Become an Accredited Service Provider
Accreditation Process Overview
Application Submission - During the Accreditation Application process, the Service Provider must submit information relating to the business and provide a completed Self-Assessment, outlining compliance with the National Information Security Compliance Framework (NISCF) accreditation requirements.
The Accreditation Application Form requires that Service Providers identify the Service Areas for which accreditation is desired.
Application Review – Following receipt of the Accreditation Application the National Cyber Governance and Assurance Affairs will review the submission for completeness and assess compliance with the NISCF accreditation requirements.
If further information or evidence is necessary, this will be requested (or it may be necessary to perform an on-site assessment).
Where additional information or evidence is required to achieve full compliance, the Service Providers will have six (6) months of the date of application to complete the application process.
For Service Providers who have previously been accredited, the National Cyber Governance and Assurance Affairs will produce an Accreditation Package. The Accreditation Package (comprised of the application, previous assessment reports) shall be provided alongside the Service Provider’s Accreditation Application to further inform the Accreditation Decision.
Accreditation Decision - Following the Application Review, the Service Provider Accreditation Application (or Accreditation Package) is progressed to the National Accreditation Board (alongside an accreditation recommendation) for a formal accreditation decision.
If the National Accreditation Board agrees to award accreditation, the Service Provider will be provided with an Accreditation Certificate by the National Cyber Governance and Assurance Affairs. The Accreditation will remain valid for three (3) years subject to successful accreditation maintenance.
Maintaining your Accreditation Status
Once accreditation has been awarded, Service Providers enter the Accreditation Maintenance Process through which ongoing compliance with the National Information Security Compliance Framework (NISCF) accreditation requirements must be assured. This is achieved through a combination of scheduled and random surveillance audits.
Scheduled Surveillance audits will begin six (6) months after initial accreditation. They will be completed every twelve (12) months thereafter and six (6) months prior to the expiry of the accreditation. In addition, Accredited Service Providers are required to notify the National Cyber Governance and Assurance Affairs of any changes which may result in a non-compliance with the National Information Security Compliance Framework (NISCF) accreditation requirements.
Where non-compliance is identified, either through receipt of a Change Notification or as a result of a Surveillance Assessment, the Service Provider will be notified and requested to submit Corrective Action Plans and Implementation Evidence to support remediation of the non-conformity.
The Corrective Action Plan is required within ten (10) calendar days following notification of the non-conformity. The remediation time-frame varies dependent upon the severity of the non-conformity.
- Major Non-Compliance must be remediated within sixty (60) days, and,
- Minor Non-Compliance must be remediated within ninety (90) days.
If both the Corrective Action Plan and the Implementation Evidence have been received within the permitted time-frames, and accepted by the National Cyber Governance and Assurance Affairs, the Service Provider will remain accredited.
Apply for Accreditation
Service providers seeking accreditation are required to submit completed application documentation through the National Cyber Governance and Assurance Affairs compliance portal.
New applicants will need to register a new account before continuing with the application process.
NB: If this is the first time your Organization is registering on this site, your Nominated Representative should be the first person to register. The system will automatically assign the first person to register as the Organization's Nominated Representative.
Existing account holders should always ensure the correctness of all information (including that the primary contact and business data) prior to submitting any application.