Demystifying the Accreditor role – think referee

For public sector organisations or suppliers required to achieve formal accreditation for their ICT systems, early engagement is key. The Accreditor role is crucial to ensure business risks are determined and the requirements for security controls to manage these risks are agreed as soon as possible.

For those organisations new to the mysterious world of accreditation, their relationship with the Accreditor can be confusing at first.

Is the Accreditor an all-knowing demi-god of security information sitting in an ivory-clad tower whose word is final and beyond reproach? Or, is he part of the team charged with ensuring that risks to government ICT systems are adequately managed?

Of course, the latter is true, but the Accreditor’s role is not always easy to understand as it covers so many different aspects of information security.

To make more sense of the role, I think a football referee analogy comes in useful . Like a referee, an Accreditor plays an impartial role to ensure the rules of the game are met without bias. A referee does not determine the rules and neither does an Accreditor set policy. They are both responsible for understanding the rules and making balanced decisions based on the evidence presented to them. For example, a referee can only take appropriate action if a foul is actually witnessed. Equally, an Accreditor can only make an accreditation decision if all the evidence is presented.

Here are a few more similarities.

Why Accreditors are like referees:

  1. A referee enforces the rules of the game. An Accreditor ensures that security solutions are in compliance with security policy.
  2. A referee is responsible from start to end. An Accreditor is responsible from the very beginning of a design, through implementation and operations and through to final disposal.
  3. A referee issues verbal and formal warnings. An Accreditor provides warnings where designs are not in compliance with policy.
  4. A referee has assistants to enforce compliance. An Accreditor can call on the assistance of others – example would be a Security Assurance Co-ordinator or CHECK team.
  5. A referee cannot make a decision based on hearsay no matter how convincing the argument – if a foul is not seen, then it cannot be given. An Accreditor can only make a decision based on the evidence presented.
  6. A referee has some scope to interpret the rules of the game and are issued guidelines to help. An Accreditor may have some leeway to interpret policy requirements based on business benefits.
  7. A referee keeps time. An Accreditor ensures that security requirements are produced and implemented.
  8. A referee does not pick the teams. An Accreditor does not select security controls.
  9. A referee does not decide the team formation. An Accreditor does not design security solutions.
  10. A referee does not buy new players. An Accreditor does not fund security solutions or testing.
  11. A referee does not determine the rules of the game. An Accreditor does not set policy.
  12. A referee does not carry out investigations. An Accreditor does not conduct audits or compliance testing.
  13. A referee does not select the substitutes. An Accreditor does not offer alternative solutions.

If you want to get the most from the process it’s good to set your expectations of the accreditation process correctly and have a clear understanding of exactly what the role involves – where the Accreditor’s responsibilities lie and where they don’t. Let me know if the analogy helps.

Written by


Receive the latest Cyber Security News and Content

Fields marked with an * are required


Ascentor Ltd is committed to protecting and respecting your privacy, and we'll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please tick below to say how you would like us to contact you:

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit below, you consent to allow Ascentor Ltd to store and process the personal information submitted above to provide you the content requested.

Green Bird - White top right

Contact Us

Your cyber security challenges and our pragmatic approach – we could be the perfect fit.
Contact the team at Ascentor for an informal chat.

Get in Touch