Achieving Government Security Accreditation

"New ICT systems containing protected information will be accredited to the Government standard and their accreditation status will be maintained throughout the life of the system."

Data Handling in Government Report

The formal assessment of an information system against its Information Assurance requirements, resulting in the acceptance of residual risks in the context of the business requirement is called Accreditation. It is government policy that if a system contains positively marked information, or is part of the Critical National Infrastructure (CNI) it should be subject to Accreditation.

ECA takes the mystery out of achieving Government Accreditation. The ECA team has delivered more than 50 accredited systems and can provide specialist independent (CLAS) advice including qualified government Accreditors for more in depth advice.

What is accreditation?

Any business activity involves risk, to the organisation, to other business activities, to clients, customers and partners. Some of these risks are security related, in that they involve threats to the confidentiality, security, integrity and availability of its information and business processes, or to the ability of the organisation to monitor its own activities and comply with the law. Accreditation is the process whereby these risks are assessed, and cost-effective countermeasures are determined and put in place. It includes the point at which the residual risks are formally accepted on behalf of the organisation.

Accreditation is fundamental to the assurance and delivery of any ‘trusted’ system or service that underpins government business. It is a continuous process, throughout and beyond the life of the delivery project. The principles of this accreditation are now closely aligned with those of ISO27001 and ISO17799.


Supporting the accreditation process - Including PSN accreditation and certification

ECA has an unbroken track record of ensuring that clients achieve accreditation first time every time. Accreditation of a system should start when the IT project is first discussed. It is an integral service, not a ‘bolt on’; accreditation is a rolling quality assurance and validation process, in which business risks are constantly assessed and countermeasures put in place. An accredited system is inspected annually - and if substantial changes are made, it must be re-inspected.

With the advent of the PSN, the new UK Government inter-departmental communications network and the enhanced accreditation requirements this new scheme demands - ECA have successfully managed the PSN accreditation of the new Shared Services 1 contract. This meaning we are now in the very best position to help any organisation successfully join the PSN, especially where their existing information system has not previously or does not currently hold either previous GSi connection and/or HMG certificate of Accreditation for Information Assurance.

The ECA team can support public service providers - or organisations working with the public sector - through every step of the accreditation process. ECA’s experts can guide an accreditation strategy, prepare an Accreditation Document Set (ADS) and work with the Accreditor to ensure a satisfactory certification.

For more information on Security Accreditation UK please contact us.

Back to main Information Assurance page