Frequently Asked Questions

Below are answers to your most common questions about the scheme:

Q: Can I apply for more than one role or level?
A: Download and read the latest version of the “CESG Certification for IA Professionals”. We recommend doing this first because it will help you to identify the CCP role(s) and level most appropriate to your skills. Don’t just look at the role title, as it may be that another role, once you read the skills, is better suited to you.

Q: Can I apply for more than one role or level?

A: Yes, you can apply for as many roles as you believe you can support. However, we only permit one role per application form. This is because each role has a different role headline statement which must be met, and in many cases there is insufficient evidence to support both of the roles on one form. It is also often the case that when the form is sent out to different assessors they return it commenting that the form favours one role over the other.

Q: I am unsure what level I should be applying for, can you help?
A: The Secretariat is unable to advise you on which level to apply for as the application form is based on your own work experience.

However, for Senior and Lead level applications the Accreditation Committee (AC) has the ability to award you a certification for the level below if they believe you are not operating at the level you have applied for. The IISP will then provide you with detailed feedback which will explain why that decision was made and will be of use if you decide to reapply for that level in the future.

If you are struggling to choose which role your evidence fits into, the IISP can arrange for you to have a chat with one of our mentors, who will be able to offer some guidance.

Q: My work is confidential; how do I get around this?
A: The IISP do not expect you to share confidential information in the application forms. When describing your experience you are required to describe the situations and the actions you took without stating the names of projects, places or people.
Please be assured that our CCP assessors and interviewers all hold security clearance at SC level or higher and are bound by an NDA that the IISP issue when they join as volunteers.

Q: How should my evidence be formatted?
A: You should provide two pieces of evidence against each skill. We advise that you write your evidence in the STAR (Situation 1-2 lines, Task 1-2 lines, Action 4-5 lines, Result 2-3 lines) format. This allows the assessors to get to the crux of your personal involvement in your work experience. Below is an example of how to format your evidence in the STAR model:


Situation: Having moved into my first home I am hosting my first Sunday lunch for my family.

Task: I needed to cook a meal that was big enough to feed the whole family but provide food that everyone would enjoy. A traditional roast beef dinner wouldn’t be suitable as my parents, sister and her husband are all vegetarians.

Action: At first when faced with the daunting task of catering for unfamiliar dietary requirements (my cat and I are proud meat eaters) I considered booking a table and letting the professionals take on the task! But then after a quick search online I came across a delicious nut roast recipe that I knew would be a success. The recipe seemed overly elaborate so I decided to cut out what I considered to be additional ingredients such as ‘green olives’ and ‘pomegranate seeds’. This recipe took more prepping than actually cooking so I decided to have it all prepped the night before ready to cook 15-20 minutes before serving. By prepping it the night before and storing it in the fridge it meant I also had time to prepare a small beef dish for me and the cat.

Result: Surprisingly I had managed to create two dishes to cater towards both my vegetarian family’s requirements and my own with little to no stress. This is something I am quite proud of as cooking does not come naturally to me. I enjoyed everyone’s reactions to my cooking and also having my sister and her partner offer to wash up afterwards!

Q: How do I submit my completed application form?
A: Please submit your completed application form via email to You must submit your application form in Word format so it can be anonymised prior to sending it out for assessment. Please submit the signed part 4 in PDF format.

Q: What is included in the CCP Certification fee?
A: From July 2015 the IISP have fallen in line with the other Certification Bodies (CBs) and are now charging the full 3 year CCP fee upfront. This fee includes: administration of the CCP Application, including an internal review, before it is sent for assessment; a Certificate; invitations to IISP CCP specific briefings; administering the annual CCP CPD and Surveillance; membership at the awarded level for the duration of the CCP and the benefits this brings. For those who have not yet moved to the three year fee, you must pay an annual CCP fee (which includes membership) for years 2 and 3.

Q: How long does my certification last for?
A: All CCP Certifications are valid for three years; your CCP Certificate shows the validation dates. Applicants will need to recertify every three years. To maintain your CCP certification an annual CCP CPD and Surveillance form should also be submitted on the anniversary of the award of all CCP Certifications held. 

Q: Will I receive Associate (A.Inst.ISP) or Full Membership (M.Inst.ISP) of the Institute if I am certified by this scheme?
A: The IISP include membership as a benefit of achieving a CCP Certification. Candidates who are certified at Practitioner or Senior Practitioner level will receive Associate membership of the IISP and will be able to use the post nominal A.Inst.ISP.  Similarly, candidates who are certified at Lead Practitioner level will receive Full Member status and will be able to use the post nominal M.Inst.ISP. 

In some cases, those certified at Senior Practitioner may, at the discretion of the Accreditation Committee (AC), be awarded Full Member status. It should be noted that there may be an upgrade fee to pay.


Q: I have noticed that some roles require candidates to hold qualifications or pass examinations. Please tell me more?
A: The IISP have the following prerequisites:

IA Auditor Role: we require you to hold or have attended one of the following:

Practitioner Level

Introduction to ISO 27001 Course
Implementing ISO 27001 Course
IIA Diploma (PIIA)

Senior / Lead Level        

ISO 27001 Lead Auditor (BS7799 Lead Auditor)
IIA Advance Diploma (MIIA)
IIA IT Auditing Certificate (QiCA)
CISA - Certified Information Systems Auditor

Note: The IISP will accept any of the prerequisites listed in the Senior and Lead table for Practitioner level. Those listed in the Practitioner table are the minimum requirements. 

IA Architect Role Senior / Lead: we require you to have passed the CREST Registered Technical Security Architect (CRTSA) examination run by our Consortium Partner CREST. Information on the CRTSA examination can be found here. If you require additional information please contact our Consortium Partner at info@crest-approved.org. As an alternative to the CREST examination we will now be accepting the BCS PCIAA and SABSA Foundation, Practitioner and Master level qualifications.

Q: Can I apply for all 8 core skills for the SIRA role?
A: There is a minimum number of skills you must apply for at each level; however, you can apply for all 8. When completing the form, please ensure you state which core skills you are applying for and would like to appear on your certificate in the box at the top of part 3 of the application form.

Q: Can I transfer my CCP certification to another Certification Body (CB)?
A: The processes for assessing candidates for CCP and the timeframe for the on-going re-validation process are subtly different for each CB.  This means that it is not practical to move from one CB to another during the 3 year period of certification.  
When your certification is due for renewal (after three years) then each CB will recognise your previous certification and essentially use their re-certification process to provide you with a new three year certificate.  This will entail looking at the last three years of work and related CPD etc. depending on the process for the relevant CB. 

You can of course at any time register with another CB to be re-assessed for an existing role or to add an additional certification to your current one(s) but this will be charged at the usual new assessment rate.

Q: What is required for recertification?
A: The IISP has tried to make the recertification process less onerous. Firstly, the IISP Guidance for completing the recertification application is within the form. With regard to evidence we require two pieces of evidence and this is only for the CORE skills for the role you are looking to recertify against. The evidence should be from the 3 year period during which you have held your CCP certification and we recommend when compiling your evidence that you use the STAR (Situation, Task, Action, Result) Model. We also require you to provide one piece of surveillance in Part 3 of the form that details how you have met the headline statement for the role and level being recertified.

You must then provide a client reference that validates that evidence. The onus is on you to submit the reference to the IISP with your application. The completed recertification form and reference will be reviewed by IISP CCP Certified assessors and referees may be contacted. Senior Applicants may be called for interview if additional verification is required and all Lead applicants will be interviewed. We can only recertify a role that has not yet expired, therefore we recommend application forms should be submitted and paid for at least 6 weeks before the expiry of the certification being recertified. 

Q: When should I submit my recertification form?
A: You will receive an email reminder 3 months before your certification is due to expire and we advise that you submit the form six weeks before that deadline. Submitting this early ensures that you do not experience a break in being certified. Please be aware that the IISP is not allowed to accept recertification forms after the expiry date of current certifications as per the NCSC guidelines.

Q: What is required as a reference for my recertification?
A: Please encourage your referee to write as detailed a reference as possible to support your recertification application. As a minimum we require as little as 1-2 lines from the referee to say they have read the evidence you have provided in Part 3 of the recertification form and agree with it. We ask that the referee is happy to be contacted should the assessor want more information. The reference must be submitted separately to the application in the form of a Word document or email.

Q: Can I submit my recertification form if I do not have my reference yet?
A: It is often the case that you have completed your recertification form but you are waiting to receive your reference before submitting it. To get the ball rolling you can submit your recertification form and settle the fee; the IISP will internally review and anonymise your form, but it cannot be sent out for assessment until the reference is received.

Q: Where can I find more information?
A: Please email or call the IISP CCP Team on 0203 384 0399.