Difference Between Assurance, Certification, Accreditation, Acceptance

Suppose you are a junior security officer for a financial company.

You have been tasked to find new software that will protect customer data and maintain confidentiality.

Your senior security officer has said the new product must come with assurance and go through a formal certification process. Only then will it go through accreditation and acceptance.

They all sound like they should mean the same thing.

They don’t mean the same thing.

The CISSP exam will test to see if you know the difference.

Here is a breakdown:


Assurance is like performing a background check on a new employee to make sure they haven’t committed any serious crimes or failed a drug test.

Applied to systems, assurance is the degree of confidence you can have that the product was developed in a secure manner and that its security features will work as intended.

Was there a secure and formal software development process?

Was the product created under safe and secure conditions?

Was the product delivered to the customer in a secure manner, so it could not be tampered with in transit?

Assurance answers questions about how well the software was made, not whether it actually meets your functional and security requirements. That is for the certification process to determine.


Certification is the technical evaluation that demonstrates to you, as the security officer, that the product meets both the business requirements and the security requirements.

Tests are performed on the product’s hardware, software, firmware and security controls, and on how it will be implemented in your business environment.

Just as you will be tested on the domains of the CISSP exam!

Once certification has been passed, the results are submitted to senior management for accreditation.


Quite simply, accreditation is senior management’s official approval for the product to be used in the business, which also means management formally accepts the residual risk that comes with it.

Senior management reviews the results of the certification process and then decides whether or not to accredit the product for use in the business.


The end users in the business are involved in the acceptance phase.

They will use the product and report whether it suits their daily business needs.

Basically, if the users confirm it does what it is supposed to do, then it is accepted.

For the CISSP exam, just remember that “acceptance” involves the users testing the product.