Certification Guidelines

This document provides guidelines for completing security certification questionnaires. It covers how to score individual control questions and when to pursue certification through self-assessment or third-party review.

Self-Assessment

The self-assessment option is suitable for organizations wishing to internally validate their security posture. Self-assessment does not grant official certification, but rather serves as an internal checkpoint.

Scoring Individual Questions

  • Yes: Control is currently implemented and operational
  • N/A: Control doesn't apply to your organization (provide justification)

Evidence Collection (Recommended)

While not required for self-assessment, we recommend maintaining documentation for each "Yes" response:

  • Procedure documents
  • Operational records
  • Test results
  • System configurations

This documentation can be useful for future audits or third-party reviews, and can help track your own security posture over time.

Third-Party Review

Third-party reviews are recommended for organizations seeking formal certification and involve an external SEAL-certified assessor evaluating your security posture.

Scoring Individual Questions

  • Implemented: Fully operational with verified evidence
  • Partially Implemented: Incomplete or lacks sufficient evidence
  • Not Implemented: Control absent
  • N/A: Not applicable (provide justification)

Required Evidence Per Control

For each control scored "Implemented," provide:

  • Procedure documentation: Policies, versions, approval dates
  • Operational proof: Logs, records, tickets showing active use
  • Testing/validation: Drill results, incident reports, test outcomes
  • Ownership details: Responsible party, review frequency, last update
  • Technical artifacts: Configurations, screenshots, system exports

Certification Criteria

Third-party reviewers will issue certification when:

  • All critical controls are "Implemented" or "N/A" with justification
  • Evidence substantiates all claims
  • "Partially Implemented" controls have documented remediation plans
  • Overall security posture meets framework requirements

Review Process

  1. Complete initial assessment with evidence
  2. Reviewer verifies claims against submitted evidence
  3. Address any findings or requests for additional documentation
  4. Receive certification report with findings and recommendations