I’ve learned a lot about certification in the two years I spent planning, researching and identifying the best course of action to create this institute. While different certifications across industries use different terms, I’ve tried to consolidate a common description of the “certification” ecosystem. At the core, you have an organization that wants to get something (often referred to as the target or object) certified, and an entity or body that provides the certification. Beyond that are various organizations meant to ensure the certification is not granted in a perfunctory manner, so that the integrity of the certification is maintained. Here are some of the most common roles in the certification ecosystem:


To the best of my knowledge, no certification mechanism has a distinct entity in every role; some entities hold multiple roles. Some of those insulate one role from undue influence by the other through organizational firewalls or even separate legal entities. Here is an example for ISO 27001.

Certification Schema: ISO 27001 Information Security Management System
Schema Owner: ISO/IEC JTC 1/SC 27, the joint technical committee subcommittee on information security, cybersecurity and privacy protection
Schema Approver: ISO National Bodies. Standards must be approved by a two-thirds majority of the National Body members of ISO (such as ANSI in the United States).
Certification Body: British Standards Institution (BSI). Here is where things get interesting: BSI is also the National Body representing the United Kingdom within ISO, though presumably a different department within BSI performs these functions.
Accreditation Agency (Certification Body): United Kingdom Accreditation Service (UKAS), which accredits BSI as a certification body for ISO 27001
Assurance Assessor: In this case BSI also acts as the assessor, assessing the applying organization’s conformance with the schema.
Accreditation Agency (Assurance Assessor): None
Example with players in the ISO 27001 Certification Ecosystem

Two more examples, below, contrast the Payment Card Industry’s mechanisms for conformance to the Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS). You’ll note that because of the smaller set of organizations involved, and the wider-ranging impact a single payment application provider has on security across the bank card system, PCI maintains tighter control of the PA-DSS mechanism.

Certification Schema
  PCI DSS (Data Security Standard)
  PCI PA-DSS (Payment Application Data Security Standard)
Schema Owner
  PCI DSS: PCI Security Standards Council (PCI SSC)
  PA-DSS: PCI Security Standards Council (PCI SSC)
Schema Approver
  PCI DSS: None; the owning entity (PCI SSC) is also the approver
  PA-DSS: None; the owning entity (PCI SSC) is also the approver
Certification Body
  PCI DSS: None. Assessments are submitted to the applicant’s acquiring/merchant bank, which accepts (or rejects) the assessment.
  PA-DSS: PCI SSC. Applications are referred to as validated, not certified. The Council’s own wording, “Although the Council reviews these reports for relevant quality assurance purposes, the Council does not independently confirm these reports or the data or information they contain, nor does the Council perform tests or analysis of applications, products, or their functionality, performance, suitability, or compliance,” speaks to the notion that Certification Bodies are not assessors, but ministerial bodies issuing certification upon valid applications.
Accreditation Agency (Certification Body)
  PCI DSS: None
  PA-DSS: None
Assurance Assessor
  PCI DSS: Coalfire Systems, Inc. (example)
  PA-DSS: Coalfire Systems, Inc. (example)
Accreditation Agency (Assurance Assessor)
  PCI DSS: PCI Security Standards Council
  PA-DSS: PCI Security Standards Council
Example with players in the PCI DSS and PCI PA-DSS ecosystems

As you can see, even fairly mature certifications may not have independent actors in each role. As a nascent certification, the planned role of the IOPD is to be the Schema Owner (we’re the entity developing and managing the standard) as well as the Certification Body (we will issue certifications). Eventually, as we mature, we would like to be accredited, possibly by ANAB, the ANSI National Accreditation Board, which accredits certification bodies. Our plan is to allow both self-assessment with attestation by applicants and third-party assessments by assurance assessors. This is similar to the Cloud Security Alliance (CSA) model, which has STAR Level 1 for self-attestations and STAR Level 2 for third-party audits across its various certifications. As a long-term goal, we’d like to get the standards approved by the EDPB as recognized certifications for Article 25, Data Protection by Design and by Default, under the GDPR.

We have a long road ahead and would love your help in getting there. If you’re interested in getting involved, please consider joining as an Ambassador, getting your organization to sponsor, or volunteering in other ways.
