Evidence Form for IA Professional Certification

List here the roles and levels for which you are applying.

1.

2.

3.

If applying for the Security and Information Risk Advisor role please also list the core competences you have chosen – four for Practitioner level, five for Senior Practitioner level and six for Lead Practitioner level.

If applying for the IA Auditor role, please list the three core competences you have chosen – you must include G1 and then three more from the remaining five for all levels of application.

You are required to provide two pieces of evidence against each competence, and not just the core skills. These should be directly related to a role or assignment given in your CV or other documentation and cross-referencing to the relevant part of your CV should also be provided. If applying for more than one role you may need to provide more pieces of evidence for some or all competences in order to provide sufficient evidence to support all the roles.

For more information about each of the competences and the standard required for each role/level use the CESG Certification Framework document which is available for download from the Resources section.

| ID | IISP Skill | Level 1 | Level 2 | Level 3 | Level 4 | My Evidence |
|---|---|---|---|---|---|---|
| A1 | Governance | Understands local arrangements for Information Governance (IG) | Applies IG standards or processes to local area and to clients beyond it | Develops IG standards or processes; applies IG principles across the organisation | Leads development of IG at the organisation level or has influence at national or international standards level | 1. 2. |
| A2 | Policy & Standards | Understands the need for policy and standards to achieve Information Security (IS) | With supervision and aligned with business objectives, authors or provides advice on IS policy or standards | Without supervision, advances business objectives through development or interpretation of a range of IS policies or standards | A recognised expert in IS policy and standard development | 1. 2. |
| A3 | Information Security Strategy | Understands the purpose of IS strategy to realise business benefits | Contributes to development or implementation of IS strategy under supervision | Influences investment decisions or risk appetites through contribution to development or implementation of IS strategy | A recognised expert in IS strategy development or implementation | 1. 2. |
| A4 | Innovation & Business Improvement | Is aware of business benefits of good IS | Applies IS to achieve business objectives with some supervision | Supports realisation of strategic business benefits through innovative application of IS | Develops and promotes new concepts for business improvement through IS which are widely adopted across the public sector or an industry sector | 1. 2. |
| A5 | Information Security Awareness & Training | Understands the role of security awareness and training in maintaining information security | Materially contributes to improving security awareness with some supervision | Delivers or manages the delivery of training on multiple aspects of IS | A recognised authority on the development of IS Awareness & Training | 1. 2. |
| A6 | Legal & Regulatory Environment | Is aware of major pieces of legislation relevant to IS and of regulatory bodies relevant to the sector in which they work | Understands applicable legislation and regulations relating to IS in the context of own or client organisations | Influences business practices affecting IS through the application of legislation and regulations | Is an authority on an area of legislation or regulation relevant to IS | 1. 2. |
| A7 | Third Party Management | Is aware of the need for organisations to manage the information security of third parties | With supervision, contributes to developing or maintaining compliance by third parties with the contracting authority's IS policies and standards | Enhances organisational IS through broad influence on third party management | Advances best practice in third party management with respect to information security | 1. 2. |
| B1 | Risk Assessment | Demonstrates awareness of the causes of information risk and their implications | Understands how to produce risk assessments | Produces complex risk assessments that influence senior risk owners, managers or other stakeholders | Influences development of risk assessment methodologies across and beyond an organisation | 1. 2. |
| B2 | Risk Management | Demonstrates awareness of techniques to manage information risk | Contributes to management of risks to information systems with supervision | Advises management on information risk across a business unit or organisation | Advances the practice of information risk management across the public sector or an industry sector or internationally | 1. 2. |
| C1 | Security Architecture | Is aware of the concept of architecture to reduce information risk | Applies architectural principles to security design with some supervision | Applies architectural principles to complex systems or to bring structure to disparate systems | Extends the influence of security architecture principles across the public sector or an industry sector | 1. 2. |
| C2 | Secure Development | Is aware of the benefits of addressing security during system development | Contributes to the development of secure systems with some supervision | Applies and improves secure development practices used across multiple projects, systems or products | Is an authority on the development of secure systems | 1. 2. |
| D1 | Information Assurance Methodologies | Is aware of the existence of methodologies, processes and standards for providing Information Assurance | Applies an IA methodology or standard with some supervision | Verifies risk mitigation using IA methodologies | Enhances the capability of IA methodologies to realise business benefits across the public sector or an industry sector | 1. 2. |
| D2 | Security Testing | Is aware of the role of testing to support IA | Effectively applies testing methodologies, tools or techniques with some supervision | Provides assurance on the security of a product or process through effective testing | Advances assurance standards across a product range, technology or industry sector through rigorous security testing | 1. 2. |
| E1 | Secure Operations Management | Is aware of the need for secure management of information systems | Monitors the application of SyOPs with some supervision | Manages the development of SyOPs for use across multiple information systems or manages compliance with them | An authority on Security Operations Management, working across the public sector or an industry sector | 1. 2. |
| E2 | Secure Operations & Service Delivery | Is aware of the need for information systems and services to be operated securely | Effectively applies SyOPs with some supervision | Develops SyOPs for use across multiple information systems or maintains compliance with them | Influences SyOPs used across the public sector or an industry sector | 1. 2. |
| E3 | Vulnerability Assessment | Is aware of the need for vulnerability assessment to maintain Information Security | Obtains and acts on vulnerability information in accordance with Security Operating Procedures | Ensures that information risk managers respond appropriately to relevant vulnerability information | Is an authority on the use or impact of vulnerability assessments across the public sector or an industry sector | 1. 2. |
| F1 | Incident Management | Is aware of the benefits of managing security incidents | Contributes to security incident management | Manages security incidents | Is an authority on security incident management across the public sector or an industry sector | 1. 2. |
| F2 | Investigation | Is aware of the basic principles of investigations | Contributes to investigations into security incidents | Leads investigations into security incidents, manages a team of investigators or provides skilled support | Is an authority on security investigations | 1. 2. |
| F3 | Forensics | Is aware of the capability of forensics to support investigations | Contributes to forensic activities, with some supervision | Manages forensic capability or provides skilled support | Is an authority on forensics | 1. 2. |
| G1 | Audit and Review | Understands basic techniques for testing compliance with security criteria (policies, standards, legal and regulatory requirements) | Audits compliance with security criteria in accordance with an appropriate methodology | Influences senior information risk owners or business managers through information risk driven auditing | Advances the influence of security auditing across the public sector or across an industry sector | 1. 2. |
| H1 | Business Continuity Planning | Understands how Business Continuity Planning and Management contributes to information security | Contributes to the definition of business continuity processes to maintain information security | Leads definition or implementation of business continuity processes to maintain information security across a business unit or organisation | Is an authority on information security aspects of Business Continuity | 1. 2. |
| H2 | Business Continuity Management | Understands how Business Continuity Planning and Management contributes to information security | Contributes to the definition of business continuity processes to maintain information security | Leads definition or implementation of business continuity processes to maintain information security across a business unit or organisation | Is an authority on information security aspects of Business Continuity | 1. 2. |
| I1 | Research | Not defined | Not defined | Not defined | Not defined | 1. 2. |
| I2 | Academic Research | Not defined | Not defined | Not defined | Not defined | 1. 2. |
| I3 | Applied Research | Understands the fundamental concepts of applied research but does not yet have the knowledge needed to apply this skill in an operational context | Performs research activities under supervision | Leads research tasks, working independently and coaching others | Acknowledged as a leader in the research community | 1. 2. |


For IA Architects only

| ID | SFIA Skill | Level 2 | Level 3 | Level 4 | Level 5 | My Evidence |
|---|---|---|---|---|---|---|
| STPL | Enterprise Architecture | Not defined | Not defined | Not defined | Contributes to the creation and review of a systems capability strategy. | 1. 2. |
| ARCH | Solution Architecture | Not defined | Not defined | Not defined | Uses appropriate tools, including logical models of components and interfaces, to contribute to the development of systems architectures in specific business or functional areas. | 1. 2. |
| EMRG | Emerging Technology Monitoring | Not defined | Not defined | Not defined | Monitors the market to gain knowledge and understanding of currently emerging technologies. | 1. 2. |
| BSMO | Business Modelling | Understands the purpose and benefits of modelling. | Conversant with techniques covering the full range of modelling situations. | Conducts advanced modelling activities for significant change programmes and across multiple business functions. | Produces models in support of business strategy. | 1. 2. |
| REQM | Requirements Definition & Management | Uses established techniques as directed to identify current problems and elicit, specify and document business functional, data and non-functional requirements for simple subject areas with clearly defined boundaries. | Defines scope and business priorities for small-scale changes and may assist in larger scale scoping exercises. | Facilitates scoping and business priority-setting for change initiatives of medium size and complexity. | Facilitates scoping and business priority-setting for change initiatives of medium size and complexity. | 1. 2. |
| DESN | Systems Design | Undertakes complete design of simple applications using simple templates and tools. | Specifies user/system interfaces, and translates logical designs into physical designs taking account of target environment, performance requirements and existing systems. | Recommends/designs structures and tools for systems which meet business needs. | Specifies and designs large or complex systems. | 1. 2. |
| NTDS | Network Design | Not defined | Not defined | Not defined | Produces outline system designs and specifications, and overall architecture, topologies, configuration databases and design documentation of networks and networking technology within the organisation. | 1. 2. |

© APM Group Limited

Evidence Form – April 2015

Version 2.4 (Live) Page 1 of 13 Owner – Product Owner