Accreditation vs certification
- "Certification" is the process of checking something against defined criteria, and if it passes (meets the criteria), issuing a certificate of compliance or conformity or assurance or whatever. Certification gives some assurance that the certified organisation or individual meets the criteria ... provided the certification body or person is competent and trustworthy, the checks were done properly, and the certificate itself is authentic. Hmmm, quite a few caveats there ...
- "Accreditation" is the process of confirming that whoever is checking and issuing certificates is properly qualified, competent and trusted to issue meaningful certificates by following prescribed processes. It adds credibility, meaning and value to the certification and issued certificates ... provided the accreditation body or person is competent and trustworthy, the checks were done properly, and the accreditation itself is authentic. Hmmm, quite a few caveats there too ...
Many countries have their own national accreditation bodies, many of whom are also active overseas. For example:
- UKAS, the UK Accreditation Service, is a UK 'government appointed' organisation, serving as the national accreditation body for the UK. They are permitted to use the crown icon indicating that they are sanctioned by the UK government, although they are actually an independent self-financing body - an interesting governance arrangement.
- India's equivalent seems to be QCI, the Quality Council of India, an Indian government-appointed body that oversees accreditation for India. QCI describes itself as "an autonomous body of the Ministry of Commerce & Industry". The NABCB (National Accreditation Board for Certification Bodies) is one of 4 'boards' (business units) within QCI.
- America's equivalent accreditation body is hard to fathom. The main one appears to be ANAB (ANSI National Accreditation Board), which is a subsidiary of ANSI (American National Standards Incorporated), potentially begging questions about its independence. ANAB claims to have accredited more than 3,000 organizations in over 80 countries - clearly, not just the US. The IAS (International Accreditation Service) is also US-based, and there may well be others.
UKAS, QCI, ANAB and IAS are members of the IAF, the International Accreditation Forum, which is the main but again not the only trade body for accreditation worldwide. IAF lists 96 members. IAF coordinates various mutual recognition arrangements ensuring the equivalence of conformity certificates issued by different accredited certification bodies.
There are also at least 6 regional bodies, e.g. UKAS belongs to EA (European Accreditation) while QCI belongs to APLAC (Asia Pacific Laboratory Accreditation Cooperation). I guess they are trade bodies representing the interests of members based in each continent. Or something.
Most accreditation bodies also seem to belong to ILAC (International Laboratory Accreditation Cooperation), which I believe oversees the laboratories testing measuring equipment and products against standards, with the aim of ensuring that, say, a "metre", "volt" or "ampere" mean precisely the same scientifically-defined quantities around the world. Unfortunately for us, there is no equivalent scientifically-defined unit of information security - not yet anyway. Maybe some day someone will invent an AI machine to measure infosec, giving a meaningful value, but somehow I doubt it.
It is hard to think of a more complex global mesh of standards, auditors, conformity assessors, organisations, bodies, accreditation services etc. - quite a soup! Given the commercial, financial and integrity aspects to all this, the turf-wars and tensions between competitors and the possibility (likelihood!) of fraud, misrepresentation, coercion, bribery and corruption on top of good ol' human error and misunderstandings, plus the inevitable spectrum of competence, I'm amazed the whole rickety governance structure hangs together at all.
Bottom line: caveat emptor. Assurance is risky too.