Our Professional Standards team have created the below set of Frequently Asked Questions based on feedback, conversations, and queries around the CCP programme, Continuing Professional Development (CPD), Specialisms and Professional Registration.
Are Head Consultants required to hold the certified level of the relevant CCP specialism to apply for Chartership titles through the UK Cyber Security Council?
Under the Assured Cyber Security Consultancy Scheme, Head Consultants were required to hold the Certified level of the relevant CCP Specialism. Going forward, once the UK Cyber Security Council launches their Chartership Titles, Head Consultants will need to hold the Chartered title for the relevant UK Cyber Security Council specialism.
I have CCP and am due to submit a new application, what options do I have available to me?
Please see the latest communication regarding the extension of CCP which may help to answer your questions here.
1. Undertake full CCP with your existing certification provider (BCS, APMG or CIISec), ensuring your application is submitted and fees paid before the deadline of CCP closure, September 30th 2023.
2. Within 6 months of certifying, or at the point of revalidation of your CCP certification, you may apply for a top-up process via the UK Cyber Security Council through your existing certification provider, to convert your CCP certification to the relevant council chartership title. Alternatively,
3. Wait for and undertake a full application for either Governance and Risk Management or Secure System Architecture and Design specialisms with UK Cyber Security Council for the relevant chartership title, when these are launched late Summer 2023.
What is CPD?
CPD is Continuing Professional Development. It is a commitment we expect from all Registrants awarded a Professional Registration Title to further develop their knowledge and skills.
This may involve structured activities such as courses, distance learning programmes, private study, preparation of papers and presentations, mentoring, involvement in professional body activities, or relevant voluntary work. This also involves on-the-job professional experience, attending events & seminars, and may involve activities completed for other organisations such as producing records for professional institutions/organisations, company training, development, and appraisal processes.
Why is CPD required?
Continuing Professional Development is vital within the cyber security sector as it ensures that cyber security professionals remain capable of addressing current and emerging challenges and strengthens their effectiveness in protecting information and communication systems, operational technologies and critical national infrastructure.
How do I log CPD?
Registrants must commit to planning, recording, and making available the reporting of their own CPD.
Each Licensed Body will provide advice on the format in which they expect you to submit CPD to them. This will include the requirement to reflect on the learning you have taken from the CPD activity and how you have applied that to your role.
What are the benefits of CPD?
Undertaking CPD will continue to develop and enhance your knowledge, skills and competence. This can include building on your strengths, honing current skills and developing them to new levels as well as career progression. It will ensure that your professional registration is maintained and provide you with a professional sense of direction.
What are the CPD requirements for Chartered?
Registrants require a minimum of 25 hours per year across several sources totalling 75 hours over a three-year period. This is applicable to all professional registration titles.
Is it only CIISec who can assess Chartered Security Architecture Professional?
Yes, only CIISec can assess Secure Systems Architecture professionals currently. The website has up-to-date information regarding licensed bodies and the specialisms they are licensed to assess.
Can one course of 30 hours be acceptable CPD?
One course is not what we are expecting. We expect 25 hours over several sources. Each of the Licensed Bodies will be able to provide you with more guidance.
There are many ways that you can take CPD, for example, networking with others, reading a journal, something that you are interested in. These examples can all count towards CPD. There are also many other ways that you can undertake CPD without even realising. Read the Guide to Good CPD document available on the website for more information.
Will there be other ways to gain CPD for "Contributions to the profession or field"?
Yes, by giving back to the field through journals and research, including speaking and presenting, or participating in formal lectures as well as the networking side, but ensuring that you are providing some kind of input into improving the profession, through helping with collaborations, and thought leadership. Read the Guide to Good CPD document available on the website for more information.
How would you differentiate between development and sharing information or teaching others?
There may be development work involved in putting a slide deck together, which can be counted as part of CPD. There is a kind of guide, so if you are putting a 3-hour course together, you could claim six hours as part of that development, including delivering it. But if you are running that on a regular basis, you cannot claim that development again unless there is a major change or it is a completely different course. If you are developing a training course or a presentation, for an hour-long presentation you are allowed two hours as part of that development for CPD.
As an independent consultant, time off work is time with no pay. If I need a professional qualification such as Cloud Security on a weeklong course, are you saying I must also take more time off to do CPD?
It depends on the CPD you want to take. If you do a weeklong course, for example, that covers some CPD activities, but it is not going to be enough to satisfy the requirements. However, reading a journal, or having a professional discussion with someone to enhance your knowledge in a different subject area, including sharing best practice techniques, thoughts, and ideas, can count towards CPD.
Doing a range of things that would naturally keep you a well-rounded individual in your profession should not be too taxing.
The NCSC Approved MSc in Cyber is a massive commitment by them, is that enough to satisfy the CPD requirement?
Unfortunately, undertaking an MSc by itself is not enough to satisfy CPD requirements. See the Guide to Good CPD for more information on the different types of CPD you could do.
Do we have to upload a list and evidence of CPD to the Council annually?
We would expect you to do this through the licensed bodies and whilst you may be reminded every three years, the best practice is to submit your CPD record annually.
Will the licensed bodies contact us?
The licensed bodies will advise when your registration is due for its annual renewal, including when your CPD record will be up for audit.
Do you have a timeline on when the road mapped specialisms will be available?
The Council have launched 4 specialisms already for Risk & Governance, Architecture & Design, Audit & Assurance and Security Testing. We expect to launch 4 further specialisms during 2024/25. These are:
Full details will be provided via our website and newsletter.
Are there any other licensed bodies that can support applications other than CIISec and the Cyber Scheme? Will this be expanded to other bodies / institutes in future?
Currently, there are three Licensed Bodies as CREST have recently been granted a licence. We are working with other organisations and are expecting to offer licences to these in the near future.
For an individual just starting in the cyber security profession, what is the required documentary evidence that needs to be submitted, and which specialism is most relevant to them?
The Council are working to demystify the industry, signpost to and create career pathways. Further updates will be provided within our careers and qualifications area in the future.
Professional Registration, except for the Security Testing pathway, does not require any certification or qualification. It is an assessment of the applicant's understanding, knowledge and skill in cyber security. Whilst the knowledge an individual may gain from a certification will be useful, certifications are not a requirement, nor will they waive any part of the process.
Applicants who are applying for a professional registration title via the Security Testing specialism should hold a CHECK Team Leader or CHECK Team Member exam, or be willing to sit it in advance of their application submission.
Which organisations are expected to offer the digital forensics specialism (and incident response specialism) in 2024? Will it be possible to be in the initial tranche of applicants if these are 'beta' applicants?
The Council are working with CREST and The Cyber Scheme to develop these specialisms. Work is expected to commence during 2024. Individuals can sign up to the Council’s newsletter to keep up to date with progress. Individuals who are interested in being part of the initial tranche of applicants may email standards@ukcybersecuritycouncil.org.uk for further information.
Where would I find that Audit & Assurance contextualised standard?
The contextualised documents can be found at the end of the specialism information pages, within the career framework area of the Council’s website. The audit and assurance contextualisation can be found here: Audit & Assurance Contextualisation
Have the Armed Forces been engaged in the Council’s specialism development work?
The Council have engaged Armed Forces stakeholders in its work.
Is there a route for government applicants where evidence may veer into official-sensitive?
Applicants who work in a secure/confidential role are expected to be able to document their competence in a generic way against the competences detailed in the Council’s Standard of Professional Competence and Commitment without compromising any confidential information. The Assessors are professionally registered themselves and understand how to review this type of evidence.
What would be the most applicable registration to aim for, for a new professional to the field of cyber?
A new professional within the cyber security sector may be eligible to apply for our Associate Professional Registration title. Full details about this title can be found on our website. If you have any further queries, you can contact either of the Licensed Bodies or the Council for further assistance.
Prior to taking part in the 'professional discussion' are there any guides for applicants regarding what to expect during those discussions to enable the best possible preparation?
Candidate guidance is available via the Licensed Bodies. Applicants should expect the discussion to be guided by the Council’s SPCC and contextualised standard by specialism.
If an applicant requires additional support for the ‘professional discussion’ who should they contact and are there any of the pre questions in advance?
If an applicant requires specific details as a reasonable adjustment, Licensed Bodies will be able to provide these. You should not expect to receive a full list of questions or similar in advance as this will be a discussion rather than a test.
Must a successful applicant who is awarded professional registration continue to maintain a CIISec membership alongside the UKCSC registration for the future?
Each Licensed Body has their own membership requirements which may or may not be linked to the registration fees. Information regarding this is available from a Licensed Body who can respond to these requirements.
Expressions of interest on the UK Cyber Security Council website for Chartered, Principal and Associate are currently closed to new submissions. When will this reopen?
The expression of interest form was taken down from the website temporarily but is now back up and available to use. This form is a way to join a communications list but is not the first step of an application for professional registration. Applications are processed end-to-end by Licensed Bodies.
If an applicant is unsuccessful at, say achieving Chartered status, can they be awarded a different title alongside the Licensed Body’s feedback?
It is expected that applicants will apply for the Professional Registration title that best fits their knowledge and competence. If, during the assessment process, the evidence indicates the applicant would be more suited to an alternative, the Licensed Body may inform you; however, it is not a requirement of the process to do so.
Are there any exemptions for the required experience for professional registration for active ISC2 and ISACA certified professionals? What about members of another cyber security organisation?
There are no exemptions. However, the experience and knowledge gained through these certificates and memberships will be helpful when you put together your evidence for your professional registration application.
Are all technical discussions / interviews virtual, is there an in-person option?
This is dependent on the Licensed Body and their process / preference. The Council supports either and both approaches. Exams in support of the Security Testing specialism pathway are in-person. If an applicant requires reasonable adjustments to be made for the interview process, including moving from online to in-person or vice versa, they should contact the Licensed Body handling their application.
If an applicant has over 20 years of Audit and Assurance experience in Info & Cyber Security with some technical knowledge, but a broad amount of experience across multiple clients in various industries, would they best be placed to apply for Chartered status?
The applicant should refer to the Council’s SPCC here to understand the professional registration title that would be most appropriate, and the career framework here for the appropriate specialism.
If an applicant applies for chartership in one area and then a new pathway is created can they apply for this also, or is there a way to map over without having to go through the application process?
The Council are working collaboratively with Licensed Bodies to develop a process to move from one specialism to another to ensure mobility within the industry. Individuals are welcome to hold professional registration across various specialisms. At the Chartered level we expect a good knowledge of several other specialisms, so expertise in two specialisms does not necessarily mean an applicant would need to hold two titles.
Yes. We have a robust appeals process for the outcome of a professional registration application.
See more about the process here.