I recently obtained the status of CESG Certified Cybersecurity Professional (CCP) as both a Security and Information Risk Advisor (SIRA), and also as a Cyber Security / Information Assurance Auditor.

I thought it would be useful to detail how I found the application process, my thoughts on the certification, and advice for anyone thinking about applying!

[Note: for those who don’t know, the CESG (Communications-Electronic Security Group) within GCHQ is now part of the National Cyber Security Centre (NCSC), but their branding for the CCP scheme hasn’t changed, yet.]

What is the CCP Scheme?

The CCP scheme is a way for cyber and information security professionals, primarily within the public sector (but not always), to gain an independent accreditation of their skills, knowledge and experience.

There are many benefits to obtaining certification, including:

  • having your professional expertise and competence independently assessed and verified
  • having your ability to apply your knowledge and expertise effectively to deliver business benefits confirmed
  • having proficiency proved in a specific role can set you apart from others
  • you become part of a recognised and growing community from which employers can recruit cyber security professionals
  • you will become eligible to work on UK government networks and Critical National Infrastructure (CNI) projects (subject to passing a security clearance check)

And that’s just a few benefits. Obviously, being independently certified allows you to show anyone you are dealing with, even within your own organisation, that you know what you are talking about! It adds weight to your advice or input into a project, and should let people trust that your opinions in relation to Information Security are well founded and backed up with real experience and knowledge.

Now, I’m not going to explain play by play how to apply for certification. All that information is freely available from the NCSC website, or by reading over this document.

What I do want to explain for anyone thinking about certification is how lengthy the process can be, and rightly so.

Step 1

First, you will need to complete an application form. The NCSC use a third party “evaluation partner”, which is essentially an independent organisation who review your application to ensure it meets the required standards.

The evaluation partners are currently either APMG, the IISP / Crest / RHUL consortium, or the organisation I went with to accredit my application, the BCS (British Computer Society).

The application form requires you to list your previous experience, relevant job roles and their responsibilities, your formal education, industry recognised certifications, and real world examples of carrying out the relevant work for the role you are applying for.

For example, an obvious requirement for the SIRA role is to carry out information security risk assessments. So, one of the major things to evidence is having carried out those assessments before! This is achieved by writing an example using the well-known STARR method (Situation-Task-Action-Result-Reflection). This allows the assessor looking at your application to decide if you know how to carry out such a risk assessment, and if you have the experience required for that specific skill. It also allows them to understand you as an individual and how you apply your knowledge, which can be slightly different for each person (nobody works in exactly the same way!).

As you can see in the image below, the application form is pretty lengthy, and can take a number of days or weeks to complete:

One example isn’t enough, however. You need to provide (at least) a few examples for each skill, to ensure you provide enough information to allow the assessor to validate your experience.

Step 2

But surely that's open to abuse? Well, it would be... but part of the process involves providing two separate sponsors, who are able to validate your documented experience. Those sponsors are contacted by the assessor, who goes over the application form and asks the sponsors to confirm that the applicant works with them and has carried out the claimed tasks.

But that's not all: if you claim to hold a certain certification, you need to supply the official certificate and all relevant documents relating to your previous employment in information security roles, and also official government-issued ID to confirm your identity.

That might not sound like such a big ask, but the application process, given its size and the amount of information required (all of which is evidenced and corroborated), can take some time to pull together.

For the Practitioner role, that is the end of your part of the process. For me, it was. The assessor reads the application, checks the evidence submitted, speaks to the sponsors, then decides whether they are willing to accredit you based on what has been evidenced about you.

If, however, you are looking to obtain a more senior role (like Senior or Lead Practitioner), you need to do the above, but also have a face-to-face interview with the assessor, who will ask you more questions about your experience and, essentially, carry out a competency-based job interview!

Step 3

The last step is the assessment. The third-party assessor reviews all the evidence you have submitted, and decides whether to award you the certification. This didn't happen to me, but they can come back to you and ask for additional evidence for certain skills they don't feel you've covered enough. In that case, you can have a think about it and re-submit the application with additional evidence as required.

Step 4

Receive the certification in the post! 😄

Receiving the Certification

It goes without saying that once you get the certification approved, you feel validated as a professional. This isn't like a training course where you study really hard and pass an exam. This is a lengthy process of documenting what you do on a daily basis, and having a third party look at that and decide whether what you are doing is up to the standards of the NCSC. When that is confirmed, it feels great!

I would encourage anyone working in information security to go through the certification process. It's a great way of showing you are experienced, not just with a bunch of certifications on your CV, but with real-life experience which you can assure customers or employers has been independently verified.

If you’d like more information about the process, or if I’ve missed something and you aren’t sure about it, feel free to comment below and I’ll help you out. I now have two of these certifications, so I feel like I kind of know what I’m doing with them! 🤓
