Anyone who wishes to work in the information security environment, either within a government organisation or as a contractor to one, must be accredited to do so, regardless of any additional security clearances that may be required.
The certification, known as the Certified Cyber Professional (CCP) scheme, is not merely a qualification, but a full certification awarded to individuals who are able to demonstrate an application of their skills, knowledge and expertise to one of three approved certification bodies. At the time of writing, these are:
The Chartered Institute of Information Security (CIISec),4 CREST and the RHUL consortium. The NCSC web page3 contains comprehensive details of the scheme, which encompasses six different role areas:
Note that at the time of writing, the titles and descriptions in the NCSC document are as above, but the titles on the web page are slightly different.
Each role may be assessed at one of three levels, except for the penetration tester role, which has four levels and includes a Principal level. Otherwise, the levels are:
It does not follow that professionals who are very experienced at senior level will meet the role description for lead practitioner.
Two different areas of knowledge and expertise are assessed:
Each of the three levels for each of the six roles is described in greater detail in NCSC Certification for Cyber Security/IA Professionals, currently Issue 5.4, dated November 2018, and available from https://www.ncsc.gov.uk/files/CCP-Certification_for_Cyber_Security_IA_Professionals_5-4.pdf.
In the main body of the document, each role has a brief role purpose description and a statement of responsibilities, followed by a ‘headline’ statement, which outlines the key responsibilities of the role for each of the three practitioner levels. This is followed by a table listing the indicative IISP skill levels for the three role levels. Annex A of the document contains a very detailed description of the CIISec skill definitions.
Each of the skill areas begins with a statement of the CIISec Principle, followed by the knowledge requirements for that skill area.
Following on from this, each skill subset (for example, Governance under Information Security Management) is described in terms of CIISec example skills and, as an NCSC supplement, the attainment expected for each of the four skill levels.
The three certification organisations operate slightly different schemes with different costs, and prospective candidates are recommended to view the various options on the main CCP page at https://ncsc.gov.uk/information/about-certified-professional-scheme.
In addition to completing an application form that itemises and describes their SFIA and CIISec skill sets, candidates are strongly advised to have gained a thorough understanding of the following documents, the first of which is summarised in Chapter 11:
SFIA
Established in 2003, SFIA was designed as a system aimed at IT professionals to match their skills against business requirements. The current SFIA Framework (SFIA 7, dated May 2018)5 is available at https://www.sfia-online.org/en.
The scheme consists of five business-related areas:
These are assessed at seven levels of responsibility:
Level 1 Follow;
Level 2 Assist;
Level 3 Apply;
Level 4 Enable;
Level 5 Ensure and advise;
Level 6 Initiate and influence;
Level 7 Set strategy, inspire and mobilise.
The levels used in the CCP scheme are mostly 2, 4 and 6, but in some cases level 3 is used.
The 102 skills are subdivided into the following areas:
THE CIISEC SKILLS FRAMEWORK
The CIISec developed its information security skills framework as a means of assessing prospective members prior to interview. At the time of writing, it is at version 2.4, dated November 2019. The skills are rated at six levels:
The skills themselves are in 10 distinct groups, listed below.
A Information security governance and management
There are seven subcategories:
A1 Governance.
A2 Policy and standards.
A3 Information security strategy.
A4 Innovation and business improvement.
A5 Behavioural change.
A6 Legal and regulatory environment and compliance.
A7 Third party management.
B Threat assessment and information risk management
There are three subcategories:
B1 Threat intelligence, assessment and threat modelling.
B2 Risk assessment.
B3 Information risk management.
C Implementing secure systems
There are three subcategories:
C1 Enterprise security architecture.
C2 Technical security architecture.
C3 Secure development.
D Assurance, audit, compliance and testing
There are four subcategories:
D1 Internal and statutory audit.
D2 Compliance monitoring and controls testing.
D3 Security evaluation and functionality testing.
D4 Penetration testing and conducting simulated attack exercises.
E Operational security management
There are two subcategories:
E1 Secure operations management.
E2 Secure operations and service delivery.
F Incident management, investigation and digital forensics
There are three subcategories:
F1 Intrusion detection and analysis.
F2 Incident management, incident investigation and response.
F3 Forensics.
G Audit, assurance and review
There are three subcategories:
G1 Data protection.
G2 Privacy.
G3 Identity and access management (IAM/IdM).
H Business continuity management
There are three subcategories:
H1 Business continuity and disaster recovery planning.
H2 Business continuity and disaster recovery management.
H3 Cyber resilience.
I Information security research
There are two subcategories:
I1 Research.
I2 Applied research.
J Management, leadership, business and communications
There are three subcategories:
J1 Management, leadership and influence.
J2 Business skills.
J3 Communication and knowledge sharing.
K Contributions to the information security profession and professional development
There are three subcategories:
K1 Contributions to the community.
K2 Contributions to the information systems profession.
K3 Professional development.
SUMMARY
This completes the chapter on SFIA and the CIISec Skills Framework, which is generally used by non-governmental organisations. The next chapter deals with those documents and standards that are used more within UK government departments.
1 See https://apm.org.uk/.
2 See https://bcs.org.
3 See https://ncsc.gov.uk/information/about-certified-professional-scheme.
4 See https://www.ciisec.org/.
5 A beta release of SFIA version 8 was due to be published at the end of June 2021, with the full release in September 2021.