IISP gets a boost with ITPC takeover


The Institute of Information Security Professionals (IISP), a London-based professional membership organization, has received a major boost with news that it will take over the government's own security accreditation scheme.

The Infosec Training Paths and Competencies (ITPC) qualifications were launched six years ago by the Cabinet Office, and they were designed to offer recognised formal training and development for IT security professionals working for the U.K. government and related organisations. Nearly 300 professionals have gone through the scheme, and another 300 are registered and working toward ITPC accreditation. The scheme also embraces consultants registered under the CESG Listed Adviser Scheme (CLAS) programme.

The Cabinet Office has now passed responsibility for managing the ITPC to the IISP, which will work to merge its qualifications with those developed by ITPC. Holders of ITPC will automatically become associate members of IISP, and they will have the opportunity to progress to full membership.

IISP has three membership levels -- affiliate (beginners), associate (those with roughly two years' experience and probably some formal qualification such as CISSP or MSc), and full (those who demonstrate a high level of competence and delivery).

"This initiative with ITPC represents a huge step forward for the Institute," said Gerry O'Neill, IISP CEO. "It is a huge endorsement from HM Government at a time when information assurance is high on their agenda."

According to the Cabinet Office, registration for ITPC was closed last October in anticipation of it being subsumed by IISP.

The injection of ITPC holders will boost membership for the Institute. Current membership stands at around 1,000, including 150 who have been accredited as full members. The ITPC transition is expected to add a further 400 or 500.

The IISP was launched in January 2006 and initially attracted much enthusiasm and attention from security professionals in the U.K., who saw the need for a professional body to set standards and accredit practitioners. Progress, however, has been slow, although insiders say much work has been done in laying the foundations for a competency-based accreditation programme.

The drive for full membership has also been a slow process because it involves a paper assessment, an interview by two people and approval by an accreditation committee. But O'Neill said he was confident that the initial groundwork on developing a set of recognized competencies is paying off.

"Before I became CEO last April, I, too, was a bit frustrated at the apparent lack of progress," he said. "But once I was here, I could see the foundation that had been laid by the working groups drawn from industry, government and academia. We have defined 35 competences for assessment and accreditation, which range from the managerial/strategic down to technical and soft skills." He added that the ITPC, also being a competency-based scheme, mapped well with the IISP approach.

O'Neill also said that several corporations -- including the big-four consultancies and a number of large financial services -- are backing the IISP and making it a recognized qualification for staff. "It'll take the rest of this year before we see it appearing in recruitment adverts, but the momentum has started," he said. "Part of my task is to lift the veil of invisibility and show people what's possible and what we are doing."

IISP Competencies
The IISP divides the requirements of a professional approach to information security into the following types of skill and competence:
  • Technical
  • Process
  • Managerial
  • 'Soft skills' such as communication and influencing
  • Professional contribution

The intention is that each candidate will have a unique profile embodying a mix of these skills shown in the list below. The professional assessment for membership seeks to determine that the individual possesses the appropriate skill level (on a 1-4 scale) across the above spectrum, with minimum thresholds and core skills areas.

A1 – Governance
A2 – Policy and Standards
A3 – Information Security Strategy
A4 – Innovation and Business Improvement
A5 – Information Security Awareness and Training
A6 – Legal and Regulatory Environment
A7 – Third-Party Management
B1 – Risk Assessment
B2 – Risk Management
C1 – Security Architecture
C2 – Secure Development
D1 – Information Assurance Methodologies
D2 – Secure Testing
E1 – Secure Operations Management
E2 – Secure Operations and Secure Delivery
E3 – Vulnerability Assessment
F1 – Incident Management
F2 – Investigation
F3 – Forensics
G1 – Audit and Review
H1 – Business Continuity Planning
H2 – Business Continuity Management
I1 – Research
I2 – Academic Research
I3 – Applied Research
J1 – Teamwork and Leadership
J2 – Delivering
J3 – Managing Customer Relationships
J4 – Corporate Behaviour
J5 – Change and Innovation
J6 – Analysis and Decision-Making
J7 – Communication and Knowledge-Sharing
K1 – Contributions to the Community
K2 – Professional Contributions
K3 – Professional Development

Further information can be found at www.instisp.org.
