A blog entry by Gerry O’Neill, CEO of the Institute of Information Security Professionals, gives us an update on the IISP's progress towards defining and implementing a certification process for its members.
Gerry acknowledges a handful of existing certifications (such as CISSP, CISM, CISA and MSc) from which the IISP appears to have borrowed a few ideas (e.g. referring to a "common body of knowledge", presumably similar to the CISSP CBK). He identifies certain characteristics of a profession, including "a ‘licence to practice’, based around a core of specialist knowledge, skills and disciplines, regulated by a professional body and, crucially, with business recognition of its value." The ‘licence to practice’ idea works well for professions such as medicine, accountancy and law, but these professions are clearly much older than information security. Whether the IISP can first establish itself as a recognised professional body, secondly impose regulations and standards on its members, and thirdly achieve broad acceptance by the general public and the authorities is an open question at this point. They have set themselves a worthwhile but extremely difficult task, attempting to shortcut the centuries that other professions have had to develop their professional practices.
While there will be a Disciplinary Committee to ensure compliance with the IISP Code of Conduct, I wonder whether they will also establish a professional practices and ethics board to assess claims from the public or authorities that its members are incompetent, incapable, unethical or otherwise unsuitable to be called information security professionals. Policing the members and upholding the highest professional standards is another important though difficult role for a professional body: it is an integrity issue for the individuals concerned, for the professional body and indeed for the profession as a whole.
The Institute has defined a list of 33 skills as a basis for both developing and assessing information security professionals. Three items in the list caught my eye: I1 Research, I2 Academic Research and I3 Applied Research. Most security certifications (other than MSc and similar academic qualifications) emphasise practical expertise and implementation skills rather than research. As a former research scientist myself, I welcome the emphasis on original research which will both help advance the profession and provide an entry route for students.
All in all, I'm interested to see this initiative develop and welcome the IISP extending its remit from the UK to the rest of the world, in due course.