Comment: Information Assurance Professionals – You Are Competent, but Are You Certified?

APM's Richard Pharro discusses CESG's new framework for certifying information assurance specialists
Richard Pharro, The APM Group

The UK Cyber Security Strategy, published in November 2011 by The Cabinet Office, states that one of the government’s key objectives is to encourage, support and develop education for information assurance (IA) professionals. I am delighted to say that The APM Group has been appointed by CESG, the UK’s National Technical Authority for Information Assurance, to develop and deliver a new certification scheme for people working in government IA roles.

The scheme has been developed because the government wants to secure the huge economic and social benefits represented by cyberspace. We also need to ensure that our cyber activities are not disrupted by attacks. Staying secure in cyberspace can seem complex, difficult and expensive. There are over 20,000 malicious emails on UK government networks each month, and 1,000 of these deliberately target the government. These kinds of attacks are increasing: the number of emails with malicious content detected by government networks in the whole of 2010 was double the number seen in 2009.

Without a clear and shared understanding of the nature and scale of threats, the case for investing in protection and prevention can be undermined. Information assurance therefore plays an important role in reducing our vulnerabilities in cyberspace. We need cross-cutting knowledge, skills and capabilities to underpin all our cybersecurity objectives to take advantage of the economic and social opportunities represented by cyberspace.

Part of the government’s strategy is to develop information assurance professionals so the UK continues to retain an edge in this area, together with the underlying research and development to keep producing innovative solutions. A key initiative is to drive up the skills levels of information assurance and cybersecurity professionals. Specialist training and certification have been developed to meet these objectives.

CESG has developed a framework for certifying information assurance specialists who meet competency and skill requirements for specified IA roles. The APM Group is one of the organizations to be awarded the status of Certification Body by CESG to help develop the new certification scheme. The other two are BCS and an IISP consortium – each has its own style of assessment. The APM Group certification process is entirely online, making the application and assessment process easy. We have developed a secure administrative system accredited by CESG on which to run the scheme. The origins of the new certification scheme are rooted in the IISP and SFIA frameworks, which determine competence in all areas of information assurance.

The purpose of certification is to enable better matching between public sector requirements for information assurance specialists and the competencies of the staff or contractors undertaking common IA roles. The six roles are:

  • IA accreditor
  • IA auditor
  • Communications security officer/crypto custodian
  • IT security officer/information security system manager/information security system officer
  • Security and information risk advisor
  • Security architect

The certification scheme managed by The APM Group features three levels for each of these roles: Practitioner, Senior Practitioner and Lead Practitioner. The lowest level is suitable for a team member, the Senior Practitioner level would be for a senior team leader, and the top level would be appropriate for a strategic advisor working in a board-level environment.

At the higher levels there is a requirement for increased awareness of non-technical skills, such as influencing, business skills and autonomy – as would be expected for people working at the board level.

We expect that applicants applying for one role will spend up to three hours completing the application form, and the assessment will last approximately one hour, for which further preparation will be required. Lead Practitioner level candidates must prepare a presentation and have an interview. It is possible to apply for certification in more than one role at the same time, but this will require further time at each stage.

Our assessors are recognized as having the right level of experience and knowledge, combined with the appropriate assessment skills.

CLAS Consultants

CLAS consultants will be required to gain a certification from one of the three bodies and to maintain it for the duration of their CLAS membership. There is an additional process managed by CESG after gaining the certification to get into the CLAS community.

All certifications are awarded for a period of up to three years, with some form of validity check during the period to ensure continued professional and business development. After three years there is a re-assessment process.

Applicants may apply for more than one role at an additional cost.

Benefits for Information Assurance Community

The certification process will give information assurance specialists the opportunity to have their competence independently verified. The IA role definitions will also help people plan their professional development. The APM Group has a long history of working with the Office of Government Commerce – now part of The Cabinet Office – to deliver its qualification schemes for project, program and service management specialists.

I believe the introduction of the information assurance certification scheme is timely and appropriate. It is our mission to help knowledge-based workers prove their knowledge and extend their skills, so we’ll be aiming to set high standards that will become the industry benchmark.

We are not aware of anything like this scheme anywhere else in the world, so we hope the UK is regarded as the leader in this field. With the huge talent and skill available from CESG and GCHQ in the world of IT and security, the UK should be justly proud of this initiative. We’re all working together to improve the overall competence of information assurance and security in the world.

The APM Group is exhibiting at Infosecurity Europe 2012, the No. 1 industry event in Europe, held on 24–26 April 2012 at Earl’s Court, London. The event provides an unrivalled free education program, features exhibitors showcasing new and emerging technologies, and offers practical and professional expertise. Visit the Infosecurity Europe website for further information.


As CEO of The APM Group (APMG), Richard Pharro conceived the idea of accreditation and certification associated with PRINCE2 in 1995. Since then, APMG has expanded its portfolio of products to include ITIL, ISO/IEC 20000, and the new Information Assurance Scheme in partnership with CESG.

Pharro is a chartered director and civil engineer who, in his early career, worked on projects in the UK and the Middle East. He spent several years with the London Docklands Development Corporation on the regeneration of East London. His book, The Relationship Manager – The Next Generation of Project Management, was published by Gower in January 2003.
