Clarifying Certification vs. Accreditation, Policy vs. Procedure, and Other Compliance Terms
Do you ever feel a bit confused by some of the language used in the world of compliance? You’re not alone. For those outside of the industry, it can be difficult to tell which words and phrases are essentially synonymous, and which seem similar but actually have completely different definitions.
What’s the difference between certification and attestation? How do you explain controls versus requirements to stakeholders in your organization?
Read on for answers to those questions and more as we demystify some of the most frequently confused and conflated terms in compliance.
Certification vs. Authorization vs. Compliance vs. Accreditation
A certification is the document that many people picture when they think about the end result of verifying compliance. Because certification is issued by a third-party entity, it enhances trust in an organization’s compliance with certain rules or standards. At A-LIGN, we can help organizations earn the most requested certifications, including ISO 27001, ISO 27701, ISO 22301, HITRUST, CMMC (when it is released), and others.
The forthcoming Cybersecurity Maturity Model Certification (CMMC) program will be an example of a certification to prove that organizations have adequate controls and processes in place to protect federal information.
The concept of authorization exists primarily within the federal compliance space. Authorization means that an organization has been given the green light to do business with a federal agency. Due to the sensitive nature of government-related information, the assessment and authorization process entails a comprehensive evaluation of information system policies, security components, various documentation, and additional safeguards.
With FISMA (RMF), FedRAMP and StateRAMP, the assessment will culminate in an official authorization package that provides the authorizing government agency or agencies with all the information they need to make a risk-based decision. If the level of risk is determined to be acceptable, the organization will be granted an authorization to operate, typically through an Authority to Operate (ATO) letter signed by the agency’s Authorizing Official (AO).
Sometimes, a certification for a compliance standard does not exist, as is the case with SOC 1 and SOC 2. Though you will often see the term “SOC 2 certification,” that phrase isn’t really accurate. With SOC 2, an organization undergoes an assessment resulting in an attestation report that demonstrates compliance. In an attestation report, the third-party assessor documents an opinion on the reliability of a written assertion made by management; the organization being assessed remains responsible for that assertion.
In some cases, self-attestation of compliance is the only option. Examples include NIST 800-171 and NIST 800-53-based frameworks such as FISMA when they are used for internal compliance purposes. For increased reliability, you can leverage an independent third-party assessment organization such as A-LIGN to guide you through the self-assessment process.
Compliance is the overarching concept to which all of the terms discussed here are related and simply means that your management system fully adheres to, or is compliant with, the requirements of a given standard or regulation. Oftentimes, an organization asserting that it is compliant with a standard is not enough — its prospects, customers, or partners may want to see official proof that its compliance has been tested and confirmed by an independent third party. For example, a SOC 2 report can be shared as proof of compliance after a non-disclosure agreement has been signed by both parties. A SOC 3 report is meant to be shared publicly and placed on your organization’s website.
In the context of compliance, accreditation refers to the status of a certification body (CB) that has been thoroughly tested and vetted so they may provide a high level of assurance in the certifications they award. In other words, accreditation means that an organization is qualified to perform certain compliance assessment services.
For example, A-LIGN is an ISO 27001 and ISO 22301 official certification body that is accredited through the ANSI-ASQ National Accreditation Board (ANAB). This means when an organization receives an ISO certification through us, they can call it an “accredited certification.” When a CB has not been approved by a national accreditation authority, the “unaccredited certifications” they issue may not be accepted under some circumstances, such as contractual requirements. This can mean that an organization must re-do the work to earn an accredited certification.
Audit vs. Assessment
Often used interchangeably in conversation, there is a difference between cybersecurity compliance audits and assessments. An audit essentially captures a snapshot of compliance at a certain point in time and is an evaluation of IT and security performance against certain controls, specifications, or guidelines. An assessment, on the other hand, provides a higher-level overview of cybersecurity maturity, and often includes an audit as part of the final stage of the process.
By taking a deeper look at all the factors that impact the area being assessed, an assessment can help an organization understand the areas they need to focus on improving. Because security posture and effectiveness can drift between audits, we find organizations that conduct internal self-assessments on a regular basis will move through an external assessment or audit more smoothly and efficiently.
It’s worth noting that in the federal compliance space, the term audit is typically not used — assessment is the preferred nomenclature. The official NIST glossary defines audit as:
“(The) independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.”
NIST defines assessment (under the glossary entry for risk assessment) as:
“The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.”
Policy vs. Procedure
It’s important to make the distinction between these two interconnected concepts that come up frequently in compliance. Policies are the overarching principles that guide how you make decisions and operate on a day-to-day basis. A policy can be thought of as a framework that expresses the why behind certain tactics and objectives. Keep in mind that policies aren’t set in stone and carry a degree of flexibility, meaning they can and should be updated as the company evolves and expands.
Procedures describe, in detail, the steps that should be taken in specific situations. They have a defined beginning and end, and are often repeated to achieve certain outcomes. Procedures are more about the how related to a certain area of compliance. For a more detailed look at how policies and procedures work together, check out What Are the Top Policies and Procedures Needed for a SOC 2 Audit?
Requirements vs. Controls
When learning about the details of a given compliance audit or assessment, you may see the terms “requirement” and “control” used in similar contexts and wonder what the difference is. Both terms are used to describe certain processes, procedures, or activities that an organization may have to perform to manage cybersecurity risk.
The key difference here is that requirements are mandatory (e.g., a regulation, law, contractual commitment, or policy), while controls are the means an organization chooses to satisfy them. Controls are the procedures and preventive measures that an organization executes to address an identified risk. By mapping controls to specific requirements, organizations can identify similarities across various control sets and requirements and design strategies to streamline their efforts, saving time and resources. A Master Audit Plan (MAP) is a valuable tool for pinpointing areas of overlap across frameworks so you can map controls more efficiently.
In federal compliance, the control is the risk-reducing mechanism and the requirement is the requisite value for that control (e.g., data retention). A given control’s requirement can change depending on the compliance standard. For example, FISMA has a data retention requirement of at least three years while the HIPAA requirement is a minimum of six years.
Building Trusting Relationships Through Compliance Marketing
As you continue to learn more about compliance and the nuances of different concepts and topics, we suggest you leverage a strategic compliance partner to guide you to success. More than 2,500 global organizations trust A-LIGN to assist them in managing and reducing cybersecurity risks.
We deliver a unique single-provider approach as a:
- Licensed SOC 1 and SOC 2 Auditor
- Accredited ISO 22301, ISO 27701, and ISO 27001 Certification Body
- HITRUST CSF Assessor Firm
- Accredited FedRAMP 3PAO
- Candidate CMMC C3PAO
- PCI Qualified Security Assessor Company
If you are in need of a strategic compliance partner capable of addressing every step of your audit or assessment across the scope of each major framework, A-LIGN is here to help.