Alive Alive-O

Recently, I’ve been challenged by several people, concerned that the NCSC hasn’t said anything publicly about our Cyber Certified Professional Scheme (CCP).  At least, not since our blog last year.

So, let me say right up front: the NCSC has not turned its back on CCP. Quite the opposite in fact. In his recent blog about the launch of the government’s consultation paper on Developing the Cyber Security Profession in the UK, Chris Ensor emphasised that we “are committed to supporting and developing the CCP scheme”.

There are lots of people in the UK working in “cyber security”. But from a consumer perspective, it’s difficult to identify the good from the ‘not so good’, particularly when you’re not an expert yourself. We believe CCP can fill this knowledge gap, and have been working behind the scenes on a plan to address the known shortcomings of the scheme, ensuring that it remains fit for purpose and valued by the cyber security community.

So, what have we been doing?

We know from our own observations, and the feedback that we get from the cyber security community, that the scheme isn’t perfect. That’s hardly surprising given that it’s over 5 years old now, but this doesn’t mean that CCP isn’t needed.

So, we’ve been listening to what users of the scheme tell us is important for them. We’ve been talking internally with NCSC subject matter experts, about how we want to reshape the scheme based on that user feedback. And we’ve been working with our scheme partners (the three certification bodies who act on our behalf) to determine what is and isn’t working from their perspective – and how we might want to go about implementing change.

As a result of all of these discussions, a number of decisions have been made about the way forward and we’ve now initiated the project which will begin transforming CCP.

Two key changes

There are two key changes we want to implement.

The first is a move from the certification of roles to the certification of specialisms (e.g. Risk Management, Security Architecture etc). We’ve not defined in detail what these specialisms will be yet, and we will want to test our thinking, to ensure that it chimes with the wider cyber security community.

Why the change? Well, because CCP was always intended to be sector agnostic, but the role structure makes it look too government-oriented. We believe that specialisms are much more widely understood and should lead to wider recognition of the value of CCP for all sectors. Moving to specialisms also ensures coherence with other work in this area, such as the CYBOK, which will provide a guide to the underlying knowledge for specialisms.

The second change is in the assessment process itself. Today we have multiple levels of assessment against the roles – practitioner, senior practitioner, lead practitioner. We want to move away from this, instead, recognising specialists. This means we will need to redesign the assessment process.

To be able to apply for assessment as a specialist, individuals will be expected to demonstrate a broad foundation level of underpinning knowledge in cyber security. It’s anticipated that this will be satisfied by holding a relevant degree, apprenticeship, professional qualification or certification. Once pre-requisite knowledge has been judged as sufficient, applicants will go on to be assessed against their chosen specialism(s).


The NCSC intends to publish the requirements for foundational knowledge expected of applicants who do not hold a formal qualification or certification. Their knowledge will be assessed at a preliminary interview.

When’s this all happening?

Well, it’s already started. We’ve begun looking at the assessment criteria for foundation knowledge. We’re working with the certification bodies to develop the assessment criteria for applicants AND the criteria for assessors, to ensure that they (the assessors) can carry out the new assessments. And we will continue to consult and seek feedback on what we’re doing as the work progresses. We hope to have this preliminary work completed by late 2018, with a view to running a pilot in 2019.

Don’t panic!

We know this is a big change and that it might be unsettling for individuals who are either planning to apply for CCP, or who currently hold a certification. We expect and would encourage role certification to continue whilst we are redesigning and piloting the revised scheme. And we will ensure that there are transitional arrangements in place to allow appropriate time for those certified in roles to understand the criteria for specialisms, as we publish them.

When will we hear more?

As we begin the process of implementing changes to the scheme, you can expect more regular updates. I’m not going to speculate when these might be, as we’re still in the early planning stages. But I will commit to an update in September, bringing you up to speed on what’s been going on over the summer.

In the meantime, if you have any thoughts on the above, you can let us know in the comments below or by contacting us directly.

Anne W
Head of Commercial Cyber Security Assurance Schemes

Source: National Cyber Security Centre

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!