My certification journey

Published - Estimated reading time: 8 minutes

As in many industries there is a range of cybersecurity certificates available, offered by a number of different organisations. Which certificates to pursue is often discussed by those looking to get into cyber, but also by people already in cybersecurity looking to progress their career further. I often refer people to Paul Jerimy’s Security Certification Roadmap as a place to start making sense of it all. At the same time I think it is important to remember that these aren’t Pokémon, you don’t need to acquire them all! At the very least the cost of exam fees alone would be significant, but realistically there is unlikely to be any benefit in completing a large set.

ISO27001 Lead Implementer

The first certification I achieved relevant to security was sponsored by my employer at the time, The Mining Remediation Authority (known at the time as The Coal Authority, a non-departmental government body here in the UK). My role as Information Assurance & BCP manager meant that information security was my primary responsibility, so the course was going to be immediately beneficial to my work.

This was a residential course provided by BSI, a week long with teaching followed by an exam on the last day. Focus was put on what was fundamental in delivering a suitable programme of work to be prepared for ISO27001 audit & certification. We used our own organisations to discuss different business requirements, something that absolutely makes the topic much more relevant.

In my opinion this course is aimed at those who are already in a corporate role where they will benefit from structured, instructor-led learning. The price tag is currently £2600 + VAT with options of classroom or online, certainly worth the value to an organisation looking to certify but unlikely to be something an individual will self-fund.

ISO22301 Lead Implementer

Following my completion of the ISO27001 course the next obvious item for me to complete was the Business Continuity standard.

Again this was a residential course provided by BSI, also a week long with an exam on the final day. I actually think that this course was more helpful to me at the time because it covered areas which I hadn’t formalised (proper planning for an organisation-wide recovery, as opposed to a single function) or tested properly (and wouldn’t until the COVID pandemic).

Again this is likely a course and certification for those who are part of an organisation looking to build its own resilience and formal structure around that. I suspect that business continuity, and not just disaster recovery, is an area the vast majority of businesses and public organisations could improve upon.

Cyber Essentials Certified Practitioner

Cyber Essentials is a UK government recommendation for a minimum standard of cyber security, created by the National Cyber Security Centre. As I was working for a government organisation when this started rolling out, we were required to make sure our supply chain met this standard, or a more mature approach such as ISO27001. At the same time our organisation was also part of the supply chain to other government bodies, meaning we were expected to reach the same standard as well.

As a single-day in-person course (accreditation was achieved by completing Cyber Essentials in your organisation), and Cyber Essentials being a baseline standard, the topics were not particularly complex or deep, so were easily covered in that space of time. That said, I am still quite confident that many small (and probably larger) organisations could benefit from checking themselves against the requirements of Cyber Essentials; the clue is in the name after all.

This certification has since lapsed following my departure from The Coal Authority.

Certified Security Operations Manager (CSOM)

There was a gap in my studies and certification when I changed roles, moving first into a GRC role and then moving over to Security Operations. After I had a few years under my belt I decided to validate the experience & knowledge that I’d gained, and the CSOM offered by Security Blue Team was likely a good fit. As I was one of the early wave to sign up I did benefit from the price being 50% off, but if you aren’t in a hurry similar discounts have been available on Black Friday / Cyber Monday dates in the past couple of years.

Set up as a self-paced, portal-based online course, this meant that this time I was able to work through it at my leisure. The content was easy to work through and presented as a combination of text, videos and practical hands-on exercises over 4 knowledge domains. The exam is then a two-part approach, a practical exam in a lab and then a theory exam. These are combined with a requirement to submit evidence that you have the required 2 years of relevant experience. I believe that this is trying to keep the CSOM in line with SBT’s other certificates, which are very practical, whilst also blending in the validation of applied skill beyond the course theory that organisations such as ISC2 require.

In my opinion this is aimed at those who are perhaps currently senior security operations analysts looking to move into a leadership role, new security operations managers, or those looking to move from an adjacent field like a Network Operations Centre (NOC). For those who have led a SOC and managed incident response teams there will naturally be less for you, but I did find it beneficial to realign on the metrics, maturity and measuring success domain.

Credly verification

Blue Team Level 1 (BTL1)

To build my team’s specific skills in active cyber defence, and having completed the CSOM prior, it made sense for us to complete the BTL1 course (as mentioned in my Training for a SecOps Team blog post). Of course, as a people leader I felt I should also take the course; I feel that often doing what is asked of them sets a good example. Plus, I wanted to make sure my technical skills remained reasonably strong for when we need to do incident response and it becomes an “all hands to the pump” moment.

Broken into a set of 6 knowledge domains, this course is reasonably hands-on with labs and quizzes throughout the content. There is a balance of theory alongside the practical content, which means this course can be worked through in something around 30 to 40 hours. If you are not familiar with some tools (e.g. Splunk) then it is worth spending time outside the course to learn them, and applying the theory or examples from labs to more complex scenarios is definitely beneficial.

Definitely aimed at those early in their cyber career and more cyber defence focused, this course offers a pretty decent primer on the kind of work an analyst might be asked to look at and do in a SOC. The price point is fairly reasonable, and the certificate is gaining traction in the wider community so is becoming more recognised.

Credly verification

ISC2 Certified Information Systems Security Professional (CISSP)

After a reasonable break I decided to take on the CISSP; this was one I had been considering for quite a while. Launched in the mid 90s, the CISSP holds some weight in the industry. It is often listed as desirable, or even required, in job adverts by many companies for information security leadership roles.

There are a lot of resources out there for those looking to take the CISSP exam.

  • The official study guide
  • Several other books on the topic
  • Youtube channels
  • Reddit /r/cissp

The most useful tool for me though was the Quantum Exams CISSP practice exams. It helped me reduce my feelings of imposter syndrome, because the exam was the biggest unknown quantity. In the end the exam took me just over an hour to answer enough questions and be told I had provisionally passed the CISSP.

More on that in a future post, because really it’s not something that can be summed up in a few paragraphs.

In my experience there are a lot of people who think that the CISSP means that you have “made it” in the industry. Whilst it certainly does require you to have a good wealth of knowledge and experience which can be vouched for, I wouldn’t say it is a defining pinnacle in itself. Indeed, the requirement to earn 120 CPEs over the course of 3 years to maintain the CISSP indicates to me that it is part of ongoing growth.

If you are early, or even mid, career there are likely other certifications which will help you grow more. The CISSP is not going to make you the best in a given niche but rather a more rounded professional. This is why there is often the mantra of “Think like a manager” when sitting the exam: whilst it has technical aspects to it, the needs of the organisation are also considered. However, if you are looking for a recognised qualification then, as I mentioned earlier, this is a widely recognised and desirable item to add to your CV.

Credly verification

Last updated 22 April 2026