
CLAS Consultancy is dead – long live the CCSC scheme?








There is a new name in the information assurance (IA) consultancy world. It’s the Certified Cyber Security Consultancy (CCSC) scheme – launched in June 2015, and sponsored by CESG, with the first cohort of consultancies recently being announced.

What’s the objective of the new CCSC scheme?

CCSC has been developed to certify services provided by consultancies, rather than individual consultants. By introducing CCSC, CESG aims to establish the wider credentials of consultancy companies to deliver high-quality, tailored and expert cyber security advice.

With a similar objective to CLAS (CESG Listed Adviser Scheme), the new scheme has been designed to help government, the wider public sector and industry obtain the right cyber security consultancy services and, by doing so, help them protect their information and conduct business online safely.

Speaking at the launch of CCSC, Ciaran Martin, GCHQ’s Director General for Cyber Security said:

“The launch of this scheme is a big step forward for UK cyber security. There’s only so much an organisation like GCHQ can and should do directly. This new scheme will significantly enhance the pool of trusted cyber security advice available from private providers”. Ciaran Martin, GCHQ

Consultancies will be assessed and certified by CESG, as the Information Security Arm of GCHQ, and must meet CESG’s standards in order to achieve certification. The assessment tests that the company is of good standing, has practical experience and knowledge of the customer set and understands and maintains awareness of the cyber threat environment.

The first companies to achieve CESG cyber security certification

The first cohort of seven CESG Certified Cyber Security Consultancies was announced in mid-February 2016. Mainly SMEs, they will provide consultancy to government and industry under the Security Architecture, Risk Management and Risk Management service categories.

Our congratulations go to the successful applicants and we look forward to hearing of their continued success.

Why isn’t Ascentor listed yet?

We consistently keep abreast of new developments and participate in consultations to ensure our industry is professional and appropriately regulated. But we need to see real business benefit to our customers before signing up to a new scheme. Whilst CCSC continues to develop, we will be focusing our time and effort on delivering IA excellence to our clients.

Our approach is to confirm the real business risks, put them into context then design and implement the most appropriate controls to mitigate them. We are also busy sharing our IA Inside model and encouraging those involved in IA to think about it early in the project lifecycle rather than leaving it to the last minute. Rest assured, as and when CCSC is suitably mature and being requested by our customer base, we will take part.

For further information

If you have found this article of interest, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.

If you’d like to discuss how our consultants could advise on any aspect of cyber security, please contact Dave James at Ascentor.


Office: 01452 881712

