CISSP-ISSEP · Question #4
Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or a
The correct answer is B. Accreditation is the official management decision given by a senior agency official to authorize C. Certification is a comprehensive assessment of the management, operational, and technical. Certification is the technical side - it's the comprehensive assessment of management, operational, and technical security controls (option C). Accreditation is the business/management side - it's the official decision by a senior agency official to authorize the system to operat
Question
Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choose two.
Options
- AAccreditation is a comprehensive assessment of the management, operational, and technical
- BAccreditation is the official management decision given by a senior agency official to authorize
- CCertification is a comprehensive assessment of the management, operational, and technical
- DCertification is the official management decision given by a senior agency official to authorize
How the community answered
(50 responses)- A8% (4)
- B88% (44)
- D4% (2)
Explanation
Certification is the technical side - it's the comprehensive assessment of management, operational, and technical security controls (option C). Accreditation is the business/management side - it's the official decision by a senior agency official to authorize the system to operate, accepting any residual risk (option B).
Options A and D are wrong because they swap the definitions: A assigns the "comprehensive assessment" role to Accreditation, and D assigns the "official management decision" role to Certification - both are the reverse of the correct mapping.
Memory tip: Use the alphabetical order to anchor the sequence - Certification comes before Accreditation, just as Checking (assessment/testing) must happen before Approving (authorization). Think: "You Certify first, then Accredit" - the technical team certifies, the executive accredits.
Topics
Community Discussion
No community discussion yet for this question.