10 THE NCSC CERTIFIED PROFESSIONAL SCHEME

Anyone who wishes to work in the information security environment, either within a government organisation or as a contractor to one, must be accredited to do so, regardless of any additional security clearances that may be required.

The certification, known as the Certified Cyber Professional (CCP) scheme, is not merely a qualification, but a full certification awarded to individuals who are able to demonstrate an application of their skills, knowledge and expertise to one of three approved certification bodies. At the time of writing, these are:

  • the APM Group;[1]
  • BCS, the Chartered Institute for IT;[2]
  • the Chartered Institute of Information Security (CIISec), CREST and RHUL consortium.[4]

The NCSC website[3] contains comprehensive details of the scheme, which encompasses six different role areas:

  • Accreditor. Accreditors provide impartial assessment of risks to which an information system may be exposed, and accredit such systems on behalf of the organisation’s senior management.
  • Communications security officer/Crypto custodian. This role manages cryptographic systems and includes Payment Card Industry Data Security Standard (PCI DSS) compliance.
  • Cyber security/information assurance (IA) architect. This role is designed to develop or review system architectures so that they fit the business requirements for security, mitigate risks, conform to security policies and balance information risk against the cost of countermeasures.
  • Cyber security/IA auditor. Auditors assess compliance with security objectives, policies, standards and processes.
  • IT security officer/information security system manager/information security system officer. This role is to provide governance, management and control of IT security.
  • Security and information risk advisor. This role is to provide business-driven advice on security and information risk that is consistent with cyber security policy, standards and guidance.

Note that at the time of writing, the titles and descriptions in the NCSC document are as above, but the titles on the web page are slightly different.

Each role may be assessed at one of three levels, except for the penetration tester, which has four levels and includes a Principal level. Otherwise, they are:

  • Practitioner – this is the entry level to Certified Professional and is suitable for individuals who work on routine IA tasks under supervision.
  • Senior practitioner – this level is suitable for individuals who work independently on complex projects and who normally lead a team of IA professionals or lead or oversee the work of other IA professionals.
  • Lead practitioner – this level is suitable for highly experienced individuals working at senior levels in an organisation, who provide advice and/or leadership on complex strategic IA issues.

It does not follow that professionals who are very experienced at senior level will meet the role description for lead practitioner.

Two different areas of knowledge and expertise are assessed:

  • The CIISec (formerly the Institute of Information Security Professionals (IISP)) skills matrix for information security technical skills, more information on which is provided in a later section of this chapter and is also available to CIISec members at https://www.ciisec.org.
  • The Skills Framework for the Information Age (SFIA) levels of responsibility for autonomy, influence, complexity and business skills. Many of the practitioner, senior practitioner and lead practitioner roles align with SFIA levels 2, 4 and 6. More detail is provided in the next section, and is also available from https://www.sfia-online.org.

Each of the three levels for each of the six roles is described in greater detail in NCSC Certification for Cyber Security/IA Professionals, currently Issue 5.4, dated November 2018, and available from https://www.ncsc.gov.uk/files/CCP-Certification_for_Cyber_Security_IA_Professionals_5-4.pdf.

In the main body of the document, each role has a brief role purpose description and a statement of responsibilities, followed by a ‘headline’ statement, which outlines the key responsibilities of the role for each of the three practitioner levels. This is followed by a table listing the indicative IISP skill levels for the three role levels. Annex A of the document contains a very detailed description of the CIISec skill definitions.

Each of the skill areas begins with a statement of the CIISec Principle, followed by the knowledge requirements for that skill area.

Following on from this, each skill subset (for example, Governance under Information Security Management) is described in terms of CIISec example skills and, as an NCSC supplement, the attainment expected for each of the four skill levels.

The three certification organisations operate slightly different schemes with different costs, and prospective candidates are recommended to view the various options on the main CCP page at https://ncsc.gov.uk/information/about-certified-professional-scheme.

In addition to completing an application form that itemises and describes their SFIA and CIISec skill sets, candidates are strongly advised to have gained a thorough understanding of the following documents, the first of which is summarised in Chapter 11:

SFIA

Established in 2003, SFIA was designed as a system aimed at IT professionals to match their skills against business requirements. The current SFIA Framework (SFIA 7, dated May 2018)[5] is available at https://www.sfia-online.org/en.

The scheme consists of five business-related areas:

  • autonomy;
  • influence;
  • complexity;
  • knowledge;
  • business skills.

These are assessed at seven levels of responsibility:

  • Level 1: Follow;
  • Level 2: Assist;
  • Level 3: Apply;
  • Level 4: Enable;
  • Level 5: Ensure and advise;
  • Level 6: Initiate and influence;
  • Level 7: Set strategy, inspire and mobilise.

The levels used in the CCP scheme are mostly 2, 4 and 6, but in some cases level 3 is used.

The 102 skills are subdivided into the following areas:

  • information strategy;
  • advice and guidance;
  • business strategy and planning;
  • technical strategy and planning;
  • enterprise IT governance;
  • strategic planning;
  • information governance;
  • information systems coordination;
  • information security;
  • information assurance;
  • analytics;
  • data visualisation;
  • information content publishing.

THE CIISEC SKILLS FRAMEWORK

The CIISec developed its information security skills framework as a means of assessing prospective members prior to interview. At the time of writing, it is at version 2.4, dated November 2019. The skills are rated at six levels:

  1. Basic knowledge.
  2. Knowledge and understanding.
  3. Junior practitioner.
  4. Practitioner.
  5. Senior practitioner.
  6. Principal/lead practitioner.

The skills themselves are in 10 distinct groups, listed below.

A Information security governance and management

There are seven subcategories:

  • A1 Governance.
  • A2 Policy and standards.
  • A3 Information security strategy.
  • A4 Innovation and business improvement.
  • A5 Behavioural change.
  • A6 Legal and regulatory environment and compliance.
  • A7 Third party management.

B Threat assessment and information risk management

There are three subcategories:

  • B1 Threat intelligence, assessment and threat modelling.
  • B2 Risk assessment.
  • B3 Information risk management.

C Implementing secure systems

There are three subcategories:

  • C1 Enterprise security architecture.
  • C2 Technical security architecture.
  • C3 Secure development.

D Assurance, audit, compliance and testing

There are four subcategories:

  • D1 Internal and statutory audit.
  • D2 Compliance monitoring and controls testing.
  • D3 Security evaluation and functionality testing.
  • D4 Penetration testing and conducting simulated attack exercises.

E Operational security management

There are two subcategories:

  • E1 Secure operations management.
  • E2 Secure operations and service delivery.

F Incident management, investigation and digital forensics

There are three subcategories:

  • F1 Intrusion detection and analysis.
  • F2 Incident management, incident investigation and response.
  • F3 Forensics.

G Audit, assurance and review

There are three subcategories:

  • G1 Data protection.
  • G2 Privacy.
  • G3 Identity and access management (IAM/IdM).

H Business continuity management

There are three subcategories:

  • H1 Business continuity and disaster recovery planning.
  • H2 Business continuity and disaster recovery management.
  • H3 Cyber resilience.

I Information security research

There are two subcategories:

  • I1 Research.
  • I2 Applied research.

J Management, leadership, business and communications

There are three subcategories:

  • J1 Management, leadership and influence.
  • J2 Business skills.
  • J3 Communication and knowledge sharing.

K Contributions to the information security profession and professional development

There are three subcategories:

  • K1 Contributions to the community.
  • K2 Contributions to the information systems profession.
  • K3 Professional development.

SUMMARY

This completes the chapter on SFIA and the CIISec Skills Framework, which is generally used by non-governmental organisations. The next chapter deals with those documents and standards that are used more within UK government departments.

[1] See https://apm.org.uk/.

[2] See https://bcs.org.

[3] See https://ncsc.gov.uk/information/about-certified-professional-scheme.

[4] See https://www.ciisec.org/.

[5] A beta release of SFIA version 8 was due to be published at the end of June 2021, with the full release in September 2021.
