ICT Certification and Accreditation

- NZISM Qualifications with CANDA

CANDA specialises in developing people, process and technology solutions to help organisations manage their C&A (Certification & Accreditation) requirements.

What is ICT Certification & Accreditation?

The Certification & Accreditation process is completed by defining the Statement of Applicability, performing a Risk Assessment, preparing a Controls Validation Plan (CVP), conducting a Controls Validation Audit (CVA) and then issuing the System Security Certificate (SSC) itself.

On completion of the Certificate, Accreditation takes place with the system owner.

This accreditation is your ‘authority to operate’ or a security ‘warrant of fitness’.

The services we provide can cover the entire process or individual components such as:

  • Providing the skilled staff to perform C&A functions;
  • Developing processes to meet C&A requirements;
  • Augmenting existing process and personnel;
  • Training workshops and solutions to improve or upskill;
  • Certification and Accreditation activity described above.

Why is Certification & Accreditation important?

NZISM compliance is crucial for all government agencies due to their responsibilities for keeping information entrusted by New Zealanders safe from loss, damage or compromise.

Agencies have responsibilities under various legislation to ensure the security and integrity of the data processed, and the systems operated, for the delivery of government services to the public of New Zealand. The safe and secure operation of information systems is essential to New Zealand’s security and economic well-being. These systems are vital for the successful operation of government organisations and underpin public confidence by supporting privacy and security. The NZISM is the key standard which defines these responsibilities.

Agencies are responsible for:

  • Using and implementing the NZISM to set out a baseline level of information security controls for the systems operated by the Government Department, Agency or Crown entity.
  • Ensuring that all information is appropriately classified and that appropriate minimum acceptable levels of controls are employed to protect the information according to the requirements for that classification, under the recommendations laid out in the NZISM.
  • Assessing the risks associated with the data and information processed by the agency and implementing an assurance process which ensures that the appropriate controls are implemented, effective and maintained.

As these responsibilities require a thorough, meticulous process to assess risk, apply controls and mitigate residual risk, ICT security experts are often engaged to guide agencies through the C&A process.

Who participates in the Certification & Accreditation process?

As outlined by the NZISM standard, the primary participants involved in the C&A process are:

System Owners (You) – System owners are responsible for design, development, system documentation and system maintenance, including any requests for recertification or reaccreditation.

The Certification Authority – The authority responsible for the review of information and documentation provided by the System Owner to ensure the ICT system complies with minimum standards and the agreed design.

The Assessor or Auditor – Conducts the inspections, audits and reviews instructed by the Certification Authority.

The Accreditation Authority – Considers the recommendation of the Certification Authority. If the level of residual risk is acceptable, the Accreditation Authority will issue the system accreditation (the formal authority to operate a system).

Contact CANDA to ensure NZISM compliance for your systems

Our experienced team at CANDA are experts in everything ICT security and risk related, and can provide a range of services to ensure your agency meets NZISM requirements.

As New Zealand’s trusted impartial experts on guiding agencies through the Certification & Accreditation process, we have extensive experience in risk assessment, cyber security, controls validation, systems security certification, risk management, remediation management, department security policies, business continuity and disaster planning, user awareness training, network and host-based security, antivirus software, and more.

Contact CANDA today to speak to one of our team and learn more about how we can help.