Professional Registration
As an organisation which has been granted Royal Chartered Status, the UK Cyber Security Council now has the power to set industry standards and award professional titles for those working in the cyber profession. The resulting Standard for Professional Competence and Commitment provides certainty around the skills and competences of the workforce, creating a clear route into, and progression through, the profession. Read more about how this came about below.
A Registered Cyber Security Professional will be able to demonstrate competence and commitment in all the areas below and provide appropriate evidence.
There are four professional registration titles aligned to the Council’s professional standard:
An Associate will have demonstrated competence within areas of cyber security knowledge and is either employed in or ready for employment within cyber security. As such, they are operating at a level where their professional expertise could be used effectively in a cyber security role.
The Associate Title is the first level of Professional Registration.
An ACSP must be able to demonstrate that they are working at the associate level by meeting the following criteria:
- Their knowledge and application of expertise within cyber security allows them to carry out defined roles effectively.
- That they have reasonable communications and interpersonal skills.
- That they understand the need to develop management skills and have carried out some supervised activities within either a real or simulated cyber security environment.
- That they understand and apply integrity, morals, and ethical values.
- That they carry out and plan for continued development of themselves and the cyber security profession.
A Practitioner will have practical experience in cyber security and be a practitioner operating at a level at which their professional expertise is being used effectively in their role.
Individuals applying for the Practitioner category of professional registration will be required to demonstrate evidence of competence and commitment in all the areas noted below.
Practitioner Cyber Security Professionals should demonstrate:
- their knowledge, understanding and experience relating to their role, some understanding of cyber security in its wider sense, and should be able to demonstrate practical experience within their career.
- that they have reasonable communications and interpersonal skills.
- that they understand the need to develop management skills and have carried out some supervisory activity within a cyber security environment.
- that they understand and apply integrity, morals, and ethical values.
- that they carry out and plan for continued development of themselves and the cyber security profession.
A Principal title is awarded to an established cyber professional who plays an active part in the profession and can demonstrate practical contributions to cyber engagements whilst not necessarily leading them.
A Principal Cyber Security Tester is expected to be involved in larger and/or more complex security tests or lead engagements. They may take on more responsibility in terms of team leadership, they may buddy or mentor junior cyber security testing professionals, and/or have one or more technical specialisms within the realm of security testing (e.g., network / infra / cloud / web apps / DevSecOps / IT / OT, etc.) where they are considered an ‘expert’.
Building on the competencies for Associate, they should therefore:
- Be able to demonstrate a good understanding of the lifecycle of different types and complexities of engagement.
- Be able to define and describe the scope and objectives of a security test for a large and/or complex environment.
- Have a good understanding of the common legal and regulatory frameworks relevant to security and IT environments and should have an excellent knowledge of the framework/s relevant to their specialism.
- Have a good understanding of business risk as it applies to security weaknesses and controls.
- Be able to demonstrate the ability to create appropriate test platforms for different types and complexities of test, including their own specialism and at least one other.
- Be able to keep clear, concise, and accurate records of their test activities including descriptions of the repeatability of a finding, and how to classify findings.
- Be able to determine whether a finding is sufficiently critical to warrant notification to the client immediately, at the end of day, or in the final report; and to demonstrate clear, concise, and accurate reporting in the final report.
- Be able to present findings to senior management (i.e., CISO) comfortably.
A Chartered title is awarded to an established Cyber professional who can evidence leadership in cyber engagements whilst playing an active role in the wider profession and has knowledge of related specialisms.
A Chartered Cyber Security Professional will have significant practical knowledge in several Specialisms, though should have a particular Specialism at which they are an acknowledged expert. As such, they should be operating at a level where their professional opinion may reasonably be sought to contribute to the development of the overall cyber security profession.
Building on the competencies for Principal, they should therefore be expected to:
- Demonstrate an excellent understanding of the lifecycle of all types and complexities of engagement, including techniques for influencing a client through articulation of the benefits of cyber security testing.
- Be able to define and describe the scope and objectives of any security testing engagement, including large and complex tests involving multiple environments and technologies.
- Have a thorough knowledge of the common legal and regulatory frameworks relevant to security and IT environments and should have an excellent knowledge of the framework/s relevant to their specialism/s.
- Have a thorough understanding of the risks involved in testing, and of the business risks related to findings and their mitigations.
- Demonstrate a thorough understanding of the setup of multiple test platforms, including within team-based testing, and the need for all hardware, cabling, software, licensing, sandboxes, and sanitisation.
- Demonstrate a thorough understanding of the importance of clear, concise, and accurate records of all aspects of a test and ensure that quality of record keeping is maintained by the test team.
- Be able to determine whether a finding is sufficiently critical to warrant notification to the client immediately, at the end of day, or in the final report; to demonstrate clear, concise and accurate reporting in the final report; and to be able to convey clearly to the client (who may be non-technical) what any finding means in terms of their security posture and exposure to risk, and possible methods of mitigation.
- Be able to present technical findings and assessment themes comfortably at Board level.
The Cyber Scheme was approved as a Licensed Body in 2023, allowing us to assess and recommend individuals for Professional Titles. We are currently assessing registrations for the Security Testing, Incident Response and Secure Operations specialisms and the non-specialism specific Associate Title. More will follow as they are developed by the Council.
DSIT (Department for Science, Innovation and Technology) is funding government security professionals to gain a Professional Title under the UK Cyber Security Council Professional Standards Framework, free of charge. Please note that you must submit your application to us by 28th February 2025 in order to receive funding.
DSIT want to incentivise government employees to apply for these professional titles to further embed the professional standards both in the public sector and, indirectly, in the private sector.
The Cyber Scheme have been awarded a contract by DSIT to assess government employees applying for Professional Titles in Security Testing and Incident Response, and the Associate Title (non-specialism specific).
If you wish to apply for a title via the Cyber Professional Titles Fund, please click here to access the Grant Registration Form. Please note you must be a Public Sector/Government worker to be eligible.
Chartership: How did we get here?
Royal Charters, granted by the Sovereign on the advice of the Privy Council, have a history dating back to the 13th century. Why are they so relevant today?
Professional Standards & Chartership
The Council has been created to provide increased confidence in the professional standing of individuals offering Cyber Security consultancy.
"The Cyber Scheme has worked with the National Technical Authority (CESG/NCSC) for Information and Cyber Security for several years. The business case for establishing an independent body to oversee the Cyber Security profession is welcome recognition of the scale of the challenge at a national level across all sectors and roles within the economy and society more widely. "
Andrew Jones, Strategy Director, The Cyber Scheme
Want to learn more about the Council’s role in professional registration? Please click here to be taken to The Council’s website.