Application Guidance for Professional Registration
There are four professional registration titles aligned to the Council’s Standard of Professional Competence and Commitment. Please familiarise yourself with the standard to help you decide which level you should be applying for. A summary of each level follows. Please note Associate Level is not specialism-specific.
An Associate will have demonstrated competence within areas of cyber security knowledge and is either employed in or ready for employment within cyber security. As such, they are operating at a level where their professional expertise could be used effectively in a cyber security role.
The Associate Title is the first level of Professional Registration.
An ACSP must be able to demonstrate that they are working at the associate level by meeting the following criteria:
- Their knowledge and application of expertise within cyber security allows them to carry out defined roles effectively.
- That they have reasonable communications and interpersonal skills.
- That they understand the need to develop management skills and have carried out some supervised activities within either a real or simulated cyber security environment.
- That they understand and apply integrity, morals, and ethical values.
- That they carry out and plan for continued development of themselves and the cyber security profession.
A Practitioner will have practical experience in cyber security and be a practitioner operating at a level at which their professional expertise is being used effectively in their role.
Individuals applying for the Practitioner category of professional registration will be required to demonstrate evidence of competence and commitment in all the areas noted below.
Practitioner Cyber Security Professionals should demonstrate:
- their knowledge, understanding and experience relating to their role, some understanding of cyber security in its wider sense, and should be able to demonstrate practical experience within their career.
- that they have reasonable communications and interpersonal skills.
- that they understand the need to develop management skills and have carried out some supervisory activity within a cyber security environment.
- that they understand and apply integrity, morals, and ethical values.
- that they carry out and plan for continued development of themselves and the cyber security profession.
A Principal title is awarded to an established cyber professional who plays an active part in the profession and can demonstrate practical contributions to cyber engagements whilst not necessarily leading them.
A Principal Cyber Security Tester is expected to be involved in larger and/or more complex security tests or lead engagements. They may take on more responsibility in terms of team leadership, they may buddy or mentor junior cyber security testing professionals, and/or have one or more technical specialisms within the realm of security testing (e.g., network / infra / cloud / web apps / DevSecOps / IT / OT, etc.) where they are considered an ‘expert’.
Building on the competencies for Associate, they should therefore:
- Be able to demonstrate a good understanding of the lifecycle of different types and complexities of engagement.
- Be able to define and describe the scope and objectives of a security test for a large and/or complex environment.
- Have a good understanding of the common legal and regulatory frameworks relevant to security and IT environments and should have an excellent knowledge of the framework/s relevant to their specialism.
- Have a good understanding of business risk as it applies to security weaknesses and controls.
- Be able to demonstrate the ability to create appropriate test platforms for different types and complexities of test, including their own specialism and at least one other.
- Be able to keep clear, concise, and accurate records of their test activities including descriptions of the repeatability of a finding, and how to classify findings.
- Be able to determine whether a finding is sufficiently critical to warrant notification to the client immediately, at the end of day, or in the final report; and to demonstrate clear, concise, and accurate reporting in the final report.
- Be able to present findings to senior management (i.e., CISO) comfortably.
A Chartered title is awarded to an established Cyber professional who can evidence leadership in cyber engagements whilst playing an active role in the wider profession and has knowledge of related specialisms.
A Chartered Cyber Security Professional will have significant practical knowledge in several Specialisms, though should have a particular Specialism at which they are an acknowledged expert. As such, they should be operating at a level where their professional opinion may reasonably be sought to contribute to the development of the overall cyber security profession.
Building on the competencies for Principal, they should therefore be expected to:
- Demonstrate an excellent understanding of the lifecycle of all types and complexities of engagement, including techniques for influencing a client through articulation of the benefits of cyber security testing.
- Be able to define and describe the scope and objectives of any security testing engagement, including large and complex tests involving multiple environments and technologies.
- Have a thorough knowledge of the common legal and regulatory frameworks relevant to security and IT environments and should have an excellent knowledge of the framework/s relevant to their specialism/s.
- Have a thorough understanding of the risks involved in testing, and of the business risks related to findings and their mitigations.
- Demonstrate a thorough understanding of the setup of multiple test platforms, including within team-based testing, and the need for all hardware, cabling, software, licensing, sandboxes, and sanitisation.
- Demonstrate a thorough understanding of the importance of clear, concise, and accurate records of all aspects of a test and ensure that quality of record keeping is maintained by the test team.
- Be able to determine whether a finding is sufficiently critical to warrant notification to the client immediately, at the end of day, or in the final report; to demonstrate clear, concise, and accurate reporting in the final report; and to be able to convey clearly to the client (who may be non-technical) what any finding means in terms of their security posture and exposure to risk, and possible methods of mitigation.
- Be able to present technical findings and assessment themes comfortably at Board level.
A Chartered Cyber Security Professional will be able to demonstrate competence and commitment in all the areas below and provide appropriate evidence.
A: Knowledge, Understanding & Experience
B: Communication & Interpersonal Skills
C: Collaborative Management, Leadership & Mentoring
D: Integrity
E: Personal Commitment
The UK Cyber Security Council’s titles align to the RQF and other frameworks. For candidates, this describes the approximate level of knowledge required; for example, a Chartered professional should have cyber security knowledge equivalent to a Level 7 qualification e.g. a master’s degree.
Candidates do not need a master’s degree and can demonstrate knowledge gained in other ways, e.g. on the job, self-guided learning, certifications, other degrees or a combination thereof. Cyber security knowledge is only one element of the requirements. Candidates must also demonstrate experience of cyber security and the competencies shown below.
A Registered Cyber Security Professional will be able to demonstrate competence and commitment in all the areas below and provide appropriate evidence.





"It is recommended you provide plenty of detail as to why you should be chartered, showing evidence of your skills and competencies wherever possible".
Andrew Jones, Strategy Director, The Cyber Scheme
Application Form
We recommend following the STAR technique, a proven method of answering tricky situational questions systematically while providing all the essential details.
The STAR technique is a method of answering questions that comprises four steps:
- Situation: Describe the situation and when it took place.
- Task: Explain the task and what the goal was.
- Action: Provide details about the action you took to attain this.
- Result: Conclude with the result of your action.
Professional History
You are expected to cover your complete professional history as well as your current work in industry. Start with your most recent post and work backwards over a 10-year period. Mention your individual achievements, tasks, and actions; talk about yourself rather than team efforts.
- Indicate the size and complexity of any projects or tasks you describe.
- Give an extended description of your current role.
- Explain any acronyms or abbreviations the first time you use them.
Education History
The application form also asks for your education history, such as professional qualifications, apprenticeships, and degrees.
Additional information required
You will be given the opportunity to detail any papers you have contributed to; this can include articles published in recognised journals, in-house publications, conference and seminar presentations, and any other contribution to industry, national and international bodies.
You are then asked to provide evidence of your competence mapped to the Standard of Professional Competence & Commitment (UK CSC SPCC). Using the STAR model will also prove beneficial here.
Finally, you will also be asked to provide at least two referees; professionals who are familiar with your technical knowledge and work-based experience.
Once your application has been approved your pathway will follow one of two routes (these take the same time):
- Interview (viva) OR
- Employer attestation (testimonials).
(Security testing only; you must have completed an appropriate exam within the last three years – see below).
In some circumstances we may decide to interview a candidate even if they have chosen testimonials, to gather sufficient evidence or expand on evidence supplied. An interview will be conducted by an Assessor holding a professional title of at least the level being assessed.
Final Assessment
Following the application, examination and interview, a Final Assessment review will take place before Professional Registration can be awarded. The Final Assessment Assessors are responsible for holistically reviewing all the evidence from each stage and will take recommendations from assessors and interviewers as necessary.
Security Testing specialism only
Depending on which category of chartership you are applying for, different exams map to the required skill level. The CHECK Scheme examination standard has been mapped against the UK Cyber Security Council Standard for Professional Competence and Commitment (UKCSC SPCC) and approved as a means of testing technical knowledge requirements.
For registrants applying through The Cyber Scheme, this means:
- For Chartered Title, applicants are required to pass or hold The Cyber Scheme’s CSTL exam (App or Inf), or equivalent exams from other organisations, and be able to demonstrate significant delivery experience at Team Leader level to proceed with their application.
- For Principal Title applications, registrants are required to pass or hold The Cyber Scheme’s CSTL exam (App or Inf), or equivalent exams from other organisations.
- For Practitioner Title applications, registrants are required to pass or hold The Cyber Scheme’s CSTM exam, or equivalent exams from other organisations.
- The Associate Title is not specialism-specific but can be the first step on the ladder to Practitioner in Security Testing.
Existing CTM and CTL certificate holders
If you hold current Team Leader or Team Member qualifications and wish to obtain professional recognition, you will only be required to complete the application form and attend a remote interview.
You won’t need to re-sit your existing certification in order to apply for a professional title. Applicants must be aware that their Professional Title status relies on relevant certificates being valid and in date.