Blog post

Certifying the professionals

Created:  31 May 2017
Updated:  31 May 2017
Author:  Chris E
Image of weights

We had a number of great questions during CyberUK2017, and some of those were about the future of Certified Cyber Professionals (CCP). Was the scheme still wanted? Would it continue to be supported by government? Will it be made more applicable to the private sector? If you stayed and listened to Ian Levy's closing keynote you will have heard him clearly reaffirm our commitment to improving professional skills, as well as identifying those skilled cyber security professionals who can help our customers with their particular cyber security challenges. So CCP is not disappearing.

This doesn't mean that CCP is perfect. It is 5 years old and continuing to grow, and as with most growing things changes need to happen for it to flourish. We've been listening carefully to the feedback from users and participants in CCP, and know some areas where we need to make improvements. For instance, the application process is too time-consuming, the role structure is too prescriptive, and we need to ensure that the NCSC is providing the right level of support to the assessors to ensure they can continue to do their jobs effectively as the scheme evolves.

So what are we doing? For a start, we’re considering how to change from assessing people against role definitions to certifying people in cyber security specialisms (eg risk, architecture, audit & review). This will enable the process to focus on the skills that really matter. We are working with the Certification Bodies (CBs) on this. We'll also work with them on how to streamline the evidence requirements for the specialisms, as well as recognising existing qualifications as part of the assessment process.

This will all take time but we'll make sure that as and when the assessment criteria change, people who are certified will be given time to transition into the new process.

We're committed to CCP. It’s here because we need it. CCP is a demonstration of competence and as such is a much-needed benchmark for what is good in cyber security practice.

We'll keep you updated as things progress.

See Anne W and Jon L's blog 'Putting the NCSC's badge on it..' if you want to learn more about what is happening with NCSC's assurance work.

Here is more information about the Certified Professional scheme.

Chris Ensor
Deputy Director for Cyber Skills & Growth

5 comments

Steve Trease - 31 May 2017
Interesting. Not heard of CCP before. A link to what the scheme is and who/what it is aimed at would be useful.
Chris E - 01 Jun 2017
Steve, thank you for the feedback. We have added the link to give more information about the scheme to the blog.
Max - 01 Jun 2017
As a purely 'private sector' holder of a CCP qualification in architecture I'd advocate reviewing how to make the scheme more relevant to non-government organisations. That includes, not just consultancies and consultants who sell into government. I went through the process very recently and was told that it was 'highly unusual' and 'refreshing' to see someone present only private sector evidence.
Tim D Williams - 25 Jun 2017
As a former member of the CLAS scheme and current holder of CCP qualifications, it is reassuring to read about the NCSC's commitment to CCP. While the original CCP roles may not be working perfectly for candidates or employers, I do feel that before making any significant changes to the structure of CCP in-depth consideration should be given to what has been learned by other organisations e.g. 1 the UK National Personnel Standards for Information Security published in 2016 by The Tech Partnership e.g. 2. the work done in the USA by NICE on their Cyber Security Workforce Framework and NIST's draft SP 800-181. That scheme not only allows for abstractions (categories and speciality areas) and specifies the Knowledge, Skills and Abilities required to fulfil particular roles but also clearly sets out the typical collaborations and information exchanges between roles, something that is less clear in the current CCP roles. It would be great if the CCP scheme could help to establish Britain as a world leader in personnel standards for Cyber Security by covering important things which are not present in other frameworks within a coherent overall framework which can easily be compared with, related to and where appropriate used in conjunction with other references.
Cyber Skills & Growth team - 12 Jul 2017
Tim, Thank you for your thoughtful and detailed comment on the blog; it’s always really valuable to have comments like yours. At the start of our certification programmes for people, education (university degrees) and training, we decided to use the IISP Skills Framework, on the basis that it has a good foundation of the skills groups applicable to cyber security, whilst at the same time allowing flexibility to build on that general foundation with supplementary detail to define in greater detail the breadth and depth of knowledge and capability in cyber security specialisms. As a result, the NCSC has used this framework to promote coherence across its people, education and training programmes. (It’s also used to assess membership of the IISP, making its use even more widespread in the UK and probably beyond). As you know from the blog, the NCSC aims to move from role certification to skillset/specialism certification for CCP (with an appropriate transitional period for those affected). This will enable a better fit between jobs and people (the right skills for the job instead of shoe-horning a role into a job it doesn’t really match). You may also like to be aware of the CyBOK project (Cyber Security Body of Knowledge – see www.cybok.org.uk ). This aims to compile a guide to a comprehensive body of knowledge for free and open access. The project is being funded by the National Cyber Security Programme and it aims to provide knowledge and learning outcomes for educational and professional levels and some career learning pathways, which should help us all to cover those important things that you rightly mention in your last sentence. Thank you again for your comments.

Leave a comment

Was this blog post helpful?

We need your feedback to improve this content.

Yes No