Certification and accreditation: What’s on the CISSP exam?
Certification and accreditation (CnA or C&A) is a formal procedure for evaluating a system and authorizing it for use. The process can be considered a systematic evaluation, testing and authorization of systems (or their activities) before or after they become operational. The C&A procedure is used widely around the world.
Attaining the CISSP certification distinguishes an information security expert from their competition and awards them a badge of credibility. C&A is an integral part of the CISSP CBK, and the aspirants must be theoretically and practically well-versed in the subject to ace the exam. In simple terms, certification can be defined as the complete evaluation of a product, system, process, event or skill that’s normally measured against an existing benchmark, norm or standard.
For more CISSP exam tips, get our free CISSP exam tips and tricks ebook, or watch our free one-hour CISSP exam tips course with an instructor whose students have a 95% pass rate.
Earn your CISSP, guaranteed!
What is certification and accreditation and how does it relate to security engineering?
Most trade organizations and industries develop carefully designed certification models and programs to test and evaluate the skills of the people performing jobs falling under the specific interest areas of the organization. Testing laboratories can also certify products that meet pre-established norms and standards, and government bodies have historically certified companies that comply with regulations (e.g., emission limits).
Accreditation, on the other hand, is a formal declaration by a neutral third party that the certification was conducted in accordance with the relevant standards and norms (e.g., IEC 17024). In most countries around the world, there are specific bodies that operate nationwide to enforce these regulations. In the U.S., the ANSI National Accreditation Board (ANAB) is the country’s recognized accreditation organization.
There are many ways of building and implementing a certification and accreditation program at the enterprise level. It typically involves people, technologies and processes of various types. All of the constituent entities are important, but some special program components are absolutely essential to the program’s success. If these pertinent components don’t function as they should, the program’s implementation can be severely hampered, leading to undesirable repercussions. Following are some of the most important elements critical to the success of a C&A program at an enterprise:
The C&A business case
An enterprise certification and accreditation program can only flourish if it has been based on a solid business case that lists the key benefits the company will reap. The business case helps the company understand why the program will be beneficial. The benefits can include:
- Diligence: A C&A program provides a way to exercise due diligence within an organization. Management can ensure that adequate levels of security are implemented throughout the organization.
- Accountability: The program provides a way to hold managers, executives and employees accountable for the security and integrity of systems they interact with or are responsible for.
- Transparency: The program also affords visibility and transparency to IT security across the enterprise by addressing the different levels of security.
- Cost-Effectiveness: The C&A program ensures the sound running and management of different processes within an organization, proving to be cost-effective in the long run.
The C&A goal setting
Once the business plan documents are formalized, an organization must set the goals it expects to achieve through the C&A program. The goals should be:
- Comprehensive: The program should cover every system, service and member of personnel in the organization. The greatest advantage of the program is the standardization of requirements, outcomes and processes. Failure to comply with the program’s requirements can result in the loss of the desired standardization.
- Integrated: The program must also integrate the various components of the systems that are running across the enterprise.
- Timely: Goals should have realistic timeframes with clear deadlines. Review and assessment cycles need proper scheduling throughout the implementation period to ensure steady progress and maintain momentum.
- Achievable: Goals must be achievable. Setting extravagant, unachievable goals is counterproductive. To set achievable goals, the enterprise must be self-aware.
Establishing tasks and milestones
A typical C&A program is extensive and requires division into small tasks and milestones. This stage is critical as it establishes the implementation plan. Organizations must enforce separation of duties at this stage to ensure clear assignment and understanding of responsibilities. Setting clear milestones enables top-level management to track progress, maintain efficiency and ensure accountability throughout the program’s implementation.
Scrutinizing program execution
The program’s success depends most on its execution. Organizations should engage an expert with experience in enterprise-level C&A implementation. Program oversight must include accountability for assigned tasks and milestones with specific deadlines. Close monitoring ensures compliance with all standards and norms throughout implementation.
Stages of a C&A program
Predominantly, C&A programs can be divided into four stages, each with its own distinct objectives and deliverables.
1. Initiation and planning
At this stage, the administration initiates and plans the program’s implementation. A C&A implementation expert lays out the documentation (including the business case and requirement documents) and presents it to the administration as a comprehensive C&A package.
2. Certification
At this stage, an external auditing team analyzes the C&A package and the organization’s information security systems. The audits will include running vulnerability scans, conducting interviews and checking if everything complies with the accepted standards and norms.
3. Accreditation
In the accreditation stage, the certifying authority will review the compiled C&A package and go through the recommendations put forward by the auditing team. Before granting the accreditation, the authority will conduct an examination to see if there is a possibility of accepting non-remedied risks in the system.
4. Periodic monitoring
The system, the personnel and the organization as a whole will be monitored periodically by a team whose sole responsibility is to ensure that the program stays operational as it should. Any risks, vulnerabilities or threats that arise during the monitoring stage will also have to be dealt with by the organization’s security staff.
Final word
Certification and accreditation programs provide a framework for enterprises to ensure security, accountability and, at times, efficiency. An information security expert should be well aware of all the concepts, theories and practices that make C&A programs effective.
This article presented a brief overview of the fundamentals of the program; candidates looking to pass the CISSP exam should consider other resources while preparing as well, including:
- Download the CISSP exam tips and tricks ebook to prepare for the exam questions.
- Read our cybersecurity salary guide to discover how certifications can increase your income.
- Examine cybersecurity certifications and skills: A roadmap for mid-career professionals to learn which certifications are in demand.
- Visit our CISSP training hub for even more CISSP information.
And if you are planning to take the exam soon, check out our CISSP Boot Camp and get up to speed in six days!