Blog post

Our commitment to the CCP scheme

Created:  06 Aug 2018
Updated:  06 Aug 2018
Author:  Anne W
Our commitment to the CCP scheme

Alive Alive-O

Recently, I've been challenged by several people, concerned that the NCSC hasn’t said anything publicly about our Cyber Certified Professional Scheme (CCP).  At least, not since our blog last year.

So, let me say right up front: the NCSC has not turned its back on CCP. Quite the opposite in fact. In his recent blog about the launch of the government’s consultation paper on Developing the Cyber Security Profession in the UK, Chris Ensor emphasised that we "are committed to supporting and developing the CCP scheme".

There are lots of people in the UK working in “cyber security”. But from a consumer perspective, it's difficult to identify the good from the 'not so good', particularly when you’re not an expert yourself. We believe CCP can fill this knowledge gap, and have been working behind the scenes on a plan to address the known shortcomings of the scheme, ensuring that it remains fit for purpose and valued by the cyber security community.

So, what have we been doing?

We know from our own observations, and the feedback that we get from the cyber security community, that the scheme isn’t perfect. That’s hardly surprising given that it's over 5 years old now, but this doesn't mean that CCP isn’t needed.

So, we've been listening to what users of the scheme tell us is important for them. We’ve been talking internally with NCSC subject matter experts, about how we want to reshape the scheme based on that user feedback. And we’ve been working with our scheme partners (the three certification bodies who act on our behalf) to determine what is and isn't working from their perspective - and how we might want to go about implementing change.

As a result of all of these discussions, a number of decisions have been made about the way forward and we've now initiated the project which will begin transforming CCP.

Two key changes

There are two key changes we want to implement.

The first is a move from the certification of roles to the certification of specialisms (e.g. Risk Management, Security Architecture etc). We've not defined in detail what these specialisms will be yet, and we will want to test our thinking, to ensure that it chimes with the wider cyber security community.

Why the change? Well, because CCP was always intended to be sector agnostic, but the role structure makes it look too government-oriented. We believe that specialisms are much more widely understood and should lead to wider recognition of the value of CCP for all sectors. Moving to specialisms also ensures coherence with other work in this area, such as the CYBOK, which will provide a guide to the underlying knowledge for specialisms. 

The second change is in the assessment process itself. Today we have multiple levels of assessment against the roles - practitioner, senior practitioner, lead practitioner. We want to move away from this, instead, recognising specialists. This means we will need to redesign the assessment process.

To be able to apply for assessment as a specialist, individuals will be expected to demonstrate a broad foundation level of underpinning knowledge in cyber security. It's anticipated that this will be satisfied by holding a relevant degree, apprenticeship, professional qualification or certification. Once pre-requisite knowledge has been judged as sufficient, applicants will go on to be assessed against their chosen specialism(s).

The NCSC intends to publish the requirements for foundational knowledge expected of applicants who do not hold a formal qualification or certification. Their knowledge will be assessed at a preliminary interview.

When’s this all happening?

Well, it’s already started. We’ve begun looking at the assessment criteria for foundation knowledge. We're working with the certification bodies to develop the assessment criteria for applicants AND the criteria for assessors, to ensure that they (the assessors) can carry out the new assessments. And we will continue to consult and seek feedback on what we're doing as the work progresses. We hope to have this preliminary work completed by late 2018, with a view to running a pilot in 2019.

Don’t panic!

We know this is a big change and that it might be unsettling for individuals who are either planning to apply for CCP, or who currently hold a certification. We expect and would encourage role certification to continue whilst we are redesigning and piloting the revised scheme. And we will ensure that there are transitional arrangements in place to allow appropriate time for those certified in roles to understand the criteria for specialisms, as we publish them.

When will we hear more?

As we begin the process of implementing changes to the scheme, you can expect more regular updates. I’m not going to speculate when these might be, as we're still in the early planning stages. But I will commit to an update in September, bringing you up to speed on what’s been going on over the summer.

In the meantime, if you have any thoughts on the above, you can let us know in the comments below or by contacting us directly.

Anne W
Head of Commercial Cyber Security Assurance Schemes


Ed - 06 Aug 2018
It is good to see the NCSC starting to breath life back into CCP, it has been ignored for too ling (when was it last referenced on a main set of NCSC slides or in an event keynote?)

Some questions:
How does this new shape for CCP fit with the current consultation being run by DCMS on developing the UK Cyber Security Profession, which closes at the end of August 2018?
Will the pilot for new CCP in 2019 support the DCMS aim of Chartered Status by 2020 as part of a new career pathway?
If the NCSC wish to use existing information security qualifications to support the new CCP, who will be mapping the existing certification bodies of knowledge to the CYBOK as the majority are US based?
Anne W - 13 Aug 2018
Hi Ed, glad you liked the blog and thanks for taking the time to respond. They’re great questions you posed and as others are no doubt thinking the same, let me see if I can answer them satisfactorily for you.

The DCMS consultation and the refresh of CCP are complementary activities, but focussed at different levels. The DCMS consultation is about developing the cyber security profession as a whole and the refresh of CCP is about recognising competent professional practice in cyber security at an individual level. The aim of the CCP pilot in 2019 will be for the NCSC to gain assurance that the CCP assessment criteria for specialisms are appropriate and robust. Clearly it would be for any future Cyber Security Council (such as DCMS has proposed) to decide how CCP should be factored into Chartered Status. However, CCP will continue to be a certification of competence in cyber security and as such I would expect it to be a candidate for being part of a pathway towards Chartered Status

With regard to ‘mapping the existing certification bodies’ bodies of knowledge to CyBOK’: the Cyber Security Body of Knowledge (CyBOK) project is meant to be a guide to the body of knowledge about cyber security. The knowledge that CyBOK codifies already exists in various publications and there is no requirement under CCP to map existing Bodies of Knowledge (BOKs) to the CyBOK. Careful consideration will be given to the range of information security qualifications appropriate to support CCP in the future and their applicability will be tested during the anticipated 2019 pilot.

Finally, I note your more general observation about CCP - “when was it (CCP) last referenced on a main set of NCSC slides or in an event keynote?”; as we set about changing things, we’ll try to do better in this space.
A Hodges - 08 Aug 2018
Had a look again at certification - still overly complicated, confusing & wordy. Some links are dead.
6 areas of expertise x three levels = 18 unique 'qualifications'. Why?
Don't we want to encourage more young people into the profession? If so then this is not the way

Anne W - 15 Aug 2018
Thanks for your comment; we’ll be reviewing the application process as part of the ongoing project work.

Leave a comment

Was this blog post helpful?

We need your feedback to improve this content.

Yes No