Our commitment to the CCP scheme

Created:  06 Aug 2018
Updated:  06 Aug 2018
Author:  Anne W
Alive Alive-O

Recently, I've been challenged by several people, concerned that the NCSC hasn’t said anything publicly about our Cyber Certified Professional Scheme (CCP).  At least, not since our blog last year.

So, let me say right up front: the NCSC has not turned its back on CCP. Quite the opposite in fact. In his recent blog about the launch of the government’s consultation paper on Developing the Cyber Security Profession in the UK, Chris Ensor emphasised that we "are committed to supporting and developing the CCP scheme".

There are lots of people in the UK working in “cyber security”. But from a consumer perspective, it's difficult to identify the good from the 'not so good', particularly when you’re not an expert yourself. We believe CCP can fill this knowledge gap, and have been working behind the scenes on a plan to address the known shortcomings of the scheme, ensuring that it remains fit for purpose and valued by the cyber security community.

So, what have we been doing?

We know from our own observations, and the feedback that we get from the cyber security community, that the scheme isn’t perfect. That’s hardly surprising given that it's over 5 years old now, but this doesn't mean that CCP isn’t needed.

So, we've been listening to what users of the scheme tell us is important for them. We’ve been talking internally with NCSC subject matter experts, about how we want to reshape the scheme based on that user feedback. And we’ve been working with our scheme partners (the three certification bodies who act on our behalf) to determine what is and isn't working from their perspective - and how we might want to go about implementing change.

As a result of all of these discussions, a number of decisions have been made about the way forward and we've now initiated the project which will begin transforming CCP.

Two key changes

There are two key changes we want to implement.

The first is a move from the certification of roles to the certification of specialisms (e.g. Risk Management, Security Architecture etc). We've not defined in detail what these specialisms will be yet, and we will want to test our thinking, to ensure that it chimes with the wider cyber security community.

Why the change? Well, because CCP was always intended to be sector agnostic, but the role structure makes it look too government-oriented. We believe that specialisms are much more widely understood and should lead to wider recognition of the value of CCP for all sectors. Moving to specialisms also ensures coherence with other work in this area, such as the CYBOK, which will provide a guide to the underlying knowledge for specialisms. 

The second change is in the assessment process itself. Today we have multiple levels of assessment against the roles - practitioner, senior practitioner, lead practitioner. We want to move away from this and instead recognise specialists. This means we will need to redesign the assessment process.

To be able to apply for assessment as a specialist, individuals will be expected to demonstrate a broad foundation level of underpinning knowledge in cyber security. It's anticipated that this will be satisfied by holding a relevant degree, apprenticeship, professional qualification or certification. Once pre-requisite knowledge has been judged as sufficient, applicants will go on to be assessed against their chosen specialism(s).

The NCSC intends to publish the requirements for foundational knowledge expected of applicants who do not hold a formal qualification or certification. Their knowledge will be assessed at a preliminary interview.

When’s this all happening?

Well, it’s already started. We’ve begun looking at the assessment criteria for foundation knowledge. We're working with the certification bodies to develop the assessment criteria for applicants AND the criteria for assessors, to ensure that they (the assessors) can carry out the new assessments. And we will continue to consult and seek feedback on what we're doing as the work progresses. We hope to have this preliminary work completed by late 2018, with a view to running a pilot in 2019.

Don’t panic!

We know this is a big change and that it might be unsettling for individuals who are either planning to apply for CCP, or who currently hold a certification. We expect and would encourage role certification to continue whilst we are redesigning and piloting the revised scheme. And we will ensure that there are transitional arrangements in place to allow appropriate time for those certified in roles to understand the criteria for specialisms, as we publish them.

When will we hear more?

As we begin the process of implementing changes to the scheme, you can expect more regular updates. I’m not going to speculate when these might be, as we're still in the early planning stages. But I will commit to an update in September, bringing you up to speed on what’s been going on over the summer.

In the meantime, if you have any thoughts on the above, you can let us know in the comments below or by contacting us directly.

Anne W
Head of Commercial Cyber Security Assurance Schemes


Ed - 06 Aug 2018
It is good to see the NCSC starting to breathe life back into CCP, it has been ignored for too long (when was it last referenced on a main set of NCSC slides or in an event keynote?)

Some questions:
How does this new shape for CCP fit with the current consultation being run by DCMS on developing the UK Cyber Security Profession, which closes at the end of August 2018?
Will the pilot for new CCP in 2019 support the DCMS aim of Chartered Status by 2020 as part of a new career pathway?
If the NCSC wish to use existing information security qualifications to support the new CCP, who will be mapping the existing certification bodies of knowledge to the CYBOK as the majority are US based?
Anne W - 13 Aug 2018
Hi Ed, glad you liked the blog and thanks for taking the time to respond. They’re great questions you posed and as others are no doubt thinking the same, let me see if I can answer them satisfactorily for you.

The DCMS consultation and the refresh of CCP are complementary activities, but focussed at different levels. The DCMS consultation is about developing the cyber security profession as a whole and the refresh of CCP is about recognising competent professional practice in cyber security at an individual level. The aim of the CCP pilot in 2019 will be for the NCSC to gain assurance that the CCP assessment criteria for specialisms are appropriate and robust. Clearly it would be for any future Cyber Security Council (such as DCMS has proposed) to decide how CCP should be factored into Chartered Status. However, CCP will continue to be a certification of competence in cyber security and as such I would expect it to be a candidate for being part of a pathway towards Chartered Status.

With regard to ‘mapping the existing certification bodies’ bodies of knowledge to CyBOK’: the Cyber Security Body of Knowledge (CyBOK) project is meant to be a guide to the body of knowledge about cyber security. The knowledge that CyBOK codifies already exists in various publications and there is no requirement under CCP to map existing Bodies of Knowledge (BOKs) to the CyBOK. Careful consideration will be given to the range of information security qualifications appropriate to support CCP in the future and their applicability will be tested during the anticipated 2019 pilot.

Finally, I note your more general observation about CCP - “when was it (CCP) last referenced on a main set of NCSC slides or in an event keynote?”; as we set about changing things, we’ll try to do better in this space.
A Hodges - 08 Aug 2018
Had a look again at certification - still overly complicated, confusing & wordy. Some links are dead.
6 areas of expertise x three levels = 18 unique 'qualifications'. Why?
Don't we want to encourage more young people into the profession? If so then this is not the way

Anne W - 15 Aug 2018
Thanks for your comment; we’ll be reviewing the application process as part of the ongoing project work.
V - 10 Aug 2018
Regarding the statement "It's anticipated that this will be satisfied by holding a relevant degree, apprenticeship, professional qualification or certification."
Will a current CCP SIRA Practitioner certification satisfy this requirement?
Anne W - 15 Aug 2018
What we are proposing is that applicants would prove pre-requisite, foundational knowledge before taking the step of applying for certification in a CCP specialism. We anticipate publishing full details of how to prove that knowledge, but will be consulting our Certification Partners before we do so, to ensure that those decisions are made on the basis of the best information available to us. As we work through the details we will publish more information.
Piers B - 15 Aug 2018
One of the successes of CCP was the introduction of tiers of membership within the roles (Practitioner, Senior Practitioner, Lead~). Will such a towering be mirrored into the new specialist levels?

One of the failures of CCP was the lack of any requirement for government to use a CCP role at a certain level. Will any mandatory requirement be brought in to assist the new scheme to bed in or would that be seen as tying the scheme too closely to government and therefore not being inclusive enough?
Anne W - 20 Aug 2018

Thank you for your questions. I'll address them in turn.

It is likely in the first instance that there will be only one specialist level. Feedback we’ve received suggests that employers and recruiters didn’t always understand the difference between role levels and what they really want to do is recruit an “expert in subject X”. We are, however, still in the early days of planning for the revised scheme and if our ongoing research suggests that there is strong evidence for a need for additional levels, we would consider it.

You’re right to consider the need to demonstrate the inclusiveness of CCP. Whilst the scheme was always intended to be sector agnostic, feedback tells us that we haven’t really achieved this to date. So we need to do better in this space, hence the move to specialisms rather than roles. It should be much easier for employers to specify what they want in terms of expertise in particular specialism. Our expectation is that being certified by the NCSC will provide assurance of an individual’s competence to work on complex networks; and we know there is considerable demand for this both in the public and private sectors.
Russ G - 21 Aug 2018
The scheme is too expensive and has become a tax on the market. It is too complex and does not prove competence. I would be interested in working on the development of a future version.
Anne W - 23 Aug 2018
Thank you for your comments and – as the blog says - ‘… we will continue to consult and seek feedback on what we're doing as the work progresses.'
Rob Newby CCP (Senior SIRA and Architect) - 05 Sep 2018
Would be good to align with NIST CSF. Specialisms in Governance and Risk (Identify), Architecture (Protect), Security Ops (detect), Incident Management, Threat Intel, Red Teaming (Respond), and BC/DR (Recover). Would go some way to the international alignment you’ve been talking about. There are a lot of individual roles under this: you could start to define national blueprints for security departments and start to standardise the industry as a whole. Would be exciting.
Anne W - 07 Sep 2018
Thank you for your interest and taking the time to comment. We’ll give due consideration to your constructive feedback.
Mick - 22 Oct 2018
I would suggest that a large number of CCP members have committed time and money in achieving and maintaining their current role/level and providing an excellent service to their current employers. Has the NCSC considered some form of "grandfather" rights to those CCP members who hold Senior or Lead levels within their roles or will CCP members be expected to follow additional training/courses to achieve perhaps Chartered status or degrees before they can reapply for the new specialisms? If not I would suggest that there could be a rush by those members who don't hold degrees etc to jump onto some additional security courses at a huge personal cost to bolster their vast years of experience in what is a very niche market. Will some form of guidance be forthcoming before we see a rush to the IT training market?
Anne W - 06 Nov 2018
Experience has taught us that the CCP role assessment process doesn't provide sufficient depth of assessment of foundational knowledge. CCP interviews have to test a large number of skills and this doesn't provide enough time to test foundational knowledge as well. Providing robust proof of foundational knowledge will be a key stage before you can apply to be certified in a specialism. This helps to raise standards and, just like other professional communities, provides a means of formalising what we need to know; we also hope it will make the application process more efficient and faster.
With regard to 'grandparenting in': head consultants in the Certified Cyber Security Consultancy scheme for offerings in Risk Management and/or Security Architecture will be certified in the respective CCP specialisms (so, in effect, 'grandparented in'), as they have already been assessed under the same conditions that will be required under the CCP process for certification in a specialism. They have been interviewed extensively to test both their foundational and specialist knowledge and have provided CVs and case studies to attest to this. However, there is no scope to 'grandparent in' individuals certified at Senior and Lead levels who haven't been through this process. As stated above, the processes for certification in roles and specialisms are not the same.
On the subject of proving foundational knowledge: it shouldn't be necessary to attend courses, if you don't have formal proof of knowledge acquisition. There will also be an 'experience-only' route where people can submit a technical CV, structured around an agreed number of Cyber Security Body of Knowledge Areas and attend an interview to satisfy the requirement for foundational knowledge. See for more information about the Cyber Security Body of Knowledge. If the interview is successful, they can then start the application process to be certified in a cyber security specialism.
Phil T - 26 Oct 2018
“But I will commit to an update in September, bringing you up to speed on what’s been going on over the summer.”

I think the fact it is now nearly November and there’s been no update tells us all we need to know about the NCSC’s commitment to CCP.
Liam - 20 Nov 2018
I've identified the CCP scheme as my next line of professional training and certification.
I'd be happy to take part in a pilot for the new certification structure next year rather than embark on an end-of-life course.
