These notes accompany the short video lecture giving an overview of cybersecurity in the UK from the viewpoint of the organisations involved, careers, and frameworks and standards. Watch the video for more remarks.
There are inevitably more organisations, courses, standards, etc. that we could include here. I am focussing on the ones that I see as particularly relevant or noteworthy in my day-to-day practice. In general, presence or absence on this list is not an endorsement or otherwise….
Declaration of interest: I am a member of two of the bodies mentioned below (BCS and CIISec). This project was funded by RAEng.
Links all last checked July 2022.
British Computer Society (BCS), “The Chartered Institute for IT” — “broad church” body offering a range of professional accreditation, plus various qualifications / certifications
Chartered Institute of Information Security (CIISec) — formerly the Institute of Information Security Professionals (IISP). Specialist infosec body offering professional membership. Of particular note is its Skills Framework
The Institution of Engineering and Technology (IET) — a “multidisciplinary professional engineering institution”, formed from two precursor bodies (IEE and IIE) themselves with a long history
Engineering Council (EngC) — “The Engineering Council is the UK regulatory body for the engineering profession. We hold the national registers of over 229,000 Engineering Technicians (EngTech), Incorporated Engineers (IEng), Chartered Engineers (CEng) and Information and Communications Technology Technicians (ICTTech).” Importantly, BCS and IET are two of the PEIs or licensed member institutions
Royal Academy of Engineering (RAEng) — “a charity delivering public benefit, a National Academy providing progressive leadership, and a Fellowship bringing together an unrivalled community of leaders from every part of engineering and technology”
Association of Computing Machinery (ACM) — US-based learned society for computing, with world-wide reach
Institute of Electrical and Electronics Engineers (IEEE) — US-based professional association, with world-wide reach
The National Cyber Security Centre (NCSC), part of Government Communications Headquarters (GCHQ) — a successor to the Communications-Electronics Security Group (CESG) (you will still see “CESG” on various documents and standards from time to time!), and incorporates some other national elements.
The UK government produces a range of materials on cyber security. Of particular note is the [National Cyber Strategy](https://www.gov.uk/government/publications/uk-national-cyber-strategy-2022). Part of the government’s work includes a January 2022 consultation on “Embedding standards and pathways across the cyber profession by 2025”. This relates to the UKCSC (next item!)…
The UK Cyber Security Council (UKCSC) — claims to be a “voice for the cyber security profession”
Information Commissioner’s Office (ICO)
Cyber Essentials — one of the most useful schemes for organisations. Promotes a good standard of security hygiene and is effectively essential if wanting to sell products or services into the public sector
Cyber Essentials Plus — adds a technical audit to the Cyber Essentials scheme
ISO/IEC 27000-series aka ISO27k — a set of standards published by the International Organization for Standardization
The US National Institute of Standards and Technology (NIST) has a Computer Security Resource Center
European Union Agency for Cybersecurity (ENISA) — some excellent resources relating to data protection and technical controls
(ISC)2 is one of many organisations providing certifications. Of particular interest for educators is “Cybersecurity principles and learning outcomes for computer science and IT-related degrees”. Although dating from 2015, the five core themes in this CPHC/(ISC)2 paper provide a solid baseline for generalist ICT students
UK academics will (should!) be aware of the QAA subject benchmark statement on computing, which specifically mentions security both within the threshold for a bachelor’s honours degree and as a specific discipline
Cyber Security Body of Knowledge (CyBOK) — currently version 1.1, covering 21 knowledge areas — detailed
Vendor-specific — vendors, such as Microsoft, Cisco and Amazon (AWS), provide (or license) training courses and certification. The value of these varies widely, with much depending on your actual practice
Generalist ICT / computing — you need a solid understanding of general information security, particularly risks and when to call on an expert. The CPHC/(ISC)2 paper above is a good baseline, along with an awareness of the ICO’s resources (e.g., when should a project be referred to data protection / information security specialists?)
Specialist infosec / cybersecurity…