CertMap

FUNDAMENTALS

What is Personnel Certification under ISO/IEC 17024?

Accreditation standard for personnel certification, what it guarantees and which vendors comply.

Last updated: 2026-04-30


Why some cybersecurity certifications carry more weight than others - and what matters in the DACH region.


At a glance

  • ISO/IEC 17024 is the international standard for the certification of persons by independent bodies.
  • Accredited certifications undergo external review by national accreditation bodies such as DAkkS (Germany), ANAB (USA), or UKAS (UK).
  • Not all well-known cybersecurity certifications are accredited under ISO 17024 - including industry staples like OSCP.
  • In regulated sectors (government, defense, critical infrastructure), accreditation status can be decisive.

ISO/IEC 17024 in plain terms

ISO/IEC 17024 defines how a certification body that certifies persons - not products or management systems - must operate. Among other things, the standard requires independent examination development, documented competency requirements, transparent recertification processes, and a strict separation between training and examination.

In short: anyone operating under this standard may not offer training and examinations from a single source, must have exam content validated by expert committees, and is subject to regular external audits. The objective is comparability and trust - worldwide.

Accredited personnel certification vs. ordinary certificate

In the cybersecurity industry, the term "certification" is used so loosely that it has lost much of its meaning. An online course with a final test, a vendor badge handed out after a workshop, a formal examination by an accredited body - all of these are called "certificates." The differences between them, however, are substantial.

An accredited personnel certification under ISO/IEC 17024 means that a national accreditation body has audited the certifying organization and confirmed that its processes conform to the international standard. This covers the independence of examination development, the psychometric quality of the examinations, the governance structure, and the recertification procedures.

An ordinary certificate - whether from a training provider, a software vendor, or a professional organization - is not subject to any such external oversight. It may be excellent on the merits, but it lacks the independent audit of the underlying processes.

The difference is comparable to that between a TÜV-tested product and a manufacturer's warranty: both have their value, but only one is verified by an independent third party.

Who accredits?

Accreditation is carried out by national accreditation bodies:

  • DAkkS (Deutsche Akkreditierungsstelle - Germany's national accreditation body): responsible for Germany, operating on the basis of EU Regulation (EC) No 765/2008. DAkkS is the sole national accreditation body in Germany and acts in a sovereign capacity as the national accreditation authority.
  • ANAB (ANSI National Accreditation Board): one of the leading accreditation bodies in the United States. Most major cybersecurity certification organizations obtain their accreditation through ANAB.
  • UKAS (United Kingdom Accreditation Service): the British accreditation body, relevant for the European and international market.

Through the multilateral agreements (MLA) of the international umbrella organization IAF (International Accreditation Forum), accreditations are generally mutually recognized in the private-sector context. Important caveat: this recognition does not automatically extend to the sovereign or regulatory domain. DAkkS has made clear that certificates issued by bodies accredited by an accreditation authority from a third country (e.g., USA/ANAB) do not meet the requirements of EU Regulation (EC) No 765/2008. For public procurement procedures within the EU, this can mean that only a DAkkS-accredited (or EU-based) certification is formally recognized as accredited.

Which cybersecurity certifications are accredited under ISO 17024?

The landscape is opaque. Here is an overview of the most important providers:

  • ISC2: all 9 certifications (including CISSP, CCSP, SSCP, CC) are ANAB-accredited under ISO/IEC 17024. ISC2 was the first cybersecurity certification body to pursue this path consistently.
  • ISACA: 4 out of more than 10 certifications are accredited - CISA, CISM, CGEIT, and CRISC. Newer certifications such as CDPSE, CCOA, and the AI certifications introduced in 2025/2026 (AAIA, AAISM, AAIR) do not yet carry ISO 17024 accreditation.
  • CompTIA: 12 certifications are ANAB-accredited, including Security+, CySA+, SecurityX (formerly CASP+), and PenTest+. CompTIA thus ranks among the providers with the broadest accredited portfolio.
  • GIAC (SANS): 14 of more than 30 certifications are ANAB-accredited, including GSEC, GCIH, GPEN, GCFA, GCIA, GSLC, GCED, GSNA, GICSP, GISF, GCFE, GCSA, GCLD, and GFACT. The remainder of the GIAC portfolio - despite its excellent technical reputation - is not accredited under ISO 17024.
  • EC-Council: 7 certifications carry the accreditation - CEH, CEH (Practical), CCISO, CND, CHFI, CCT, and ECIH. Notably, CPENT (Certified Penetration Testing Professional) is not accredited.

Labor market relevance: where accreditation matters

In certain contexts, accreditation status is not a nice-to-have but a hard requirement:

DoD 8140 (USA): the U.S. Department of Defense requires certifications listed in the DoD 8140 Qualification Matrix for IT and cybersecurity positions. Most certifications listed there are ISO 17024-accredited. For service providers and consultants working with U.S. agencies or NATO structures, this is directly relevant - including in the DACH region.

Government and critical infrastructure in the DACH region: although Germany, Austria, and Switzerland do not (yet) have a positive list comparable to DoD 8140, tenders are increasingly oriented toward accredited certifications. In procurement procedures for critical infrastructure (KRITIS) and government projects, proof of accredited certifications can be an award criterion. It should be noted that under EU procurement law, only accreditations issued by EU-based accreditation bodies (such as DAkkS) are formally recognized - ANAB-accredited U.S. certifications are accepted in the private sector but may face formal obstacles in public tenders.

Recruiting and careers: on the open labor market, recruiters rarely distinguish between accredited and non-accredited certifications. What counts here is name recognition. Nevertheless, it is worth understanding the distinction - particularly for those looking to move into regulated industries.

The limits of accreditation: why OSCP still counts

Perhaps the most important caveat: ISO 17024 accreditation says nothing about the technical depth or practical relevance of an examination. It attests to process quality, not content excellence.

The clearest example is OSCP (Offensive Security Certified Professional) from OffSec. OSCP is not accredited under ISO/IEC 17024 - OffSec currently holds only "ANAB Applicant" status, meaning accreditation has been applied for but not granted. Nevertheless, OSCP is regarded as the gold standard for practical penetration-testing competence. Its 24-hour hands-on examination in a live network carries a weight in the industry that no accreditation can replace. The same applies to other practice-oriented certifications such as OSED, OSWE, or CRTO (Zero-Point Security).

The lesson: accreditation is a quality marker for the process. Technical recognition is earned through the reputation of the examination within the community.

Special case BSI: certification by statutory authority

The Bundesamt für Sicherheit in der Informationstechnik (BSI - Germany's Federal Office for Information Security) occupies a unique position. The BSI certifies persons - for example, IT-Grundschutz consultants or IT-Grundschutz auditors - not on the basis of ISO 17024 accreditation by DAkkS, but by statutory authority (BSI Act, BSIG §§ 52, 56).

The BSI is therefore not an accredited certification body in the classical sense, but a federal authority legitimized by its statutory mandate. For the German market - particularly in the KRITIS and public administration domains - BSI certifications carry substantial practical weight, even without ISO 17024 accreditation. In international comparison, however, this model is the exception rather than the rule.


For cybersecurity professionals in the DACH region: knowing the accreditation status helps with strategic career planning. Those aiming at regulated sectors should favor accredited certifications. Those seeking to demonstrate technical depth cannot avoid practice-oriented examinations - regardless of accreditation status.