Certification and Accreditation Systems

𝗜𝗦𝗢 9001 𝘃𝘀 𝗜𝗦𝗢/𝗜𝗘𝗖 17025 𝐔𝐧𝐝𝐞𝐫𝐬𝐭𝐚𝐧𝐝𝐢𝐧𝐠 𝐭𝐡𝐞 𝐃𝐢𝐟𝐟𝐞𝐫𝐞𝐧𝐜𝐞 𝐢𝐧 𝐐𝐮𝐚𝐥𝐢𝐭𝐲 & 𝐋𝐚𝐛𝐨𝐫𝐚𝐭𝐨𝐫𝐲 𝐀𝐜𝐜𝐫𝐞𝐝𝐢𝐭𝐚𝐭𝐢𝐨𝐧 🎯 WHY THE CONFUSION? Both standards include: • Document control • Internal audits • Management review • Corrective actions • Risk-based thinking But their intent and depth are different. 🏢 𝐈𝐒𝐎 9001:𝐐𝐮𝐚𝐥𝐢𝐭𝐲 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭 𝐒𝐲𝐬𝐭𝐞𝐦 (𝐐𝐌𝐒) Purpose: Ensures an organization consistently meets customer and regulatory requirements. 🔹 Focus Areas > Process standardization > Customer satisfaction > Organizational risk management > Continuous improvement ✅ Strengths ✓ Applicable to any industry ✓ Improves operational efficiency ✓ Enhances brand credibility ❌ Limitations × Does NOT verify laboratory competence × Does NOT validate test results × No mandatory measurement uncertainty 🧪 𝐈𝐒𝐎/𝐈𝐄𝐂 17025:𝐓𝐞𝐬𝐭𝐢𝐧𝐠 & 𝐂𝐚𝐥𝐢𝐛𝐫𝐚𝐭𝐢𝐨𝐧 𝐋𝐚𝐛𝐨𝐫𝐚𝐭𝐨𝐫𝐲 𝐀𝐜𝐜𝐫𝐞𝐝𝐢𝐭𝐚𝐭𝐢𝐨𝐧 Purpose: Demonstrates technical competence and validity of laboratory results. 🔹 Focus Areas • Method validation & verification • Measurement uncertainty • Equipment calibration & traceability • Proficiency testing (PT) • Technical competence of analysts ✅ Strengths ✓ International recognition of lab results ✓ Legally defensible data ✓ Regulatory & export acceptance ❌ Limitations × Limited to laboratory scope × Technically demanding × Higher implementation cost 🏭 WHEN DO YOU NEED BOTH? ✔ Manufacturing company with in-house lab ✔ Contract testing lab inside a certified organization ✔ Organizations requiring both operational control and technical credibility 🔎 Final Insight ISO 9001 says: “Our processes are controlled.” ISO/IEC 17025 proves: “Our laboratory results are technically reliable.” 𝒕𝒉𝒆𝒚 𝒂𝒓𝒆 𝒏𝒐𝒕 𝒅𝒖𝒑𝒍𝒊𝒄𝒂𝒕𝒆𝒔 > 𝑻𝒉𝒆𝒚 𝒄𝒐𝒎𝒑𝒍𝒆𝒎𝒆𝒏𝒕 𝒆𝒂𝒄𝒉 𝒐𝒕𝒉𝒆𝒓

There's a lot of noise on LinkedIn right now about cyber security standards and a long-standing misunderstanding about the role of compliance in cyber security. It's good there is discussion and options, but I feel it is useful to try and bust a few myths. On the value of standards: 💠 Not all standards are equal - nor do they offer the same value so weigh them up and adopt with a purpose in mind 💠 Industry standards provide a baseline, a comparable benchmark and may be enforced by a regulator of your industry 💠 Internal standards based on risk assessment and tailored to context ensure you do what is right for your organisation 💠 Standards aren't just about controls - they are also about guiding governance, operations and improvement 💠 Effective standards demand risk management and continual improvement, not box-ticking! On the value of compliance: 💠 You don't "comply" with ISO/IEC 27001 - you conform to its mandatory requirements if you're going for certification 💠 The mandatory requirements focus on risk management and governance processes, not specific controls 💠 The implementation of controls is mandatory, but the adoption of Annex A controls is optional - selection must be justified 💠 Compliance to internal policies and standards is essential for effective risk management (don't release something you can't comply with) 💠 Adopting external standards helps you build trust with external stakeholders like customers and regulators On the value of independent audit: 💠 It's easy to make rules when you act alone - much harder when working through internal or external committees  💠 It's easy to evaluate your own work and whilst many of us in cyber security are critical, it shouldn't stop there 💠 Certification and accreditation rely on credible authority, training & qualified auditors, and accredited audit bodies 💠 Without independent review, control testing and risk management are often under scrutinised and left static 💠 If you share the results of your independent third-party audit then that helps to ensure consistency of operations with expectations 👇 Final Thoughts If you’re out there arguing that compliance and risk management are separate - or worse, in conflict - then that's a problem that needs to be fixed for better compliance, risk management, and cyber security. I argue that ISO/IEC 27001 is the most risk-based cyber security standard - scaling from small to large organisations with a strong regime of independent audit. Other standards have their place for specific purposes.

Procurement teams have started asking a different question. It is not, “Is your AI responsible?” That question is too slippery. Everyone says yes. The question is, “What can you prove, and what can we verify without becoming AI experts ourselves?” We keep seeing this play out the same way. A vendor shows up with a set of AI principles. A buyer nods politely. Then Legal leans in and asks for something boring. A scope statement. A monitoring record. A change log. Who reviews incidents. When. With what authority. That is why #ISO42001 is creeping into procurement conversations. Not because it is a magic badge. Not because it guarantees every model is safe. It is because it gives buyers a familiar mechanism for converting uncertainty into evidence. That is the real shift. The market is moving from values to controls. Here is the trap. ISO/IEC 42001 certification is not a product stamp. It is a management system certificate, issued for a defined scope. ➡️If you do not ask what is in scope, you do not know what the certificate actually covers. ➡️If you do not check accreditation, you do not know how much confidence to place in the audit that produced it. So if you are a buyer, treat ISO42001 the way you treat #ISO27001. Start with three questions: 1️⃣Credential Validation Who certified the AIMS, and is the certification body accredited for ISO/IEC 42001? 2️⃣ Scope Validation Is the specific product, model family, and delivery model you are buying inside the certified scope? 3️⃣ Operating Controls Validation What happens in production. Monitoring. Model change control. Incident response. Corrective action. Show me evidence, not a slide. If you are a vendor, this is also an opportunity. The fastest way to shorten diligence is not another trust statement. It is a one-page AI assurance pack that procurement can consume in five minutes (this may be a bit too dramatic 🙂). Think of an AI Model/System Card, but tailored to the needs of procurement officials. ➡️Include your scope, who owns the system, what you monitor, how you manage model changes, and what triggers escalation. The winners in the next buying cycle will not be the teams with the best slogans. They will be the teams with the cleanest evidence trail. A-LIGN Michael Brooks CISSP, PMP, MBA #TheBusinessofCompliance #ComplianceAlignedtoYou #AIGovernance #ISO42001 #ThirdPartyRisk #Procurement #ResponsibleAI

Not all certifications prepare you for the same thing. And that’s not a bad thing! Conversations about credentials often blur the lines between health information management, health informatics, data analytics, and software expertise. Here’s a distinction that often comes up in conversations about career preparation and credentials: 🤔 RHIT / RHIA validate mastery of health information management, governance, compliance, and data stewardship 🤔 CAHIMS / CPHIMS validate applied health informatics, systems, workflows, interoperability, and analytics leadership 🤔 CSBI validates data analytics and business intelligence skills, tools, and decision support 🤔 Software certifications (Epic, Cerner, etc.) validate platform-specific configuration and operational expertise 💡 These credentials are not interchangeable. They are designed to answer different professional questions. ✅ HIM credentials focus on how health information is governed, managed, and protected. ✅ Informatics certifications focus on how technology and data are used to support care, operations, and decision-making. ✅ Analytics certifications focus on turning data into insight and action. ✅ Software certifications focus on operating specific systems in specific environments. Career growth isn’t about choosing one credential over another. It’s about aligning credentials with the roles, responsibilities, and problems you want to solve. The question isn’t “Which certification is best?” It’s “Which certifications fit where you’re trying to go?” Oh! The places you can go. ✈️

Essential Food Safety Certifications and why they are important: Core Food Safety Systems HACCP – A preventive system to identify and control food safety hazards (biological, chemical, physical). ISO 22000 – International Food Safety Management System covering risk control across the entire supply chain. FSSC 22000 – GFSI-recognized scheme combining ISO 22000 with sector-specific PRPs (strong for export markets). Operational & Compliance Standards GMP (Good Manufacturing Practices) – Ensures hygienic and controlled production conditions. GHP (Good Hygiene Practices) – Basic hygiene requirements to reduce contamination risks and meet regulatory compliance. GFSI & Market-Driven Certifications BRCGS – Focuses on product safety, quality, and operational control; widely accepted by retailers. SQF – Ensures both food safety and quality; preferred by many global buyers. Religious & Ethical Certifications Halal & Kosher – Confirms compliance with specific religious dietary laws. Organic Certification – Verifies organic farming and processing practices. In short: The picture outlines key certifications that ensure food safety, regulatory compliance, global trade acceptance, and consumer trust across the food industry.

Confused Between Attestation, Accreditation, and Certification? You’re Not Alone! Many time we often mix up these terms, but understanding the differences is crucial—especially in industries where compliance and credibility matter. Here’s a quick breakdown: ✅ Attestation An expert’s formal opinion that certain criteria are met. 🔹 Example: A SOC 2 report provided by an external auditor confirming that an organization’s controls meet security standards. 🏅 Accreditation A recognition that an organization (or body) is competent to perform specific functions. 🔹 Example: UKAS accrediting a Certification Body to certify companies for ISO 27001 compliance. 📜 Certification Proof that an individual, system, or organization meets a specific standard. 🔹 Example: A company obtaining ISO 27001 certification for its Information Security Management System (ISMS) or an individual achieving CISSP status in cybersecurity. 💡 Quick Tip: Accredited bodies issue certifications. Attestation provides assurance, not certification. Next time you're discussing compliance frameworks, keep these differences in mind—they define the level of trust, recognition, and credibility in your field! #Cybersecurity #Compliance #ISO27001 #GRC #RiskManagement #Certification #Accreditation #Attestation #CISSP #CRISC #CISA

CAAS - A lot more than just a “sticker on the truck,” but a continuous process that strengthens organizations from the inside out, identifying risks, improving systems, and ultimately delivering better care to patients and communities. Delighted to welcome Sarah McEntee executive director of the CAAS - Commission on Accreditation of Ambulance Services (CAAS), to unpack what accreditation really means for modern EMS systems. Moving beyond the “sticker on the truck,” Sarah reframes CAAS as a living, breathing process — one that drives internal improvement, organizational alignment and long-term sustainability. From its origins within the American Ambulance Association in the 1990s, to the latest Version 4.0 standards, the conversation highlights how CAAS provides a unified, industry-driven framework that elevates agencies from compliant to high-performing. Rob brings a practitioner’s perspective, reflecting on his own experience navigating multiple accreditation cycles, emphasizing how CAAS becomes a “guiding light” for governance, clinical care and operational excellence. Together, we explore the structure of the standards, the application journey, and the cultural readiness required to succeed. The key takeaway is clear: accreditation is not a project with an endpoint — it’s a continuous process that strengthens organizations from the inside out, identifying risks, improving systems, and ultimately delivering better care to patients and communities. Episode timeline 01:30 – Origins of CAAS and need for unified standards 03:30 – Breakdown of CAAS standards (admin, clinical, operations) 06:30 – Deep dive into operational standards and structure 10:30 – Rob’s real-world experience with accreditation 12:30 – Accreditation as a process vs. project 16:00 – Value proposition: internal vs. external benefits 18:30 – Cost vs. value — and the risk of not being accredited 22:00 – Step-by-step accreditation journey (readiness → submission → review) 28:30 – Site visits and peer collaboration 31:30 – Resources, support and how to get started 34:30 – Final reflections and leadership call to action Enjoying the show? Email editor@ems1.com to share feedback. https://lnkd.in/gsK64i38

Creating a new dental program: what do you really need? 🦷🏗️ I have worked in both long-established and newly created dental schools and have seen firsthand what works—and what doesn’t. If you’re thinking about starting a new program, here are a few pearls worth considering. 💡 This is a hypothetical conversation one might have while walking through a brand-new dental school or helping build a new program. Imagine students are already enrolled. Dental students are already on campus. We are two weeks into the first semester of the first D1 class. Me: “What do you mean you only have eight pages of the DMD curriculum?” Academic Dean: “We cannot look backward. This is what we have now, and we must build on this.” Me: “What have you been doing for two years? …and how did CODA pass this?” That (hypothetical) moment captures the real risk of launching programs without systems, evidence, and accountability. ⸻ Designing a dental school isn’t about copying legacy curricula. Or worse copying a new untested curriculum from an old established dental school. It’s about building a system that reliably produces competent, practice-ready graduates—while meeting accreditation standards and societal expectations. What consistently matters: 1️⃣ Accreditation-driven self-study (SSR) 📋 The SSR isn’t paperwork—it’s the backbone. Strong programs align mission, governance, curriculum, assessment, and resources through continuous improvement. 📚 Fredekind et al., JDE 2002; Haden et al., JDE 2010 2️⃣ Competency-based education with Entrustable Professional Activities (EPAs) 🎯 EPAs move assessment from “did they pass?” to “can we trust them?”—and reflect real clinical readiness. 📚 Quinonez et al., JDE 2022; Tonni et al., JDE 2020 3️⃣ True curricular integration 🔗 Separating basic and clinical sciences weakens learning. High-impact programs integrate biomedical, clinical, and behavioral sciences around patient care. 📚 Haden et al., JDE 2010 4️⃣ Assess what learners actually do 🏥 Portfolios and workplace-based assessments capture competence at Miller’s highest level—does. 📚 Albino et al., JDE 2008 5️⃣ Quality improvement over quality assurance 🔄 QA finds problems in students. QI fixes the system—and improves outcomes. 📚 Chambers, JDE 2021 6️⃣ Program yield matters 📊 Success isn’t course completion—it’s how many graduates are clearly competent shortly after graduation. 📚 Chambers, JDE 2021 7️⃣ Faculty development is non-negotiable 👩🏫 New curricula fail without calibrated faculty trained in EPAs, assessment, and feedback. 📚 Haden et al., JDE 2010 Bottom line 🧭 A great dental program isn’t defined by how fast it opens—but by how deliberately it’s built. Curriculum matters. But systems, culture, and assessment philosophy determine whether graduates are truly practice-ready. #DentalEducation #AcademicDentistry #CODA #NewDentalSchools #CompetencyBasedEducation #EPAs #DentalLeadership