17.1 ligible Audit Schemes
The CA MUST undergo a conformity assessment audit for compliance with these Requirements performed in accordance with one of the following schemes:
1.WebTrust for Certification Authorities v2.0;
2.A national scheme that audits conformance to ETSI TS 102 042;
Whichever scheme is chosen, it MUST incorporate periodic monitoring and/or accountability procedures to ensure that its audits continue to be conducted in accordance with the requirements of the scheme.
The audit MUST be conducted by a Qualified Auditor, as specified in BR Section 8.2.
17.2 Audit Period
As specified in BR Section 8.1.
17.3 Audit Report
As specified in BR Section 8.6.
17.4Pre-Issuance Readiness Audit
If the CA has a currently valid Audit Report indicating compliance with an audit scheme listed in Section 17.1, then no pre-issuance readiness assessment is necessary.
If the CA does not have a currently valid Audit Report indicating compliance with one of the audit schemes listed in Section 17.1, then, before issuing Publicly-Trusted Certificates, the CA MUST successfully complete a point-in-time readiness assessment performed in accordance with applicable standards under one of the audit schemes listed in Section 17.1. The point-in-time readiness assessment MUST be completed no earlier than twelve (12) months prior to issuing Publicly-Trusted Certificates and MUST be followed by a complete audit under such scheme within ninety (90) days of issuing the first Publicly-Trusted Certificate.
17.5 Audit of Delegated Functions
Audits MUST be conducted for all obligations under these Guidelines, including timestamping and signing services, regardless of whether they are performed directly by the CA or by a Delegated Third Party. Functions performed by a Delegated Third Party MUST be included in the CA’s audit or the CA MUST obtain an audit report from the Delegated Third Party. If the opinion is that the Delegated Third Party does not comply, then the CA MUST not allow the Delegated Third Party to continue performing delegated functions.
The audit period for the Delegated Third Party MUST NOT exceed one year (ideally aligned with the CA’s audit).
17.6 Auditor Qualifications
As specified in BR Section 8.2.
17.7 Key Generation Ceremony
As specified in BR Section 184.108.40.206.