Discover your certification today Browse
Open page navigation
cyber securitydata protectioninformation analysisinformation assuranceinformation gathering

Certified Cyber Professional (CCP) - the certification framework by NCSC for competent Information Assurance (IA) professionals.

Please bear with us whilst we update this website and relevant information, to the new NCSC branding.

Statement released by the National Cyber Security Centre (NCSC) 31 May 2017

"The National Cyber Security Centre (NCSC) is committed to the CCP scheme which over the last 5 years has set the skills benchmark for cyber security professionals. The growing demand for cyber security expertise in the private and public sectors means that CCP needs to evolve to help the NCSC meet the challenge of making the UK the safest place to live and work online.

"The first step we’re making in CCP's evolution is to review what evidence people will need to present to demonstrate their competence and gain certification in future. For those already certified this will be done in a way that allows a transitional period. We will keep you informed of our progress."

GCHQ's Certified Professional (CCP) scheme, delivered through the NCSC, is a certification framework for competent Information Assurance (IA) professionals. Individuals can choose to be certified in one or more specified IA roles, at several levels of competency.

CCP certification will enable you to demonstrate to an employer that you possess the competencies, knowledge and skills needed to be an IA professional. CCP has been acknowledged as HMG’s standard for cyber security professionals. NCSC is the UK Government’s National Technical Authority for Information Assurance. APMG is working with NCSC to deliver the Certified Professional scheme.

Why was CCP Introduced?

CCP enables improved matching between the public and private sector requirements for IA professionals and the capability and competencies of individuals to perform common IA roles.

The framework was developed by CESG (now NCSC) in consultation with government departments, industry, academia, members of the CESG Listed Advisor Scheme (CLAS), and the NCSC approved certification bodies.

With the growing prevalence of cyber-criminals and more frequent attacks on organizations’ sensitive information assets, the UK Government has made it a top priority to strengthen the UK’s cyber security defences.

NCSC is working in co-operation with other government departments to address the UK’s shortage of skilled cyber-security professionals – Certified Professional was developed as part of this initiative.

Who is CCP for?

CCP is aimed at IA professionals working in both the private and public sectors. It allows for knowledge, experience and skills to be demonstrated at several levels of competence. Certified Professional can help organizations when selecting IA professionals for assignments and it can be used to guide professional development of employees.

Benefits for Certified Professionals

  • Independent verification and formal recognition of your IA skills and competence.
  • Better matching between public and private sector requirements for IA expertise and the competence of individuals providing such expertise.
  • Clearer career path development.
  • You are part of a recognized and growing professional body from which employers can recruit.
  • CCP is a requirement for NCSC approved IA/cyber security consultancy.

Benefits for Employers

  • Provides employers with the confidence that Certified Professional individuals will have been independently and rigorously assessed.
  • Certified Professionals will have demonstrated their expertise in IA/cyber security.
  • Use of the scheme in-house to ensure development of own practitioners.
  • Use of the scheme to influence suppliers to employ certified professionals to help reduce exposure to supply chain risks and gain confidence in supplier’s ability to manage risks to your and their information effectively.
Testimonial

IA Roles

Candidates interested in the CCP scheme can choose to be certified in one, or more of the following IA roles:

  • Accreditor
  • IA Auditor
  • Communications Security Officer/Crypto Custodian
  • IT Security Officer/Information Security System Manager/ Information Security System Officer
  • Security and Information Risk Advisor
  • IA Architect.

​The certification scheme features three levels for each of these roles. The levels are Practitioner, Senior Practitioner, and Lead Practitioner.

Certification Process

Our assessment process for all roles and levels will be interview based, incorporating feedback from referees who you have worked for or alongside, in order to determine whether you meet the competencies expected of the role. The entire process is online.

RELATED PRODUCTS

Triumphant lady atop a mountain

APMP® - Bid & Proposal Management

Championing those that win business

View more
Hot air balloons ascending into the clouds

Cloud Computing

Smooth ascension into the cloud

View more
Satellite overlooking earth

CDCAT® Insurance Services

Gain full awareness before accepting cover

View more

TESTIMONIALS

"As ONR's lead for auditing and regulating Cyber Security and Information Assurance across the whole of the UK’s civil nuclear sector, I need to be assured that the sector is staffed by competent professionals who have been rigorously and independently assessed for their knowledge, skills and experience. CCP provides that verification."

Robert Orr, Head of Cyber Security & Information Assurance Regulation, Office for Nuclear Regulation

“The Certified Professional (CCP) certification is increasingly seen as a de-facto standard for Cyber Security and IA practitioners in UK industry and public services. Appropriate CCP recognition also meets ONR's regulatory expectations for Suitably Qualified and Experienced cyber security and information assurance Professionals (SQEP) who are working in, or providing support to, the UK civil nuclear industry."

Robert Orr, Head of Cyber Security & Information Assurance Regulation, Office for Nuclear Regulation

HAVE A QUESTION?

FAQs

Who is APMG?

The APM Group is a global business providing accreditation and certification services. Through its international network of Accredited Consulting and Training Organizations we help end users develop their professional skills and organizations improve their processes through the adoption of worldwide best practice. The APM Group is the only organization offering professional qualifications in Programme and Project management with third party independent accreditation through the United Kingdom Accreditation Service (UKAS). We run the Best Management Practice Accreditation and Certification Schemes in partnership with the Cabinet Office and TSO, the official publisher. These schemes include PRINCE2® (PRojects IN Controlled Environments), MSP® (Managing Successful Programmes), M_o_R® (Management of Risk), P3O® (Portfolio, Programme and Project Offices) and ITIL® (IT Infrastructure Library).

Why Should I get my certification with APMG?

APMG has over 12 years of experience in assessing individuals. We are applying our knowledge and capability in assessing with the knowledge of our panel of assessors who are highly experienced information assurance professionals. APMG’s certification scheme assesses competence through evidence statements, peer and client feedback and an interview at all levels. We have built an NCSC (National Cyber Security Centre) -accredited secure online system specifically for handling CCP applications and, as the assessments will be via interview, we offer the flexibility to hold interviews at evenings and weekends as well as during the working day.

Are there any pre-requisites to the scheme?

Currently the scheme is only available to individuals working in the United Kingdom who have a UK address. The scheme is aimed at individuals already working in the information assurance industry so prior knowledge and experience is essential in order to demonstrate competence in the applicable role. 

How will the assessment be done? What is the assessment process?

At Practitioner level a minimum of one technical assessor will conduct an assessment interview based on the evidence provided. For the Senior Practitioner, Principal and Lead Practitioner levels a minimum of two assessors will conduct the assessment - one a technical expert and one focused on the non-technical ‘business awareness & people skills’ areas required at these levels. All interviews will use technology (telephone or conference calls) unless this is not deemed appropriate for a valid reason.

Lead Practitioner applicants are required to give a presentation lasting 15-20 minutes, and the interview will be conducted after the presentation.

If I request a face to face interview, where will I need to travel to?

If, in exceptional circumstances, an applicant requires a face-to-face interview, this will be arranged at an agreed location on a date and time that is mutually convenient to both the applicant and the assessor(s). This is likely to delay the overall process.

How long will it take to get certified? How long does the process take?

From the time a fully completed application has been received our SLA is 30 days to confirming our certification decision. This may be extended if there are special requirements such as higher classifications of evidence needing to be provided or if face-to-face interviews are required.

When will the assessments be carried out?

There will be a number of time slots available throughout the day from which you will be able to select one that is convenient. The first interview time is 7am and the last interview slot is 7pm – interviews can be offered 7 days a week.

What happens if my evidence is classified?

APMG’s online processing system is accredited to CIL3 by NCSC (formerly CESG) and can accept evidence below SECRET.

How long is the certification valid for?

The certification will last 3 years after which a re-assessment will be carried out. This re-assessment will be based on all the information already held by APMG and the updates provided during the 3 year period. At the 18 month mark a review of the certification held will be carried out to ensure the code of conduct and professional development requirements are being met. Information can be supplied to update the application at any time after the initial assessment.

Will I get a certificate? How secure is the certificate?

If you are awarded certification you will not receive a paper certificate. Your certificate will be held in a secure online location and you will be able to access it using separate login credentials to your online application. The certificate will have a 2d index printed on it; this will show the correct name that should appear on the certificate ensuring it has not been tampered with.

Can I apply for more than one role on my application?

Yes, however you will be expected to apply for a main (or ‘primary’) role and the assessment process will be based on the requirements for that role. The main/primary role must be the highest level role that you are applying for. Additional roles can be included at an additional fee at the time of initial assessment. Additional evidence will be required for each of the additional roles.

Who will conduct the assessments? Who are your assessors?

All of our assessors hold the appropriate security clearance depending on the level required for the application. They are all experienced professionals in their own fields, some technical and some related to the softer skills of Senior and Lead Practitioners. They include IA/cyber security consultants, commercial and public sector employees, High Risk Gateway review team leaders, Best Practice authors and assessors from other related certification schemes. They will have been trained by the APMG auditor team who are in turn accredited by the UK Accreditation Service (UKAS).

Are there any additional requirements during the period of certification?

IA Professionals will be required to undergo re-validation at the mid-point of their certificate (i.e. 18 months after certification). The re-validation process will look at CPD and experience since certification was awarded. There is a fee for the cost of the re-validation and this fee covers all roles for which certification is held.

How much is it?

The application fee at Practitioner level is £400, Senior Practitioner is £600 and Lead Practitioner is £700.

There is an additional fee of £150 payable for re-validation which will take place 18 months after the date of certification. The re-validation fee is a single fee of £150 and covers all roles for which individuals are certified for.

What can I call myself after I certify? Do I get letters after my name?

You will be able to call yourself a Certified Professional for the specific role(s) and level(s) for which you have been certified. The following post nominals can also be used:-

  • CCP - for Practitioner level
  • SCCP - for Senior level
  • LCCP - for Lead level

 

Must I be of a certain seniority level?

Anyone can apply but an individual must meet the role Headline statement and provide evidence for each of the required skill competency levels for each role applied for. Details will be found in ‘CESG Certification for IA Professionals' at the following link : http://www.cesg.gov.uk/awarenesstraining/certified-professionals/Pages/index.aspx