Certified Cyber Security Consultancy is CESG's approach to assessing the services provided by consultancies and confirming that they meet CESG's standards. This is a new approach to help Government, the wider public sector and industry get the right cyber security consultancy services to help them protect their information and to do business online with citizens safely. Certified Cyber Security Consultancy will provide a pool of consultancy services, delivered by industry companies and evaluated by CESG, to meet growing demand for high quality, tailored, expert advice.
This approach replaces the CESG Listed Advice Scheme (CLAS), which focussed on individual consultants. Certified Consultancy builds on the strength of CLAS but certifies the competence of suppliers to deliver a wider and more complex range of cyber security consultancy services to both the public and private sectors.
CESG has set the standard for "what good looks like" for cyber security consultancy and will evaluate all companies against this rigorous standard. Companies certified through this scheme will offer cyber security consultancy with CESG's explicit endorsement, giving customers access to the very best industry experts and confidence in the services they procure.
The Certified Cyber Security Consultancies are assessed according to the services that they offer - here are some examples of the types of service which may be offered:
- Governance - helping customers to understand what good governance looks like and how to improve it in the context of their business;
- Policy and Standards - providing advice and guidance on policies, standards and procedures required to support the customer's approach to IA and cyber security;
- Information Security Strategy - helping the customer to develop a strategic approach to IA and cyber security;
- Legal and Regulatory Environment - helping the customer to understand the legal and regulatory landscape in the context of their business and cyber security;
- Risk Assessment - undertaking and documenting risk assessments on behalf of customers to help them identify and tackle relevant IA and cyber security risks;
- Risk Management - recommending how to manage IA and cyber security risks;
- Security Architecture - designing and developing security architectures that take account of business outcomes;
- Information Assurance Methodologies - helping customers to understand how to achieve, and maintain confidence in, the application of IA and cyber security;
- Incident Management - advising customers on the best approach to incident management for their business; and
- Audit & Review - conducting checks, reviews and audits and providing reports to show compliance with internal and external IA and cyber security policies and procedures.
Within these categories, there may still be a wide variety in the type of service offered. Prospective customers may wish to select a consultancy based upon the information provided or invite a short list to tender against their requirements.
Are security clearances required? CESG sponsors security clearances for named individuals of certified consultancies but there is no obligation for their staff to be cleared. If security clearances are required, stipulate this in any invitation to tender.
Does the service provider have cyber security expertise in your sector of interest? Business objectives and threat levels vary significantly between sectors and drive different working practices.