Certification and Accreditation

Last updated

Certification and accreditation (C&A or CnA) is a process for implementing any formal process. It is a systematic procedure for evaluating, describing, testing, and authorizing systems or activities prior to or after a system is in operation. The process is used extensively across the world.

Contents

Definitions

Certification is a comprehensive evaluation of a process, system, product, event, or skill, typically measured against some existing norm or standard. Industry and/or trade associations will often create certification programs to test and evaluate the skills of those performing services within the interest area of that association. Testing laboratories may also certify that certain products meet pre-established standards, or governmental agencies may certify that a company is meeting existing regulations (e.g., emission limits).

Accreditation is the formal declaration by a neutral third party that the certification program is administered in a way that meets the relevant norms or standards of certification program (e.g., ISO/IEC 17024).

National bodies

Many nations have established specific bodies.

United Kingdom

In the United Kingdom, for example, an organization known as United Kingdom Accreditation Service (UKAS) has been established as the nation's official accreditation body. Most European nations have similar organizations established to provide accreditation services within their borders.

United States

There is no such "approved" accreditation body within the United States, however. As a result, over the years multiple accreditation bodies have become established to address the accreditation needs of specific industries or market segments. Some of these accreditation services are for profit entities, however the majority are not-for-profit bodies that provide accreditation services as part of their mission.

Information security

Certification and accreditation is a two-step process that ensures security of information systems. [1] Certification is the process of evaluating, testing, and examining security controls that have been pre-determined based on the data type in an information system. The evaluation compares the current systems' security posture with specific standards. The certification process ensures that security weaknesses are identified and plans for mitigation strategies are in place. On the other hand, accreditation is the process of accepting the residual risks associated with the continued operation of a system and granting approval to operate for a specified period of time.

In IT governance, the primary reason why certification and accreditation (C&A) process is being performed on critical systems is to ensure that the security compliance has been technically evaluated. Certified and accredited systems are systems that have had their security compliance technically evaluated for optimal performance in a specific environment and configuration. These certified systems are hereby evaluated to run in a specific working environment.

Related Research Articles

Professional certification, trade certification, or professional designation, often called simply certification or qualification, is a designation earned by a person to assure qualification to perform a job or task. Not all certifications that use post-nominal letters are an acknowledgement of educational achievement, or an agency appointed to safeguard the public interest.

The Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification. It is currently in version 3.1 revision 5.

<span class="mw-page-title-main">Organic certification</span> Certification process for producers of organic food and other organic agricultural products

Organic certification is a certification process for producers of organic food and other organic agricultural products, in the European Union more commonly known as ecological or biological products. In general, any business directly involved in food production can be certified, including seed suppliers, farmers, food processors, retailers and restaurants. A lesser known counterpart is certification for organic textiles that includes certification of textile products made from organically grown fibres.

<span class="mw-page-title-main">Inspection</span> Organized examination or formal evaluation exercise

An inspection is, most generally, an organized examination or formal evaluation exercise. In engineering activities inspection involves the measurements, tests, and gauges applied to certain characteristics in regard to an object or activity. The results are usually compared to specified requirements and standards for determining whether the item or activity is in line with these targets, often with a Standard Inspection Procedure in place to ensure consistent checking. Inspections are usually non-destructive.

<span class="mw-page-title-main">Federal Information Security Management Act of 2002</span> United States federal law

The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

<span class="mw-page-title-main">Certification</span> Formal confirmation of certain characteristics of an object, person or organization

Certification is part of testing, inspection and certification and the provision by an independent body of written assurance that the product, service or system in question meets specific requirements. It is the formal attestation or confirmation of certain characteristics of an object, person, or organization. This confirmation is often, but not always, provided by some form of external review, education, assessment, or audit. Accreditation is a specific organization's process of certification. According to the U.S. National Council on Measurement in Education, a certification test is a credentialing test used to determine whether individuals are knowledgeable enough in a given occupational area to be labeled "competent to practice" in that area.

<span class="mw-page-title-main">Product certification</span> Performance and quality assurance

Product certification or product qualification is the process of certifying that a certain product has passed performance tests and quality assurance tests, and meets qualification criteria stipulated in contracts, regulations, or specifications.

ISO/IEC 17025General requirements for the competence of testing and calibration laboratories is the main standard used by testing and calibration laboratories. In most countries, ISO/IEC 17025 is the standard for which most labs must hold accreditation in order to be deemed technically competent. In many cases, suppliers and regulatory authorities will not accept test or calibration results from a lab that is not accredited. Originally known as ISO/IEC Guide 25, ISO/IEC 17025 was initially issued by ISO/IEC in 1999. There are many commonalities with the ISO 9000 standard, but ISO/IEC 17025 is more specific in requirements for competence and applies directly to those organizations that produce testing and calibration results and is based on more technical principles. Laboratories use ISO/IEC 17025 to implement a quality system aimed at improving their ability to consistently produce valid results. Material in the standard also forms the basis for accreditation from an accreditation body.

IEC 61508 is an international standard published by the International Electrotechnical Commission (IEC) consisting of methods on how to apply, design, deploy and maintain automatic protection systems called safety-related systems. It is titled Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems.

A chief information security officer (CISO) is a senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and information technology (IT) risks. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance. The CISO is also responsible for protecting proprietary information and assets of the company, including the data of clients and consumers. CISO works with other executives to make sure the company is growing in a responsible and ethical manner.

The Common Criteria model provides for the separation of the roles of evaluator and certifier. Product certificates are awarded by national schemes on the basis of evaluations carried by independent testing laboratories.

ISO/IEC 27006 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Part of the ISO/IEC 27000 series of ISO/IEC Information Security Management System (ISMS) standards, it is titled Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems.

The International Accreditation Forum, Inc. (IAF) is the world association of Conformity Assessment Accreditation bodies and other bodies interested in conformity assessment in the fields of management systems, products, services, personnel and other similar programs of conformity assessment. Its primary function is to develop a single worldwide program of conformity assessment which reduces risk for business and its customers by assuring them that accredited certificates may be relied upon.

Higher education accreditation is a type of quality assurance process under which services and operations of post-secondary educational institutions or programs are evaluated to determine if applicable standards are met. If standards are met, accredited status is granted by the agency.

<span class="mw-page-title-main">NSF International</span> Organization

NSF is a product testing, inspection, certification organization with headquarters in Ann Arbor, Michigan. NSF also offers consulting and training services worldwide.

Environmental certification is a form of environmental regulation and development where a company can voluntarily choose to comply with predefined processes or objectives set forth by the certification service. Most certification services have a logo which can be applied to products certified under their standards. This is seen as a form of corporate social responsibility allowing companies to address their obligation to minimise the harmful impacts to the environment by voluntarily following a set of externally set and measured objectives.

IEC 62443 is an international series of standards that address cybersecurity for operational technology in automation and control systems. The standard is divided into different sections and describes both technical and process-related aspects of automation and control systems cybersecurity.

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a large-scale study conducted in 2020.

eCOGRA is a London-based testing agency and standards organisation in the realm of online gambling. The company was established in 2003 in the United Kingdom at the behest of the online gaming industry as the first industry self-regulation system. eCOGRA is a testing laboratory, inspection body, and certification body, specializing in the certification of online gaming software and the audit of Information Security Management Systems.

<span class="mw-page-title-main">Standardisation Testing and Quality Certification</span> Science and technology agency of the Government of India

Standardisation Testing and Quality Certification (STQC) Directorate, established in 1980, is an authoritative body offering quality assurance services to IT and Electronics domains.

References

  1. Musa, Dr. Sam. "Certification and Accreditation (AKA: Assessment and Authorization" via Academia.edu.{{cite journal}}: Cite journal requires |journal= (help)