UK NCSC hands running of CCP scheme to the UK Cyber Security Council

UK NCSC scales back its oversight of the cybersecurity skills development space with the UK Cyber Security Council taking over management of the Certified Cyber Professional scheme.

The UK National Cyber Security Centre (NCSC) is handing over administration of the Certified Cyber Professional (CCP) scheme to the UK Cyber Security Council. The move comes as the NCSC looks to scale back its management of the cybersecurity skills development space and transfer oversight to the Council as it establishes its own nationally recognised professional standards. A detailed timeline of activities is set to be announced at the CYBERUK 2022 event later this week.

NCSC scales back oversight of cybersecurity skills development

The CCP scheme was developed by the NCSC and is awarded to those who demonstrate their sustained ability to apply cybersecurity skills, knowledge and expertise in real-world situations. The CCP is a component of the NCSC’s wider work around identifying the knowledge needed to become a cybersecurity specialist, quality university courses, and organisations with the levels of specialist expertise to manage cybersecurity risks.

In a blog posting, the NCSC stated that by transferring the standards for cyber expertise it has been using in CCP to the UK Cyber Security Council, it is taking a significant step in recognising the role of the Council envisaged in the UK government’s National Cyber Strategy. “The NCSC recognises the role of the Council as the body that will set the standards for cybersecurity specialists in the UK, and we are absolutely committed to doing our part as the National Technical Authority for Cyber Security to ensure its success,” the NCSC added. “For the Council to be successful, we believe we need to start simplifying government involvement in this space.”

How the CCP scheme will change under the UK Cyber Security Council

The NCSC said that there will be little immediate change to the CCP as it hands oversight over to the Council. “The NCSC’s and the Council’s joint aim is to make the transfer of individuals holding qualifications into the new Council specialist standards as simple as possible,” it added. Specifically, the NCSC said:

  • The Council will take ownership of the relevant NCSC standards and oversight of the existing certifications, ensuring continuity of the scheme whilst the Council develops its own standards.
  • The NCSC will continue to recognise these qualifications until this is completed.
  • The Council will effectively become agents of the NCSC, running CCP as it is operated today.

In the longer term, the CCP will evolve under the Council’s stewardship as it implements its own standards, starting with the risk management and security architecture specialisms, the NCSC stated. “This period of piloting will explore and define the route for certified specialists and role-based practitioners, to transfer to the Council framework as their existing CCP certifications expire.”

The Council has identified 16 specialisms to fall within its remit, which include governance and risk management, secure system architecture and design, audit and assurance, and security testing. “The Council recognises that other specialisms also play a key role, and these will be incorporated once the processes have been properly proven. These processes will include identification or development of the relevant specialism standard, as well as formally identifying and on-boarding the body(s) that will oversee the implementation of the standard on behalf of the Council.”

Whilst this will mean the end of the existing CCP scheme, the ability to identify specialist expertise will continue to be met through the work of the Council, the NCSC said. “This means, for example, that we will no longer be carrying out technical interviews for the head consultants in our Certified Consultancy Scheme, but we will be looking to the CCP certificate (and then whatever the Council replaces it with) as evidence of technical competence.”

Copyright © 2022 IDG Communications, Inc.