IA Professional Assessment Standards – Re-certification
Applicant Name: / Assessor 1: / Date: / Assessor 2 (if applicable):
Role(s) and level(s) certified for: / CESG Framework version number candidate was assessed against:
Section 1: Headline Role Statements
These statements define the expectations for the role and must be assessed explicitly. Compliance with the relevant statement(s) is mandatory.
Use a scale of 1 – 4 (1 – not demonstrated, 2 – occasionally demonstrated, 3 – frequently demonstrated, 4 – consistently demonstrated).
Role / Level / Standard / Desk Check Evidence / Post interview evidence / Agreed Level
Accreditor / Practitioner / Makes routine accreditation decisions (where empowered to do so), accepting residual risk on behalf of their organisation where it is clearly within the normal risk appetite as declared by the Senior Information Risk Owner (SIRO) or the Board.
Accreditor / Senior Practitioner / Leads accreditation decision making for complex or risky information systems.
Accreditor / Lead Practitioner / Ensures that the accreditation process supports and enables the business objectives and follows SPF outcomes, or other sector specific, or local arrangements.
IA Auditor / Practitioner / Undertakes assigned routine or ad hoc audits to test compliance with IA policies or standards.
IA Auditor / Senior Practitioner / Leads audit activity to meet complex audit objectives and takes responsibility for the audit findings.
IA Auditor / Lead Practitioner / Proposes and delivers information risk driven audit programmes to Senior Information Risk Owners or an IA Board.
IA Architect / Practitioner / Represents security requirements in the design and implementation of IS architectures.
IA Architect / Senior Practitioner / Enables the design and implementation of secure IS architectures.
IA Architect / Lead Practitioner / Influences the security of enterprise or solution architectures across the public sector or across the whole of a public sector organisation or private sectors.
Security and Information Risk Advisor / Practitioner / Assists customers in the routine application and interpretation of security or IA policies and practices.
Security and Information Risk Advisor / Senior Practitioner / Enables provision of the Security & Information Risk Advisor service across a range of business units, sites, projects or other change activities.
Security and Information Risk Advisor / Lead Practitioner / Influences management of security and information risk across large organisations or across multiple client organisations.
IT Security Officer (ISSO) / Practitioner / Assists implementation of effective IT security in accordance with local policy.
IT Security Officer (ISSM) / Senior Practitioner / Enables effective IT security across a wide portfolio of IS.
IT Security Officer (ITSO) / Lead Practitioner / Influences corporate IT security.
Communications Security (Comsec practitioner) / Practitioner / Assists in the implementation of Comsec policy or monitoring compliance with it.
Communications Security (Comsec Manager) / Senior Practitioner / Manages compliance with Comsec policy.
Communications Security (ComSO) / Lead Practitioner / Ensures compliance with IS4 across the DSO’s area of responsibility.
Penetration Tester / Practitioner / Applies knowledge and contributes to the successful delivery of penetration testing services.
Penetration Tester / Senior Practitioner / Enables the successful delivery of penetration testing services.
Penetration Tester / Principal / Ensures the successful delivery of penetration testing services.
Penetration Tester / Lead Practitioner / Initiates and influences the application of penetration testing services throughout an organisation.
Section 2: SFIA Responsibility Levels
Please refer to the CESG Certification Framework for guidance on the level of skill required and the way it may be demonstrated specifically for each role.
SFIA attributes of responsibility 1: Autonomy
Proficiency Descriptions (Practitioner / Senior Practitioner / Lead Practitioner) / Agreed Level
Practitioner:
- Works under routine supervision.
- Uses minor discretion in resolving problems or enquiries.
- Works without frequent reference to others.
Senior Practitioner:
- Works under general direction within a clear framework of accountability.
- Exercises substantial personal responsibility and autonomy.
- Plans own work to meet given objectives and processes.
Lead Practitioner:
- Has defined authority and responsibility for a significant area of work, including technical, financial and quality aspects.
- Establishes organisational objectives and delegates responsibilities.
- Is accountable for actions and decisions taken by self and subordinates.
Practitioner/Senior/Lead (select appropriate option for each role)
Evidence
SFIA attributes of responsibility 2: Influence
Proficiency Descriptions (Practitioner / Senior Practitioner / Lead Practitioner) / Agreed Level
Practitioner:
- Interacts with and may influence immediate colleagues.
- May have some external contact with customers and suppliers.
- May have more influence in own domain.
Senior Practitioner:
- Influences team and specialist peers internally.
- Influences customers at account level and suppliers.
- Has some responsibility for the work of others and for the allocation of resources.
- Participates in external activities related to own specialism.
- Makes decisions which influence the success of projects and team objectives.
Lead Practitioner:
- Influences policy formation on the contribution of own specialism to business objectives.
- Influences a significant part of own organisation and influences customers/suppliers and industry at senior management level.
- Makes decisions which impact the work of employing organisations, achievement of organisational objectives and financial performance.
- Develops high-level relationships with customers, suppliers and industry leaders.
Practitioner/Senior/Lead (select appropriate option for each role)
Evidence
SFIA attributes of responsibility 3: Complexity
Proficiency Descriptions (Practitioner / Senior Practitioner / Lead Practitioner) / Agreed Level
Practitioner:
- Performs a range of varied work activities in a variety of structured environments.
Senior Practitioner:
- Performs a broad range of complex technical or professional work activities, in a variety of contexts.
Lead Practitioner:
- Performs highly complex work activities covering technical, financial and quality aspects.
- Contributes to the formulation of IT strategy.
- Creatively applies a wide range of technical and/or management principles.
Practitioner/Senior/Lead (select appropriate option for each role)
Evidence
SFIA attributes of responsibility 4: Business Skills
Proficiency Descriptions (Practitioner / Senior Practitioner / Lead Practitioner) / Agreed Level
Practitioner:
- Understands and uses appropriate methods, tools and applications.
- Demonstrates a rational and organised approach to work.
- Is aware of health and safety requirements.
- Identifies and negotiates own development opportunities.
- Has sufficient communications skills for effective dialogue with colleagues.
- Is able to work in a team.
- Is able to plan, schedule and monitor own work within short time horizons.
- Absorbs technical information when it is presented systematically and applies it effectively.
Senior Practitioner:
- Selects appropriately from applicable standards, methods, tools and applications.
- Demonstrates an analytical and systematic approach to problem solving.
- Communicates fluently orally and in writing, and can present complex technical information to both technical and non-technical audiences.
- Facilitates collaboration between stakeholders who share common objectives.
- Plans, schedules and monitors work to meet time and quality targets and in accordance with relevant legislation and procedures.
- Rapidly absorbs new technical information and applies it effectively.
- Has a good appreciation of the wider field of information systems, their use in relevant employment areas and how they relate to the business activities of the employer or client.
- Maintains an awareness of developing technologies and their application and takes some responsibility for personal development.
Lead Practitioner:
- Absorbs complex technical information and communicates effectively at all levels to both technical and non-technical audiences.
- Assesses and evaluates risk.
- Understands the implications of new technologies.
- Demonstrates clear leadership and the ability to influence and persuade.
- Has a broad understanding of all aspects of IT and deep understanding of own specialism(s).
- Understands and communicates the role and impact of IT in the employing organisation and promotes compliance with relevant legislation.
- Takes the initiative to keep both own and subordinates' skills up to date and to maintain an awareness of developments in the IT industry.
Practitioner/Senior/Lead (select appropriate option for each role)
Evidence
Section 3: Referees
A minimum of two referees must be contacted. Copy and insert additional tables for further referees.
Referee 1
Referee name: / Telephone number: / Date of Interview: / Assessor:
Role applicable to (if applying for multiple roles):
Can the referee verify that the applicant meets the required headline statement(s) for the relevant role(s) detailed in Section 1 of this document?
Can the referee verify that the applicant met the relevant responsibility level(s) as detailed in section 2 of this document?
Referee 2
Referee name: / Telephone number: / Date of Interview: / Assessor:
Role applicable to (if applying for multiple roles):
Can the referee verify that the applicant meets the required headline statement(s) for the relevant role(s) detailed in Section 1 of this document?
Can the referee verify that the applicant met the relevant responsibility level(s) as detailed in section 2 of this document?
Section 4: Continuing Professional Development (CPD)
Date of Review: / Assessor: / Role applicable to (if applying for multiple roles):
The following activities demonstrate continuing professional development in the role(s):
Section 5: Recommendation
For all the roles applied for, does the applicant meet all four SFIA attributes of responsibility (autonomy, influence, complexity and business skills)? Note: good evidence of only 3 of the 4 can be accepted, subject to there being no evidence that the applicant was actually weak in the remaining attribute.
Yes No
For all the roles applied for, does the applicant meet the headline statement and all of the core skills, including any mandatory requirements within these? Yes No
For all the roles applied for, does the applicant meet 75% of all the relevant skills? Yes No
For all the roles applied for, does the applicant demonstrate adequate and appropriate activities to illustrate continuing professional development in all roles? Yes No
Assessor recommendation:
Role and level / Re-certification successful?
Skill (for Security and Information Risk Advisor and IA Auditor roles only) / Core Skill? / Skill / Core Skill?
A1 – Governance / E1 – Secure Operations Management
A2 – Policy & Standards / E2 – Secure Ops & Service Delivery
A3 – Information Security Strategy / E3 – Vulnerability Assessment
A4 – Innovation and Business Improvement / F1 – Incident Management
A5 – IS Awareness and Training / F2 – Investigation
A6 – Legal & Regulatory Environment / F3 – Forensics
A7 – Third Party Management / G1 – Audit and Review
B1 – Risk Assessment / H1 – Business Continuity Planning
B2 – Risk Management / H2 – Business Continuity Management
C1 – Security Architecture / I1 – Research
C2 – Secure Development / I2 – Academic Research
D1 – IA Methodologies / I3 – Applied Research
D2 – Security Testing
Assessor comments (if applicable):
Assessor(s) signature(s): ______ Date: ______
Certification Confirmation: / Decision:
Signature: ______ Date: ______
© APM Group Limited 2014
IA Professional Assessment Standards – Re-certification – August 2015
Version 1.1 (Status – Live) / Owner – Product Owner
Page 1 of 13