CLAS Changes Explained

As of the 1st June 2015, the CESG Listed Advice Scheme (CLAS) was replaced with the Certified Cyber Security Consultancy Scheme. The old CLAS has closed to new members.

What does it mean to be CLAS approved / a Certified Cyber Security Consultant?

Once a practitioner is approved as a certified cyber security consultant, they are recognised as a pre-approved, trusted advisor to any government department or supplier – including defence contractors and system integrators.

The services they provide meet CESG’s standards, with a proven track record of consistently high quality. They will have demonstrated a defined process for providing customers with tailored advice that meets their needs, and those accredited will act with integrity, honesty and proportionality – focused on protecting the confidentiality of their clients.

Consultancies which are certified will provide advice on a myriad of areas, including:

  • HMG Policies
  • HMG Standards
  • CESG Guidance
  • Risk Assessment and Management
  • Interconnections and Compliance

So what’s changed in the new scheme?

The new Cyber Security Consultancy Scheme will provide a wider assessment across both public and private sector suppliers. Intended to better support multi-disciplinary teams, the certification process is moving its focus towards companies, as opposed to individuals.

The requirements for accreditation have been adapted to reflect the varied services which consultancies may supply; there are now 2 different sets of requirement criteria. The first covers all professionals’ services, and the second is exclusively for consultancies. Companies must ensure they meet the first set of these criteria, irrespective of the services they provide. They can then elect from 10 varying service offerings and corresponding core skills – built on the IA Specialist Skills Framework.

Additionally, the services provided by consultancies in the wake of these changes are due to improve – one of the new requirements of the scheme is that all companies should have at least one of their consultants operating at Senior Practitioner level. This is reflective of the greater necessity for high quality, tailored consultancy services, which can only be delivered by senior practitioners.

This is one of the most controversial changes to the system. Many believe that it’s not always essential for practitioners to require senior supervision for certain tasks – occasionally a Project Manager or Service Delivery Manager might be better suited. However, CESG feels that the new regulation will ensure that all services provided by an accredited consultancy will be of a guaranteed higher quality if there is a senior practitioner present.

The new scheme will also leverage the existing processes within companies, in order to determine the best, most scalable approach. The focus on the provision of better quality service is reflected in CESG’s commitment to actively seek feedback from their clients. This will ensure improved customer experience and hopefully facilitate the avoidance of situations in which project expectations are mismatched.

“The launch of this scheme is a big step forward for UK Cyber Security. There’s only so much an organisation can and should do directly. This new scheme will significantly enhance the pool of trusted cyber security advice available from public providers.” – Ciaran Martin, GCHQ’s Director General for Cyber Security

Looking Ahead

The demand for trusted security advice is only going to grow as we move forwards. Taking a new approach to accreditation will help to foster partnerships with commercial companies regardless of size, and ensure that those who possess a proven track record and an up-to-date awareness of the cyber threat environment will be made available for selection.