The roles are outlined below. There is no prescribed career path through the roles.
Much information assurance (IA) knowledge is common to multiple roles and it would be natural for many IA specialists to perform multiple roles in the course of a career. For small organisations, an IA specialist may perform multiple roles in one post.
Security and information risk advisor
To provide business-driven advice on the management of security and information risk consistent with the UK Government's IA policy or other sector specific guidance.
|Practitioner||Assists customers in the routine application and interpretation of security or IA policies and practices|
|Senior practitioner||Enables provision of the security and information risk advisor service across a range of business units, sites, projects or other change activities|
|Lead practitioner||Influences management of security and information risk across a large organisation or across multiple client organisations|
Cyber security / IA architect*
Drives beneficial security change into the business through the development or review of architectures so that they; fit business requirements for security, mitigate the risks and conform to the relevant security policies and balance information risk against cost of countermeasures.
|Practitioner||Represents security requirements in the design and implementation of information system (IS) architectures|
|Senior practitioner||Enables the design and implementation of secure IS architectures|
|Lead practitioner||Influences the security of enterprise or solution architectures across the public sector or across the whole of a public sector organisation, or private sectors|
* Please note: BCS are not currently able to offer Lead Cyber Security / IA Architect.
Accreditation provides a risk owner with the basis to make an informed business decision on whether they should accept the risks associated with a given capability, balanced against the business opportunities it presents.
|Practitioner||Makes routine accreditation decisions (where empowered to do so), accepting residual risk on behalf of their organisation where it is clearly within the normal risk appetite as declared by the Senior Information Risk Owner (SIRO) or the Board|
|Senior practitioner||Leads accreditation activity for complex or risky information systems|
|Lead practitioner||Ensures that the accreditation process supports and enables the business objectives and follows SPF outcomes, or other sector specific, or local arrangements|
Cyber security / IA auditor
Assess an organisation’s compliance with security objectives, policies, standards and processes and provide impartial assessment and reports covering security investigations, information risk management and investment decisions to improve an organisation’s information risk management.
|Practitioner||Undertakes assigned routine or ad hoc audits to test compliance with IA policies or standards|
|Senior practitioner||Leads audit activity to meet complex audit objectives and takes responsibility for the audit findings|
|Lead practitioner||Proposes and delivers information risk driven audit programmes to senior information risk owners or an IA Board|
IT security officer
Provides governance, management and control of IT security.
|Practitioner||Assists implementation of effective IT security in accordance with local policy|
|Senior practitioner||Enables effective IT security across a wide portfolio of IS|
|Lead practitioner||Influences corporate IT security|
Communications security (ComSO)
To manage cryptographic systems as detailed in the UK Government's IA Standard No. 4 (IS4), Management of Cryptographic Systems (reference [h]), and in relevant product specific Security Procedures, or in accordance with sector specific guidance such as PCI/DSS or tScheme.
|Practitioner||Assists in the implementation of Comsec policy or monitoring compliance with it|
|Senior practitioner||Manages compliance with Comsec policy|
|Lead practitioner||Ensures compliance with IS4 (reference [h]) across the DSO’s area of responsibility|