NCSC Certified Cyber Professional (CCP) Assured Service

Transcription

NCSC Certified Cyber Professional (CCP) Assured Service
Questions and answers on the new approach to Specialism Recognition
THE COPYRIGHT OF THIS DOCUMENT IS RESERVED AND VESTED IN THE CROWN.
APRIL 2021

In this document the NCSC has gathered answers to questions raised about our new approach to certifying specialisms rather than roles. Many of these were raised and discussed at the Certified Cyber Professionals Community Event held on 16th February 2021. It is hoped that this document serves as a reference for those discussions for both those at the event and those that could not attend. We are grateful to all who attended and engaged in the discussions – your inputs shaped this document, thank you. The answers represent what was said at the time and we will endeavour to keep you updated as our thinking develops over time.

The information has been grouped into four topic headings:
1. Specialisms
2. Specialisms Assessment
3. Transition
4. Value Proposition

1. SPECIALISMS

The bar is being raised for future certification – it will be specialists only, starting with the Risk Management Specialism, to be launched in summer 2021. This will be followed by other specialisms.

There are two levels of specialism: Certified Cyber Professional (Risk Management Specialism); and Associate Cyber Professional (Risk Management Specialism). These two levels will also apply to other specialisms as they are introduced. The difference is that the higher level of Certified Cyber Professional essentially recognises effective practice in different contexts.

Q. How long will the Specialism certification period be? Why do you have to re-validate?

The specialism certification will last for three years. Re-validation is important to ensure professionals have remained up to date with developments in their specialist areas. Whilst we won’t expect professionals to have to provide the same foundational knowledge evidence when re-validating, it will be important to demonstrate that they’ve continued to practise and update their cyber security knowledge and have logged continuing professional development.

Q. What will the next Specialisms be? Can I suggest SecOps as the next Specialism?

The Security Architecture specialism is currently being piloted, so that may be another specialism to follow Risk Management in due course. Other specialisms are also being considered, such as Audit & Review, Incident Management, Security Testing & Vulnerability Assessment, Investigation & Forensics. One factor in these considerations is the external market, which is why we were keen to gather evidence from current CCP professionals on what market demands they see for any particular specialisms. To this end we gathered responses through a survey circulated after the event on 16th February. We are always interested to hear at any time practitioners’ views on what future specialisms might suit their profession.

Q. How would the Certified or Associate Certified Professional (Security Architecture Specialism) incorporate business outcome (as well as technical aspects)? Is the certified security architect more like a security solutions engineer?

NCSC views both business needs and user needs being key to the assessment criteria. Security architects are going to be focussed on the security technical side, but at the same time we think that to be a good security architect you need to be able to understand the business context so that you can:
- Decide what level of security is appropriate and proportionate.
- Help seniors make the difficult trades between good enough security and delivering the business needs.
- Understand interplay between business processes and the technology.
- Understand what is technically practical from an enterprise architecture point of view.

"Security solutions engineer" is part of the role in that there is some overlap. Whilst we need to see a range of soft and technical skills for security architecture, we do feel that you need to keep technically strong.

Security architects fill a very important niche – i.e., someone who has breadth of cyber security knowledge and an excellent set of consultancy skills. A Certified Cyber Professional (Security Architecture Specialism) is probably the broadest specialism possible, and it is quite possible that such professionals might develop their career beyond that role. They should be the top security architects in the country, able to advise on risk of any technology or industry, even if it is not their specialist area, and be deeply technical with excellent consulting skills demonstrated through a track record of solving the most complex security challenges.

Q. What seem to be the biggest technical gaps for a Security Architecture Specialism: network / cloud / protective monitoring / AD / storage / virtual?

A CCP Security Architect should have a good foundation in all of those and the ability to become a lot more specialist if needed. No-one can know every technical area, but an architect, with their good general technical base, should at least know enough to be able to spend a day or two doing in-depth research on any arbitrary technology if it is pertinent to a customer. We generally find that architects have an excellent broad range of skills, but then are specialist in one area too.

Q. What would be the nature of a Cyber Security Audit & Review Specialism?

Regulators have a demand for cyber security Auditors, so it is certainly under consideration as a specialism. One of the questions is whether it is effectively a cyber security specialism with an audit qualification as well or an audit specialism with a cyber security risk qualification.

Q. How will the Specialisms fit with Chartered professional status with the UK Cyber Security Council?

The Council stands up in spring 2021. It’s our long-term aspiration to transition CCP to the Council, as it belongs within professional development and recognition. The NCSC and the Council will need to discuss how and when this can happen.

Q. I have historically crossed the divide between risk and architecture. Can you have two Specialisms?

You can have as many specialisms as you like as long as you fit the criteria.

2. SPECIALISMS ASSESSMENT

The assessment will be based on demonstration of foundational knowledge qualifications plus case studies plus interview. All three Certification Bodies will use exactly the same assessment process.

Q. How has the assessment process changed? [For example] Will the CREST CR TSA still be required for Security Architecture? Will the exam be revised for new requirements? Does the CISSP-ISSAP concentration offer more evidence of skills needed for CCP Architect?

The assessment process for CCP Specialisms is very different from that for CCP Roles. Specialism assessment process:
- Proof of foundational knowledge (see next question for criteria).
- 2 sides of A4 case study to show how you’ve applied specialist knowledge (not foundational knowledge), instead of the several pages of evidence that a role application currently requires. There are exemplar case studies which follow the assessment categories used in the interview (approach to risk assessment, approach to risk treatment, etc.).
- Interview based on case study and sometimes also on a scenario, to demonstrate specialist practice (if applying for multiple specialisms, separate interviews will be required for each specialism).

No-one will be required to hold both a role and a specialism certification for the same cyber security activity. Your role certifications will continue to be valid in the usual way until the period for which you were certified has expired. The deadline for CCP role applications and re-certification applications was 28th February 2021.

Q. Why do I have to prove foundational knowledge? Why are globally recognised qualifications such as CISSP, CISM and SABSA not recognised as indicative of a good standard for SIRA and Security Architecture?

As a guide, proposed professional certifications should:
- cover a broad range of CyBOK Knowledge Areas
- be vendor neutral
- require an examination
- require evidence of professional practice
- require continued learning, or periodic re-validation

NCSC would consider any qualification that demonstrates these foundational requirements. CISM and membership of ISACA are now included as indicative of proof of foundational knowledge.

It is important for all parties in the assessment process – both candidates and assessors – that we minimise the risk of accepting people for the more rigorous stages of specialism assessment to subsequently find they do not have sufficient foundational knowledge.

For Certified Security Architecture specifically, it is hard to find available qualifications which cover the necessary knowledge base. It might look to be at an appropriate depth in one area (eg risk management) but not enough on how technical you are. They are still useful to show your rounded development though, especially at Associate level.

Q. Are there any views on how much assessment under the new scheme will cost?

This will be a matter for Certification Bodies to decide.

3. TRANSITION

Q. When will the new accreditation scheme be implemented and will there be a transition from existing CCP? When will current CCP scheme come to an end - especially for those where the new specialism is not yet in place?

The new accreditation process will be implemented in summer 2021 and there will be a managed transition from the existing CCP process. Individuals can apply to be certified under the new process as soon as their specialism becomes available for accreditation. If individuals prefer, they can continue with their existing CCP role accreditations until they become due for renewal.

No role certificates will have had a start date any later than 31st March 2021. Role certification periods in effect on the date that role applications close will run their full 3-year course.

The latest that new CCP applications were accepted was 28th February 2021. With respect to renewing role certifications the last date for awarding these was 31st March 2021.

Q. Are there any plans to have some kind of ‘grandparenting’ type arrangement to map existing CCP holders into new roles?

There will be no automatic transition from a Senior or Lead role to being recognised in the corresponding specialism (no ‘grandparenting’). The assessment processes are very different. Certification Bodies will help individuals to understand the difference, as well as to understand the evidence and experience needed for certification in a specialism.

Q. If all current Leads need to go through Specialism certification from scratch then what would be the potential knock-on to CCSC Heads of Profession?

Head Consultants within the NCSC Certified Cyber Security Consultancy scheme have already been assessed as head consultants with foundational knowledge pre-requisites which they all satisfied at the time. So in the future we will not ask them for proof of pre-requisite foundational knowledge again. We will be asking for CPD/CPE evidence as befits professional development to top up the recognition we have given them already as specialists. There are no laid down qualifications for that, and the process will be as flexible as possible. The proof of CPD/CPE for head consultants will not be required until autumn 2021.

4. VALUE PROPOSITION

Q. What is the value of Specialisms to me as an existing cyber security professional already working in the industry? Some of the best and most experienced cyber security practitioners I know don’t have any recognised cyber certifications, but this has not prevented them from working in and with the public sector at strategic levels.

CCP certification is a prestigious, high bar for the profession. This is the first real change in 9 years. It’s needed because role titles don’t really explain the full benefit of CCP and mean different things to different organisations. Specialisms – or areas of practice – are much better understood than role titles and provide a clearer understanding of specialist level.

The benefit for you is that as a certified specialist you will be recognised by the NCSC – the national technical authority for cyber security – as having a high level of knowledge and experience in that specialism, whatever sector you work in.

A real plus for individuals is that those certified as Certified Cyber Professional will have proved that they have passed the technical interview to be a Head Consultant, should their organisation wish to apply to provide a Certified Cyber Security Consultancy scheme offering. Individuals certified as Certified Cyber Professional would also be eligible to be a CCP Specialism assessor if accepted as an assessor by a Certification Body.

Q. What plans does NCSC have to publicise the new scheme? How do we encourage the private sector to adopt protecting UK Plc, and demonstrate the benefits to private sector organisations of having CCP within their workforce (previous demand for CCP seems to have been from the public sector)?

The NCSC will be leveraging the CCP specialisms within government and will produce communications for the wider community to explain the value of specialist recognition. The specialisms will also be part of the Certified Cyber Security Consultancy offerings. The NCSC itself also values this level of specialism for collaborative work. This level of specialist is also likely to be of value to the critical national infrastructure sectors, one specific example being the regulators of essential services where assessments are carried out under the Cyber Assessment Framework.

We fully understand that the current CCP scheme is not seen as universally relevant to the private sector, as it gives the impression of rather government-centric roles. But we are now focusing on specialisms which are relevant across all sectors and which will reinforce the value of CCP to the private sector.

Whenever NCSC is asked what qualifications demonstrate cyber security competence, we will be pointing to CCP. Members of the CCP community themselves have highlighted examples where CCP is seen as an advantage by clients: e.g., some find new procurements on g-cloud and the Cyber Security Services 3 dynamic purchasing system are asking for CCP qualifications; others have banking industry clients who highly value them being a CCP security architect.

Q. What about the requirement for cyber security generalists rather than specialists?

There is a need for professionals who can operate strategically across all of the disciplines and this is really important for everyone. We are certainly not saying the UK just needs specialists and agree that it needs both specialists and generalist
