Isms Latc
_________________________________________________________________________________________________
_____________________________________________________________________________________ - 0 -
NABET/4001/0608/02
NABET Criteria for
INFORMATION SECURITY MANAGEMENT SYSTEMS (ISMS)
Lead Auditor Training Courses
NABET Criteria for ISMS Lead Auditor Training Course Registration
Section 1: INTRODUCTION
1.1 This auditor/lead auditor training course shall provide training for potential auditors and audit
team leaders in the principles and practices of auditing Information Security Management
Systems (ISMS) in accordance with ISO 19011.
1.2 The primary focus of the auditor/lead auditor training course shall be to equip students with the
knowledge and skills to perform audits of Information Security Management Systems (ISMS)
based on the ISO/IEC 27001 standard, or recognized national and international equivalents
specified by NABET if any.
1.3 The training course provider shall:
a) present the body of knowledge of ISMS Auditing in such a way that students are able to
identify and understand good auditing practices, and
b) encourage students to analyze critically their own performance as a means for developing
effective auditor skills.
1.4 It is recommended that students attending this course should have an understanding of the
principles supporting information security management systems and of the ISO/IEC 27001
standard.
1.5 This recommendation should be conveyed by the course provider to prospective students in all
its communications, course promotion etc.
1.6 It should also be conveyed to prospective students that lack of the prior knowledge described above
may lead to unsuccessful completion of this course, and that gaps in this knowledge may not be
covered during the course.
1.7 Successful completion of the NABET registered training course will satisfy the training
requirements for NABET registration to all grades of NABET ISMS Auditors.
Section 2: COURSE OBJECTIVES
2.1 Learning Objectives
Learning objectives describe what students must be able to do by the end of this course. Students
need to demonstrate acceptable performance in all of these areas in order to complete the course
successfully, and the course provider will need to demonstrate a factual and objective approach to the
assessment of student performance against the following.
By the end of the course students will be able to:
Knowledge:
2.1.1 Explain the purpose of an information security management system (ISMS) and explain the
processes involved in establishing, implementing, operating, monitoring, reviewing and
improving an ISMS as defined in ISO/IEC 27001, including the significance of these for ISMS
auditors.
2.1.2 Explain the purpose, content and interrelationship of ISO/IEC 27001:2005, ISO/IEC
27002:2005, ISO/IEC 27006:2007 and the legislative framework relevant to an ISMS.
2.1.3 Explain the role of an auditor to plan, conduct, report and follow up an ISMS audit in
accordance with ISO 19011.
Skills:
2.1.4 Interpret the requirements of ISO/IEC 27001 and ISO/IEC 27006 in the context of an ISMS
audit.
2.1.5 Undertake the role of an auditor to plan, conduct, report and follow up an audit in accordance
with ISO 19011.
2.2 Enabling Objectives
In order for students to achieve the overall learning objectives, they will need to acquire and develop
specific knowledge and skills. These are specified below as Enabling Objectives and can be
considered as steps to the achievement of the Learning Objectives.
By the end of the course students shall be able to:
2.2.1 Explain the purpose of an information security management system (ISMS) and the
processes involved in establishing, implementing, operating, monitoring, reviewing
and improving an ISMS as defined in ISO/IEC 27001, including the significance of
these for ISMS auditors.
Knowledge:
2.2.1.1 Explain the purpose and business impacts of an information security management system.
2.2.1.2 Explain the process approach to information security management systems.
2.2.1.3 Explain the processes involved in establishing, implementing, operating, monitoring,
reviewing and improving an ISMS, including the significance of these for ISMS auditors.
2.2.1.4 Describe in detail what is involved in selecting a system of controls through the process of
risk assessment, treatment and management, including:
a) ISMS scope and policy
b) Identifying and explaining the elements of the risk assessment process
c) Risk treatment plan and options
d) Risk reduction through the selection and implementation of a system of controls
e) Statement of applicability in relation to an organization's business activities and
associated risks.
2.2.1.5 Explain the importance and methods used in security incident handling and business
continuity.
2.2.2 Explain the purpose, content and interrelationship of ISO/IEC 27001: 2005, ISO/IEC
27002:2005, ISO/IEC 27006: 2007 and the legislative framework relevant to ISMS.
Knowledge
2.2.2.1 Describe the difference between auditable standards and guidance documents and
standards.
2.2.2.2 Explain the purpose and content of ISO/IEC 27002 and its relationship to ISO/IEC 27001.
2.2.2.3 Explain the control objectives and controls defined in Annex A of ISO/IEC 27001 drawing on
ISO/IEC 27002.
2.2.2.4 Explain ISO/IEC 27001 related concepts and terminology of quality management systems,
drawing on ISMS terminology and definitions.
2.2.2.5 Explain the difference between legal compliance and conformance with ISO standards and
outline relevant applicable legislation, intellectual property rights, data protection and privacy
of personal information.
2.2.3 Explain the role of an auditor to plan, conduct, report and follow up an ISMS audit in
accordance with ISO 19011 and the criteria contained in ISO/IEC 27006.
Knowledge
2.2.3.1 Briefly describe the structure of the ISMS certification industry, including:
a) The differences in purpose and conduct between 1st, 2nd and 3rd party audits.
b) The International Accreditation Forum and the European Co-operation for
Accreditation interpretations and guidelines for 3rd party certification bodies and the
system of accredited certification, including the function of the Accreditation Bodies
and Certification Bodies.
c) The role of NABET in the approval of training courses and registration of auditors.
2.2.3.2 Describe the role of the auditor, including:
a) The ISMS audit process and auditing principles, methodology and good practice as
described in ISO/IEC 27006 and the current revision of ISO 19011.
b) The roles and responsibilities of the client, auditors, lead auditors, auditees and
guides in accordance with ISO/IEC 27006 and ISO 19011, including the
management and team leader responsibilities of the Lead auditor in managing the
audit and the audit team.
c) The need for effective communication with the auditee, for auditor confidentiality and
for auditors to be sensitive to local customs throughout the audit process.
d) The NABET code of conduct.
2.2.3.3 Describe the process of planning an audit:
a) Describe typical forms of pre-audit contact, their purpose and when they might be
appropriate.
b) State the purpose of document review/stage one audits and describe a typical
document review process and its outputs.
c) Explain the purpose and significance of the audit scope, the importance of team
competency and selection of team members particularly with regard to process
knowledge and local information security regulations.
d) Explain the use, benefits and potential limitations of a checklist (or alternative) and
considerations for planning an audit of an activity for which there were no
documented procedures.
2.2.3.4 Describe the process of conducting an audit:
a) Explain how to approach a process audit, including audit of process inputs, outputs
and results of the process in terms of outcomes and explain how process measures,
quality objectives and continual improvement would be addressed through such an
audit.
b) Describe the purpose of typical content of and attendees typically present at audit
meetings, including opening and closing meetings, audit team meetings and auditee
feedback/review meetings.
c) Explain the process of and different methods for gathering objective evidence during
an audit, including the benefits and limitations of sampling and of observation.
d) Explain the typical role of top management in an audit and suggest approaches for
auditing top management commitment.
2.2.3.5 Describe the process of reporting and following up an audit:
a) State the purpose and typical content of a non-conformity report and describe typical
systems for grading non-conformity reports, including the implications and further
actions required for different grades of non-conformity.
b) Explain the terms correction, corrective action and preventive action and describe
the roles and responsibilities for taking and verifying corrective action.
c) Identify types of objective evidence that may be required to demonstrate effective
implementation of corrective and preventive action.
d) Explain the purpose of ongoing surveillance visits.
2.2.4 Interpret the requirements of ISO/IEC 27001 and ISO/IEC 27006 in the context of an
ISMS Audit.
Skills
2.2.4.1 Draw links between the PDCA model and correctly apply this to the ISMS process
requirements specified in ISO/IEC 27001.
2.2.4.2 Interpret and apply ISO/IEC 27001 appropriately in an audit situation.
a) Suggest what objective evidence might be needed to demonstrate conformance with
ISO/IEC 27001 requirements.
b) Verify the scope of ISMS certification in the context of ISO/IEC 27001.
c) Audit multi-site ISMS scopes and apply a sample based approach to multiple
site assessments.
d) Describe the basis on which exclusion of controls might be permissible while complying
with all requirements of the ISMS standard.
2.2.4.3 Check and confirm the following ISMS audit objectives:
a) That the organization adheres to its own policies, objectives and procedures.
b) That the ISMS conforms with all the requirements of the ISMS standard or normative
document and is achieving the organization's policy objectives.
2.2.4.4 Identify and evaluate in an ISMS audit context:
a) The assessment of information security related risks to the organization's assets
and the resulting design of the ISMS.
b) The organization's security risk assessment approach, including the assessment of
the adequacy of any given approach.
c) The suitability of the organization's statement of applicability in relation to its
business activities and associated risks.
d) Objectives and targets derived from this process.
e) Performance monitoring, measuring, reporting and reviewing against the objectives
and targets.
f) Security and management reviews.
g) Management responsibility for the information security policy.
h) Links between policy, the results of information security risk assessments, objectives
and targets, responsibilities, programmes, procedures, performance data and
security reviews.
i) The activities and/or controls which the organization is permitted to exclude from
its ISMS.
2.2.4.5 Evaluate the information security related threats to assets, vulnerabilities and impacts on the
organization.
a) Establishing and maintaining procedures for the identification, examination and
evaluation of information security related threats to assets, vulnerabilities and
impacts on the organization, taking account of the following factors:
i. The criteria by which information security related threats to assets,
vulnerabilities and impacts on the organization are identified as significant,
and to develop procedure/s for doing this.
ii. That the analysis of security related threats is relevant and adequate for the
operation of the organization.
iii. There is no inconsistency between the organization's policy, objectives and
targets and its procedure/s or the results of their application.
b) The procedures employed in the analysis of significance are sound and properly
implemented. If an information security related threat to assets, vulnerability or an impact on
the organization is identified as being significant, it should be managed within the
ISMS.
2.2.4.6 Evaluate regulatory and legal compliance:
a) The organization has a management system that should achieve continuing
compliance with regulatory requirements applicable to the information security
impacts of its activities, products and services and that this system is fully
implemented.
b) The organization has evaluated legal and regulatory compliance and can show that
action has been taken in cases of non-compliance with relevant regulations.
2.2.5 Understand the role of an auditor to plan, conduct, report and follow up an ISMS audit
in accordance with ISO 19011.
Skills
2.2.5.1 Undertake the role of an auditor and/or audit team leader to plan an audit:
a) Identify the pre-audit information required to plan the duration and resources needed
to conduct the on-site audit and write an audit scope.
b) Prepare an on-site audit plan that is appropriate to the sequence and interaction of
the organization's processes, their environmental aspects and significant impacts,
and produce an audit checklist (or alternative).
c) Perform a document review or stage one audit in order to assess whether
documentation meets ISO/IEC 27001 requirements and to determine whether
adequate arrangements are in place to justify proceeding with the implementation
audit.
2.2.5.2 Undertake the role of an auditor to manage and conduct an audit to evaluate an
organization's effective implementation of processes, procedures and methodologies for
conformance with ISO/IEC 27001, including those areas described in 2.2.4 above.
a) Participate in and demonstrate ability to control opening and closing meetings.
b) Make sense of the information gathered in the context of ISO/IEC 27001 and the
audited organization by:
- Gaining an understanding of its processes including their purpose, inputs,
outputs, controls and related performance indicators.
- Selecting sufficient and relevant samples
- Reviewing appropriate documents
- Differentiating between documentation and records
- Exercising objectivity in the review of evidence collected
c) Demonstrate effective interpersonal skills and interview techniques through ability to:
- build rapport with the auditee
- use appropriate types of questions
- listen effectively
- make notes, use a checklist effectively and follow audit trails
- provide feedback to the auditee
- be sensitive to the needs and expectations of the auditee, including the local
customs and culture.
2.2.5.3 Undertake the role of an auditor to report and follow up the audit:
a) Evaluate the objective evidence gathered and correctly identify conformance and
non-conformance with requirements.
b) Recognize and report positive audit findings and opportunities for improvements.
c) Write a meaningful and accurate summary report of the audit, including graded non-
conformity reports based on objective evidence obtained during the course of the
audit.
d) Make recommendations for certification/supplier approval based on audit findings
e) Present audit findings and recommendations to the client.
f) Evaluate proposals for corrective action and differentiate between correction and
corrective action.
2.3 The training course provider may develop more detailed learning objectives as
appropriate.
2.4 Students' achievement of the learning objectives shall be measured by the training
provider.
Section 3: COURSE CONTENT
Early in the course presentation, the course provider shall provide to the students a description of the
learning objectives, course structure, format and programme, student responsibilities and the
assessment processes and assessment criteria against which they will be measured.
The course shall cover:
a) all aspects defined in the Course Objectives and
b) local requirements, culture, practices or approaches to auditing and the application of
ISMS as appropriate.
c) Benefits of ISMS auditor registration/certification.
Section 4: COURSE STRUCTURE, TRAINING METHODS AND FACILITIES
4.1 Duration
4.1.1 The total course time devoted to direct instruction and to assigned team and individual
activities shall be at least 40 hours.
4.1.2 If the course is given through interpreters, the time shall be increased as required to meet the
learning objectives.
4.1.3 Time devoted to the examination and to meals, breaks or other free time is not included in
the calculation of the course duration.
4.1.4 The course shall be presented during five consecutive days, unless otherwise authorized by
NABET.
4.2 Training Methods
4.2.1 Training courses shall be designed to have a high degree of interaction between students
and instructors. Training methods shall seek to involve and engage students throughout the
duration of the course.
4.2.2 The training course shall include both knowledge based sessions (to facilitate understanding
of concepts) and skill based sessions (application of knowledge and skills in practical
activities) and each student shall be subjected to realistic ISMS audit practices and
conditions.
4.2.3 Knowledge based sessions may be instructor led, but shall allow for some interaction with
students enabling instructors to test learning and students to clarify their understanding as
required.
4.2.4 Skills based sessions may be supported by instructor input to address the relevant
requirements and techniques such as for managing meetings and interviews.
4.2.5 Methods for validating student achievement of the learning objectives and for providing timely
feedback shall be included in the course.
4.2.6 Each student shall be required to participate in practical skills based activities: workshop,
case studies, auditor role-playing or actual Information Security Management system audit
situations. At least 50% of course time shall be used in such activities.
4.2.7 When students participate in actual audit situations, two thirds of the time spent conducting
such audits shall count towards the total course time. Transit time to and from the audit site
and any delay time is not to be counted.
4.2.8 Instructors shall demonstrate effective management of the course, including attention to time
schedule, course content, requirements of the standard, instructor conduct and other course
requirements.
4.2.9 Training aids such as videos that are directly relevant may be used to supplement the
training by the instructors. These may be commercial training videos or videos produced
during the course to record and review the performance of students. No more than three
hours of the total course time may be devoted to non-interactive, passive training aids.
4.3 Class Size; Attendance
4.3.1 The number of students in a class shall be no greater than twenty nor fewer than four.
4.3.2 Students shall be required to be in attendance for the full duration of the course.
4.4 Number of Instructors
4.4.1 Each course offering for eleven or more students shall be presented by two instructors, who
shall be actively involved in either instruction or evaluation for the full duration of the course.
4.4.2 At least one instructor shall be a NABET registered Lead Auditor or equivalent.
4.4.3 Additional resource people or trainee instructors may be used for specific subjects or
activities, however the main instructor/s remain responsible for the entire course offering.
4.4.4 When the number of students is four to ten, the course may be presented by one instructor.
This tutor shall satisfy the requirements for a lead tutor.
4.4.5 When specific activities (e.g. written quizzes) involve neither instruction nor evaluation
and do not require the availability of the instructors for explanation, clarification or advice,
only one instructor need be present.
4.5 Course Materials
4.5.1 Each student shall be provided with a complete set of course notes to supplement the
training program.
4.5.2 The documents included in the course notes shall themselves illustrate good organization,
layout and document management practices, including document revision level and
appropriate page numbering.
4.5.3 The set of course notes shall prominently identify the approved course provider (e.g. on the
cover page).
4.5.4 The student notes shall cover each session and shall include all important points of the
learning objective(s) being covered.
4.5.5 Examples of typical documents, reports and forms shall be included.
4.5.6 Course notes may include typical examination questions, provided they are not used in any
of the examinations, either during the course or following the course.
4.5.7 Each student shall have a copy of the current published version of the ISMS standards. If the
standards are not supplied as part of the course notes, each student shall be required to bring a
copy to the course. A copy shall be made available for loan to any student who does not
have one.
4.6 Facilities
4.6.1 The course provider shall ensure that suitable facilities for training are provided, including a
classroom, audio-visual and other training equipment, and facilities for team activities.
4.6.2 The course provider shall encourage students to be resident at or near the location of the
course offering, since this enhances participation in team activities and student contact with
instructors outside the structured class settings.
Section 5: EVALUATION OF STUDENTS
Each student shall be evaluated using the following two independent elements, both of which shall be
satisfied if the student is to successfully complete the course:
a) the continual evaluation by the instructors of each student's achievement of the learning
objectives detailed above
b) a written examination that tests students' ability to apply audit principles and practice
against the requirements of the ISMS standard.
5.1 Continuous Evaluation
5.1.1 The continuous evaluation shall be documented and shall evaluate each student's:
a) achievement of the learning objectives
b) attendance and punctuality during the course
5.1.2 Each student's performance shall be reviewed at the end of each day by the instructor(s). A
daily grade shall be assigned for each student, reflecting the assessment of both instructors.
5.1.3 Course instructors shall identify students who appear to be having difficulty in achieving the
learning objectives or who are not performing adequately in course activities. Such students
shall be informed privately and in a timely manner of the instructors' observations and be
given opportunity to improve.
5.1.4 A student who fails the continual evaluation must satisfactorily complete another full training
course before being eligible to receive a certificate of successful completion.
5.2 Written examination
5.2.1 The written examination shall evaluate the students' comprehension of the audit process and
the application of the ISMS standard, and their ability to provide written justification of their evaluations.
5.2.2 The examination shall be designed so that a competent student (i.e. one who has
demonstrated achievement of the learning objectives) could achieve a minimum mark of 70%
in two hours.
5.2.3 The time allotted for taking the examination shall be two hours. Strict adherence to the time
limit shall be maintained.
5.2.4 The instructor may allow a student with a particular disability that adversely affects the
student's capability to complete the examination in the allotted time up to 30 minutes of
additional time for taking the written examination. Any such allowance shall be indicated in
the records of the course or of the examination, with supporting reasons.
5.2.5 At least 75% of the examination grade shall be based on questions that require written
responses, which test the students' ability to analyze audit scenarios and their understanding of
how to apply the ISMS standard during an audit.
5.2.6 The remainder of the examination grade shall be based on multiple choice, true/false or short
answer questions.
5.2.7 The minimum passing grade shall be 70%.
5.2.8 The only reference material allowed during the examination is a copy of the ISMS standard,
the course material and the participant's own notes.
5.2.9 Copies of the examination questions (other than those in an example examination paper),
examination papers, solutions or completed examination papers shall not be supplied to any
student or any other party (except to the approval body) for any reason.
5.2.10 The training course provider shall ensure that the instructor(s) for any given course presentation
and/or the designated authority are not aware of the examination paper to be used for that
presentation.
5.2.11 At least one instructor of the course must be present during the examination.
5.3 Grading: Pass/Fail Decisions
5.3.1 Each examination paper shall be graded by one of the instructors. Another instructor shall
check the addition of the score allocated in each section and re-grade all examination papers
with scores between 60 and 76 percent.
5.3.2 The course provider shall have procedures to resolve any differences in grading and issue
final grades.
5.4 Re-examination
5.4.1 A student who fails the written examination for the course conducted by the training course
provider, but has passed the continual evaluation shall be allowed one re-examination within
twelve months of the last day of the course.
5.4.2 A different examination paper shall be used for the re-examination.
5.4.3 A student who fails the re-examination must take a full training course again before being
eligible to take another examination.
Section 6: TRAINING COURSE ADMINISTRATION
6.1 Administrative Procedures
The course provider's Quality Management System should be based on the ISO 9001:2008 standard.
The course provider shall develop and maintain documented procedures for the effective
administration of the course in line with ISO 9001:2008. Areas covered shall include:
i The design, development and evaluation of course materials and documentation to
ensure conformity with the current NABET criteria
ii Presentation of the course
iii The control of course publicity and advertising
iv A document control system for the maintenance and updating of procedures and course
notes.
v The criteria for selecting course instructors, procedures for their initial training, evaluation
of their delivery of the course and ongoing review of performance.
vi Management reviews of the course.
vii Records of individual students and each course offering, including analysis of statistics.
viii Student evaluation procedure, including pass/fail decisions.
ix Operation and conduct of the examination and re-examination, including security and
confidentiality of examination questions, answers and marked papers.
x Issue and withdrawal of certificates
xi Storage and eventual disposal of marked papers and continuous assessment records.
xii Methods such as statistical techniques used to analyze and improve student evaluations,
instructors' performance and overall course performance.
xiii Notifying NABET of significant changes to the course before they are implemented.
xiv Complaints and appeals.
6.2 Records
i The course provider shall maintain records to demonstrate conformance to the NABET
requirements.
ii Records shall be maintained in English.
iii Records may be in the form of any type of media, such as hard copy or electronic media.
iv These records shall be maintained for at least three years.
v These records shall be made available to NABET.
vi The records for each course presentation shall include:
a) Venue, dates, related advertisement and promotional literature
b) Names of instruction team members (with their auditor registration status at the time
of that course presentation), trainee instructors and observers.
c) Identification of the specific issue (revision level) of the course documentation used.
d) Identification of the examination paper used
e) Names of all students who attended the course, together with the continuous
evaluation results and the examination results for each student
f) All copies of marked examination papers, continuous evaluation forms and related
summaries
g) The percentage of students that successfully completed the course
h) Names of each student who took a re-examination, together with the re-examination
result for each.
i) Unique identification number of each certificate of successful completion and the
name of the student to whom it was issued.
6.3 Management Review
6.3.1 The management of the course provider shall review its administrative procedures at least
annually and shall maintain records of these reviews for at least three years.
6.3.2 The management shall review the following at least annually for effectiveness and
conformity:
a) Actions outstanding from previous management review meetings
b) Actions resulting from surveillance by NABET
c) Administrative procedures
d) Course design
e) Course presentation
f) Performance of instructors and future training/CPD needs
g) Complaints and appeals
h) Analysis of student feedback and pass/fail rates
6.4 Instructors
6.4.1 All Instructors shall have the following competence:
a) thorough experience in the principles and practices of auditing the management
systems relevant to the content of the course
b) ability to facilitate the learning of appropriate auditing knowledge and the
development of auditing skills
c) familiarity with risk assessment concepts and measurement techniques, and
awareness of information security vulnerabilities and threats
d) familiarity with the current course materials and documentation
e) good communication skills to be able to impart necessary knowledge to students
f) have knowledge of current auditing practices and of relevant standards
g) familiarity with the applicable international and national regulations
6.4.2 Before allowing an instructor to present a course, the training provider shall first ensure that
the instructor has acquired the competence defined above. As a minimum this shall involve the
instructor doing all of the following:
a) participating, either as a student or as an observer, in a complete presentation of the
training organization's course
b) participating as an instructor under the supervision of a trained instructor for a
minimum of one course
c) conducting each session of the course at least once a year under the supervision of
a trained instructor
d) being monitored by the training provider while presenting and managing the course
6.4.3 The lead instructor for each course shall be a NABET registered Lead Auditor or equivalent.
6.4.4 Instructors shall be provided with all necessary materials and supporting documentation
to plan, manage and present the course and to assess students' performance according to
defined requirements.
6.4.5 The course provider shall have documented procedures for:
a) selection of Lead Instructors and Instructors, on the basis of their competence,
qualifications, experience and training
b) initially assessing the conduct of Lead Instructors and Instructors during courses and
subsequently monitoring their performance.
6.4.6 These procedures shall include monitoring and review, at least annually, of each instructor's
performance. Records of these reviews shall be maintained by the course provider.
6.4.7 Where there have been no previous presentations of a course (i.e. where the course provider
is seeking initial approval), the course provider shall have documented evidence of fulfillment
of the competence requirements of the instructors before the initial presentation.
6.4.8 Detailed resumes of all Instructors shall be sent to NABET along with the application.
6.4.9 Any additions to the list of instructors shall be communicated to NABET immediately, for
approval, before the new instructor participates in course delivery.
6.5 Certificates
6.5.1 A certificate of successful completion shall be provided to each student who has passed
both the written examination and the continuous evaluation.
6.5.2 The certificate shall:
a) Be valid for three years from the last day of the course, irrespective of the date of
successful completion of the examination, for meeting the training requirements
for registration as a NABET auditor
b) Clearly state that the course is registered by NABET
c) Include the NABET registration mark
d) Include a unique identification number for each certificate
e) Clearly show the name of the course provider, as it is registered by NABET
f) Identify the course by course title, course number and dates of presentation of
the course
g) Include the name of the student, in the same form that the student would use to
apply for registration under the NABET auditor registration program
h) State that the student named has successfully completed the course
i) Include all information on a single side of the certificate
6.5.3 Certificates of Attendance may be issued to students who have not been successful in the
examination or the continuous assessment components but who have satisfied the
attendance requirement. The wording of any such certificates of attendance shall make it
clearly apparent that the student has only attended the course. There shall be no implication
of successful completion.
6.5.4 Students shall be informed by the course provider that certificates of attendance will not be
accepted for NABET auditor registration.
6.5.5 The design and content of the certificate of successful completion and the certificate of
attendance, and any changes thereto, shall be approved by NABET.
6.5.6 No alterations shall be made to the certificate without prior approval of NABET.
6.6 Complaints and Appeals
6.6.1 The course provider shall have documented procedures for handling and disposing of
complaints within a reasonable time.
6.6.2 The course provider shall have a documented appeal mechanism for handling appeals
against its decisions and disposing of them within a reasonable time.
6.6.3 The documented procedure shall include provision for corrective and/or preventive action to
be taken if required as a result of any complaint or appeal. The procedures shall include the
potential involvement of NABET in unresolved complaints or appeals.
6.6.4 The course provider shall inform all students of the right to make a complaint or an appeal
and shall provide written details of the process for doing so, on request.
6.6.5 The course provider shall notify each complainant or appellant in writing of the result of the
complaint or appeal and of the right to appeal against the result to NABET.
6.6.6 The course provider shall maintain records of all complaints and appeals, of their resolution
and of the corrective and preventive actions taken.
6.7 Subcontracting of Courses & Branches
6.7.1 A subcontractor is any organization not owned by your organization, or any person not
employed by your organization, to whom you give authority to administer or present your NABET
registered course.
6.7.2 No NABET registered course may be subcontracted to another organization, person or
course provider.
6.7.3 A Branch is an office/site owned and controlled by your organization and authorized to
market, administer or present your NABET registered training course under your name,
responsibility and control.
6.7.4 You should have appropriate methods to monitor and measure the performance of your
branches to ensure that the NABET requirements are consistently met.
6.8 Confidentiality
6.8.1 The course provider shall have adequate arrangements consistent with applicable laws to
safeguard confidentiality of all information provided by students, including results of
examinations.
6.8.2 These arrangements shall be extended to include organizations or individuals acting on its
behalf and representatives of the course provider.
6.8.3 Except as required by these criteria, information about a student shall not be disclosed to a third
party without the written consent of the student, nor shall information about a student's sponsor
be disclosed without the written consent of the sponsor.
6.9 Changes
6.9.1 The course provider shall ensure that any major changes it intends to make to the training
course are first approved by NABET.
6.9.2 Following a decision on, and publication of, changes, the course provider shall verify that each
of its course instructors and branches carries out the necessary adjustments to the course and
materials before the agreed effective date.
6.9.3 The course provider shall notify NABET of any changes of address or any significant
changes in organization structure or provision of services.
6.9.4 NABET reserves the right to carry out an assessment of changes to the documents and/or
course delivery before approving them. The expenses of this re-assessment shall be borne by
the course provider.
Section 7: ASSESSMENT OF COURSE PROVIDER
7.1 Language
All communications, documentation and records shall be in English.
7.2 Initial Assessment
7.2.1 Documentation assessment
NABET shall evaluate the documented system including (but not limited to):
i Quality Manual
ii The course material, including the subjects to be covered, the time schedule for the
various activities, and all the student and instructor materials such as course notes,
student reading materials, case studies, simulations, tutor notes.
iii The examination format, questions and answers, time allotted, grading procedure,
pass/fail requirements, policy and procedures for re-examination, technique for
continuous evaluation, procedures used to assure the quality of measurements.
iv The criteria for selecting instructors, procedures for assessing their performance and a
current list of instructors, their resumes and NABET registration status
v Course administration documents including policies for admission of participants, course
registration forms, fee schedules, course certificates and promotional material.
After the evaluation, NABET will inform the course provider of any non-conformities and/or
observations.
The course provider shall be required to close all observations and non-conformities before the next
stage of assessment.
7.2.2 Course Assessment
7.2.2.1 Following review and acceptance of the documented procedures, NABET shall undertake
at least one full assessment of a presentation of the course. NABET shall evaluate all
aspects of the course, all activities of the instructors and the evaluation of students for
conformance to the applicable NABET criteria and the course provider's procedures, and for
effective delivery of the course.
7.2.2.2 During the assessment of the course, the NABET Assessor reserves the right to allocate a
training session to a particular instructor of the course.
7.2.2.3 The course provider shall be informed of the findings and non-conformities if any in the
closing meeting by the NABET Assessor. However the final report and the recommendation
will be sent after the decision of the NABET Board.
7.2.2.4 In case any corrective action is required, the course provider shall make the necessary
corrections & improvements, and submit the appropriate documentation within a defined time
schedule.
7.2.2.5 An additional full or partial evaluation of a course offering may be carried out by NABET to
verify that the corrections have been implemented.
7.2.2.6 The NABET Registration Committee will take the decision on NABET registration of the
course on the basis of the Course Assessment report.
7.2.2.7 When the NABET Registration Committee determines that the course provider's presentation is
acceptable, NABET shall inform the course provider of its approval. The registration takes
effect from the first offering of the course that was subjected to NABET assessment.
7.2.2.8 The annual registration fee shall be paid by the course provider on receipt of the invoice from
NABET. Thereafter, each year, the training course provider must clear the surveillance
assessment and pay the requisite fee for renewal of registration.
7.2.2.9 A certificate will be issued on receipt of fees.
7.3 Surveillance and Re-assessment
7.3.1 Surveillance Assessment
7.3.1.1 To assess the course provider's continuing conformance to the NABET criteria and the effective
implementation of the course provider's procedures, NABET shall normally conduct an
annual surveillance covering:
a) Administrative procedures, practices and records.
b) A surveillance of at least one day (but not limited to one day) of a course offering.
7.3.1.2 During the surveillance of the course, the NABET Assessor reserves the right to allocate a
training session to any of the tutors of the course.
7.3.1.3 Course surveillance and audits of administrative procedures shall be planned to ensure that
different aspects of the course and of the course provider's system are regularly reviewed.
7.3.1.4 Course presentation surveillances shall cover different instructors and different venues.
NABET reserves the right to demand to witness a specific instructor.
7.3.1.5 NABET reserves the right to carry out more frequent or longer surveillance as necessary for
specific course providers in case of complaints/concerns against the delivery or
administration of the course. Cost for the same shall be borne by the course provider.
7.3.1.6 NABET may conduct surprise surveillance of the course offerings.
7.3.2 Re-assessment
7.3.2.1 NABET shall carry out reassessment of the office procedures, documentation and complete
course offering to verify the compliance with the NABET criteria.
7.3.2.2 NABET shall inform the course provider in advance for the conduct of re-assessment.
7.3.2.3 Three years from the date of initial registration, the course provider shall apply for
reassessment of its course on the requisite application form, enclosing the necessary papers
and the fee.
7.4 Suspension or Cancellation
7.4.1 NABET may suspend or cancel approval of a course for any of the following reasons,
but not limited to these:
i non-compliance with or violation of the NABET requirements
ii providing insufficient or incorrect information to NABET
iii improper use of the NABET registration and logo
iv changes to the certificate format without NABET approval
v changes to the course material without NABET approval
vi failure to report any major changes to the course
vii any other condition deemed appropriate by NABET
viii non-payment of fees
ix at the course provider's request
7.4.2 All certificates of successful completion issued during the period of suspension must be
cancelled and recalled.
7.5 Appeals
7.5.1 An appeal against NABET shall be made in writing to the Board Chairman. An Appeals
Committee will be constituted out of the Board Members to resolve the issue.
7.5.2 If the applicant does not accept the decision of the Appeals Committee, an appeal may be
made to the Secretary General, QCI, who will then appoint an arbitrator for the purpose. The
arbitration shall be held in the city of Delhi and shall be conducted in accordance with the
Arbitration and Conciliation Act 1996.
FEE STRUCTURE
(All amounts in Rs. Entries marked * are typical examples; # means plus actuals; see the notes under General Information below.)

Fee Details | Auditor / Lead Auditor Training Course | Internal Auditor Training Course
a) Application Package | 500/- | 500/-
b) Application Fee | 50,000/- | 25,000/-
c) Assessment Fee | 12,000/- per man day *(Course material 1 day, Administration 1 day, Course delivery 5 days) # plus actuals | 12,000/- per man day *(Course material 1 day, Administration 1 day, Course delivery 2 days) # plus actuals
d) Annual Fee (up to 12 deliveries), payable in advance | 36,000/- | 15,000/-
e) Above 12 offerings | 3,000/- per course | 1,500/- per course
f) Surveillance (every year) | 12,000/- per man day *(Administration 1 day, Course delivery 2 days) # plus actuals | 12,000/- per man day *(Administration 1 day, Course delivery 1 day) # plus actuals
g) Re-assessment (after 3 years): Application | 36,000/- | 15,000/-
g) Re-assessment (after 3 years): Assessment | 12,000/- per man day *(Course material 1 day, Administration 1 day, Course delivery 5 days) # plus actuals | 12,000/- per man day *(Course material 1 day, Administration 1 day, Course delivery 2 days) # plus actuals
GENERAL INFORMATION ON PAYMENT OF FEE
FOR TRAINING COURSE REGISTRATION
1. The fee is to be paid by a Demand Draft payable at Delhi, or by a local Delhi cheque, in favour of
Quality Council of India.
2. Only the application fee is to be sent along with the application. Applications not accompanied by
the application fee will not be considered.
3. The annual fee is to be sent only after receipt of confirmation from NABET. The certificate will be
sent after receipt of the full fees and expenses.
4. The annual fee is to be paid in advance, before the beginning of the next year of certification.
5. The course provider has the option of paying the fee for additional course offerings in advance,
based on its calendar of programmes, or at the end of the year, based on the number of
programmes actually conducted. This will be verified during the surveillance audit.
6. * Indicates a typical example. The number of man-days may vary.
7. # Expenses on local travel, outstation travel, boarding and lodging etc. of Assessors will be
charged on actuals.
8. All fees are non refundable.
APPLICATION FOR
REGISTRATION OF ISMS
LEAD AUDITOR TRAINING COURSE
1. Name of the Applicant (Organization name): ____________________________________
2. Application for: [ ] New Course Registration   [ ] Re-registration
3. Address: ____________________________________________________________________
   ____________________________________________________________________________
   Tel no. (STD code) ________ (no.) ____________   Fax no. (STD code) ________ (no.) ____________
   Email ____________________________
   (The addresses of other branch offices should also be given; they may be attached to this
   application as a separate sheet.)
4. The following documents are enclosed (two copies):
   a) System Manual for the course, including:
      I. Copy of the Course Material
      II. Examination Paper (sample)
      III. Case Studies
      IV. Any supporting notes / Tutor Material / Instructions etc.
      V. Continuous evaluation formats
      VI. Any other training material
      VII. Administrative procedures
      VIII. Instructor qualification criteria and their evaluation procedures
   b) List of Instructors with their resumes
   c) Corporate Brochure
   d) Organization structure and details of relationship with any certification body
   e) Certificate and Letter of Attendance proposed to be issued to participants
   f) Schedule of Courses (for the next six months)
5. Please find enclosed herewith Demand Draft / Cheque (Delhi only) no. __________ for Rs.
   ______________ dated ____________ drawn on _______________ in favour of Quality
   Council of India, payable at New Delhi, towards the application fee.
6. Authorized Signatory:
   Name: ____________________________
   Designation: ______________________
   Signature: ________________   Date: ____________
ISMSL-01