Why did ACS develop a cybersecurity certification?
With heightened awareness of the need to lift cyber resilience in Australia, an ACS Cyber Taskforce headed by Dr Jill Slay was established to review global cybersecurity frameworks and identify best practice professional benchmarks.
On September the 6th 2017, the Hon Dan Tehan MP, Minister Assisting the Prime Minister for Cybersecurity, launched an extension to the ACS Certified Professional and Certified Technologist schemes, recognising the importance of cybersecurity to Australia’s growing digital economy.
Who can apply for certification?
All members of the ACS who are also working in a cybersecurity-based role are eligible to apply for certification. Members are assessed based on experience, education and related security-based vendor certifications.
How much does it cost to be a CP (Cyber Security) or CT (Cyber Security)?
For non-members, a membership application for the ACS is $374 incl. GST, and a certification application fee of $346.50 incl. GST is then charged. For existing members (including current CPs and CTs), the cost of the certification application is $346.50 incl. GST.
Who was consulted from industry?
The cybersecurity certification was developed with input from industry consultation, including the Australian Taxation Office, PwC, AUSTRAC, CREST, AISA and RSA.
What is required to become a cybersecurity specialist?
Cybersecurity certification requires:
- That applicants work in a predominantly IT security-based job role
- That applicants have worked in tech for a minimum number of years, based on the Cyber CT/CP pathway
- For CP: an applicant must be able to demonstrate in-depth capability in 4 skills from the following list, at level 5 (or higher) of the Skills Framework for the Information Age (SFIA):
  - IT Governance, Information Management, Information Security, Information Assurance, Business Risk Management, Penetration Testing, Security Administration, Programming/Software Development, Systems Software, Testing and Asset Management
- For CT: an applicant must be able to demonstrate in-depth capability in four skills from the following list, at level 3 (or higher) of the Skills Framework for the Information Age (SFIA):
  - Information Management, Information Security, Information Assurance, Business Risk Management, Systems Development Management, Asset Management, Change Management, Security Administration, Incident Management, Conformance Management
- That applicants demonstrate a breadth of tech knowledge
- That applicants have an understanding of and commitment to the ACS Code of Professional Conduct
How important are Certified Professionals?
Professional certification is the best risk mitigation strategy for business and it allows Australia’s tech industry to maintain a high standard of professionalism.
Unlike vendor certifications, ACS Certified Professionals are certified using the Skills Framework for the Information Age (SFIA), which comprises 97 key skills within 6 key categories and 7 levels of competency.
This means that ACS certification uses specific core tech functionalities, is vendor agnostic and utilises a range of validation techniques.
How does the ACS assess Certified Professionals?
Assessments for our certifications (CT and CP) are undertaken by assessors who chart applicants' degree claims against a list of accredited universities. This is ranked on an international scale according to the Australian Qualifications Framework (AQF) in a database hosted by the Department of Education, Employment & Workplace Relations (DEEWR).
In addition to university degrees or other recognised vendor qualifications, our Cybersecurity CT and CP designations cannot be obtained by the applicant without also providing evidence of work experience at an appropriate skilled level with varying duration requirements, and demonstration of having met professional development criteria (according to the ACS points allocation scheme).
CP Cybersecurity and alignment to our industry partners ISACA & (ISC)²
Associations such as ISACA, organisations like (ISC)² and bodies like SANS, EC-Council and CREST all offer vendor security certifications.
One of the most well-known is the Certified Information Systems Security Professional (CISSP) from (ISC)² where candidates must possess a minimum of five years of direct full-time security work experience in two or more of the (ISC)² information security domains in order to be certified.
The Cybersecurity Taskforce, along with other broader industry consultations, undertook an environmental scan on global security certifications.
The resulting environmental scan found that certifications from ISACA and (ISC)² demonstrate equivalence for skills, qualifications and experience in the ACS cybersecurity specialisms.
For Certified Technologist (Cybersecurity) assessments, the following two certifications are considered equivalent for skills, qualifications and experience:
- Systems Security Certified Practitioner (SSCP) from (ISC)²
- Certified Information Systems Auditor (CISA) from ISACA
For Certified Professional (Cybersecurity) assessments, the following three certifications are considered equivalent for skills, qualifications and experience:
- Certified Information Systems Security Professional (CISSP) from (ISC)²
- Certified Secure Software Lifecycle Professional (CSSLP) from (ISC)²
- Certified Information Security Manager (CISM) from ISACA
ISACA and (ISC)² certifications must be current, demonstrating ongoing CPD at the time of submitting for ACS assessment.
While obtaining any vendor certification is an accomplishment, a CISSP, CISA etc. does not demonstrate or validate how you apply the knowledge that is related to the certification. You could have a CISSP but work in a purely technical role at a relatively low level of responsibility.
ACS certification supports these industry certifications by encompassing the knowledge, skills and attributes of an individual, assessing certifications and qualifications alongside work experience, and communications skills benchmarked against 7 levels of responsibility.
How does a member apply for ACS cybersecurity certification?
Members who are not ACS certified can apply at the ACS certification landing page.
The assessment portal is in the process of being updated to allow those members who are already CT/CP to be able to apply for a cybersecurity specialism. In the interim, any ACS-certified members who wish to apply for cybersecurity certification should send an email to email@example.com to have their assessment initiated manually.
Can a member have two CP certifications or two CT certifications?
No. If a member upgrades their certification to the new ACS cybersecurity certification, their previously awarded CP or CT will be replaced by the new certification.
ACS cybersecurity certification shows you have met the requirements of the CP or CT as well as the validation of 4 SFIA skills related to cybersecurity in order to be awarded the new specialism.
In future, as ACS releases new specialisms (e.g. Safety Critical Systems), members will be able to hold multiple specialisms but not a CP and a specialism(s).
Can an applicant nominate which skills they wish to be assessed against?
No. The assessor identifies the 3 or 4 listed skills, rather than the applicant nominating them, because many applicants will not have a strong enough knowledge of SFIA to accurately nominate their skills. With years of experience in certification assessment, the assessors are best placed to identify the applicant’s skills.