This feature first appeared in the Summer 2023 issue of Certification Magazine.
Quite often, the reason a candidate pursues an IT-related certification is that there is value in having a third party attest to their skills: it makes them more valuable to their current or future employer. That third party may be directly associated with the creation and marketing of a particular hardware or software product (such as Microsoft or Cisco), or it may be vendor-neutral (such as (ISC)² or CompTIA).
Regardless of which type of certification provider is involved, they will often tout that their certification is recognized by yet another party: ISO, IEC, ANSI, and so on. What, exactly, does any of this mean?
It means that a higher authority than the certification provider has extended their blessing to the exam and associated credential. And in return, the certification provider has agreed to adhere to a set of rules set forth by the higher authority.
To oversimplify, imagine that I decide the market would benefit from a certification of foundational spreadsheet skills that is generic enough to cover offerings from Microsoft, Google, and a few others. I call this certification Spreadsheet Attested and start offering exams through a testing center.
The odds are good that very few will see me as an authority in this sphere. It's entirely likely that candidate numbers will be low even though there may truly be a need for my credential and the exam(s) could be the best out there.
To make any certification stronger in the eyes of the market, one approach is to align it with a bigger or more respected entity such as the American National Standards Institute (ANSI). Having a highly recognized organization lend their credibility to the offering will enhance how Spreadsheet Attested is perceived in the market and increase its likelihood of acceptance.
Make no mistake: There are many more reasons to align with a partner other than just to borrow their credibility. This scenario of alignment and endorsement, however, plays out on a broad scale on a regular basis.
So who are these oversight organizations and what do they offer to the mix? Let’s take a look at some of the groups whose seal of approval is most relevant to IT certifications.
International Organization for Standardization (ISO) is the giant in the field. As the name implies, they are international, with more than 20 countries having participated in developing initial standards. Established in 1947 and headquartered in Geneva, Switzerland, the organization brings together experts from different countries to develop consensus-based standards that can be implemented globally.
ISO is a standards body, not a regulator and not a certifier. Much of its work concerns benchmarks, rigor, and continual improvement, and each member country is represented by a single national standards body.
ISO develops standards for many industries, including manufacturing, healthcare, information technology, and many others. ISO standards are voluntary, but they are widely adopted by organizations around the world. One caveat matters to certification providers: ISO itself does not audit or certify anyone. A program is accredited against an ISO standard by an independent accreditation body (for certifications of persons in the United States, that is usually ANSI's accreditation arm, ANAB), and it is that independent assessment that gives an "ISO-accredited" program its global seal of approval and makes the status so highly coveted.
One principle ISO strongly adheres to is keeping skills relevant and current. For the testing candidate this typically shows up as certifications that expire after a fixed period and must be renewed, generally by earning continuing education units (CEUs) or by retaking the most current version of the certification exam.
American National Standards Institute (ANSI) can be thought of, with only slight oversimplification, as the U.S. member body of ISO. Many IT certification programs, such as CompTIA's, advertise that they are ANSI-accredited under ISO/IEC 17024; the accreditation itself is granted by the ANSI National Accreditation Board (ANAB).
ANSI is a private nonprofit organization that coordinates and promotes voluntary consensus standards. Unlike ISO, ANSI does not write standards itself: it accredits the organizations that develop them and approves the results as American National Standards, across industries including healthcare, finance, and information technology. ANSI standards are recognized nationally rather than internationally, although ANSI carries the U.S. position into ISO.
More than 12,000 American National Standards exist, covering everything from product specifications to safety requirements and testing procedures. They are developed through a consensus-based process that takes input from various stakeholders, including industry experts, government representatives, and consumers.
International Electrotechnical Commission (IEC) is the oldest of the group, having been established in 1906. It focuses on the development of international standards for electrical and electronic technologies (as opposed to the ISO, which deals with a wide range of standards for various industries).
The IEC’s work is guided by a set of principles, which include openness, consensus, and transparency. The organization has also established a number of conformity assessment schemes to ensure that its standards are implemented correctly and consistently. Despite their different areas of focus, the IEC and ISO work closely together to promote international standardization.
The two organizations have a joint technical committee (ISO/IEC JTC1) which develops and maintains standards for information technology. In addition, the IEC and ISO have a number of agreements in place that allow them to collaborate on specific projects and initiatives.
The rules of the game
Each of these standards bodies is involved in far more than IT-related certification: ISO alone has published more than 23,000 international standards. Certification is a small corner of that work, but three standards are worth knowing. ISO/IEC 15408 and ISO/IEC 27001 deal with information security, and ISO/IEC 17024 deals with how people are certified.
ISO/IEC 15408, also known as the Common Criteria for Information Technology Security Evaluation, provides a framework for evaluating the security of IT products and systems. It defines security functional and assurance requirements against which products such as firewalls or operating systems are evaluated, giving assurance that an evaluated product has been independently tested by an accredited laboratory. A product is evaluated against a Security Target (often derived from a Protection Profile), and the result is expressed as an Evaluation Assurance Level (EAL1 through EAL7). Practitioners should read the EAL as a measure of how rigorously the product was examined, not as an absolute measure of security, and note that it applies only to the evaluated configuration.
ISO/IEC 17024 is not specific to information security: it sets out the general requirements for any body that certifies persons, and it is the standard against which credentials such as CompTIA Security+ and the (ISC)² CISSP are accredited. In the security field that covers certifications held by security managers and penetration testers alike. The standard specifies how a certification program must be developed and maintained, including how exams are built and how candidates' knowledge and skills are assessed.
The standard was first published in 2003 and revised in 2012. It applies to organizations that certify individuals in any field, including healthcare, engineering, and IT. It covers the development and maintenance of certification programs, the certification process itself, and the management of the certification body.
This standard requires that certification programs be developed based on job analysis, which involves a systematic process of identifying the knowledge, skills, and abilities required to perform a job (to help ensure that the certification is relevant and meaningful).
The certification program must also include a detailed description of the certification process, including the eligibility criteria, examination content, and passing scores. This helps ensure that the certification process is transparent, fair, and consistent.
ISO/IEC 17024 also requires that the certification body be managed in a way that ensures the independence, impartiality, and confidentiality of the certification process, which is what makes the credential trustworthy. The body must operate a management system, either one that satisfies the general management system requirements set out in 17024 itself or one that complies with ISO 9001, the international standard for quality management systems.
ISO/IEC 27001 is the standard for information security management systems (ISMS). It specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS: a framework of policies, procedures, and processes for managing information security risk. The approach is systematic, built on risk assessment, selection and implementation of controls (the reference set is listed in Annex A and expanded in ISO/IEC 27002), and ongoing monitoring and review, so that information keeps its confidentiality, integrity, and availability. Unlike 15408, which evaluates products, 27001 is applied to organizations, which can be certified against it by an accredited certification body.
Adding in the DoD
In the early 2000s, the United States Department of Defense (DoD) began requiring contractors on certain contracts to obtain ISO 9001 certification from an accredited certification body. The aim was to improve the quality of products and services procured by the DoD and to ensure that contractors comply with quality management standards.
The requirement applies to contracts for the supply of goods and services and has had a significant impact on contractors, driving increased attention to quality management. The same approach, relying on independently assessed standards rather than in-house criteria, carries over to the DoD's policy for its cybersecurity workforce.
That policy is DoD Directive 8570.01 and its implementing manual, DoD 8570.01-M (commonly referred to together as 8570, and now being superseded by the DoD 8140 series), which set out the requirements for training, certification, and management of the DoD workforce responsible for information assurance, cybersecurity, and IT management. Since the Department of Defense is a large employer, of both direct employees and contractors, this policy carries a lot of weight in the marketplace.
Five key elements of this policy are:
Certification Requirements: 8570.01-M requires that all DoD personnel, military, civilian, or contractor, who perform information assurance or cybersecurity functions obtain and maintain an approved certification. It defines workforce categories and levels based on job role, responsibility, and expertise, and lists the baseline certifications approved for each.
Training Requirements: 8570.01-M specifies the training requirements for personnel who are new to information assurance or cybersecurity functions. It mandates initial training so that these personnel acquire the knowledge and skills needed to perform their duties effectively.
Management and Oversight: 8570.01-M mandates a workforce management program that oversees the certification and training of DoD personnel. It requires processes and procedures to track, manage, and document the certification and training status of the workforce.
Continual Improvement: 8570.01-M emphasizes continuous learning and professional development. Personnel must participate in ongoing training and education to maintain their knowledge and skills as cybersecurity and IT management evolve.
Credentialing: 8570.01-M requires a system that verifies and validates the certifications held by DoD personnel, ensuring that the workforce meets the certification requirements for its job functions.
It is this policy that establishes the framework for the management, certification, and training of the DoD workforce responsible for information assurance, cybersecurity, and IT management. Its implementation is critical to maintaining the security of the DoD's networks and to safeguarding national security.
The big picture
The standards related to IT certification from both national and international bodies provide a strong foundation for the development and maintenance of IT certifications. Accreditation against these standards gives an employer or candidate a way to check that a certification process is credible, of consistent quality, and recognized beyond the vendor that sells it.
These standards also provide a framework for continual improvement, helping the IT certification process stay relevant and up to date. Building IT certifications on ISO/IEC/ANSI standards is essential if such certifications are to be valuable and meaningful to both individuals and employers.