Demystifying the Accreditor Role: Think Referee

For public sector organisations or suppliers required to achieve formal accreditation for their ICT systems, early engagement is key. The Accreditor role is crucial to ensure business risks are determined and the requirements for security controls to manage these risks are agreed as soon as possible.

For those organisations new to the mysterious world of accreditation, their relationship with the Accreditor can be confusing at first.

Is the Accreditor an all-knowing demi-god of security information sitting in an ivory-clad tower whose word is final and beyond reproach? Or, is he part of the team charged with ensuring that risks to government ICT systems are adequately managed?

Of course, the latter is true, but the role of the Accreditor is not always easy to understand because it covers so many different aspects of information security.

To make more sense of the role, I think a football referee analogy comes in useful. Like a referee, an Accreditor plays an impartial role to ensure the rules of the game are met without bias. A referee does not determine the rules, and neither does an Accreditor set policy. They are both responsible for understanding the rules and making balanced decisions based on the evidence presented to them. For example, a referee can only take appropriate action if a foul is actually witnessed. Equally, an Accreditor can only make an accreditation decision if all the evidence is presented.

Here are a few more similarities.

Why Accreditors are like referees:

  1. A referee enforces the rules of the game. An Accreditor ensures that security solutions are in compliance with security policy.
  2. A referee is responsible from start to end. An Accreditor is responsible from the very beginning of a design, through implementation and operations and through to final disposal.
  3. A referee issues verbal and formal warnings. An Accreditor provides warnings where designs are not in compliance with policy.
  4. A referee has assistants to enforce compliance. An Accreditor can call on the assistance of others – for example, a Security Assurance Co-ordinator or a CHECK team.
  5. A referee cannot make a decision based on hearsay no matter how convincing the argument – if a foul is not seen, then it cannot be given. An Accreditor can only make a decision based on the evidence presented.
  6. A referee has some scope to interpret the rules of the game and is issued guidelines to help. An Accreditor may have some leeway to interpret policy requirements based on business benefits.
  7. A referee keeps time. An Accreditor ensures that security requirements are produced and implemented.
  8. A referee does not pick the teams. An Accreditor does not select security controls.
  9. A referee does not decide the team formation. An Accreditor does not design security solutions.
  10. A referee does not buy new players. An Accreditor does not fund security solutions or testing.
  11. A referee does not determine the rules of the game. An Accreditor does not set policy.
  12. A referee does not carry out investigations. An Accreditor does not conduct audits or compliance testing.
  13. A referee does not select the substitutes. An Accreditor does not offer alternative solutions.

If you want to get the most from accreditation, it’s good to set your expectations of the process correctly and have a clear understanding of exactly what the role involves – where the Accreditor’s responsibilities lie and where they don’t. Let me know if the analogy helps.

For Further Information

If you have any questions about the topics we've covered, or would like to have a chat about any aspect of your own cyber security strategy, please get in touch with the team at Ascentor.
