confusing.
Terry Longstreth >> (All): I would recommend 1.2 be amended to answer the question in my  1-5 of 5, above
RobertDowns >> (All): I believe that 5.2.1a allows the auditing committee to engage in informational meetings, etc. with repositories that are applying for certification.
Terry Longstreth >> (All): c/answer the questions/address the issues/
Mark Conrad >> (All): Terry, What would you recommend? We have been going round and round about the relationship between this document and 17021 for months.
JohnGarrett >> (All): Reading it again, maybe there was a concern that auditiing bodies could do other types of audits than a TDR audit.
David Giaretta >> (All): Terry I though we resolved this last time - there is no separate 17021 audit
Terry Longstreth >> (All): then say so
Terry Longstreth >> (All): in 1.2
Terry Longstreth >> (All): maybe
David Giaretta >> (All): Terry - Not sure what words you are suggesting.
David Giaretta >> (All): But we were on 5.2.1 - and were were actually to start in section 9 I thought -  so we are going backwards!
Terry Longstreth >> (All): as above: TDR Certification is extension of 17021 (i.e. single audit plan encompasses both)
JohnGarrett >> (All): Terry, I think we are pretty clear about the relationship to 17021.  Each section of our document says "The requirements from 17021 Clause XXX apply."
David Giaretta >> (All): But there is no 17021 audit
Terry Longstreth >> (All): When we're done, there will b
RobertDowns >> (All): The auditing committee should be able to examine documents of a repository that is preparing for certiification, prior to the certification process. Giving advice could save everybody a lot of time and effort.
Terry Longstreth >> (All): We'll be certifying 17021 compliance for TDRs, willy nilly
Mark Conrad >> (All): David, We went back to 5.2.1. because we had questions about it and this section was not in Simon's original document identifiying sections that needed further review. I have other sections of concern as well.
David Giaretta >> (All): No we'll be certifying compliance with the metrics doc
David Giaretta >> (All): Fine to do 5.2.1 - just worried about constant jumping.
David Giaretta >> (All): ...I'd like to finish at least one go through at least
Mark Conrad >> (All): Robert, The appearance of a conflict of interest would be enough to damage the credibility of the certification body. We should error on the side of caution.
JohnGarrett >> (All): Robert, the auditing committee can look at document, but it can't consult with the organization and tell them this is what you need to do in their individual case to pass an audit.   This limits the impartiality of the auditing organization, if they are the ones who tell an organization how to do something and then check that they are doing it while getting paid for both activities.
RobertDowns >> (All): My statements did not imply that the auditing committee was getting paid.
Mark Conrad >> (All): David, I would like to make it all the way through, too. I think it would be more productive to have everyone review this entire document and go through it one time beginning to end and be done with it.
David Giaretta >> (All): Mark - as I said, I'm OK with deleting (a) because it looks like belt and braces
RobertDowns >> (All): If the committee is getting paid to help an organization  prepare, then it could be a potential conflict of interest.
Mark Conrad >> (All): Robert, Even if they are not getting paid, it could be seen as doing a favor to get business.
JohnGarrett >> (All): I guess the getting paid part can be a bit of red herring.   You can still not be impartial even if the payment structure isn't there.
RobertDowns >> (All): I am convinced and agree to delete a.
David Giaretta >> (All): Mark - yes - I guess SImon's wiki page was aimed specifically at those topics which clearly needed some TDR specific consideration e.g. auditor qualifications. Those were the minimum we should change/consider. I hoped we could consider other things later
JohnGarrett >> (All): I agree with Mark, it would be good to systematically just go through the document.
Mark Conrad >> (All): Can everyone have their comments on the entire document done and e-mailed to the group by Friday for discussion at next week's meeting?
David Giaretta >> (All): But rather than drop what we are doing I'd still like us to go though the points picked out in the Wiki
Mark Conrad >> (All): David, Decisions made earlier in the document may have an effect on decisions later in the document.
David Giaretta >> (All): But that was the reason that SImon pulled out what he did - they were TDR specific. I'm not sure how 5.2.1 is TDR specific. We could wordsmith everything but it will take a long long time.
Mark Conrad >> (All): David, This entire document is supposed to be TDR specific, isn't it?
David Giaretta >> (All): Then how could we just copy 27006?
JohnGarrett >> (All): David, yes I think we should cover those issues as part of a systematic review of the whole document.   Actually, I thought that was what we had started to do and the issues listed were the only ones that anyone had.
David Giaretta >> (All): Mark - in other words most of the doc is generic - that's why we kept saying "boilerplate"
BruceAmbacher >> (All): But new sections were introduced with this version that folks are not comfortable with or do not understand.  
Mark Conrad >> (All): David, See 1.2 and 1.3.
David Giaretta >> (All): Bruce - which new sections have been introduced?
BruceAmbacher >> (All): This is the first version I recall with the text of 5.2.1
David Giaretta >> (All): But as we said - that was copied from 27006 so we always had it in.
David Giaretta >> (All): Check with 27006
Mark Conrad >> (All): David, Is there a good reason to review the sections on the wiki first and then do a systematic review of the entire document?
JohnGarrett >> (All): This whole standard is specifically about the requirements for an auditor to do an audit of a TDR using our metrics document.  There are general parts to this standard that would be included for any of audit, and there are a very few things that are specific to a TDR audit.
David Giaretta >> (All): I would say yes because (1) the other stuff is not TDR specific - although we can check taht and (2) by accepting what is tried and tested (and generic) we save ourselves a lot of effort. Checking the topics pulled out in the Wioki are the non-generoic things
Mark Conrad >> (All): John, That was my understanding. I believe there are things in this document that need to be modified or removed to do that.
JohnGarrett >> (All): Bruce, section 5.2.1 has been there since the beginning.  
Mark Conrad >> (All): David,
Mark Conrad >> (All): Are you saying not TDR specific?
David Giaretta >> (All): Yes
Mark Conrad >> (All): Then why is it in here?
JohnGarrett >> (All): Mark, OK.  I agree with a systematic review.  What we have is a start at what we think we need, but  people need to identify where they have issues.
David Giaretta >> (All): Because we copied it from 27006
JohnGarrett >> (All): Mark, I know you have identified issues.  Others may not have done so yet
David Giaretta >> (All): let me try pputting it differently:
David Giaretta >> (All): ...27006 is accepted through ISO review anad is used for 2700 audit bodies I guess
JohnGarrett >> (All): But we need to identify all the issues now.  This draft has been available for well over a year and most people haven't identified where they have concerns.
RobertDowns >> (All): I think that it is worth discussing the issues that have been identified.
David Giaretta >> (All): ...the more we change in our doc the further we get from what is already accepted
David Giaretta >> (All): ....therefore we should change the minimum we need
David Giaretta >> (All): .......and those are the TDR specific things
RobertDowns >> (All): Bruce, if you are speaking, I am unable to hear you
David Giaretta >> (All): Remember the Metrics doc is not perfect, and neither will this doc be. However by basing it on something taht has been accepted the more likely we are to have something useful
BruceAmbacher >> (All): The language in this document at 5.2.1 is different from the boxed text in the November 2008 version.  So our text is not just a cut and paste and cnd the rewrite has inteoduced confusion.  So I have not seen it before and it has not been there all along.
David Giaretta >> (All): Bruce the boxed text is from 17021
David Giaretta >> (All): ....the text OUTSIDE the boxes is what we copied from 27006
David Giaretta >> (All): ........and that has not changed except for the few pieces we touched following our discussions
Mark Conrad >> (All): David, Apparently we do not have a common view of what is TDR specific in this document.
David Giaretta >> (All): I have few enough hairs - don't make me pull the rest out!
Mark Conrad >> (All): If someone is speaking I cannot hear you.
David Giaretta >> (All): Mark - I agree it is possible taht there are more TDR specific things than Simon identified. But I think what Simon identified IS TDR specific. Maybe when talking about other text we should argue WHY it is TDR specific
David Giaretta >> (All): ...first - before jumping into the discussion
David Giaretta >> (All): SO how about finishing off Simon's list (form the WIki) then people email in identifying those sections which they think are TDR specific - and WHY
JohnGarrett >> (All): This standard should cover everything (general and specific) that an auditor should do to perform an audit of a TDR.  To make it easier to cover everything, this standard says you have to do what is specified by 17021 (all generic) plus you also have to do these other things (both generic and specific).
Mark Conrad >> (All): David, It should all be TDR-specific or why do we need a document in addition to 17021?
JohnGarrett >> (All): I don't see any need to identify what is TDR specific or not.  We just need to identify if we need the requirement for an audit of TDR or not.  If it is needed, it stays.  If it is not needed, it goes.
Terry Longstreth >> (All): How do we reconcile John's statement with David's (that the certification is against the metrics doc, not 17021, since 17021 isn't mentioned in the metrics doc?)
JohnGarrett >> (All): Terry, I think you misunderstand.  The audit is against the metrics document.   This standard and 17021 give procedures to follow while doing the audit of a TDR against our metrics document.
David Giaretta >> (All): Mark - there are things like the auditor qualififcations which are pretty TDR specific. I think we need something other than 17021 because 17021 is too generic - e.g. does not specify auditor qualifications. Of course the other point is that 2700 has the accompanying 27006 - which is what we copied
Mark Conrad >> (All): David, I believe I have heard you say that if it is in 27006 it should be in this document. I do not believe that to be the case.
BruceAmbacher >> (All): Did not earlier text say we should now ignore 27006 now that we used its template?
Terry Longstreth >> (All): John - I'd agree with what you say, but the Auditor guidelines never says that
David Giaretta >> (All): John - we need to identify which pieces are TDR specific because otherwise we will end up discussing the WHOLE document and that is probably unnecessary. I imagine the guys who did 27006 were pretty smart and also they had some experience - they had gone through the previous version of standards - 1700 I think - so we can inherit some smarts from them
JohnGarrett >> (All): Terry, OK, maybe we should say that better in the introduction.
Mark Conrad >> (All): David, You're assuming that everything needed for ISMS is needed for TDR. 
David Giaretta >> (All): Mark - yes that could certainly be the case BUT I am worried that it's in 27006 for some good reason and if it's not for some obvious security related reason then it probably has to do with making the audit system work.  Those are the sorts of things we can probably benefit from. Therefore unless it is definitely harmful to a TDR audit (i.e. a good TDR specific reason) I'd error on the side of keeping things in.
David Giaretta >> (All): ... it has the benefit that we can get this doc into formal review quicker
Mark Conrad >> (All): David, If we choose to do that sections 1.2 through 1.4. need to be revised to reflect that scope and rationale.
JohnGarrett >> (All): David, I agree with you that TDR specific items are probably concentrated in certain sections, but I also think the whole document can be reviewed.
David Giaretta >> (All): John - of course - but the question is - what do we discuss in these meetings? We should all read the whole doc
JohnGarrett >> (All): Can we set a schedule to review section 5 this week, section 6 next week and so on.  Then we can finish this in just over a month.
BruceAmbacher >> (All): I have a security investigator coming in a few minutes and must sign off.  Let me know what the focus for next week will be.
David Giaretta >> (All): Mark - not sure why you say that - do you have specific suggestions? I thought 1.2-1.4 is pretty plain.
JohnGarrett >> (All): We stick to the schedule and cover a section without continuing to go back a start over.
Mark Conrad >> (All): John, I think we need to resolve section one first so we know what the criteria are for reviewing the rest of the document.
Helen Tibbo >> (All): I am going to have to leave soon and have printed out the document with Simon's list from the wiki. I will be away this week but will take this with me. Please email the group some marching orders.
Helen Tibbo >> (All): Have to run now.  Bye!!!
David Giaretta >> (All): Bye Helen
Mark Conrad >> (All): David, 1.2 - 1.4. says that the material in this document is specific to TDR and modifies 17021. It does not say it includes points drawn form 26007 that are not TDR specific.
Terry Longstreth >> (All): I have to leave, too.  I'll try to summarize my concerns in an email.
JohnGarrett >> (All): OK, I guess we can start at Section 1.  Why don't you just propose what you would like to say.  We need each of the sections that are there in that order to comply with CCSDS publication standards, but we can say whatever we think is appropriate.  Please suggest wording that you think will work.
David Giaretta >> (All): But Mark - it includes things that are generic as John said and as I thought we all agreed.
Mark Conrad >> (All): David, That is not what 1.2 - 1.4 says.
David Giaretta >> (All): it's a generic doc with a number of TDR specific things in - but one has to do all of it to offer audit and certification
Mark Conrad >> (All): David, That is not what 1.2 - 1.4 says.
JohnGarrett >> (All): Mark, I don't think we should talk about 27006.  It was used only a template to get us started and we do not refer to it in any way in this document.
David Giaretta >> (All): John - in terms of the schedule - that would be fine but on past performance I don't think it would work.
Mark Conrad >> (All): John, David is suggesting we leave stuff in here just because it is in 27006. How do we explain that in the scope and applicability sections of this document?
David Giaretta >> (All): The only way forward I can see is (1) finish SImons list (2) identifiy other TDR specific things and (3) a general go through as a last check
JohnGarrett >> (All): I don't think we should leave things in just because they are in 27006.  I think we should leave things in only if they apply to audit of a TDR with our metrics document.
Mark Conrad >> (All): John, I agree, but that is not what David is proposing.
David Giaretta >> (All): Mark - sometimes (always!) one needs generic things in order to accomplish some specific things. So to fly to the USA I need the generic action of going to the airport.
Mark Conrad >> (All): The generic things are supposed to be covered in 17021.
David Giaretta >> (All): ...all I am saying is that unless we can definitely see some harm then we give the 27006 guys some credit for being sensible.
Mark Conrad >> (All): Then the scope for this document needs to state that.
David Giaretta >> (All): But 17021 just says the equivalent oif "you should fly in an airplane" but does not say "go to the airport" and *get a flight to the USA*
JohnGarrett >> (All): I think most of the generic things will be covered by 17021, but perhaps not all of them.  Or perhaps we would like to explain our understanding of the generic requirements in 17021
David Giaretta >> (All): Mark - I just don't see what you want to see in scetions 1.2-1.4. 
JohnGarrett >> (All): I think the two of you are mostly agreeing.
David Giaretta >> (All): ...Mark if you want to say - this docuemnt closely follows 27006 - that would probably be fine.
Mark Conrad >> (All): All I am saying is we need to indicate in 1.2 - 1.4. Why stuff is included in this document. If stuff that was in 27006 is to be included because the 27006 guys might have seen something we didn't see, we should say that is why it is in here.
Mark Conrad >> (All): Otherwise, everything in here should be TDR specific.
JohnGarrett >> (All): I think the first paragraph of 1.4 is what we are saying - that there is a hierarchy of auditing documents and this standard ensures that those good practices can be applied to TDR auditing
David Giaretta >> (All): John - sure we could add something there - a reference to 27006 perhaps
JohnGarrett >> (All): We should NOT refer to 27006.  It no longer has anything to do with this document.  It was a good template, but it is nothing more than a template.
Mark Conrad >> (All): The first paragraph doesn't identify where in the hierarchy this document fits and the last paragraph of 1.4. talsk about the scope.
JohnGarrett >> (All): Mark, do you have a proposal for what you would like the wording to be?
Mark Conrad >> (All): I will complete my comments on the entire document and send them around to the group.
JohnGarrett >> (All): That sounds like a great idea.
Mark Conrad >> (All): See you next week.
David Giaretta >> (All): I guess we need a clear understanding/agreement between ourselves about what we are doing. Then we can see if the non-normative partsneed  updating
David Giaretta >> (All): Actions on everyone?
David Giaretta >> (All): I still suggest ACTIONS: (1) finish Simons' list (2) review whole doc and pull out TDR specific things and (3) if possible provide other comemnts
Mark Conrad >> (All): Read the document and forward your comments in time for folks to have time to read them before the next meeting?
David Giaretta >> (All): Yes, definitely
Mark Conrad >> (All): Ok. Bye.
RobertDowns >> (All): Bye
David Giaretta >> (All):  Bye all
Edit | Attach | Watch | Print version | History: r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r2 - 2010-03-01 - DavidGiaretta
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback