Cyber security in the UK: shedding some light on its confusing state

Written by Stephen Ridgway
January 13, 2025
How confident are you that you understand who is responsible for what when it comes to cyber security in the UK?
After all, the NCSC (National Cyber Security Centre), the UK Cyber Security Council, CREST, and IASME are all key organisations within the UK cyber security ecosystem, each with distinct but complementary roles.

The different organisations operating in cyber security in the UK

Here’s an overview of the relationships and functions of the different organisations that are responsible for various roles within UK cyber security:

1. NCSC (National Cyber Security Centre)

Role: The NCSC is part of GCHQ and acts as the UK’s technical authority on cyber security. It provides guidance and incident response support, and helps protect critical national infrastructure from cyber threats.

Relationship to others: The NCSC sets national standards and collaborates with organisations like IASME, CREST, and the UK Cyber Security Council to promote cyber security best practices. It endorses certification schemes and accreditations delivered by organisations like IASME and CREST.

2. UK Cyber Security Council

Role: The UK Cyber Security Council is an independent body responsible for advancing professional standards and the development of cyber security as a profession in the UK. It sets competency frameworks, ethics standards, and qualification standards for cyber security practitioners.

Relationship to others: The Council works closely with the NCSC and accrediting bodies like CREST and IASME to align the profession with national security priorities. It helps unify the profession by recognising and promoting certifications and training schemes provided by organisations such as CREST.

3. CREST

Role: CREST is a not-for-profit accreditation body representing the technical cyber security industry. It provides certifications for cyber security professionals and accredits organisations offering penetration testing, incident response, and other security services.

Relationship to others: CREST certifications and services are recognised and often recommended by the NCSC for specific activities like penetration testing. CREST aligns its certifications and professional standards with the UK Cyber Security Council’s competency frameworks.

4. IASME Consortium

Role: IASME is a certification body focused on enabling organisations (especially SMEs) to achieve recognised cyber security standards, such as Cyber Essentials and IASME Governance.

Relationship to others: IASME is the sole partner of the NCSC for delivering the Cyber Essentials scheme, a foundational cyber security certification. It collaborates with the UK Cyber Security Council and aligns with its professional frameworks to ensure the certifications support national cyber security goals.

How they work together

  1. NCSC as the national authority: Sets strategic cyber security objectives and endorses certifications delivered by IASME (Cyber Essentials) and standards followed by CREST (technical certifications).
  2. UK Cyber Security Council as the profession’s voice: Ensures that professional qualifications and standards (such as those from CREST) are aligned with national objectives and competency frameworks.
  3. CREST and IASME as accrediting bodies: Deliver certifications and services recognised by the NCSC and supported by the Council to strengthen the workforce and organisational resilience within cyber security in the UK.

In summary, while the NCSC oversees and directs the national cyber security strategy, the UK Cyber Security Council focuses on professional development, and CREST and IASME serve as key delivery partners for certifications and industry standards. They work together to create a coherent and effective ecosystem for cyber security in the UK.

Are there any other organisations involved?

Yes, there are several other organisations involved in the UK cyber security ecosystem. While the NCSC, UK Cyber Security Council, CREST, and IASME play prominent roles, other key organisations also contribute to enhancing the UK’s cyber security across different sectors. Here are some notable examples:

Professional associations and accreditation bodies for cyber security in the UK

  1. BCS (The Chartered Institute for IT)
    Focuses on advancing the IT profession, including cyber security. Provides certifications and supports professional development in line with the UK Cyber Security Council’s frameworks.
  2. CIISec (Chartered Institute of Information Security)
    A professional body dedicated to information security practitioners. Develops skills frameworks, professional certifications, and supports career progression in cyber security. Works closely with the UK Cyber Security Council.
  3. ISACA UK Chapter
    Part of the global ISACA organisation, which focuses on IT governance, risk management, and cyber security. Offers globally recognised certifications like CISM, CISA, and CRISC.
  4. (ISC)² UK Chapter
    Known for its certifications like CISSP and CCSP, which are widely recognised in cyber security. Collaborates with other bodies to promote education and awareness.

Standards and certification organisations

  1. BSI (British Standards Institution)
    Develops and publishes standards, including those related to cyber security (e.g., ISO 27001 for information security management systems). Provides auditing and certification services to organisations adopting these standards.
  2. Cyber Security Information Sharing Partnership (CiSP)
    A government initiative to promote information sharing about cyber security threats between public and private sectors.
  3. UKAS (United Kingdom Accreditation Service)
    Accredits organisations like CREST and IASME to ensure they meet recognised standards in their certification and auditing processes.

Government and regulatory bodies

  1. Ofcom and Ofgem
    Regulate the telecommunications and energy sectors, respectively, with increasing focus on cyber security resilience in these critical industries.
  2. ICO (Information Commissioner’s Office)
    The UK’s data protection regulator, responsible for enforcing GDPR and other privacy laws. Works to ensure organisations adopt robust cyber security measures to protect personal data.
  3. CMA (Competition and Markets Authority)
    Focuses on promoting competition and tackling cyber fraud and online scams.
  4. Police Cyber Units
    Includes the National Crime Agency (NCA) and its National Cyber Crime Unit (NCCU), as well as regional cyber crime units that investigate and respond to cyber crimes.

Industry and sector-specific initiatives

  1. TechUK
    Represents the technology sector in the UK, including cyber security providers. Works with government and other bodies to shape policy and promote best practices.
  2. Financial Sector Initiatives (e.g. UK Finance)
    Focuses on cyber security within the banking and financial services sectors. Partners with the NCSC to tackle threats specific to financial institutions.
  3. CiSP (Cyber Security Information Sharing Partnership)
    Encourages threat information sharing between public and private sector organisations to strengthen cyber security resilience.

Academic and training providers

  1. Academic Centres of Excellence in Cyber Security Research (ACE-CSR)
    Universities recognised by the NCSC for their world-leading cyber security research.
  2. CyberFirst
    An NCSC-led initiative focusing on developing the next generation of cyber security talent through training, scholarships, and outreach.
  3. Higher education institutions and apprenticeship providers
    Deliver degrees, professional certifications, and apprenticeships in cyber security.

Industry-specific membership bodies

  1. The Security Institute
    Supports physical and information security professionals with training and certifications.
  2. Logically-secured organisations
    E.g. the Forum of Incident Response and Security Teams (FIRST), which promotes global collaboration on incident response.

Collaborative forums

  1. Cyber Security Alliance
    A consortium of organisations (including CREST, CIISec, IASME, and others) working together to promote the profession and ecosystem of cyber security in the UK.
  2. Global Forum on Cyber Expertise (GFCE)
    While global, this group has UK-based initiatives to improve cyber security capacity and knowledge sharing.

Cyber security in the UK: conclusion

These organisations, along with the core players mentioned earlier, form an interconnected network. Together, they address diverse aspects of the UK’s cyber security, from governance, certification, and incident response to research, education, and regulation.

Simples!

This article is written by

Stephen Ridgway

COO & Co-Founder

Stephen may speak with the charm of Hugh Grant and possess the refined air of an aristocrat with his pipe, but beneath that exterior lies the work ethic of a Victorian coal miner. With decades of experience, he excels in implementing strategic technical defences in zero-downtime environments. His expertise extends to building and overseeing security operations, guiding large teams, and nurturing talent to foster growth.

Stephen approaches every challenge with a smile, a rarity in major incident response, earning him the nickname “the smiling assassin.”