Put Your Certification To the Test
By: Allison Barton-Kramer
It's one thing to say your certification is world-class. It's another to prove it. ASIS International put three of its certification programs through a years-long process of rigorous analysis and in-depth audits, and now they have an internationally recognized accreditation to show for it.Certification is all about asking people to be better—to increase their knowledge, to prove their competence, to aim for excellence. At ASIS International, we wondered: How can we not ask the same thing of ourselves that we ask of our certificants?
The ANSI/ISO accreditation process is thorough and rigorous—and sometimes intimidating. Regardless, the benefits can be substantial. It can help an organization implement better internal structures and become better organized, from the lowest staff levels to the top. It can orient an association to meet or surpass industry standards—in other words, to claim a true leadership position. It helps an association earn or confirm worldwide credibility within its industry. Finally, the process can help an association identify and rectify problems and sustain positive long-term results.
An association interested in pursuing ANSI accreditation should enter the process with a clear understanding of its own internal certification processes. Three specific areas are particularly vital to know thoroughly:
Documentation. Where and how are policies and procedures stored? Who can edit documents? What signoffs are required to change a certification policy or procedure? How often are certification procedures reviewed? How do employees know what policies and procedures to use in a given situation?
Internal audit. What are your procedures for internal audit of your certification? How frequently is internal audit conducted? How is it documented? Who in management reviews the results? Are there audits for vendors that play a role in your certification? If so, how often do they occur?
Management review system. How is management involved in ensuring the effective application of the documented certification procedures? What are the certification's standards for continuous improvement, course corrections, quality control, and surveillance?
This question arose for us in the wake of September 11, 2001. Our mission is to promote excellence in and recognition of the security profession, so the attacks had a significant impact on our members and certificants as well as on ASIS as an organization. We saw our work as more important and urgent than ever before.
ASIS was confident that our certifications and training options were world class, but we wanted to raise the bar. We also wanted to further distinguish ourselves in an increasingly competitive, international, and varied marketplace while taking a proactive role in the development of strong standards for the security industry. In light of all this, we decided to pursue third-party accreditation for several of our key credentials through the American National Standards Institute.
ANSI and Accreditation
ANSI is a nonprofit agency that promotes and facilitates voluntary performance standards and assessment systems. ANSI is also America's official representative to the International Organization for Standardization (ISO) and the International Electrotechnical Commission.
We decided to seek ANSI accreditation for ASIS's three international certifications: the Certified Protection Professional (CPP), Professional Certified Investigator (PCI), and Physical Security Professional (PSP) credentials. Specifically, we targeted International Standard ANSI/ISO/IEC 17024 accreditation, which was designed for organizations responsible for professional certification. Accreditation under ISO/IEC standards signifies that the procedures and systems of a certifying body meet ANSI's essential requirements for openness, balance, consensus, and due process.
ASIS chose ANSI because its standards for accreditation were well known and highly regarded worldwide as thorough and stringent measures of quality. While we knew that meeting those standards would be demanding, we were also confident that demonstrating our compliance with ANSI requirements would underscore the world-class quality of our certification programs and perhaps elevate their profile—and ASIS's—among security professionals around the world. We also recognized that ANSI accreditation would afford ASIS protection against legal actions based on quality standards.
The ANSI process required that our certification programs be assessed and audited, with a rigorous review of management and psychometric procedures. The process was indeed challenging, and it was even more arduous than we first imagined.
What It Takes
We started by assessing and auditing ASIS's certification management and testing standards, systematically collecting, collating, and documenting information on all the policies, procedures, and activities used to meet the requirements of the CPP, PCI, and PSP certifications. ANSI provided guidelines for the assessment process, but we had to invest considerable time learning the nuances of ANSI's accreditation vocabulary and expectations for what kinds of information would be included. Fortunately, ANSI offers helpful training workshops.
ASIS takes pride in having received the ANSI seal of approval. Along the way, we learned some important lessons that may be valuable for other associations engaged in comprehensive change.
Change has to start at the top. We were driven by the desire to remain at the top of our game, especially with more and more players entering the certification field. We could not be satisfied with our existing strengths; we had to amplify them and find even better ways to support our security professionals. Fortunately, senior leadership was committed to championing both change and innovation.
Educate and communicate. Clear, consistent, and frequent communication was essential to building a base of growing support from all our stakeholders. We met regularly with key individuals and groups and provided regular updates. This was important even when we sometimes fell short of compliance. People needed a sense of progress and a sense that we were addressing issues that might be getting in the way of moving forward.
"Plans are nothing; planning is everything." Dwight D. Eisenhower was right. Planning for strategic change is different than an implementation plan. We were pursuing the ANSI/ISO/IEC standard not only to achieve accreditation but also to renew and enhance the processes and policies through which we educate and certify security professionals. We did not want to get lost in simply creating and collecting paperwork and documentation. We were driven by a strategic action plan that identified steps that were, in order, strategic, operational, and tactical.
"Plans are only good intentions unless they immediately degenerate into hard work." Peter Drucker was also on target. A plan for strategic change means little without an implementation plan and a dedicated project manager who helps staff and other stakeholders agree on action steps, individual responsibilities, deadlines, resources, and metrics.
People support what they help create. We tried to involve the right people at the right time in the accreditation process. We wanted them not only to understand what was required to secure ANSI recognition but also to see how their personal contributions to key processes were vital. The discipline of the ANSI review helped us see how mutual relationships connected us. People began to ask four important questions: What do you need from me? What do you do with what I give you? Are there any gaps? Am I giving you anything you don't need?
Know when to ask for assistance. ANSI was of great help and support to us, but we reached a point where we needed an objective, outside opinion, and perspective on what we had accomplished and what more needed to be done. The outside assistance provided by our consultant was invaluable.
Celebrate success, and be able to laugh at yourself. It is important to recognize successes, but we also tried to look at why we were successful and then build on those strengths. The accreditation process is exhaustive, but we kept our cool and tried to never lose our sense of humor along the way.
Collecting and organizing the data we needed took almost two years. The project consumed approximately 30 percent of the project manager's time and required input from staff at all levels. Our board of directors was involved periodically on questions that required governance review. The process could have been shorter had we been able to devote more association assets to the task. But like many associations, ASIS must work within the constraints of limited staff and fiscal resources.
The costs involved were significant but perhaps not exorbitant: We initially paid a $3,000 application fee (ANSI's fees have since changed). As part of the process, ASIS also paid for ANSI assessors to conduct a short onsite visit to our office, where they interviewed staff and reviewed documents as part of the intensive review of our application.
Effective communication, both inside ASIS and with external constituencies, was vital through the process. Not only did project managers need to understand the requirements and terminology of the ISO/IEC standard, but our staff also had to be able to apply the process to its work. We conducted a series of interactive meetings to ensure that staff members understood why we were pursuing ANSI accreditation and how their specific roles fit into our larger objectives.
Indeed, ANSI wanted proof of such communication and related implementation. As part of our application process, for example, ANSI could and did ask staff at all levels specific questions about policies and procedures and how their work was connected to the overall certification process.
Engaging ASIS employees in this way created its own highly positive effect. As staff increased their understanding of how their work was connected to the certification process, they began to look beyond merely documenting their roles to assessing the effectiveness of our processes. Individuals responsible for implementing policies and procedures began to identify concrete ways to improve the way ASIS works. Just as important, we began to identify better measures to track improvements in our productivity and efficiency.
Once we had documented our operations and were well on the way to resolving areas where ASIS policies and procedures were not in compliance with ANSI requirements, we realized that we had, in essence, created an effective, continuous quality-management process. We saw that we had an opportunity to continue to improve the way we manage change; we could consolidate the lessons we had learned and use them to improve ourselves over time. In short, we recognized that ANSI accreditation was about leadership as much as it was about quality.
The Final Stages
An external consultant helped us complete the final documentation and implementation plan for ANSI accreditation. He also provided the vision we needed to design and install a quality management system based on what we had learned through the ANSI process. Customized to our particular needs as an association, the system was designed to be readily understood and used by ASIS staff at all levels. (This added some expense to the ANSI application process, but it was an investment we thought was well worth the cost.)
Our hard work paid off officially when ASIS's three international certifications were awarded accreditation by ANSI. Since then, the quality management procedures we developed during the application process have helped us retain our ANSI approval. Our accreditation renews each year provided that we continue to meet stringent standards. Regular audits and a steady stream of reporting to ANSI ensure that we stay on track. We pay an annual fee for continued accreditation based on gross revenues from the previous year.
Obtaining ANSI approval has both enhanced the reputation of our services and improved the efficiency and effectiveness of ASIS processes and systems. Constituents who pursue ASIS certification know that such credentials have been judged by ANSI to be of world-class quality. Importantly, ANSI accreditation also provides ASIS another layer of protection against lawsuits based on quality standards. Moreover, we have developed better ways to assess how well our own systems are working, find problems, and determine a course of action to correct and improve processes.
The final analysis? The journey was certainly worth the energy and work it required. Today we have a stronger, better-run organization with a clearer strategic vision of our role in certification, and staff members who are more clearly invested in providing excellence—for ourselves, our organization, and our membership—in everything we do.
Allison Barton-Kramer is certification manager for ASIS International. Email: firstname.lastname@example.org