Much information assurance (IA) knowledge is common to multiple roles and it would be natural for many IA specialists to perform multiple roles in the course of a career. For small organisations, an IA specialist may perform multiple roles in one post.

Security and information risk advisor

To provide business-driven advice on the management of security and information risk consistent with the UK Government's IA policy or other sector specific guidance.

| Level | Standard |
| --- | --- |
| Practitioner | Assists customers in the routine application and interpretation of security or IA policies and practices |
| Senior practitioner | Enables provision of the security and information risk advisor service across a range of business units, sites, projects or other change activities |
| Lead practitioner | Influences management of security and information risk across a large organisation or across multiple client organisations |

Cyber security / IA architect

Drives beneficial security change into the business through the development or review of architectures so that they fit business requirements for security, mitigate the risks, conform to the relevant security policies and balance information risk against the cost of countermeasures.

| Level | Standard |
| --- | --- |
| Practitioner | Represents security requirements in the design and implementation of information system (IS) architectures |
| Senior practitioner | Enables the design and implementation of secure IS architectures |
| Lead practitioner | Influences the security of enterprise or solution architectures across the public sector or across the whole of a public sector organisation, or private sectors |

IA accreditor

Accreditation provides a risk owner with the basis to make an informed business decision on whether they should accept the risks associated with a given capability, balanced against the business opportunities it presents.

| Level | Standard |
| --- | --- |
| Practitioner | Makes routine accreditation decisions (where empowered to do so), accepting residual risk on behalf of their organisation where it is clearly within the normal risk appetite as declared by the Senior Information Risk Owner (SIRO) or the Board |
| Senior practitioner | Leads accreditation activity for complex or risky information systems |
| Lead practitioner | Ensures that the accreditation process supports and enables the business objectives and follows SPF outcomes, or other sector specific, or local arrangements |

Cyber security / IA auditor

Assesses an organisation's compliance with security objectives, policies, standards and processes, and provides impartial assessments and reports covering security investigations, information risk management and investment decisions in order to improve the organisation's information risk management.

| Level | Standard |
| --- | --- |
| Practitioner | Undertakes assigned routine or ad hoc audits to test compliance with IA policies or standards |
| Senior practitioner | Leads audit activity to meet complex audit objectives and takes responsibility for the audit findings |
| Lead practitioner | Proposes and delivers information risk driven audit programmes to senior information risk owners or an IA Board |

IT security officer

Provides governance, management and control of IT security.

| Level | Standard |
| --- | --- |
| Practitioner | Assists implementation of effective IT security in accordance with local policy |
| Senior practitioner | Enables effective IT security across a wide portfolio of IS |
| Lead practitioner | Influences corporate IT security |

Communications security (ComSO)

To manage cryptographic systems as detailed in the UK Government's IA Standard No. 4 (IS4), Management of Cryptographic Systems (reference [h]), and in relevant product specific Security Procedures, or in accordance with sector specific guidance such as PCI/DSS or tScheme.

| Level | Standard |
| --- | --- |
| Practitioner | Assists in the implementation of Comsec policy or monitoring compliance with it |
| Senior practitioner | Manages compliance with Comsec policy |
| Lead practitioner | Ensures compliance with IS4 (reference [h]) across the DSO's area of responsibility |