IISP Skills Framework V1


IISP INFORMATION SECURITY SKILLS FRAMEWORK

This skills framework describes the range of competencies expected of Information Security and Information Assurance Professionals in the effective performance of their roles. It was developed in collaboration between private and public sector organisations and world-renowned academics and security leaders. It defines the skills and capability expected of security professionals in practical application, not just an assessment of their knowledge. Not all roles require detailed experience in all competency areas; for more information about how the framework can be applied, please contact the Institute.

The framework is copyright of the Institute of Information Security Professionals and may be used in whole or in part only by our membership, those aspiring to be members or those others expressly licensed to use the material.

This is a maintained document and will continue to be updated based on the experience of our members and licensed users.

V6.3 July, 2010

About the Institute of Information Security Professionals (IISP)

The Institute of Information Security Professionals was set up in 2006 in the UK as an independent member-owned organisation to further the development of knowledge, skills and professionalism in Information Security and Assurance. For employers and professionals we offer the professional accreditations of Associate and full member (M.Inst.ISP) of the Institute. We also provide services for competency measurement, job role definition and benchmarking, and capability development to support our corporate members in their professional skills programmes.

We continue to develop in our role as the voice of the Information Security Profession.

The Institute can be contacted at:


Institute of Information Security Professionals
Unit 28, Basepoint Business Park, Evesham,
Worcs, WR11 1GP
+44 (0) 2033 840 399
www.iisp.org
email: info@iisp.org
The IISP Skills Framework – Scoring levels for Skills A-I

Definitions for Levels

The following definitions should be used when assessing your score for competencies in the disciplines A – I.

Level 1: (Awareness)
Understands the skill and its application. Has acquired and can demonstrate basic
knowledge associated with the skill. Understands how the skill should be applied but
may have no practical experience of its application.

Level 2: (Basic Application)
Understands the skill and applies it to basic tasks under some supervision. Has acquired the basic knowledge associated with the skill, for example has acquired an academic or professional qualification in the skill. Understands how the skill should be applied. Has experience of applying the skill to a variety of basic tasks. Determines when problems should be escalated to a higher level. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill.

Level 3: (Skilful Application)
Understands the skill and applies it to complex tasks with no supervision. Has
acquired a deep understanding of the knowledge associated with the skill.
Understands how the skill should be applied. Has experience of applying the skill to a
variety of complex tasks. Demonstrates significant personal responsibility or
autonomy, with little need for escalation. Contributes ideas in the application of the
skill. Demonstrates awareness of recent developments in the skill. Contributes ideas
for technical development and new areas for application of the skill.

Level 4: (Expert)
An authority who leads the development of the skill. Is an acknowledged expert by peers in the skill. Has experience of applying the skill in circumstances without precedent. Proposes, conducts, and/or leads innovative work to enhance the skill.

IISP Skills Framework V6.3

Copyright © The Institute of Information Security Professionals. All rights reserved.


The Institute of Information Security Professionals® IISP®, M.Inst.ISP® and various IISP graphic logos are
trademarks owned by The Institute of Information Security Professionals and may be used only with
express permission of the Institute.
Page 1 of 22
The IISP Skills Framework – Scoring levels for Skill J

The following definitions should be used when assessing your score for competencies in discipline J. Examples of experience within these disciplines are shown in Appendix B, and should be consulted before completion.

Teamwork and Leadership
Level 1: Works cooperatively and professionally with others. Task-based team working.
Level 2: Is encouraging and supportive and provides a lead within the local area.
Level 3: Encourages and challenges others. Provides a lead across an organisation.
Level 4: Inspires and involves others from inside and outside the organisation, environment in which others may develop leadership qualities.

Delivering
Level 1: Takes responsibility for completing own tasks.
Level 2: Responsibility for an element of delivery against one or more business objectives, balancing priorities to achieve this.
Level 3: Responsible for ensuring delivery is achieved against a portfolio of business objectives, overcoming obstacles to achieve goals.
Level 4: Responsible for achievement of overall business goals in own professional or functional area.

Managing Customer Relationships
Level 1: Understands and aims to meet customer requirements.
Level 2: Negotiates with customers to improve the service to them and to manage their expectations.
Level 3: Works with customers to ensure that their needs drive business plans.
Level 4: Uses customer priorities to drive organisations’ plans, resolving the conflicting demands of different customers.

Corporate Behaviour
Level 1: Understands local objectives and organisation’s aims. Is cost-effective in own work.
Level 2: Understands the aims of own and related areas across an organisation.
Level 3: Takes action to achieve greater corporate efficiency, in line with its strategic aims.
Level 4: Develops strategy and ensures the long-term cost-effectiveness of an organisation by understanding the influences upon it.

Change and Innovation
Level 1: Is positive about change, and suggests improvements possible in own area.
Level 2: Generates creative ideas, and demonstrates sensitivity in implementing local change.
Level 3: Contributes to change strategies and generates new ideas or approaches, going beyond the local area.
Level 4: Is innovative and radical. Champions considered, co-ordinated change through policy and planning.

Analysis and Decision Making
Level 1: Is methodical when making decisions and solves problems which impact on own work.
Level 2: Makes effective decisions in consultation with others and/or solves complex problems in immediate area.
Level 3: Makes effective decisions and/or solves complex problems in uncertain situations, or where the impact is greater than in the immediate working area.
Level 4: Makes effective strategic decisions and/or solves complex problems with strategic impact, or no precedent.

Communications and Knowledge Sharing
Level 1: Communicates clearly and shares knowledge with colleagues.
Level 2: Encourages and contributes to discussion. Is proactive in sharing information in own work-area.
Level 3: Is a persuasive communicator. Sets a lead in sharing knowledge effectively in diverse areas across an organisation.
Level 4: Is influential and diplomatic in negotiations with other organisations and formulates knowledge-sharing practice.

The Institute of Information Security Professionals Skills Framework Skills Definitions A - I

SECTION A Security Discipline - Information Security Management

Principle: Capable of determining, establishing and maintaining appropriate governance of (including processes, roles, awareness strategies, legal environment and responsibilities), delivery of (including policies, standards and guidelines), and cost-effective solutions (including impact of third parties) for information security within a given organisation.

Skills Group | Example Skills | Claimed Skills Group Competency

A1 - Governance
♦ Establishing frameworks to develop and maintain appropriate information security expertise within an organisation.
♦ Gaining management commitment and resources to support the governance structure.
♦ Incorporating physical, personnel and procedural issues into the overall security governance process.
♦ Relating an organisation’s business needs to their requirements for information security.
♦ Encouraging an information risk awareness culture within an organisation. For example, raising awareness of how the various forms of social engineering can be used to compromise information.
♦ Establishing frameworks for maintaining the security of information throughout its lifecycle.

A2 - Policy & Standards
♦ Developing and maintaining organisational security policies, standards and processes using recognised standards (such as the ISO 27000 family) where appropriate.
♦ Developing and maintaining standards for appropriate personnel screening.
♦ Developing and maintaining standards for appropriate physical storage of information.
♦ Providing advice on the interpretation of policy.
♦ Undertaking a gap analysis against relevant external policies, standards and guidelines, and initiating remedial action where appropriate.

A3 – Information Security Strategy
♦ Balancing of cost against security risk for the business.
♦ Interpreting external requirements and standards in terms relevant to an organisation.
♦ Balancing technical, physical, personnel and procedural controls to address information risks in the most effective way.

A4 – Innovation & Business Improvement
♦ Recognises potential strategic application of information security and initiates investigation and development of innovative methods of protecting information assets, to the benefit of the organisation and the interface between business and information security.
♦ Exploits opportunities for introducing more effective secure business and operational processes.

A5 – Information Security Awareness and Training
♦ Identifying security awareness and training needs in line with security strategy, business needs and strategic direction.
♦ Gaining management commitment and resources to support awareness and training in information security.
♦ Identifying the education and delivery mechanisms needed to grow staff in information security awareness and competence.
♦ Managing the development or delivery of information security awareness and training programmes.

A6 – Legal & Regulatory Environment
♦ Familiar with legal and regulatory requirements that could affect organisation security policies, and where to turn for specific detail as needed.
♦ Relating the legal and regulatory environment within which the business operates to the risk management and security strategy tasks.
♦ Ensuring security policies comply with all personal data protection laws and regulations relevant to the business.
♦ Ensuring security policies support compliance with corporate governance practices.
♦ Identifying where security can provide business advantage by addressing specific legal or regulatory needs.

A7 – Third Party Management
♦ Identifying and advising on the technical, physical, personnel and procedural risks associated with third party relationships.
♦ Assessing the level of confidence that third party security capabilities/services operate as defined.
Section B Security Discipline - Information Risk Management

Principle: Capable of articulating the different forms of threat to, and vulnerabilities of, information systems and assets. Comprehending and managing the risks relating to information systems and assets.

Skills Group | Example Skills | Claimed Skills Group Competency

B1 – Risk Assessment
♦ Identification of assets that require protection.
♦ Identification of relevant threats to the assets.
♦ Identification of exploitable vulnerabilities.
♦ Assessing the level of threat posed by potential threat agents.
♦ Producing an information security risk assessment.
♦ Determining the business impact of a risk being realised.

B2 – Risk Management
♦ Developing information risk management strategies to reduce the risk.
♦ Including information risk management strategies in business risk processes.
♦ Gaining management commitment to the support of the information risk elements of business risk management.
♦ Adapting the risk management strategy to address changes in the threat environment and in business risk.
♦ Selecting the most appropriate tools and techniques for auditing effectiveness of mitigation measures in place.

Section C Security Discipline - Implementing Secure Systems

Principle: Comprehends the common technical security controls available to prevent, detect and recover from security incidents and to mitigate risk. Capable of articulating security architectures relating to business needs and commercial product development that can be realised using available tools, products, standards and protocols, delivering systems assured to have met their security profile using accepted methods.

Skills Group | Example Skills | Claimed Skills Group Competency

C1 – Security Architecture
♦ Interpreting relevant security policies and risk profiles into secure architectural solutions that mitigate the risks and conform to legislation.
♦ Presenting security architecture solutions as a view within broader IT architectures.
♦ Relating security architectures to business needs and risks.
♦ Working with recognised security architecture.
♦ Devising standard solutions that address requirements delivering specific security functionality, whether for a business solution or for a product.
♦ Minimising the risk to an asset or product through “standard” security architecture practices.
♦ Delivering the security architecture that supports the risk management strategy using current security technologies and techniques.
♦ Maintaining awareness of the security advantages and vulnerabilities of common products and technologies.
♦ Minimising the risk to an asset or product through the use of “standard” security technologies and products.
♦ Designing and developing processes for maintaining the security of an asset or product through its full life cycle.
♦ Designing robust and fault-tolerant security mechanisms and components appropriate to the perceived risks.
♦ Selecting the appropriate security products, components and technologies to meet a security requirement.
♦ Selecting the most appropriate information interchange protocols that meet the security requirements.

C2 – Secure Development
♦ Implementing secure systems, products and components using an appropriate methodology.
♦ Defining and implementing secure development standards and practices including, where relevant, formal methods.
♦ Selecting and implementing appropriate test strategies to demonstrate security requirements are met.
♦ Defining and implementing appropriate processes for transfer of a product/system to operation/sale/live use.
♦ Defining and implementing appropriate secure change and fault management processes.
♦ Minimising the risk to an asset or product through the ‘standard’ design and development processes.
♦ Verifying that a developed component, product or system meets its security criteria (requirements and/or policy, standards & procedures).
♦ Analysing problem reports for signs of anomalous security issues, coordinating research into vulnerabilities and instigating corrective action where necessary.
♦ Specifying and/or implementing processes that maintain the required level of security of a component, product, or system through its lifecycle.
♦ Managing a system or component through a formal security assessment.

SECTION D Security Discipline - Information Assurance Methodologies and Testing

Principle: Develops and applies standards and strategies for verifying that measures taken mitigate identified risks.

Skills Group | Example Skills | Claimed Skills Group Competency

D1 – Information Assurance Methodologies
♦ Developing methodologies for assessing the correct implementation of mitigation measures.
♦ Assessing the level of assurance provided by a security mechanism, system or product in accordance with one or more recognised methodologies and standards.
♦ Assessing whether a process is “fit for purpose” and meets the security requirements.

D2 – Security Testing
♦ Testing processes for vulnerabilities, highlighting those that are not addressed by security policies, standards and procedures and advising on corrective measures.
♦ Applying recognised testing methodologies, tools and techniques, developing new ones where appropriate.
♦ Assessing the robustness of a system, product or technology against attack.
♦ Applying commonly accepted governance practices and standards when testing in an operational environment.

SECTION E Security Discipline - Operational Security Management

Principle: Capable of managing all aspects of a security programme, including reacting to new threats and vulnerabilities, secure operational and service delivery consistent with security policies, standards and procedures, and handling security incidents of all types according to common principles and practices, consistent with legal constraints and obligations.

Skills Group | Example Skills | Claimed Skills Group Competency

E1 - Secure Operations Management
♦ Establishing processes for maintaining the security of information throughout its existence.
♦ Establishing and maintaining Security Operating Procedures in accordance with security policies, standards and procedures.
♦ Coordinating penetration testing on information processes against relevant policies.
♦ Assessing and responding to new technical, physical, personnel or procedural vulnerabilities.
♦ Managing implementation of information security programmes, and co-ordinating security activities across the organisation.

E2 - Secure Operations & Service Delivery
♦ Securely configuring information and communications equipment in accordance with relevant security policies, standards and guidelines.
♦ Maintaining security records and documentation in accordance with Security Operating Procedures.
♦ Administering logical and physical user access rights.
♦ Monitoring processes for violations of relevant security policies (e.g. acceptable use, security, etc.).

E3 – Vulnerability Assessment
♦ Analysing internal problem reports for signs of anomalous security issues.
♦ Monitoring, collating and filtering external vulnerability reports for organisational relevance, ensuring that relevant vulnerabilities are rectified through formal change processes.
♦ Engaging with the Change Management process to ensure that vulnerabilities are remediated.
♦ Ensuring that disclosure processes are put in place to restrict the knowledge of new vulnerabilities until appropriate remediation or mitigation is available.
♦ Producing warning material in a manner that is both timely and intelligible to the target audience(s).

SECTION F Security Discipline - Incident Management

Principle: Capable of managing or investigating an information security incident at all levels.

F1 – Incident Management
♦ Engaging with the overall organisation Incident Management process to ensure that security incidents are handled appropriately.
♦ Defining and implementing processes and procedures for detecting breaches of security policy.
♦ Defining and implementing processes for carrying out investigations into breaches of security policy.
♦ Establishing and maintaining a Computer Security Emergency Response Team or similar to deal with breaches of security policy.
♦ Co-ordinating the response to a breach of security policy.
♦ Providing a full security response where third parties, managed service providers, etc. are involved.

F2 – Investigation
♦ Working within the legal constraints imposed by the jurisdictions in which an organisation operates.
♦ Carrying out an investigation into a breach of information security using all relevant sources of information including access logs, systems logs, camera footage, etc.
♦ Assessing the need for Forensic activity, and coordinating the activities of specialist Forensic personnel within the overall response activities.
♦ Engaging with the organisational Problem Management processes to ensure that Forensic services are deployed appropriately.
♦ Providing a full security investigation capability where third parties, managed service providers, etc. are involved.

F3 - Forensics
♦ Seizing evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business and maintain evidential weight.
♦ Deploying specialist equipment to monitor for attempted system compromise.
♦ Analysing system information (e.g. system logs, network traffic, hard disks, virtual memory, etc.) for evidence of breaches of security policy or law.
♦ Analysing software for malicious intent (malware).

SECTION G Security Discipline - Audit, Assurance & Review

Principle: Capable of defining and implementing the processes and techniques used in verifying compliance against security policies, standards, legal and regulatory requirements.

Skills Group | Example Skills | Claimed Skills Group Competency

G1 - Audit & Review
♦ Verifying that information processes meet the security criteria (requirements or policy, standards and procedures).
♦ Defining and implementing processes to verify on-going conformance to security requirements.
♦ Carrying out security compliance audits in accordance with an appropriate methodology.

SECTION H Security Discipline - Business Continuity Management

Principle: Capable of defining the need for, and of implementing processes for establishing, business continuity.

Skills Group | Example Skills | Claimed Skills Group Competency

H1 - Business Continuity Planning
♦ Establishing the need for a Business Continuity Management (BCM) Process or Function.
♦ Determining the events and external surroundings that can adversely affect an organisation.
♦ Providing cost-benefit analysis to justify investment in controls to mitigate risks.
♦ Determining and guiding the selection of possible business operating strategies for minimising disruption.
♦ Designing, developing, and implementing Business Continuity and Crisis Management Plans.
♦ Preparing a programme to create and maintain corporate awareness and enhance the skills required to develop and implement the Business Continuity Management Programme.
♦ Developing processes that maintain the currency of continuity capabilities and plan documents in accordance with the organisation’s strategic direction.
♦ Developing, co-ordinating, and evaluating plans to communicate with internal stakeholders, external stakeholders and the media.

H2 - Business Continuity Management
♦ Developing and implementing procedures for responding to and stabilising the situation following an incident or event.
♦ Establishing and managing an Emergency Operations Centre to be used as a command centre during the emergency.
♦ Pre-planning, mounting and co-ordinating plan exercises, and evaluating and documenting plan exercise results.
♦ Verifying that the plan will prove effective by comparison with a suitable standard, and reporting results in a clear and concise manner.
♦ Establishing applicable procedures and policies for co-ordinating continuity and restoration activities with external agencies while ensuring compliance with applicable statutes or regulations.
♦ Co-ordinating, evaluating, and exercising plans to communicate with internal stakeholders, external stakeholders and the media.

SECTION I Security Discipline - Information Systems Research

Principle: Original investigation in order to gain knowledge and understanding relating to information security, including the invention and generation of ideas, performances and artefacts where these lead to new or substantially improved insights; and the use of existing knowledge in experimental development to produce new or substantially improved devices, products and processes.

Skills Group | Example Skills | Claimed Skills Group Competency

I1 – Research
♦ Defines research goals and generates original and worthwhile ideas in a specialised field within information security. Develops, reviews and constructively criticises ideas, makes observations and conducts tests.
♦ Presents papers at conferences, writes journal papers of publication quality and/or presents reports of an equivalent technical standard to research clients – all relating to advancing knowledge in one or more fields of information security.
♦ Contributes to the development of the employing organisation’s research policy and supervises the work of research functions.

I2 - Academic Research
♦ Development of new crypto algorithms.
♦ Development of improved theories of information.
♦ Development of new ways for protecting information in specific environments (e.g. when being communicated).

I3 – Applied Research
♦ Investigation of vulnerabilities in current and potential technologies and techniques.
♦ Development of secure development tools, such as formal methods tools.
♦ Development of improved assurance methods.

The Institute of Information Security Professionals Skills Framework Skills Definition J

J1 - Teamwork and Leadership

Level 1: Works cooperatively and professionally with others. For example….
♦ Is co-operative, and open to requests
♦ Is aware of impact of own behaviour on others
♦ Respects and values others for their qualities and differences and is sensitive to their differing needs and views
♦ Encourages and supports team spirit and morale, helping work to be enjoyable and stimulating for all
♦ Takes a lead when appropriate
♦ Plays a full part and helps everyone to achieve team goals
♦ Supports and encourages task-based team working

Level 2: Is encouraging and supportive and provides a lead within the local area. For example….
♦ Openly celebrates success, and recognises accomplishments
♦ Empowers colleagues by giving them the information and authority needed to complete tasks
♦ Creates and leads formal, informal or virtual teams and/or creates collaborative links with related teams
♦ Addresses, and seeks to resolve, conflict within teams
♦ Provides support and feedback to encourage and develop colleagues
♦ Identifies and enables development opportunities for others
♦ Provides technical leadership in their professional field within the organisation
♦ Develops others through coaching, mentoring and advising colleagues

Level 3: Encourages and challenges others. Provides a lead across an organisation. For example….
♦ Challenges prejudice, intolerance, cynicism and complacency in others
♦ Encourages others to take sensible risks, and is supportive if honest mistakes result
♦ Encourages further opportunities for flexible ways of working
♦ Encourages team identity and commitment in others
♦ Initiates the setting up of formal, informal or virtual teams or support and/or encourages others to do so; follows through to conclusion
♦ Contributes to multi-agency or cross-disciplinary teams
♦ Takes action to provide an environment in which others may develop leadership qualities

Level 4: Inspires and involves others from inside and outside the organisation. For example….
♦ Inspires others to achieve, and sets a good example
♦ Resolves major organisational or professional conflicts in a positive and constructive manner
♦ Contributes to and/or leads teams within their profession
♦ Provides technical leadership in their professional field at national and/or international level
♦ Leads others in strategic decisions directly affecting them
♦ Ensures that the organisation builds on and uses the differences and strengths of the individuals within it

J2 - Delivering

Responsible for completing own tasks. For example….
♦ Monitors progress against objectives
♦ Shows a 'can-do', self-motivated attitude
♦ Takes responsibility for own actions and learns from mistakes
♦ Appreciates knock-on effect if work isn't finished on time
♦ Keeps calm under pressure
♦ Delivers high quality results to the best of ability, aiming for success, not merely the avoidance of failure
♦ Resolves problems, even if beyond direct responsibility
♦ Takes the initiative to obtain information necessary for delivery

Responsible for an element of delivery against one or more business objectives, balancing priorities to achieve this. For example….
♦ Tackles complex tasks and/or new problems, breaking down the task into discrete steps
♦ Plans, prioritises and sets milestones and deadlines, to ensure delivery of business objectives
♦ Manages time effectively, balancing competing demands
♦ Identifies personal and / or team (formal, informal or virtual) objectives from the business plan
♦ Effectively uses diverse talents, technology and resources to deliver within agreed parameters
♦ Uses own professional and / or managerial knowledge and experience to drive forward delivery

Responsible for ensuring delivery is achieved against a portfolio of business objectives, overcoming obstacles to achieve goals. For example….
♦ Plans ahead for self and / or others to achieve business objectives
♦ Identifies key performance criteria, to monitor effectiveness of the work
♦ Sets realistic deadlines, and warns early on if they cannot be met.
♦ Focuses on goals and is not set back by obstacles
♦ Aligns work with business objectives
♦ Focuses on achieving the objective, using own professional and / or managerial knowledge and experience effectively

Responsible for achievement of overall business goals in own professional or functional area. For example….
♦ Puts in place mechanisms to identify problems and monitor progress against plans
♦ Plans for future skills, and identifies training and development and resourcing needs in own area
♦ Ensures that organisational goals are identified in accordance with the corporate plan and reflected in own and others’ objectives
♦ Is prepared to take risks and be accountable for their own and others’ decisions and actions
♦ Uses own professional and/or managerial knowledge and experience to shape delivery against business objectives.

J3 - Managing Customer Relationships

Understands and aims to meet customer requirements. For example….
♦ Seeks to quickly satisfy customers' needs
♦ Is responsive to customer requests
♦ Demonstrates knowledge of the customer-base and understands their requirements
♦ Makes realistic commitments to customers
♦ Explains when customer expectations cannot be met

Negotiates with customers to improve the service to them and to manage their expectations. For example….
♦ Seeks to improve the provision of a high quality and tailored service
♦ Negotiates achievable and efficient solutions with customers
♦ Is open to new ways of serving customers if their needs require it
♦ Maintains regular contact with customers to understand and anticipate their needs
♦ Builds customer awareness of capability
♦ Explains to customers why their expectations cannot be met

Works with customers to ensure that their needs drive business plans. For example….
♦ Works with customers to adopt a creative approach to exploit new opportunities
♦ Ensures that long- and short-term customer needs drive plans
♦ Works with customers to understand their aims and needs
♦ Actively manages customer base

Uses customer priorities to drive organisational plans, resolving the conflicting demands of different customers. For example….
♦ Uses customers' strategic goals and outcomes to drive the area/Department's policies and plans
♦ Demonstrates understanding of the links between customers' strategic goals and policies
♦ Shows awareness of the pressures under which customers operate and their impact
♦ Identifies and seeks to resolve conflicts between different customers' strategies and priorities

J4 - Corporate Behaviour

Understands local objectives and organisational aims. Is cost-effective in own work. For example….
♦ Demonstrates knowledge of how own job contributes to the organisation’s aims.
♦ Appreciates organisational aims, and the regulations and laws that govern its actions, and acts in accordance with them
♦ Strives for excellence while ensuring best value and fitness for purpose
♦ Measures performance by value added, not resources consumed
♦ Prioritises and monitors allocation of local resources and improves efficiency
♦ Seeks to maximise the benefits from activities
♦ Changes or stops activities that are no longer cost-effective

Understands the aims of own and related areas across the organisation. Maximises the cost-effectiveness of area or team. For example….
♦ Works within organisational policies, procedures, security and legal constraints
♦ Identifies issues facing own and related work areas, and the organisation as a whole
♦ Ensures colleagues understand how their work contributes to Departmental aims
♦ Builds extensive informal networks of contacts across the Department and / or external organisations
♦ Takes account of resources and strategic aims in making plans
♦ Delivers greater efficiency through flexible use and monitoring of organisational resources.

Takes action to achieve greater corporate efficiency, in line with strategic aims. For example….
♦ Looks beyond local needs to the common good
♦ Seeks to be aware of issues that are of corporate importance
♦ Remains committed even when in personal disagreement with a policy
♦ Shows an understanding of, and interprets for others, relevant policy or security issues
♦ Provides feedback on the costs and implications of proposals and issues

Develops strategy and ensures the long-term cost-effectiveness of the organisation by understanding the influences upon it. For example….
♦ Contributes to policy and strategy formulation and the creation of programmes and projects in line with strategic plans.
♦ Demonstrates an understanding of, and acts on, vital strategic issues, responding appropriately to external threats and opportunities
♦ Builds a wide-ranging network of internal and external senior contacts, drawing on them as appropriate
♦ Keeps up-to-date with political influences on the organisation and information security profession

J5 - Change and Innovation

Is positive about change, and suggests improvements in own area. For example….
♦ Looks for opportunities to be innovative, suggesting how to do things better
♦ Responds constructively and flexibly to change or feedback
♦ Takes change forward when possible
♦ Readily picks up and applies relevant new skills, attending training if necessary
♦ Openly discusses mistakes to enable avoidance in the future

Generates creative ideas, and demonstrates sensitivity in implementing local change. For example….
♦ Demonstrates personal commitment to change and is open-minded and forward looking
♦ Seeks to remove barriers to change
♦ Works effectively in uncertain circumstances or without clear parameters
♦ Contributes own learning (both formal and experience) to development of new ideas
♦ Generates innovative solutions to technical, managerial and / or organisational problems / issues, looking beyond the superficial
♦ Consults others, and acknowledges their opinions and feelings, in making and communicating change
♦ Builds a positive, blame-free environment to encourage learning from mistakes

Contributes to change strategies and generates new ideas or approaches, going beyond the local area. For example….
♦ Provides direction in times of uncertainty
♦ Builds in flexibility to cope with the unexpected
♦ Considers potential risks and implications in the design and / or implementation of new ideas or approaches
♦ Maintains own expertise and keeps up to date with developments in relevant areas
♦ Generates new and creative ideas or approaches (technical, managerial and / or organisational) in seeking to develop the organisation’s capability.
♦ Encourages others to innovate
♦ Manages change sensitively and positively, and encourages a positive attitude to change in others

Is innovative and radical. Champions considered, co-ordinated change through policy and planning. For example….
♦ Encourages a culture in which people see change as natural and positive
♦ Contributes to organisational change, aiming to impact most on performance and reduce bureaucracy
♦ Ensures change is pertinent, co-ordinated, communicated and followed through
♦ Uses expertise to direct own and others' learning and development
♦ Identifies ways in which to increase innovation within area or organisation
♦ Thinks laterally. Is innovative and radical, breaking new ground
♦ Considers impact on others when planning new initiatives

J6 - Analysis and Decision Making

Is methodical when making decisions and solves problems which impact on own work. For example….
♦ Has an objective and methodical approach to analysis of information
♦ Identifies relevant information to contribute to the decision-making process
♦ Takes timely decisions, despite limited information, or when under pressure
♦ Draws on past experience to make an informed decision without being limited by preconceptions
♦ Uses others’ knowledge, capabilities and skills to achieve goals where appropriate
♦ Takes account of constructive feedback when revising decisions

Makes effective decisions in consultation with others and / or solves complex problems in immediate area. For example….
♦ Seeks, identifies and exploits relevant information
♦ Interprets relevant data, and key points, even without a clearly identified starting point, to make recommendations and support an argument
♦ Evaluates options, benefits and risks in making decisions
♦ Develops quality solutions based on an understanding of known requirements, limitations and constraints
♦ Enlists others' support, seeking willing agreement in making decisions

Makes effective decisions and/or solves complex problems in uncertain situations, or where the impact is greater than in the immediate working area. For example….
♦ Establishes policy guidelines that provide a sound basis for decisions
♦ Identifies, and is well-briefed on, issues likely to come to prominence
♦ Assimilates and interprets complex information to identify trends, inconsistencies and risks
♦ Uses knowledge and experience to assess requests and plans, and back up arguments
♦ Takes unpopular decisions when necessary to achieve the required outcome
♦ Judges when to empower others to make decisions

Makes effective strategic decisions and/or solves complex problems with strategic impact, or no precedent. For example….
♦ Evaluates and challenges policy
♦ Considers the wider implications of decisions or proposals
♦ Grasps, and acts on, key points from a wide range of issues
♦ Makes decisions based on risk management, rather than risk avoidance

J7 - Communications and Knowledge Sharing

Communicates clearly and shares knowledge with colleagues. For example….
♦ Communicates accurately and clearly
♦ Writes in clear plain English
♦ Is constructive when challenging others' ideas or decisions
♦ Accurately relays key points of meetings or documents to others
♦ Records and shares information and knowledge securely with all that can benefit from it
♦ Willingly shares information, good practice, knowledge and expertise with those who could benefit
♦ Follows corporate knowledge management guidance / good practice

Encourages and contributes to discussion. Is proactive in sharing information in own work-area. For example….
♦ Chooses content, language and style to suit the audience
♦ Produces work to a high standard, with well-reasoned arguments and clear conclusions
♦ Chooses the most effective communication method for the situation and individual
♦ Encourages and makes useful contributions to open debate or complex discussions
♦ Listens and learns effectively from others at all levels
♦ Chooses or sets up appropriate methods of storage and dissemination of information which balance the need to share with the need to know

Is a persuasive communicator. Sets a lead in sharing knowledge effectively in diverse areas across the organisation. For example….
♦ Uses persuasive logic to win support or change views
♦ Chairs meetings effectively and facilitates negotiated agreement
♦ Addresses and discusses issues and concerns, keeping key stakeholders informed
♦ Takes responsibility for conveying bad or unwelcome news diplomatically
♦ Uses, promotes and develops ways in which to capture and share knowledge and information effectively yet securely, within local areas or in diverse areas across the organisation
♦ Actively addresses problems associated with information flow, storage and overload.
♦ Promotes, contributes to, and enables departmental communications and knowledge sharing initiatives

Is influential and diplomatic in negotiations with other departments/organisations and formulates knowledge-sharing strategies. For example….
♦ Presents effectively and influentially to a range of audiences
♦ Is persuasive and diplomatic in inter-departmental discussions, or with other organisations or senior customers, without disclosing sensitive information
♦ Establishes clear fallback positions in negotiation, compromising where necessary
♦ Brings in knowledge-sharing strategies and shares experiences with other business areas/organisations
♦ Articulates knowledge and experience to influence discussions on projects, programmes or policy

