Difference Between Assurance, Certification, Accreditation, Acceptance
Suppose you are a junior security officer for a financial company.
You have been tasked to find new software that will protect customer data and maintain confidentiality.
Your senior security officer has said the new product should have quality assurance, and a formal certification process. Only then will it go through accreditation and acceptance.
Assurance, certification, accreditation, and acceptance sound like they should mean the same thing.
They don’t mean the same thing.
The CISSP exam will test to see if you know the difference.
Here is a breakdown:
When it comes to systems, assurance is a way to make sure the product has been developed in a secure manner.
Was there a secure and formal software development process?
Was the product created under safe and secure conditions?
Was the product transported to and from the customer in a secure manner?
Assurance answers questions about how well the software was made, not the actual functionality of the product. That is for the certification process to determine.
The certification process will prove to you as a security officer that the product will meet the business requirements and the security requirements.
Tests are performed on the product’s hardware, software, firmware, controls, and how it is to be implemented in a business environment.
Just like how you are going to be tested on the 8 domains in the CISSP exam!
Once certification has been passed, the results are submitted to senior management for the accreditation process.
If you are taking the CISSP exam, that's your certification process. If you are taking the CISSP exam because of your employer and your job depends on it, then they will go through the accreditation process to keep you in the company after your certification.
Quite simply, accreditation is the senior management’s official approval of the product to be used in the business.
Senior management looks at the results of the certification process, and then makes the decision on whether it should be accredited into the business, or not.
The actual users of the business are involved in the acceptance phase.
They will use the product, and report if it works to suit their daily business needs.
Basically, if the user feels it does what it is supposed to, then it is accepted.
For the CISSP exam, just remember “Acceptance” involves the user testing the product.