
IT - Information Security Qualifications

Formal qualifications are increasingly important for information security professionals. The most widely recognised include qualifications from ISACA, the Information Systems Audit and Control Association; (ISC)², the International Information Systems Security Certification Consortium; and ISEB, the Information Systems Examinations Board. Examinations are available in many languages and at many centres around the world.

Details of examining bodies, with appropriate links, are provided on this site. Many courses can be booked online here, and all the official study and exam guides for these qualifications can also be ordered directly from our online shop for immediate delivery.

The two ISACA qualifications, both of which are ANSI-accredited, are:

CISA - Certified Information Systems Auditor (Official CISA Review Manual)
CISM - Certified Information Security Manager (Official CISM Review Manual)

The six (ISC)2 qualifications are:

CISSP - Certified Information Systems Security Professional (CISSP exam guide)
ISSAP - Information Systems Security Architecture Professional
ISSMP - Information Systems Security Management Professional
ISSEP - Information Systems Security Engineering Professional (ISSEP exam guide)
CAP - Certification and Accreditation Professional (official CAP text book)
SSCP - Systems Security Certified Practitioner (SSCP exam guide)

From an information security perspective, the key ISEB qualification is the ISO 27001-based Certificate in Information Security Principles.

The CISSP, ISSEP and CAP qualifications are all ANSI-accredited.

Here is more detailed information about these certifications and the organisations that provide them:

International Information Systems Security Certification Consortium (ISC)²

(ISC)² is a not-for-profit organisation that developed the information security common body of knowledge (CBK) and a certification programme for information systems security professionals. There are pre-qualification requirements in terms of professional experience. (ISC)² offers the following qualifications:

Certified Information Systems Security Professional (CISSP)

The CISSP certification provides information security professionals with an objective measure of competence and a globally recognised standard of achievement. The CISSP credential suits mid- and senior-level managers who are working toward or have already attained positions as CISOs, CSOs or Senior Security Engineers.
(Official CISSP textbook)

Systems Security Certified Practitioner (SSCP)

The SSCP certification is for information security technicians who have implementation experience. The SSCP credential is ideal for those working toward or who have already attained positions as Senior Network Security Engineers, Senior Security Systems Analysts or Senior Security Administrators.
(SSCP Prep Guide)

Certification and Accreditation Professional (CAP)

The CAP credential is specifically designed for security professionals involved in certification and accreditation. This qualification supports those formalising processes used to assess risk and establish security requirements, as well as ensuring information systems possess security appropriate for their level of exposure to potential risk.
(Official CAP textbook)

CISSP Concentrations

ISSAP Concentration in Architecture
ISSEP Concentration in Engineering (Official ISSEP Study Guide)
ISSMP Concentration in Management

For experienced information security professionals with an existing (ISC)² qualification in good standing, (ISC)² Concentrations demonstrate in-depth knowledge of a subject area.

More information about (ISC)² qualifications can be found at www.isc2.org

British Computer Society (BCS)/Information Systems Examinations Board (ISEB)

The British Computer Society (BCS) is the UK's Chartered Engineering Institution for Information Systems Engineering. Through the Information Systems Examinations Board (ISEB), the BCS provides industry-recognised qualifications that measure competence, ability and performance in information security.

Certificate in Information Security Management Principles (CISMP)

This qualification, which is based on ISO 27001, provides a base level of knowledge for individuals who are thinking of moving into a security or security-related function. It also offers the opportunity to those for whom security responsibility is already part of their day-to-day role to enhance or refresh their knowledge. (Official BCS CISMP textbook)

More information about the CISMP can be found at www.bcs.org

Information Systems Audit and Control Association (ISACA)

The Information Systems Audit and Control Association (ISACA) was founded in the United States. It is an international association of professionals involved in information systems audit, control, quality assurance and security; it is well known for the computer audit qualification CISA and has chapters all round the globe.

Certified Information Systems Auditor (CISA)

CISA is a certification for information systems (IS) audit, control and security professionals. It recognises an individual's achievements in conducting information system audits. Candidates looking to gain the CISA certification must sit an examination, submit evidence of a minimum of 5 years' IS auditing, security or control work and agree to abide by ISACA's Code of Professional Ethics. (Official CISA Review Manual)

Certified Information Security Manager (CISM)

The CISM certification programme is for experienced information security managers and those who have information security management responsibilities. It is for security professionals who manage, design, oversee and/or assess an enterprise's information security. The CISM certification promotes international practices and provides executive management with assurance that those earning the designation have the required experience and knowledge to provide effective security management and consulting services. (Official CISM Review Manual)

More information about the CISA and CISM qualifications can be found at www.isaca.org

SANS Institute

The SANS (SysAdmin, Audit, Network, Security) Institute was established in the US in 1989 as a cooperative research and education organisation. It enables more than 165,000 security professionals, auditors, system administrators, and network administrators to share the lessons they are learning and find solutions to the challenges they face. SANS is supported by security practitioners in government agencies, corporations, and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community.

Global Information Assurance Certification (GIAC)

The SANS Institute founded GIAC in 1999 in order to validate the skills of security professionals. SANS training and GIAC certifications address a range of skill sets including entry-level Information Security Officer and broad-based Security Essentials, as well as advanced subject areas like Audit, Intrusion Detection, Incident Handling, Firewalls and Perimeter Protection, Forensics, Hacker Techniques, Windows and Unix Operating System Security. GIAC is unique in measuring specific skill knowledge areas instead of general-purpose security knowledge.

More information about SANS and GIAC can be found at www.sans.org and www.giac.org

International Register of Certificated Auditors (IRCA)

IRCA was formed in 1984 as part of the UK government's enterprise initiative, designed to make industry and business more competitive through the implementation of quality principles and practices. This structure included IRCA, an accreditation body (now UKAS), a national standards-making body (BSI Standards) and a number of commercial certification bodies. IRCA is the world's original and largest international certification body for auditors of management systems.

Information Security Management Systems (ISMS) Auditor

IRCA offers five grades of certification, and most auditors progress from provisional auditor to the auditor grade and then to either lead or principal grades (these last two are considered the most advanced grades).

More information about the IRCA Auditor certifications can be found at www.irca.org

British Standards Institute (BSI)

BSI Group is a leading business services provider that operates on a worldwide basis. It provides independent certification (registration) of management systems and products; product testing services; the development of private, national and international standards; performance management software solutions; management systems training; and information on standards and international trade.

ISO 27001:2005 Lead Auditor

This qualification is appropriate for those wishing to audit an Information Security Management System (ISMS) in accordance with ISO 27001:2005, for existing security auditors who wish to expand their auditing skills, and possibly for consultants who wish to provide advice on ISO 27001:2005 systems certification.

Internal Auditor - ISO/IEC 27001:2005 Information Security Management

This qualification is aimed at personnel who already have an understanding of ISO/IEC 27001:2005. It is suited to managers who are co-ordinating audit activities and to individuals who have been given the responsibility to audit an Information Security Management System.

More information about BSI certifications can be found at www.bsi-global.com

Cabinet Office - Central Sponsor for Information Assurance (CSIA)

The CSIA is a unit of the UK Government's Cabinet Office and works with partners in the public and private sectors, as well as its international counterparts, to help safeguard the UK's IT and telecommunications services. The CSIA provides a central focus for information assurance in the UK.

Infosec Training Paths and Competencies (ITPC)

ITPC qualifications offer recognised formal training and development for IT security professionals working for the UK government and related organisations. The scheme develops and supports infosec core competency profiles for key security roles within UK government and related sectors. ITPC is the 'recommended qualification' for CESG Listed Adviser Scheme (CLAS) consultants undertaking work for government clients.

More information about the ITPC qualification can be found at www.cabinetoffice.gov.uk

Communications-Electronics Security Group (CESG)

CESG is the Information Assurance (IA) arm of the UK's GCHQ. CESG offers a range of products and services including technical consultancy and advice, policy documentation, product evaluation and training, primarily to UK government and the armed forces, the wider public sector, and industries forming part of the Critical National Infrastructure.

CESG Listed Adviser Scheme (CLAS)

CLAS is a partnership linking the Information Assurance knowledge of the CESG with the expertise and resources of the private sector. CLAS consultants are approved to provide Information Assurance advice on systems processing protectively marked information up to, and including, SECRET. The scheme is particularly relevant to consultants dealing with Government clients.

CHECK - IT Health Check

To become a CHECK Team Leader you must pass the CHECK Service Assault Course (CSAC), a rigorous assessment that measures IT security consultants against a baseline skill set of practical penetration testing. The CSAC can only be taken by security professionals working for a CHECK-approved service provider.

More information about CLAS and CHECK can be found at www.cesg.gov.uk/clas and www.cesg.gov.uk/site/check/index.cfm

International Council of Electronic Commerce Consultants (EC-Council)

The EC-Council is a member-supported professional organisation. The purpose of the EC-Council is to support and enhance the role of individuals and organisations who design, create, manage or market e-Business solutions.

Certified Ethical Hacker (CEH)

The CEH programme certifies individuals in the specific discipline of ethical hacking from a vendor-neutral perspective. The Certified Ethical Hacker certification will fortify the application knowledge of security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure. (Official CEH Review Guide)

More information about the CEH and other qualifications offered by the EC-Council can be found at www.eccouncil.org

CompTIA Certification UK

CompTIA certification programmes are recognised industry standards for foundation-level information technology (IT) skills. Best known for the A+ certification, CompTIA offers certifications in key technology areas. Many of the certifications are electives or prerequisites toward advanced certifications, such as Microsoft's MCSA and Novell's CNE.

CompTIA Security+

The CompTIA Security+ certification tests the security knowledge of an individual with two years' on-the-job networking experience, with an emphasis on security. The exam covers industry-wide topics, including communication security, infrastructure security, cryptography, access control, authentication, external attack, and operational and organisational security. (CompTIA Security+ exam guide)

More information about the CompTIA Security+ qualification can be found at www.comptia-certification.co.uk

Postgraduate Degree Courses in Information Security

There are a number of academic courses in information security. A broad selection of those available in the UK is listed below.

Open University - Information Security Management: www3.open.ac.uk
Royal Holloway, University of London - MSc in Information Security: www.isg.rhul.ac.uk
Royal Holloway, University of London - PhD in Security: www.isg.rhul.ac.uk
Westminster University - MSc in IT Security: www.wmin.ac.uk
Loughborough University - MSc in Security Management: www.lboro.ac.uk
UCL, Adastral Park - MSc in Information Security: www.mscinfosec.adastral.ucl.ac.uk
University of Salford - MSc in Information Security: www.isi.salford.ac.uk
University of Glamorgan - MSc in Information Security & Computer Crime: www.glam.ac.uk
Sheffield Hallam University - MSc in Information Systems Security: www.shu.ac.uk
Southampton University - MSc in Corporate Risk & Security Management: www.management.soton.ac.uk

© 2003 - IT Governance Ltd.