Setting new foundations for the CCP scheme

Created:  14 Nov 2018
Updated:  14 Nov 2018
Author:  Anne W

In my last blog about our commitment to the Certified Cyber Professional (CCP) scheme I spoke about how the scheme needed to be reshaped to keep it relevant for the wide range of customers the NCSC now works with. I signalled two key changes:

  • a move from the assessment of roles to assessment against specialisms
  • the need for candidates to show a broad foundation level of underpinning knowledge in cyber security, prior to being assessed as a specialist.

We have continued consulting with our Certification Bodies (CBs) and the NCSC technical community to start putting some substance onto those proposed changes. This blog is the update I promised on the next steps in taking those changes forward.

From roles to specialisms

Just to recap on why we are making this change. We want CCP to be relevant to all NCSC customers, not just government. However, the current assessment, which is based on government-centric IA roles, doesn’t really resonate with wider industry and business. We want to change this by focusing the assessment on the specific skills that really matter, rather than the context in which they are being applied.

We have decided to initially concentrate on assessing against two specialisms: risk management and security architecture. In time we expect the number of specialisms which professionals can be assessed against to increase. However, we need to begin 'small' and validate the assessment process and wider changes to the scheme before we expand it. We’re going to do this by running a pilot and we’re currently talking with our CBs about how we might conduct this.

My expectation is that the pilot will begin in the New Year and run for several months. This work will help us refine and streamline the evidence requirements for each specialism, as well as the assessment and application processes. Until we’ve had some feedback from the pilot there isn’t much more to say about this now, other than that I’ll blog again on this subject at a future date.

What about foundational knowledge?

We want to have confidence that all our professionals have a comparable level of validated foundational knowledge before applying for specialisms. This helps to raise standards and, just like other professional communities, provides a means of formalising what we need to know. I should stress that we won’t be assessing foundational knowledge; instead we will recognise industry certifications and other qualifications and will ensure that these meet certain criteria in terms of topic coverage and testing.

We’ve given this quite a bit of thought over the last few months. Obviously, people acquire professional knowledge in very different ways, so we’ve consciously tried not to limit options whilst ensuring that they are of the right standard. Our current thinking is that there will be three possible ways to demonstrate foundation knowledge:

  • Holding an NCSC-certified degree
  • Full membership of the IISP
  • Holding a CISSP certification and full membership of ISC2

Why have we chosen these three?

The NCSC has invested a lot of time and effort into our certified degrees initiative and is therefore confident that anyone holding one of these degrees will leave with the right depth and breadth of foundational knowledge to meet our foundational knowledge requirement. Some individuals may hold the same degree from an academic institution awarded prior to NCSC certification; we’ll assess these on a case by case basis.

There are many cyber security related professional certifications out there, but not all are equal in terms of the knowledge covered and the way it is tested. We wanted to avoid the scenario of individuals simply attending “boot camps” and passing an exam, so our criteria for recognising a professional certification are that it should: provide the right breadth and depth of cyber security knowledge; be vendor neutral; require an examination; require evidence of professional practice; and require continued learning or periodic recertification. As you’d expect, we’ve spent a lot of time reviewing professional certifications and currently the only one we think meets our criteria is the International Information System Security Certification Consortium’s (ISC2) Certified Information Systems Security Professional (CISSP). Consequently, we’ll recognise CISSP plus an ISC2 endorsement of being in good standing as evidence of foundational knowledge.

Finally, as with professional qualifications, the criteria for professional membership can vary. Institutions that offer professional membership must define and validate a suitable breadth and depth of cyber security knowledge; be vendor neutral; and require evidence of professional practice. We believe that full membership of the IISP meets this and again will recognise it as suitable evidence of foundational knowledge.

I want to stress that the above is not a closed book; it’s our starting position. We’ll continue to review qualifications and certifications to see if we can expand what we recognise. For example, we are exploring expanding our recognition of degrees to include courses supporting the new degree apprenticeship standard. In the longer term we would expect the Cyber Security Body of Knowledge (CyBOK) to become the standard against which the gaining of foundational knowledge will be judged.

If you think we have missed something, let us know.

The experience-only route

Whilst we believe that what has been laid out above is a fair and inclusive way of recognising foundational knowledge, we are also aware that there are good professionals out there who do not fall into any of these categories. We are therefore devising an experience-only route.

We still need to ensure that people choosing this route can demonstrate that the experience they have gained in the workplace has the right depth and breadth. We are planning on using the CyBOK as the basis for this. Our current thinking is that individuals would elect to show how their work experience has given them foundational knowledge in an agreed number of the 19 Knowledge Areas; NCSC will publish the required number of areas at a future date. This would be documented in a technical CV which they would submit for review and, if accepted, the applicant would then go on to be interviewed. If they are successful at interview they’ll meet the criteria for foundational knowledge and will then be eligible to apply for their chosen CCP specialism(s).

We’ll be providing further information on this as the pilot work informs our thinking.

A word to the Head Consultants of our Certified Cyber Security Consultancies

If you are one of these, you’re probably thinking you’ve seen this before. Head Consultants will have been through a very similar assessment as part of their company’s application to the Certified Cyber Security Consultancy scheme. Part of this process includes assessment of foundational knowledge by the NCSC as well as an interview by senior members of our technical community. If you fall into this category, and you are a Head Consultant in either Risk Management or Security Architecture, you will automatically qualify for CCP certification in that specialism. We’ll be contacting all our Head Consultants in due course to discuss this.

And finally

We do recognise that these are big changes, and we want to get them right. The pilot will help us do this and inform how we plan to transition from the old roles to the new specialisms. This will be a major focus for our planning work in the New Year. We’ll blog again as things progress.

As before, if you have any thoughts on the above, you can let us know in the comments below or by contacting us directly.

Anne W
Head of Commercial Cyber Security Assurance Schemes

18 comments

Chris C - 14 Nov 2018
Presumably there will be a cost for becoming certified under the new scheme? If so, what is the point when all you are certifying is that I have an up to date CISSP qualification? Is it not reasonable just to provide evidence of that to an employer/customer and cut out the middle man, allowing this scheme to focus on those who have experience only? At an outlay of several hundred pounds over a 3 year period at current prices, it seems an odd situation to spend money on something that offers the certified holder with existing educational competencies for very little return. Will there be a lower price level for those who have existing qualifications, as surely the assessment criteria will be far less onerous than for those who cannot provide relevant certifications?
Anne W - 14 Nov 2018
Hi Chris.
The reference to CISSP is an example of the requirement for foundational knowledge. The NCSC will not be certifying the foundational knowledge, it is a precursor to being assessed as a specialist. Applicants for certification in a CCP specialism need to provide proof of foundational knowledge before they can embark on the process to apply for certification in a specialism. Thus the NCSC will only certify someone if they satisfy the requirements for specialist knowledge and experience as well as the requirements for foundational knowledge.
Graham K - 14 Nov 2018
With the move from "the assessment of roles to assessment against specialisms" will there be any change to the certification areas themselves (e.g. Auditor, SIRA, Architect etc), either being updated or renamed?
Anne W - 14 Nov 2018
Thanks for the question Graham. When all the lessons have been learnt from the 2019 pilot for specialisms, it is anticipated that specialism certification will ‘go live’. At that point all new role certifications will cease: role certifications which are current at that stage will run until the end of their normal 3-year period and then lapse. It is certainly possible that some of the role descriptions will be updated in the meantime.
Andy H - 14 Nov 2018
Anne, many thanks for your updated blog on the future of the CCP scheme. I have two questions if I may:
1. If someone currently holds a CCP (SIRA) accreditation at Practitioner level, is it worth applying through the relevant CB for this to be upgraded to Senior Practitioner (clearly with supporting evidence & experience) if the three levels of Practitioner, Senior Practitioner and Lead Practitioner are to be replaced with a single level of Specialism in the near future?

2. What are the transition arrangements to migrate current holders of CCP accreditations across to the new specialisms?

Many thanks, and good luck!
Anne W - 20 Nov 2018
Hi Andy; thanks for the questions and your encouragement!

The first question I can’t really answer for you, but offer the following thoughts. We have currently not yet set a timetable for the start of certification in a CCP specialism as we need to first run the pilot, learn some lessons from this and work out our transition arrangements. So at the moment I cannot say whether assessment of specialisms will begin in the latter part of 2019 or whether it is more likely to start in 2020. If you feel that you have the evidence and experience to support a successful upgrade to Senior Practitioner in the meantime and you are successful in that, you could of course be reaping the benefit of that upgrade in the meantime. However, as I’m sure you appreciate, that decision is yours and we cannot advise you either way. Whatever route you choose though, I wish you success.

The second question is slightly easier for me to answer. Role certifications will run their 3-year course and once CCP specialisms 'go live', i.e. at some point after the 2019 pilot, people certified in a CCP role will be given the opportunity to consider the 'delta' between their current experience and knowledge and that required for certification in their chosen specialism. We will allow people a period of time to prepare to make the transition from a role certification to the requirements of a CCP specialism certification if they so wish. I would anticipate this period to be approximately 12 months, but this is still to be finalised; again we will confirm what the transition arrangements and timescales are after we have reviewed the results of the pilot.
Ross Thomson - 15 Nov 2018
Will existing CCP Senior Practitioner SIRAs/Architects, with full membership of the IISP and the CISSP qualification be expected to resubmit their technical CVs and be interviewed again?
Anne W - 20 Nov 2018
Hi Ross.
If you have full membership of the IISP, your foundational knowledge has already been proved. You would then have to prove your specialist knowledge and experience, through case studies and an interview. The pilot I mentioned will help us define the detailed criteria for assessment and the application process. We'd expect to be publishing these later in 2019 when the pilot has concluded.
Ronan - 15 Nov 2018
Hi Anne. I have a couple of questions for you.

ISC2, and CISSP holders, might well take exception to the consideration of that certification as foundational knowledge for the purposes of CCP. ISC2 requires significant verified work experience in addition to passing the exam in order for a person to be awarded the CISSP. Isn't that level of effort beyond foundational?

ISACA, which is vendor neutral, offers a number of certifications all of which require the same combination of rigorous testing, verified evidence of professional practice as well as continued learning in order to maintain the certification. I appreciate that this is still early stage however does the current thinking you set out have the effect of negating or diminishing the value of ISACA certifications (or others which meet the criteria above) in the context of CCP and its specialisms?
Anne W - 20 Nov 2018
Hi Ronan, another two great questions.
On your first point, the extent of foundational knowledge required for CCP has to include a degree of experience in applying that knowledge. Passing an exam on its own does not impart sufficient knowledge. This makes the 'CISSP in good standing with the industry' and membership of IISP particularly relevant as proof of foundational knowledge.
On the ISACA question, I’d refer you to the answer I gave to Dan below about CISM and CISA. These professional certifications, whilst meeting most of our criteria and being proven in the specific areas of knowledge they validate, do not provide enough breadth or depth of knowledge to go on to qualify in a CCP specialism.
Dan R - 15 Nov 2018
Would CISM and CISA not suffice for proof of foundational knowledge? From my understanding they seem to meet your criteria.
Anne W - 20 Nov 2018
Hi Dan, thanks for your question.
Our criteria for recognising a professional certification as sufficient to demonstrate foundational knowledge is that it must have sufficient breadth and depth of cyber security knowledge when mapped against the CyBOK. The NCSC does not consider that there is sufficient evidence that CISM and CISA currently meet this requirement. Neither of these professional certifications is bad, far from it; they just don’t provide the sufficient foundational knowledge that we believe is required before applying for specialisms under CCP.
Carl Thorp - 19 Nov 2018
Will there be a natural evolution to the new scheme as existing CCP certifications expire or will there be a fixed date by which we all need to re-apply regardless of whether or not our current CCP is due for renewal?
Will existing CCP holders have to apply as if they are completely new to the scheme or will they simply renew their CCP and seamlessly move into the new scheme?
Anne W - 21 Nov 2018
Hi Carl – hopefully the answer I have given to the second part of Andy H’s question above answers this one for you:
"Role certifications will run their 3-year course and once CCP specialisms 'go live', i.e. at some point after the 2019 pilot, people certified in a CCP role will be given the opportunity to consider the 'delta' between their current experience and knowledge and that required for certification in their chosen specialism. We will allow people a period of time to prepare to make the transition from a role certification to the requirements of a CCP specialism certification if they so wish. I would anticipate this period to be approximately 12 months, but this is still to be finalised; again we will confirm what the transition arrangements and timescales are after we have reviewed the results of the pilot."
Warren Maseman - 21 Nov 2018
Can you tell me what this all means for the foundation CISMP exam from BCS? Will this be scrapped? And is it even worth doing now?
Anne W - 04 Dec 2018
Hello Warren, thanks for taking the time to read the blog and comment.
The CISMP exam is one of the ways BCS establishes whether candidates for CCP Roles at Practitioner Level have demonstrated sufficient foundation knowledge to apply for certification under the scheme. As outlined in the blog, the NCSC intend to move away from role based certifications to specialisms. Specialisms will not be assessed in the same way as the current roles and will require a different breadth and depth of foundational knowledge. Full details of how assessments will be conducted in future will be published after the pilot has completed.
The future of CISMP is a matter for the BCS and in terms of your question as to whether it is still worth you doing the exam, I’m sure you’ll appreciate that this decision is yours and I can’t advise you either way. Whatever you decide to do though, I wish you success in your career.
Pete - 21 Nov 2018
Hi Anne. Are there any plans to take ISC2 CISSP concentrations into account?

If you hold a CISSP-ISSAP certificate in good standing, would this provide sufficient evidence to satisfy requirements for the security architecture specialism? If not, what additional criteria will the new CCP likely use to assess candidates against?
Anne W - 23 Nov 2018
Hello Pete, thank you for your comment.
Whilst the CISSP-ISSAP certification does demonstrate a depth of knowledge in security architecture, the CCP assessment process will include an interview so that the NCSC can determine experience as well as knowledge. Work on the assessment criteria for the Risk Management and Security Architecture specialisms is still in progress and yet to be finalised; this will be published as soon as possible. We will of course review the assessment criteria for CCP after conducting the pilot and as the process develops.