nerdexam
(ISC)2

CISSP-ISSEP · Question #4

Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or a

The correct answer is B. Accreditation is the official management decision given by a senior agency official to authorize C. Certification is a comprehensive assessment of the management, operational, and technical. Certification is the technical side - it's the comprehensive assessment of management, operational, and technical security controls (option C). Accreditation is the business/management side - it's the official decision by a senior agency official to authorize the system to operat

Risk Management

Question

Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choose two.

Options

  • AAccreditation is a comprehensive assessment of the management, operational, and technical
  • BAccreditation is the official management decision given by a senior agency official to authorize
  • CCertification is a comprehensive assessment of the management, operational, and technical
  • DCertification is the official management decision given by a senior agency official to authorize

How the community answered

(50 responses)
  • A
    8% (4)
  • B
    88% (44)
  • D
    4% (2)

Explanation

Certification is the technical side - it's the comprehensive assessment of management, operational, and technical security controls (option C). Accreditation is the business/management side - it's the official decision by a senior agency official to authorize the system to operate, accepting any residual risk (option B).

Options A and D are wrong because they swap the definitions: A assigns the "comprehensive assessment" role to Accreditation, and D assigns the "official management decision" role to Certification - both are the reverse of the correct mapping.

Memory tip: Use the alphabetical order to anchor the sequence - Certification comes before Accreditation, just as Checking (assessment/testing) must happen before Approving (authorization). Think: "You Certify first, then Accredit" - the technical team certifies, the executive accredits.

Topics

#Certification and Accreditation (C&A)#Accreditation#Certification#Risk Management Framework (RMF)

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSEP Practice