IISP Skills Framework V1
SECURITY SKILLS FRAMEWORK
This skills framework describes the range of competencies expected of Information Security and Information Assurance Professionals in the effective performance of their roles. It was developed through collaboration between private and public sector organisations and world-renowned academics and security leaders. It defines the skills and capability expected of security professionals in practical application, not just an assessment of their knowledge. Not all roles require detailed experience in all competency areas; for more information about how the framework can be applied, please contact the Institute.
Level 1: (Awareness)
Understands the skill and its application. Has acquired and can demonstrate basic
knowledge associated with the skill. Understands how the skill should be applied but
may have no practical experience of its application.
Level 4: (Expert)
An authority who leads the development of the skill. Is acknowledged by peers as an expert in the skill. Has experience of applying the skill in circumstances without precedent. Proposes, conducts, and/or leads innovative work to enhance the skill.
The following definitions should be used when assessing your score for competencies in discipline J. Examples of experience within these disciplines are shown in Appendix B, and should be consulted before completion.

Skill: Teamwork and Leadership
Level 1: Works cooperatively and professionally with others. Task-based team working.
Level 2: Is encouraging and supportive and provides a lead within the local area.
Level 3: Encourages and challenges others. Provides a lead across an organisation.
Level 4: Inspires and involves others from inside and outside the organisation, environment in which others may develop leadership qualities.

Skill: Delivering
Level 1: Takes responsibility for completing own tasks.
Level 2: Responsibility for an element of delivery against one or more business objectives, balancing priorities to achieve this.
Level 3: Responsible for ensuring delivery is achieved against a portfolio of business objectives, overcoming obstacles to achieve goals.
Level 4: Responsible for achievement of overall business goals in own professional or functional area.

Skill: Managing Customer Relationships
Level 1: Understands and aims to meet customer requirements.
Level 2: Negotiates with customers to improve the service to them and to manage their expectations.
Level 3: Works with customers to ensure that their needs drive business plans.
Level 4: Uses customer priorities to drive organisations' plans, resolving the conflicting demands of different customers.

Skill: Corporate Behaviour
Level 1: Understands local objectives and organisation's aims. Is cost-effective in own work.
Level 2: Understands the aims of own and related areas across an organisation.
Level 3: Takes action to achieve greater corporate efficiency, in line with its strategic aims.
Level 4: Develops strategy and ensures the long-term cost-effectiveness of an organisation by understanding the influences upon it.

Skill: Change and Innovation
Level 1: Is positive about change, and suggests improvements possible in own area.
Level 2: Generates creative ideas, and demonstrates sensitivity in implementing local change.
Level 3: Contributes to change strategies and generates new ideas or approaches, going beyond the local area.
Level 4: Is innovative and radical. Champions considered, co-ordinated change through policy and planning.

Skill: Analysis and Decision Making
Level 1: Is methodical when making decisions and solves problems which impact on own work.
Level 2: Makes effective decisions in consultation with others and/or solves complex problems in immediate area.
Level 3: Makes effective decisions and/or solves complex problems in uncertain situations, or where the impact is greater than in the immediate working area.
Level 4: Makes effective strategic decisions and/or solves complex problems with strategic impact, or no precedent.

Skill: Communications and Knowledge Sharing
Level 1: Communicates clearly and shares knowledge with colleagues.
Level 2: Encourages and contributes to discussion. Is proactive in sharing information in own work-area.
Level 3: Is a persuasive communicator. Sets a lead in sharing knowledge effectively in diverse areas across an organisation.
Level 4: Is influential and diplomatic in negotiations with other organisations and formulates knowledge-sharing practice.
A2 - Policy & Standards
Developing and maintaining organisational security policies, standards and processes using recognised standards (such as the ISO 27000 family) where appropriate.
Developing and maintaining standards for appropriate personnel screening.
Developing and maintaining standards for appropriate physical storage of information.
Providing advice on the interpretation of policy.
Undertaking a gap analysis against relevant external policies, standards and guidelines, and initiating remedial action where appropriate.
A4 – Innovation & Business Improvement
Recognises potential strategic application of information security and initiates investigation and development of innovative methods of protecting information assets, to the benefit of the organisation and the interface between business and information security.
Exploits opportunities for introducing more effective secure business and operational processes.
A5 – Information Security Awareness and Training
Identifying security awareness and training needs in line with security strategy, business needs and strategic direction.
Gaining management commitment and resources to support awareness and training in information security.
Identifying the education and delivery mechanisms needed to grow staff in information security awareness and competence.
Managing the development or delivery of information security awareness and training programmes.
A6 – Legal & Regulatory Environment
Familiar with legal and regulatory requirements that could affect organisation security policies, and where to turn for specific detail as needed.
Relating the legal and regulatory environment within which the business operates to the risk management and security strategy tasks.
Ensuring security policies comply with all personal data protection laws and regulations relevant to the business.
Ensuring security policies support compliance with corporate governance practices.
Identifying where security can provide business advantage by addressing specific legal or regulatory needs.
A7 – Third Party Management
Identifying and advising on the technical, physical, personnel and procedural risks associated with third party relationships.
Assessing the level of confidence that third party security capabilities/services operate as defined.
IISP Skills Framework v6.3
Minimising the risk to an asset or product through the 'standard' design and development processes.
Verifying that a developed component, product or system meets its security criteria (requirements and/or policy, standards & procedures).
Analysing problem reports for signs of anomalous security issues, coordinating research into vulnerabilities and instigating corrective action where necessary.
Specifying and/or implementing processes that maintain the required level of security of a component, product, or system through its lifecycle.
Managing a system or component through a formal security assessment.
D2 – Security Testing
Testing processes for vulnerabilities, highlighting those that are not addressed by security policies, standards and procedures and advising on corrective measures.
Applying recognised testing methodologies, tools and techniques, developing new ones where appropriate.
Assessing the robustness of a system, product or technology against attack.
Applying commonly accepted governance practices and standards when testing in an operational environment.
E2 - Secure Operations & Service Delivery
Securely configuring information and communications equipment in accordance with relevant security policies, standards and guidelines.
Maintaining security records and documentation in accordance with Security Operating Procedures.
Administering logical and physical user access rights.
Monitoring processes for violations of relevant security policies (e.g. acceptable use, security, etc.)
F2 – Investigation
Working within the legal constraints imposed by the jurisdictions in which an organisation operates.
Carrying out an investigation into a breach of information security using all relevant sources of information including access logs, systems logs, camera footage, etc.
Assessing the need for Forensic activity, and coordinating the activities of specialist Forensic personnel within the overall response activities.
Engaging with the organisational Problem Management processes to ensure that Forensic services are deployed appropriately.
Providing a full security investigation capability where third parties, managed service providers, etc. are involved.
Analysing system information (e.g. system logs, network traffic, hard disks, virtual memory, etc.) for evidence of breaches of security policy or law.
Analysing software for malicious intent (malware).
H2 - Business Continuity Management
Developing and implementing procedures for responding to and stabilising the situation following an incident or event.
Establishing and managing an Emergency Operations Centre to be used as a command centre during the emergency.
Pre-planning and co-ordinating plan exercises, and evaluating and documenting plan exercise results.
Verifying that the plan will prove effective by comparison with a suitable standard, and reporting results in a clear and concise manner.
Establishing applicable procedures and policies for co-ordinating continuity and restoration activities with external agencies while ensuring compliance with applicable statutes or regulations.
Co-ordinating, evaluating, and exercising plans to communicate with internal stakeholders, external stakeholders and the media.
Level 1
♦ Communicates accurately and clearly
♦ Writes in clear plain English
♦ Is constructive when challenging others' ideas or decisions
♦ Accurately relays key points of meetings or documents to others
♦ Records and shares information and knowledge securely with all that can benefit from it
♦ Listens and learns effectively from others
♦ Follows corporate knowledge management guidance / good practice

Level 2
♦ Chooses content, language and style to suit the audience
♦ Produces work to a high standard, with well-reasoned arguments and clear conclusions
♦ Chooses the most effective communication method for the situation and individual
♦ Encourages and makes useful contributions to open debate or complex discussions
♦ Willingly shares information, good practice, knowledge and expertise with those who could benefit at all levels
♦ Chooses or sets up appropriate methods of storage and dissemination of information which balance the need to share with the need to know

Level 3
♦ Uses persuasive logic to win support or change views
♦ Chairs meetings effectively and facilitates negotiated agreement
♦ Addresses and discusses issues and concerns, keeping key stakeholders informed
♦ Takes responsibility for conveying bad or unwelcome news diplomatically
♦ Brings in knowledge-sharing strategies and shares experiences with other business areas or in diverse areas across the organisation
♦ Actively addresses problems associated with information flow, storage and overload.
♦ Promotes, contributes to, and enables departmental communications and knowledge sharing initiatives

Level 4
♦ Presents effectively and influentially to a range of audiences
♦ Is persuasive and diplomatic in inter-departmental discussions, or with other organisations or senior customers, without disclosing sensitive information
♦ Establishes clear fallback positions in negotiation, compromising where necessary
♦ Uses, promotes and develops ways in which to capture and share knowledge and information effectively yet securely, within local areas/organisations
♦ Articulates knowledge and experience to influence discussions on projects, programmes or policy