Certification and Accreditation
1. Initiation and planning
At this stage, the administration initiates and plans the implementation of the
program. A C&A implementation expert prepares the documentation (including the
business case and the requirements documents) and presents it to the
administration as a comprehensive C&A package.
2. Certification
At this stage, an external auditing team analyzes the C&A package and the
organization's information security systems. The audit includes running
vulnerability scans, conducting interviews, and checking whether the systems
comply with the accepted standards and norms.
3. Accreditation
In the accreditation stage, the certifying authority reviews the compiled C&A
package together with the recommendations put forward by the auditing team.
Before granting accreditation, the authority conducts its own examination and
decides whether any risks that have not been remedied can be accepted in the
system.
4. Periodic monitoring
The system, the personnel, and the organization as a whole are monitored
periodically by a team whose sole responsibility is to ensure that the program
stays operational as intended. Any risks, vulnerabilities, or threats that
arise during the monitoring stage must also be dealt with by the organization's
security staff.