Accreditation vs certification

First, two definitions:

  • "Certification" is the process of checking something against defined criteria, and if it passes (meets the criteria), issuing a certificate of compliance or conformity or assurance or whatever. Certification gives some assurance that the certified organisation or individual meets the criteria ... provided the certification body or person is competent and trustworthy, the checks were done properly, and the certificate itself is authentic. Hmmm, quite a few caveats there ...

  • "Accreditation" is the process of confirming that whoever is checking and issuing certificates is properly qualified, competent and trusted to issue meaningful certificates by following prescribed processes. It adds credibility, meaning and value to the certification and issued certificates ... provided the accreditation body or person is competent and trustworthy, the checks were done properly, and the accreditation itself is authentic. Hmmm, quite a few caveats there too ...

Many countries have their own national accreditation bodies, many of whom are also active overseas. For example:

  • UKAS, the UK Accreditation Service, is a UK 'government appointed' organisation, serving as the national accreditation body for the UK. They are permitted to use the crown icon indicating that they are sanctioned by the UK government, although they are actually an independent self-financing body - an interesting governance arrangement.

  • India's equivalent seems to be QCI, the Quality Council of India, an Indian government-appointed body that oversees accreditation for India. QCI describes itself as "an autonomous body of the Ministry of Commerce & Industry". The NABCB (National Accreditation Board for Certification Bodies) is one of 4 'boards' (business units) within QCI.

UKAS, QCI, ANAB and IAS are members of the IAF, the International Accreditation Forum which is the main but again not the only trade body for accreditation, worldwide. IAF lists 96 members. IAF coordinates various mutual recognition arrangements ensuring the equivalence of conformity certificates issued by different accredited certification bodies.

There are also at least 6 regional bodies e.g. UKAS belongs to EA (European Accreditation) while QCI belongs to APLAC (Asia Pacific Laboratory Accreditation Cooperation). I guess they are trade bodies representing the interests of members based in each continent. Or something.

Most accreditation bodies also seem to belong to ILAC (International Laboratory Accreditation Cooperation) which I believe oversees the laboratories testing measuring equipment and products against standards, with the aim of ensuring that, say, a "metre", "volt" or "ampere" mean precisely the same scientifically-defined quantities around the world. Unfortunately for us, there is no equivalent scientifically-defined unit of information security - not yet anyway. Maybe some day some one will invent an AI machine to measure infosec, giving a meaningful value, but somehow I doubt it.

It is hard to think of a more complex global mesh of standards, auditors, conformity assessors, organisations, bodies, accreditation services etc., quite a soup! Given the commercial, financial and integrity aspects to all this, the turf-wars and tensions between competitors and the possibility (likelihood!) of fraud, misrepresentation, coercion, bribery and corruption on top of good ol' human error and misunderstandings plus the inevitable spectrum of competence, I'm amazed the whole rickety governance structure hangs together at all.

Bottom line: caveat emptor. Assurance is risky too.

Popular posts from this blog

Pragmatic ISMS implementation guide (FREE!)

Image
Early this morning ( very  early!) I remotely attended an ISO/IEC JTC 1/SC 27/WG 1 editing meeting in London discussing the planned revision of ISO/IEC 27003:2017 . Overall, the meeting was very productive in that we got through a  long  list of expert comments on the preliminary draft standard, debated the objectives of the project and the standard and reached consensus on most points. In summary: 27003 is to be revised to align with the current 2022 releases of ISO/IEC 27001 , 27002 and 27005 : These changes are  mostly  minor aside from the new section 6.3 on ISMS changes.
Read more

Two dozen information risks that ISO forgot

Image
Selecting the wrong controls - controls that are inappropriate, ineffective, too costly, impracticable, fragile, unnecessary, counterproductive or whatever, often as a result of blind faith in fads and fashions of the day and FOMO e.g. MFA, AI, cyber Failing to select the right controls - controls that are ideal for the particular situation, both now and in perpetuity, for whatever reason - mostly ignorance and prejudice Selecting and implementing controls at the wrong time or in the wrong way (where 'wrong' includes ineffective, inappropriate, sub-optimal e.g. bolting on controls rather than designing and building them in) Inept and inaccurate identification, analysis and quantification of risk, including reliance on p oor quality (incomplete, inaccurate, out of date, misleading, unreliable ...) information about actual risks, particularly subtle and emerging risks plus those involving deliberate concealment and misdirection e.g. fraud, misinformation, disinformation, propagan
Read more

Philosophical phriday - compliance risk

Image
According to a vendor's promotional video interview I saw recently, the 'cybersecurity compliance burden' has allegedly become so significant that [customer] organisations are eagerly buying [their] software tools and services to help them manage and fulfil their obligations. The vendor's argument goes that, instead of accumulating a ragtag bunch of policies and other controls relating to user Identification and Authentication (I&A), for instance, it makes sense to:  Identify all the cybersecurity-related laws, regulations and standards that apply to the organisation; Examine them for any security control requirements relating to, say, I&A; Rationalise the I&A controls down to the smallest set that satisfies all the requirements - the lowest common denominator; Design, implement, use, manage and maintain those I&A controls; Have the I&A controls checked or audited to gain assurance that the compliance requirements are met.  OK so far? Sounds reasonab
Read more