
Roles explained

The roles are outlined below. There is no prescribed career path through the roles.

Much information assurance (IA) knowledge is common to multiple roles, and it would be natural for many IA specialists to perform several roles in the course of a career. In a small organisation, one IA specialist may perform multiple roles in a single post.

Security & Information Risk Advisor

Provides business-driven advice on the management of security and information risk, consistent with HMG IA policy or other sector-specific guidance.

Level: Standard
Practitioner: Assists customers in the routine application and interpretation of security or IA policies and practices.
Senior Practitioner: Enables provision of the Security & Information Risk Advisor service across a range of business units, sites, projects or other change activities.
Lead Practitioner: Influences the management of security and information risk across a large organisation or across multiple client organisations.

Cyber Security / IA Architect

Drives beneficial security change into the business through the development or review of architectures, so that they fit the business requirements for security, mitigate the identified risks, conform to the relevant security policies and balance information risk against the cost of countermeasures.

Level: Standard
Practitioner: Represents security requirements in the design and implementation of IS architectures.
Senior Practitioner: Enables the design and implementation of secure IS architectures.
Lead Practitioner: Influences the security of enterprise or solution architectures across the public sector, across the whole of a public sector organisation, or across the private sector.

IA Accreditor

Accreditation provides a risk owner with the basis to make an informed business decision on whether to accept the risks associated with a given capability, balanced against the business opportunities it presents.

Level: Standard
Practitioner: Makes routine accreditation decisions (where empowered to do so), accepting residual risk on behalf of their organisation where it is clearly within the normal risk appetite declared by the Senior Information Risk Owner (SIRO) or the Board.
Senior Practitioner: Leads accreditation activity for complex or high-risk information systems.
Lead Practitioner: Ensures that the accreditation process supports and enables the business objectives and follows Security Policy Framework (SPF) outcomes, or other sector-specific or local arrangements.

Cyber Security / IA Auditor

Assesses an organisation's compliance with its security objectives, policies, standards and processes, and provides impartial assessment and reports covering security investigations, information risk management and investment decisions, in order to improve the organisation's information risk management.

Level: Standard
Practitioner: Undertakes assigned routine or ad hoc audits to test compliance with IA policies or standards.
Senior Practitioner: Leads audit activity to meet complex audit objectives and takes responsibility for the audit findings.
Lead Practitioner: Proposes and delivers information risk driven audit programmes to Senior Information Risk Owners (SIROs) or an IA Board.

IT Security Officer

Provides governance, management and control of IT security.

Level: Standard
Practitioner: Assists implementation of effective IT security in accordance with local policy.
Senior Practitioner: Enables effective IT security across a wide portfolio of IS.
Lead Practitioner: Influences corporate IT security.

Communications Security Officer (ComSO)

Manages cryptographic systems as detailed in HMG IA Standard No. 4 (IS4), Management of Cryptographic Systems (reference [h]), and in the relevant product-specific Security Procedures, or in accordance with sector-specific guidance such as PCI DSS or tScheme.

Level: Standard
Practitioner: Assists in implementing Comsec policy or in monitoring compliance with it.
Senior Practitioner: Manages compliance with Comsec policy.
Lead Practitioner: Ensures compliance with IS4 (reference [h]) across the Departmental Security Officer's (DSO's) area of responsibility.