A Conformity Assessment Body (CAB) is a company responsible for carrying out audits or conformity assessments for Trust Service Providers (TSPs).
Each Conformity Assessment Body must carry out audits in accordance with the regulations applicable in the sector. In the case of Trust Conformity Assessment Body (TCAB), we conduct our audits in accordance with the eIDAS Regulation and other relevant standards in the IT security sector such as ETSI, ENISA, CA/B Forum and Spanish local regulations such as SEPBLAC, among others.
The audit process is carried out in the following three phases:
- Planning and programming:
The audits are carried out according to an Audit Plan, which the audit team prepares each year. This Plan establishes the audit data (date, duration, scope, points to be audited, audited area, contact persons) and the checklists (date, time, points of the standards to be audited, audited area, contact persons, auditors).
To prepare it, the reports of previous audits already carried out are collected. Once this is done, the Technical Committee reviews and approves the audit plan.
- Audit execution:
To initiate the audit, an initial meeting is held with the client to confirm the scope of the audit and the data collected in the Audit Plan, establish the sequence of the audit and analyse any points that both parties consider necessary. After this step, the audit begins, following the Audit Plan as a work guide. There are two steps at this point:
– Documentary review: we verify the conformity of the system (documents, records) against the points of the reference standards and laws.
– On-site inspection: we verify compliance with the established controls. A sampling inspection of the objective evidence is carried out to prove the correct functioning of the technical and organisational processes within the scope of the audit.
- Audit report:
Once the audit is completed, the audit team writes a results report that clearly and definitively identifies the detected non-conformities. In addition, a final meeting is held in which the audit team presents the report to the client, so that the client can review and sign it. Where significant non-conformities are present, a new date is scheduled for a follow-up audit to verify that these non-conformities have been eliminated.
It is mandatory to send the CAR (Conformity Assessment Report) to the Supervisory Body within 3 days of receiving it, so that the Supervisory Body may decide whether the TSP is granted qualified status and, consequently, whether it can be included in the EU Trusted Lists.
In general, CABs carry a degree of authority, since they are usually accredited by the National Certification Entities (in the case of Spain, ENAC) in order to be able to provide their services.
Click here to access the list of Conformity Assessment Bodies accredited against the requirements of eIDAS Regulation.