Why Achieve Accreditation?
Achieving system accreditation will:
- identify the strengths and weaknesses of your system
- allow you to focus your resources on the areas most at risk, and
- highlight your system's security non-compliance and any associated residual risks.
Determining the authorities in your system accreditation framework will identify clear lines of accountability. Segregating these authorities will provide you with an impartial framework with which to assess the security of your system.
Security Assessments are conducted by IRAP Assessors.
Assessments of SECRET systems and below can be undertaken by agency Information Technology Security Managers (ITSMs) and IRAP Assessors.
Assessments of TOP SECRET systems can only be undertaken by ASD and IRAP Assessors with appropriate clearances.
For more information on assessments, see "What is an IRAP Assessment?".
The certification authority certifies that a system complies with prescribed information security controls and guidelines.
For government information systems the certification authority is typically the owning agency's Information Technology Security Advisor (ITSA).
ASD is the certification authority for all TOP SECRET systems and for gateways and cloud services hosting multiple government agencies. For more information see ASD Certified Gateways and ASD Certified Cloud Services.
Certification will be awarded if the certification authority is satisfied that the:
- system has been appropriately audited, and
- associated security controls have been implemented and are operating effectively.
The certification authority will make a recommendation to the accreditation authority based on any identified non-compliance and mitigation strategies.
The accreditation authority is typically the agency head or a senior executive who has an appropriate level of understanding of the risks they are accepting on behalf of the agency. The accreditation authority:
- accepts any residual risks that were identified during the audit and certification process, and
- awards accreditation.
Accreditation of a system ensures that either sufficient security mitigations have been put in place or that deficiencies have been accepted by an appropriate authority. Government systems must be awarded accreditation before the system is used to process, store or communicate information.
The following diagram shows, at a high level, the process of accreditation.
Diagram of the accreditation process (text description):
- System owner requests accreditation.
- Accreditation authority requests certification.
- Certification authority requests an audit.
- Assessor conducts the first-stage audit.
- System owner implements controls.
- Assessor conducts the second-stage audit.
- Certification authority assesses the audit report and residual risk.
- Certification authority awards certification.
- Accreditation authority assesses the certification report.
- Accreditation authority assesses residual risk and other factors.
- Accreditation authority awards accreditation.
- System owner operates the system.
- System owner again requests accreditation, and the process starts again.