Resources

Our Frameworks

Explore frameworks, guides, event recordings, and insights designed to support your professional development in cyber and information security.

The CIISec Capability Development Methodology (CDM) has been designed to help organisations develop, recruit, and retain talent. It can be adapted and tailored for your organisation and will align comfortably with your internal standards, as well as any external standards you may use.

At the heart of the methodology are the CIISec Skills, Knowledge and Roles Frameworks, developed over many years through collaboration with private and public sector organisations, world-renowned academics, security leaders and authoritative bodies.

Skills Framework v4


The CIISec Skills Framework is the industry standard for defining and assessing the skills and competencies needed in cyber and information security. First published in 2006, it continues to evolve with input from industry, government, academia and security leaders. Version 4 (updated April 2026) introduces updated terminology, clearer separation of technical and professional skills, and a new skill area — Human Centric Security — reflecting the vital role people play in cyber security.

Skills Framework v4 - Interactive


The CIISec Skills Framework is the industry standard for defining and assessing cyber and information security skills. Since 2006, it has been shaped by collaboration across industry, government, academia and security leaders. Explore Version 4 (updated April 2026) in this interactive PDF, featuring updated technical and professional skills and a new skill area — Human Centric Security — emphasising the critical role of people in cyber security.

Skills Framework v3


This framework describes the range of competencies expected of Information Security and Information Assurance Professionals in the effective performance of their roles. It was developed through collaboration between both private and public sector organisations and world-renowned academics and security leaders.

Roles Framework


This framework sets out the typical set of skills expected of cyber and information security professionals in the effective performance of their roles. It was developed through collaboration between both private and public sector organisations and world-renowned academics and security leaders.

Knowledge Framework


This framework expands upon the widely used CIISec Skills Framework, giving users a consistent view of cyber and information security. The Framework also serves as baseline self-study material for the ICSF entry-level exam.

ABC Guides

For cyber security practitioners, the guides offer a ready-made resource to help communicate the importance of cyber security and best practice to wider business functions. For business professionals who may not be security specialists, the guides provide a clear introduction to your role in protecting the organisation against cyber threat.

Executive Board


Aimed at executive leaders, this guide stresses that security is not an end in itself but a means to enable the organisation to operate with minimal risk. Boards need clear, decision-worthy information, not technical detail or unnecessary alarm. Security professionals must understand business objectives and translate complex risks into actionable advice to build trust and enable informed decision-making.

HR


Designed for HR professionals, this guide highlights the critical relationship between HR and Security in creating secure working environments aligned with business values and goals. Through real-world examples, it shows how collaboration strengthens the business and provides practical advice on embedding security by focusing on culture, collaboration, and policy.

Training & Awareness


Providing guidance on training and awareness, this ABC resource emphasises the importance of measuring progress in building a strong security culture. Organisations should establish a baseline of cyber awareness, track results regularly, adapt where needed, and use metrics to demonstrate value to stakeholders and refine their programme over time.

Security Culture


Focusing on building a proactive security culture, this ABC Guide outlines the benefits of such a culture, presents a clear four-step development process, and offers practical tips to help organisations create a measurable culture linked to reducing risk.

Supplier Management


The ABC Guide on Supplier Management, updated in 2026, outlines the importance of addressing cyber risks associated with supplier relationships, emphasising the need for robust information security management throughout the procurement cycle. The guide highlights the complexities of supplier risk management, including the challenges posed by cloud services and the evolving regulatory landscape.

Supplier Management Technical Supplement


As regulatory expectations tighten across the UK and EU, supplier management has become a core pillar of cyber resilience. This technical supplement expands on the ABC Guide to provide practical insight into meeting emerging obligations, strengthening third-party assurance, and embedding security into procurement, contracts and ongoing oversight. Designed for both security professionals and business leaders, it outlines the regulatory landscape, technical solutions and contractual controls required to manage supply chain risk effectively.

CIISec LIVE Recordings

Access recordings of the panels and plenary sessions from CIISec LIVE 2024, held in Bristol on 25 November 2024.

Why is good cyber hygiene so difficult to achieve?


Requiring continuous vigilance, education and consistent behaviour across all levels of an organisation, achieving good cyber hygiene is not an easy task. The rapid pace of technological change, evolving cyber threats and the growing complexity of IT environments can further complicate efforts. Our expert panel will discuss the what, who and how of cyber hygiene, and what it means to different people and organisations.

How to build resilience in your supply chain


How do we ensure supply chains are as cyber resilient as they can be? What can organisations do to make themselves less vulnerable to the impact, and what should suppliers and customers be doing differently or better? These are just some of the questions our supply chain panel will look to answer as they share advice on how organisations should manage risk and build resilience to any incidents.

Building a futureproof CNI


Critical National Infrastructure (CNI), if compromised, poses serious risks to public health, security, and economic stability. But what makes CNI vulnerable to cyber attacks, what are the consequences of its failure, and what role do Governments have in protecting these vital sectors? This session explores the importance and challenges of cultivating a risk resilience culture within CNI.

Is it really possible to insure against cyber?


How should organisations go about buying cyber insurance? What is unique about cyber risks versus other insurable perils, and what are insurers looking for from clients in terms of understanding and pricing risk?

From crisis to control: responding to a ransomware attack


When facing a ransomware attack, organisations must navigate a range of critical decisions. Within the first 24 hours, determining the response - report the incident to authorities, engage legal firms, and notify insurers - can be pivotal to the business. The outcome of a ransom demand is a complex issue involving ethical, legal, and strategic considerations.

Fireside chat - Cracking cybercrime: the cases that made the headlines


Ashley Winton has been at the forefront of high profile cases involving cybercrime and cybersecurity. Ashley joins CIISec CEO Amanda Finch on the LIVE stage to talk about some of his legal experiences and share his thoughts on the legal ramifications.

Exposing modern threats: are you at risk?


Modern day threat actors are political activists, serious and organised gangs or nation states. We often know how these operations work, what motivates them and how they infiltrate and bypass our alerting systems. Organisations must start to mimic these threats by encouraging security testers to deploy the full spectrum of attacks so the true extent of exposure is known.

IT/OT Convergence - cybersecurity threats and opportunities


OT systems, traditionally isolated and designed for reliability, are now exposed to IT-based threats like ransomware, malware, and data breaches. This workshop looks at the threats and opportunities this convergence poses to cybersecurity and the growing need for professionalism in OT cyber.

State of the Industry Profession

Our annual survey of members and the wider cyber and information security community to gather insights on key issues affecting the security profession.

2024


Our State of the Security Profession report, released in October 2024, analyses the responses of over 370 information security professionals from across the industry. The report covers topics such as demographic changes, career prospects, skill gaps and how to fill them, and the impact of AI on both the cyber industry and professionals.

2023


In the eighth edition of CIISec’s ‘State of the Profession,’ the current landscape is marked by economic uncertainty, high interest rates, and global political unrest, while technological advances such as AI are introducing new risks and opportunities for businesses and security professionals.

2022


Entering its seventh year, the ‘State of the Profession’ report highlights key trends and emerging challenges in the cyber and information security sector, providing actionable insights for professionals and organisations alike.

'Need to know' Guides

Below is a selection of our new 'Need to know' guides for you to download.

Deepfakes


An essential guide to understanding deepfakes, how they are created, and how to identify and mitigate the risks.

Ransomware


A practical overview of ransomware threats, how they operate, and the steps you can take to reduce your exposure.

Cloud Security


A clear introduction to cloud security risks, responsibilities, and best practices for protecting data and systems.

Data Protection


An introduction to your responsibilities, legal matters, and best practices for keeping your data private.

Phishing


What is phishing, how can you prevent it, and how can you protect yourself? This guide will give you the information you need to be safe online.

Password Security


Best practices for password security.
