Inside IT Certification and Accreditation for Your Business
Written by MasterClass
Last updated: Nov 2, 2021 • 2 min read
Meeting certification and accreditation standards for your business helps ensure the security of its information technology and information systems.
What Is IT Certification and Accreditation?
Certification and accreditation is the process in which a third party or federal agency reviews a business’s information systems—which include IT and database management, security, programming, and networking—to ensure that the business meets the baseline standards and requirements for information technology.
Certification refers to a third party or federal agency evaluating your business against standards for the security features, safeguards, and functionality of your information systems. If your business meets the requirements of the certification process, it is eligible for accreditation, which is a formal acceptance that your information systems are sufficient. The process of certification and accreditation ensures that your business’s information systems comply with industry security standards.
The 4 Steps of IT Certification and Accreditation
The certification and accreditation process can be broken down into four phases:
1. Your conformity assessment is initiated. You must plan a conformity assessment for your business by a certification body before seeking certification, to ensure that your business meets the proper standards for information systems. Your business’s information security officer (ISO) will prepare your business for certification by establishing a team, implementing a project plan and timeline, and compiling the materials needed for your certification and accreditation package. This includes a security plan and a thorough risk assessment.
2. Your certification package is audited by a third party or federal agency. A team of independent auditors will review your certification and accreditation package to ensure it meets the necessary requirements. The auditors will run vulnerability scans to assess your system security based on the standards outlined in Special Publication 800 by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce. Special Publication 800 is a catalog of security and privacy controls for all U.S. federal government information systems. If you meet the security requirements, the auditors will make a recommendation to the certification authority for accreditation.
3. Your business receives accreditation. During the accreditation process, the accreditation body reviews the results of your certification and determines the level of risk. If your systems pass the certification standards and your risk management is sufficient to mitigate the identified risk, a formal accreditation decision is issued, granting you an Authority to Operate (ATO). ATOs must be renewed every three years.
4. You continue to monitor and reevaluate the information systems of your business. Your system should be monitored and reevaluated regularly to maintain compliance with your security certification. An information security officer (ISO) should regularly monitor your system for changes or lapses in the security of your information technology. In addition to the ISO's monitoring, federal agencies may perform annual audits on your information systems to ensure they comply with baseline security standards.