Certification vs. Accreditation

Could anybody clarify these terms accordance with the CISSP Off. CBK 7th edition?

From the book definitions are as follows:

certification: Certification is the comprehensive evaluation of the technical and nontechnical security features of an IT system and other safeguards made in support of the accreditation process to establish the extent to which a particular design and implementation meets a set of specified security requirements.

accreditation: In the certification phase, you test and document the security capabilities of a system in a specific configuration. With this information in hand, the management of an organization compares the capabilities of a system to the needs of the organization. It is imperative that the security policy clearly states the requirements of a security system. Managementreviews the certification information and decides whether the system satisfies the security needs of the organization. If management decides the certification of the system satisfies their needs, the system is accredited.

And moreover the book emphasises that: Certification and accreditation do seem similar, and thus it is often a challenge to
understand them. One perspective you might consider is that certification is often an internal verification of security and the results of that verification are trusted only by your organization. Accreditation is often performed by a third-party testing service, and the results are trusted by everyone in the world who trusts the specific testing group involved.

I am confused on the last paragraph. i think opposite is true. In other words, accreditation binded to an organization and other organisation may not accreditate the product due to their security policy. So results are not trusted everyone in the world. And also accreditations not performed by third-parties instead accreditaion is a specific organization's decision.

To illustrate, CISSP certification is world-wide accepted certification but some organisation may hire a perseon with CISSP and some may not. This is the accreditaion process of that organizsation.

Please help me to clarify these terms. I am studying for the CISSP exam and totally confused about these terms.

Find more posts tagged with

Comments

logikil

So you may want to be careful about thinking about the certification and accreditation in terms of achieving some sort of personal certification. However, that being said, there may be a to tie it back. So think of ISC2 as a whole and then the individual who achieves the CISSP certification. ISC2 as an organization is accredited against ISO/IEC standard 17024. This means that their program meets the needs of the DoD 8570 certification standards. So this is the accreditation of the entire program, worldwide. An individual receives a certification which is a singular thing applied to their skills. This aligns similarly.

I would still caution you about thinking of certification and accreditation in these terms and simply recognize that an internal organization certifies their own system based on their security posture, policies, standards and controls. A third-party (note this doesn't have to be external, they can be operating as an independent auditor of the same company) comes in and accredits that the system assuming it meets the security stance presented and needed by the organization.

jt2929

I relate these two terms to my daily job. I'm an ISSM/ISSO in the defense industry. When we have new computer systems that are going to be used for a classified contract, our system administrator hardens those systems. I will go in and verify the settings are correct, and certify that they are ready to be checked by the government. The government then comes in and accredits the system, meaning they can officially be used on a program. Hope this helps a little.

cyberexpert

Thanks for your answers.

jt2929, goverment accredits the system for using in goverment facilities i think. It is not valid world-wide. But you would apply an accredited laboratory (third-party) to certify the product and everyone would trust the certified product also government. And then who trust the third-party would accredite the system for using in their environments. In this case accreditation is organisation specific and certification valid world-wide. Isn't it?

cyberexpert

And one more think, i studied also in defense industry in international projects. In that projects some accredited third-parties certifies the product and then goverments make the decision for accreditation to use in their facilities. But every country make specific decision which concerns on their own not the other countries.

logikil

you still need to think context, even in your new example.

The Laboratory is accredited worldwide. That means that all organizations trust the information, processes, etc. that they use. That group has the ability to certify a system for use. That certification is based on certain security needs, posture, etc. The only reason that certification is valid worldwide is because the third party is accredited. So you still have a narrow scope (the certification) then given a world wide okay by process of being certified by an accredited organization. The definitions still hold. Best bet is to think of things specific to a system.

You certify the system does what it says (small scope)
Someone else accredits that it does what you certify that it does giving you the go ahead to use it in your environment (big scope)

jt2929

cyberexpert wrote: »

Thanks for your answers.

jt2929, goverment accredits the system for using in goverment facilities i think. It is not valid world-wide. But you would apply an accredited laboratory (third-party) to certify the product and everyone would trust the certified product also government. And then who trust the third-party would accredite the system for using in their environments. In this case accreditation is organisation specific and certification valid world-wide. Isn't it?

I don't work in a government facility, and they still accredit my systems. I myself certify the systems meet the government standards. The government then comes in and agrees with the certification, and issues an accreditation.