Certification Guidelines
This document provides guidelines for completing security certification questionnaires. It covers how to score individual control questions and when to pursue certification through self-assessment or third-party review.
Scoring Controls
Score each control as:
- Implemented: Fully operational with verified evidence
- Partially Implemented: Incomplete or lacks sufficient evidence
- Not Implemented: Control absent
- N/A: Not applicable (provide justification)
Evidence Collection
For each control scored "Implemented," provide:
- Procedure documentation: Policies, versions, approval dates
- Operational proof: Logs, records, tickets showing active use, interviews with team members
- Testing/validation: Drill results, incident reports, test outcomes
- Ownership details: Responsible party, review frequency, last update
- Technical artifacts: Configurations, screenshots, system exports
Self-Assessment
The self-assessment option suits organizations that want to validate their security posture internally. Self-assessment does not grant official certification; it serves as an internal checkpoint for tracking your security posture over time.
Third-Party Review
Third-party reviews are recommended for organizations seeking formal certification. In a third-party review, an external SEAL-certified assessor evaluates your security posture and the evidence behind each scored control.
Certification Criteria
Third-party reviewers will issue certification when:
- All controls are "Implemented" or "N/A" with justification
- Evidence substantiates all claims
- Overall security posture meets framework requirements
Any control scored "Partially Implemented" or "Not Implemented" must be remediated, and supporting evidence resubmitted, during the review process before certification can be issued.
Review Process
- Complete initial assessment with evidence
- Reviewer verifies claims against submitted evidence
- Address any findings or requests for additional documentation
- Receive certification report with findings and recommendations