Examples of Evidence
These competencies are for candidates applying for Professional Registration at Chartered level only
Please see below some examples of what we are looking for as evidence that candidates have relevant experience mapped to the competencies in the standard – these are contextualised for the Security Testing specialism. This is not a definitive list.
Competence: A
KNOWLEDGE, UNDERSTANDING & EXPERIENCE
Chartered Cyber Security Professionals should demonstrate their knowledge, understanding and experience relating to their Specialism, including understanding of cyber security in its widest sense and should be able to demonstrate knowledge across a number of security Specialisms.
This competence is about the depth of knowledge and application of expertise, not only within their own Specialism but across a number of related Specialisms that allows for the development of novel and unexpected solutions to address cyber security challenges.
This will include understanding the interaction and inter-relationship between technology, people, physical environment, and risk. It will also include roles or activities that have a degree of complexity and that required analytical problem solving in meeting customer / organisational requirements.
Criteria
The individual shall demonstrate that they:
A-1 Have led, managed, or carried out activities that have a degree of complexity within their Specialism or across a number of Specialisms and understand how skills should be applied across a number of projects and to different environments.
A-1:
- Detailed whole-of-organisation security testing, or investigation of a complex cyber security issue, identifying workable solutions and selecting the most appropriate one.
- Contribution to whole-of-business risk management and incident response strategies and their relationship to vulnerability management and analysis procedures.
- Leading the technical response to a significant cyber security incident, identifying appropriate actions and implementing a remediation plan.
- Researching a complex cyber security vulnerability or problem, carrying out analysis and evaluating the results.
- Evaluating a cyber security requirement, developing a requirements specification, analysing the market, and selecting and implementing the solution.
- Leading and delivering complex scoping engagements involving multiple technologies, third-party supply assurance and location/jurisdiction complexity.
A-2 Have applied analytical problem solving in meeting customer/organisational requirements.
A-2:
- Leading the design and development of cyber security vulnerability management plans linked to an organisation's vision and business objectives.
- Contribution to whole-of-business risk management and incident response strategies and their relationship to vulnerability management and analysis procedures.
- Leading the technical response to a significant cyber security incident, identifying appropriate actions and implementing a remediation plan.
- Researching a complex cyber security vulnerability or problem, carrying out analysis and evaluating the results.
- Evaluating a cyber security requirement, developing a requirements specification, analysing the market, and selecting and implementing the solution.
- Leading and delivering complex scoping engagements involving multiple technologies, third-party supply assurance and location/jurisdiction complexity.
A-3 Have led, managed, or coordinated continuous improvement to cyber security.
A-3:
- Evaluated and/or audited an organisation’s cyber security strategy and implemented improvements.
- Applied an improvement methodology to define and implement efficiencies across the organisation’s cyber security operations.
Competence: B
COMMUNICATIONS & INTERPERSONAL SKILLS
Chartered Cyber Security Professionals should demonstrate that they have effective communications and interpersonal skills to operate at all levels within and outside an organisation, with their peers and with those who have little or no knowledge of cyber security.
This competence is about being able to communicate and discuss all aspects of cyber security at all levels, both within and outside an organisation. This includes the ability to discuss and communicate cyber security, with attention to detail, to those with little or no knowledge, and to convert the technical language of cyber security into language understood by the organisation.
Criteria
The individual shall demonstrate that they:
B-1 Have the ability to question and listen, summarise and explain cyber security appropriately.
B-1:
- Any activity that required eliciting and understanding all the necessary information to strike an appropriate balance between cyber security and business risk, and advising accordingly.
B-2 Provide and explain cyber security advice, direction and/or expert opinion, in a way that can clearly be understood by the intended audience.
B-2:
- How a cyber security problem was analysed and communicated, and a course of action recommended, using the language of the organisation, and how doing so subsequently effected a positive change.
- How a business requirement and priorities were translated into cyber security consequences and agreed mitigations.
- The preparation of reports, drawings, budgets, and specifications etc. as part of a bidding process for a cyber security product or service.
B-3 Have good personal and social skills that demonstrate empathy, diversity, and inclusivity.
B-3:
- Creating, maintaining and enhancing productive working relationships within an organisation or with a customer including a degree of conflict resolution.
- Demonstrating creativity by taking a variety of perspectives, taking account of unpredictable adversaries, threat behaviours and approaches and developing collaborative solutions.
- Working with a team to develop collective cyber security goals during a changing interpersonal situation.
- Provision of support during a cyber security incident, ensuring the needs of others were met, especially from a diversity and inclusion perspective.
B-4 Have excellent oral and written communication skills for both technical and non-technical audiences.
B-4:
- Provision and explanation of cyber security advice, direction and/or expert opinion, in a way that was clearly understood by the intended audience.
- Contributing to a published scientific cyber security paper or article as an author.
- Presenting a published cyber security academic paper at an academic conference.
Competence: C
COLLABORATIVE MANAGEMENT, LEADERSHIP & MENTORING
Chartered Cyber Security Professionals should demonstrate that they have developed effective management skills and are able to demonstrate their ability to lead and mentor groups and individuals in a personal, technical, or business cyber security environment.
This competence is about being able to establish, manage and mentor individuals and teams in a cyber security context and in a number of challenging environments. The competence should not only demonstrate the ability to lead in an organisational context but also the ability to lead or exert influence that contributes to the wider knowledge and understanding of cyber security.
Criteria
The individual shall demonstrate that they:
C-1 Are able to manage resources, people and budgets in complex and/or high-pressure cyber security environments.
C-1:
- Being accountable or having responsibility for delivering a complex Security Testing activity with significant risk.
- The successful management of an organisational cyber security team during a major incident.
- The planning and budgeting of a cyber vulnerability and analysis project from concept through to commissioning.
- The planning, execution, and delivery of a complex cyber security research project with external research partners.
- Leading teams conducting Security Testing and/or investigations using forensic techniques and tools, with experience of using multiple forensic tools and techniques.
C-2 Are able to lead, manage and develop people through coaching and mentoring. Creates and leads formal or informal teams and / or creates collaborative links with teams. Provides support and feedback to encourage and develop colleagues. Advises and influences others.
C-2:
- Supervising Security Testing and vulnerability analysis teams and researchers and assisting in getting the research published.
- Developing and delivering cyber security education at MSc level, or in some other way exerting influence that contributes significantly to the field.
- Identifying and developing both formal and informal cyber security training plans for teams and individuals, and providing the time and opportunity to undertake the training, including performance feedback.
- Situations where human behaviours in the context of cyber risk and risk-related decisions were identified and managed effectively.
C-3 Have excellent organisational and time management skills.
C-3:
- Established a new cyber security team / organisation within a high-pressure environment that was working effectively within the time constraints allowed.
- Prioritised a number of cyber security testing activities in a way that delivered the most effective security posture in the minimum amount of time relative to the risk observed.
- The consistent setting and meeting of deliverable deadlines in cyber security activities.
C-4 Maintain a productive, professional, and secure working environment.
C-4:
- How cyber security testing activities were carried out in a way that considered the best interests of the individuals and organisations affected by the work.
- How a secure collaboration space was established to develop a cyber security testing solution for a diverse set of stakeholders.
Competence: D
INTEGRITY
Chartered Cyber Security Professionals should demonstrate that they have the highest level of integrity, morals, and ethical values.
This competence is about demonstrating a core commitment to the cyber security profession. Those involved in the cyber security profession need to hold the trust of society given the potential to apply security skills to cause as well as reduce harm. This competence is also about demonstrating their commitment to complying with codes of conduct, adherence to standards and acting in accordance with legal and regulatory requirements.
Criteria
The individual shall demonstrate that they:
D-1 Have personal and professional honesty and integrity.
D-1:
- Provide examples of carrying out their cyber security testing responsibilities in an ethical manner.
- Provide examples where unethical behaviour / poor practice in others, especially where this might cause harm, was challenged and managed.
- Examples where diligence in their own performance and advice produced an awareness of their professional limitations.
- Identifying and respecting privacy and ethical considerations raised during their cyber security activities whilst adhering to organisation policies and objectives.
- Examples where an awareness of privacy and ethics issues gave rise to an impact on trust and confidence, and how this was managed.
D-2 Comply with codes of conduct of their professional membership organisation.
D-2:
- The escalation of ‘prominent issues’ discovered that required confidential whistleblowing within the business, a client business, or externally to law enforcement.
- Identifying specific aspects of the code that are particularly relevant to either the current or previous cyber security role.
D-3 Understand and comply with the appropriate legal and regulatory requirements.
D-3:
- Identification of legal parameters within which a cyber security professional had to work, that required compliance.
- Identification of non-UK legal and regulatory requirements during a cyber security testing activity that required compliance.
- Activities governed by legal frameworks covering transfers of personal data from the UK to non-UK countries.
- Cyber security testing activities for Defence / Government, conducted by state agencies principally in the interests of national security and for the prevention and detection of serious crime, that would otherwise be considered breaches of law but which were made lawful.
D-4 Are able to identify and implement appropriate standards.
D-4:
- Identification, implementation, and conformance to appropriate standards during a cyber security activity.
- Identification of applicable non cyber security standards that were implemented as part of a cyber security activity.
Competence: E
PERSONAL COMMITMENT
Chartered Cyber Security Professionals should demonstrate that they are committed to the continued development of themselves and the cyber security profession.
Criteria
The individual shall demonstrate that they:
E-1 Carry out and record Continuing Professional Development (CPD) or an acceptable equivalent.
E-1:
- Provision of a log of existing CPD activities and a plan for future CPD activities aligned to either changes in role or advancements in technology.