+44[0] 1992 711 963

Cyber Security Technologist (2021) Level 4


  • Cyber Security Engineer
  • Cyber Risk Analyst
  • Cyber Defend & Respond

This role is found in all sectors and organisations that employ technology, for example Digital, Telecoms, Technology, Business Services, Defence, Government, Finance, Health, Retail, Critical National Infrastructure, Transport and Automotive sectors; and in all types and sizes of organisations including large corporations, public sector bodies, academic institutions, charities and small and medium enterprises (SME).

The broad purpose of the job is to apply an understanding of cyber security to protect organisations, systems, information, personal data and people from attacks and unauthorised access.

Fighting cyber security threats is a multi-billion-pound industry, and one that continues to grow as threats from the likes of malware, ransomware, phishing, DDoS attacks and hacking increases. Organisations, both large and small, are turning to cyber security professionals to help them keep their commercial and financial data, websites, infrastructure sites and their customers’ details safe.

With almost all personal data now stored online, cyber security attacks have the potential to completely ruin businesses – not to mention people’s lives – in the process. There are often news stories about high-profile attacks, such as those on the NHS, Yahoo and LinkedIn, meaning that organisations are becoming increasingly concerned with any potential leaks that could occur. In fact, nearly half of all UK businesses experienced some form of attack in the last 12 months. As a cyber-security technologist, you will be part of the response to those attacks.

Cyber Security Technologists all require an understanding of security concepts and technology and how to mitigate risks arising from threats. The specific tasks undertaken vary depending on what needs to be achieved by the team at any particular time. Some tasks may be very technical, others may be more analytical, business or user focused. All roles in this occupation work to achieve required cyber security outcomes in a legal and regulatory context in all parts of the economy. They develop and apply practical knowledge of information security to deliver solutions that fulfil an organisations requirement.

The Cyber Security Technologist standard has three distinct options. At the end of the apprenticeship you will be competent in either:

  1. The Cyber Security Engineer is the most technology focused role in the occupation and will typically design, build and test secure networks or security products or systems with a particular focus on the security aspects of the design.

Typical job titles include: Cyber Security Engineer, Cyber Security Consultant, Cyber Security Architect, Cyber Security Analyst, Cyber Security Specialist, IT Security Technician, and Embedded Engineer.

  1. The Cyber Risk Analyst Focuses on risk assessment, analysis and giving advice on risk mitigations. The roles may support formal security governance, regulatory & compliance (GRC).

Typical job titles include: Cyber Security Consultant, Cyber Security Analyst, Cyber Risk Analyst, Intelligence Researcher, Cyber Security Specialist, Information Security Analyst, Governance & Compliance Analyst, Information Security Assurance & Threat Analyst, and Information Security Auditor.

  1. The Cyber Defender & Responder is more operationally focused, configuring and operating secure systems to prevent security breaches or monitoring systems to detect and respond to security breaches.

Typical job titles include: Cyber Security Analyst, Cyber Security Operator, Forensics & Incident Response Analyst, Cyber Security Administrator, Information Security Officer, Secure Operations Centre (SOC) Analyst, Network Intrusion Analyst, Incident Response Centre (IRC) Analyst and Network Operations Centre (NOC) Security Analyst.

In their daily work, an employee in this occupation interacts with a broad range of people from their own organisation and externally including suppliers and customers, technical specialists, non-specialists, peers and senior representatives. The roles are typically office or computer room/lab based. Some employers will also have security clearance requirements, which may impose residency or nationality restrictions. An employee in this occupation will be responsible for their own work, work as part of a team including different levels of technical and non-technical skills, and may also be required to supervise work, budgets and other staff.

Common Core occupation duties

Duty 1: Identify cyber vulnerabilities in a system to ensure security is maintained.

Duty 2: Identify security threats and hazards to a system, service or processes to inform risk assessments and design of security features

Duty 3: Research and investigate attack techniques and recommend ways to defend against them

Duty 4: Support cyber security risk assessments, cyber security audits and cyber security incident management

Duty 5: Develop security designs with design justification to meet the defined cyber security parameters.

Duty 6: Configure, deploy and use computer, digital network and cyber security technology.

Duty 7: Develop programme codes or scripts for a computer or other digital technology for example an industrial control system

Duty 8: Write reports, give verbal reports and presentations in the context of the cyber security role

Duty 9: Manage cyber security operations processes in accordance with organisational policies and standards and business requirements.

Duty 10: Participate in cyber war gaming and simulations (technical & non-technical).for example to better understand cyber-attack and defence, rehearse responses, test and evaluate cyber security techniques

Duty 11: Keep up to date with industry trends and developments to enhance relevant skills and take responsibility for own professional development


Cyber Security Engineer dutiesCyber Risk Analyst dutiesCyber Defend & Respond duties
Duty 12 Work from a given design requirement to design, build and test digital networksDuty 13 Analyse security requirements and develop a security case taking account of all applicable laws and regulations.Duty 17 Manage local response to non-major cyber security incidents
Duty 13 Analyse security requirements and develop a security case taking account of all applicable laws and regulations.Duty 15 Conduct cyber security risk assessmentsDuty 18 Monitor technology systems (for example computer networks and computer systems) in real time to detect cyber security incidents, breaches and intrusions
Duty 14 Implement structured and reasoned security controls in a digital system in accordance with a security caseDuty 16 Conduct cyber security auditsDuty 19 Integrate and correlate information from a variety of sources and form an informed judgment on whether an indicator constitutes a likely security incident, breach or intrusion.
Duty 22 Prevent security breaches using a variety of tools techniques and processes.Duty 21 Develop information security policies to achieve security outcomes within a defined scopeDuty 20 Respond to a suspected security incident, breach or intrusion in accordance with organisation procedures any defined service level agreements or performance targets.
Duty 23 Design and implement security awareness campaignsDuty 22 Prevent security breaches using a variety of tools techniques and processes.


Length of end-point assessment period

The EPA will be completed within an EPA period lasting typically 4 months, starting when the EPAO has confirmed that all gateway requirements have been met.

Assessment method 1: Professional discussion underpinned by portfolio (This assessment method has 1 component.)


This assessment will take the form of a professional discussion which must be appropriately structured to draw out the best of the apprentice’s competence and cover the KSBs assigned to this assessment method. It will involve questions that will focus on the KSBs mapped to this method of assessment.

The rationale for this assessment method is that a professional discussion allows a two-way dialogue between the apprentice and independent assessor. It is commonplace for Cyber Security Technologists to engage in detailed technical discussions, so this assessment method mirrors their day to day work.

A professional discussion is a well-recognised method of assessment which is widely used within the digital sector. It allows for knowledge, skills and behaviours that may not naturally occur as part of another assessment method to be assessed and more easily discussed. The apprentice can draw upon other supporting evidence in the portfolio and can effectively determine the authenticity of that supporting evidence.

After the gateway, the EPAO will send the portfolio to the independent assessor a minimum of 10 days before the intended date of the Professional Discussion to allow the independent assessor to review the portfolio and generate appropriate questions.

For the professional discussion underpinned by portfolio the apprentice will be required to submit a portfolio of evidence. The requirements for this are:

  • apprentices must compile a portfolio of evidence during the on-programme period of the apprenticeship.
  • it should contain evidence related to the KSBs that will be assessed by the professional discussion. Each KSB being assessed should be evidenced more than once. Evidence in the portfolio should be presented under the following section headings:
    • Section 1: Cyber security concepts and its importance to business and society (K3)
    • Section 2: Rationale for security objectives (S6)
    • Section 3: Ethical principles, codes of practice, law & regulation (K8, K9)
    • Section 4: Preventing security breaches & continuous improvement (S9, S15)
    • Section 5: Following organisations policies & processes (K6, S7)
    • Section 6: Operation of security management systems & incident response (K7, K15)
  • evidence should be mapped against the KSBs assessed by the Professional Discussion (see mapping of KSBs)
  • evidence may be used to demonstrate more than one KSB; a qualitative as opposed to quantitative approach is suggested
  • evidence sources may include:
    • workplace documentation/records, for example workplace policies/procedures, records
    • witness statements
    • annotated photographs
    • video clips (maximum total duration 5 minutes); the apprentice must always be in view and identifiable
    • This is not a definitive list; other evidence sources are allowed.
  • the portfolio should not include any methods of self-assessment 
  • any employer contributions should focus on direct observation of performance (for example witness statements) rather than opinions 
  • the evidence provided should be valid and attributable to the apprentice; the portfolio of evidence must contain a statement from the employer and apprentice confirming this 
  • the portfolio of evidence must be submitted to the EPAO at the gateway 
  • the portfolio of evidence can be electronic or paper-based (or a mixture of both).

The portfolio is not directly assessed. It underpins the professional discussion assessment method and therefore should not be marked by the EPAO. EPAOs should review the portfolio of evidence in preparation for the professional discussion but are not required to provide feedback after this review of the portfolio.

Assessment method 2 component 1: Scenario demonstrations


Apprentices must complete 4 scenario demonstrations in which they will demonstrate the KSBs assigned to this assessment method. The scenarios will be simulated and provided remotely online by the EPAO. Each scenario demonstrations will typically be completed over a minimum of 2 consecutive working days with an allotted amount of time as specified below:

  • Attack and Threat Research: 1 hour 45 minutes
  • Risk Assessment: 2 hours
  • Set up and configure a system with security features: 3 hours
  • Computer programme/script writing: 1 hour

The products of each scenario will be submitted to the assessor and these will be assessed. The scenario outputs will be supplemented with questioning.

The scenario demonstrations as well as the questioning component must be completed within 10 days, starting from when the apprentice undertakes his first scenario demonstration.

The apprentice will be presented with scenarios relevant to their normal sphere of work, or sufficiently similar to be equivalent in complexity, but which may use cyber challenges that are in a different business domain to the one in which they normally work.

Scenario demonstrations allow a demonstration of competence and involve direct testing under controlled conditions. Undertaking the scenario demonstrations in a controlled environment allows for pre-determined independent assessor training and assessment resources to be developed and helps to guarantee the required demand and challenges that appear during this end-point assessment method.

In this occupation, an observation of practice in a live setting was not selected, as the apprentice is not likely to cover the breadth and depth of practice required within a reasonable EPA period. Scenario demonstrations avoid situations where occupational activities are not available or do not occur on the day and avoids issues around confidentiality or exposing an organisation’s confidential information. The apprentice will be presented with scenarios where they will be able to demonstrate how they can apply their knowledge, skills and behaviours.

Assessment method 2 Component 2 – Questioning

The scenario demonstrations will be supplemented by questioning following the independent assessors review of all 4 scenario demonstration outputs.

The independent assessor should have 5 days to review the scenario demonstration outputs and generate appropriate questions. The independent assessor is responsible for generating suitable questions in line with the EPAO’s training and standardisation process.

The purpose of questioning is to help the assessor assess the apprentice’s understanding of underpinning reasoning for their actions within the scenarios for the KSBs assigned to this method as evidenced in the scenario demonstration activity. Questioning should not be used to extend the scope of the assessment and should focus on the outputs of each scenario demonstration. Those KSBs that the apprentice did not have the opportunity to demonstrate during the scenario demonstration outputs can instead be covered by questioning, although these should be kept to a minimum.

Questioning must last 45 minutes and is in addition to the total time for the scenario demonstration (component 1). The independent assessor has the discretion to increase the duration of questioning by up to 10% to allow the apprentice the opportunity to respond to their final question. The time for questioning can be allocated across the scenarios according to the judgment of the assessor of where questions will add the most value in increasing their understanding of the competence of the apprentice.

The independent assessor must use the full time available for questioning to allow the apprentice the opportunity to evidence occupational competence at the highest level available unless the apprentice has already achieved the highest grade available.

The independent assessor must ask a minimum of 9 questions typically focussed on scenarios 1 to 3 at their discretion. Follow up questions may be asked where clarification is required.

During the questioning component, apprentices must be provided with a copy of the outputs from their scenario demonstrations to refer to and to aid recall. This can be done via paper based outputs of via a screen share facility.

Assessment method 3: Project Report (This assessment method has 1 component.)


Apprentices will conduct a project and submit a 2,000-word project report to the EPAO. The project is compiled after the apprentice has gone through the gateway.

The work-based project should be designed to ensure that the apprentice’s work meets the needs of the business, is relevant to their role and allows the relevant KSBs to be demonstrated for the EPA. Therefore, the project’s subject, title and scope will be agreed between the employer and the EPAO at the gateway. The employer will ensure it has a real business application and the EPAO will ensure it meets the requirements of the EPA (including suitable coverage of the KSBs assignment to this assessment method).

Cyber Security Technologists work in a project-based environment and are responsible for carrying out cyber security activities and implementation of cyber security solutions. The project will address a cyber security engineering issue, a risk assessment issue, or a defend and respond issue, tailored to the cyber security specialism of the apprentice’s employer which reflects the normal working practices within the role. As part of the role they will be expected to complete project reports and the project will reflect the areas their report would cover within the industry. Each project will focus on the specialism undertaken by the apprentice within the Cyber Security Technologist standard and may be based on any of the following:

  • a specific problem
  • a recurring issue
  • an idea/opportunity

Examples of project titles for each option within the occupational standard are listed below for illustrative purposes:

Cyber Security Engineer Option

  • design and configure a network to meet a requirement and troubleshoot to optimise performance
  • analyse requirements and build a security system to provide effective defence against cyber threats.

Risk Analyst Option

  • undertake a cyber-risk assessment and produce a report
  • participate in a cyber-security audit and produce a report
  • undertake a cyber-security culture assessment and design and implement a security awareness campaign
  • undertake a security policy review and produce a report

Cyber Defender & Responder Option

  • develop an incident response plan for approval within an organisations’ governance arrangements for incident response.
  • manage local response to non-major incidents in accordance with a defined procedure.
  • detect and analyse a security incident with action plan responses.
  • implement security tool configuration in response to threat intelligence The above projects are suggestions, other appropriate projects are permitted

All project reports (irrespective of the option chosen) should include:

  • an introductory section (text only, i.e. no diagrams, screen shots or figures) that explains:
    • description of the project 
    • approach 
    • project outcomes 
    • how the KSB are evidenced through the project

For Cyber Security Engineer Option: the Project report must cover the following additional headings:

  • design of the network
  • evidence that the network works to meet the requirement
  • network optimisation metrics against performance requirements
  • requirements analysis and its link to the eventual system, including security features
  • schematics to show the build-up of a system to the design from provided components
  • configuration metrics to show how the system meets the security requirements
  • demonstration of how the security features are effective

For Cyber Risk Analyst Option: the Project Report must cover the following additional headings:

  • description of the role taken in a cyber-security risk assessment and audit
  • a report explaining the conduct of the risk assessment & audit
  • a report considering the cyber policies and cyber awareness campaign 

For Cyber Security Defender and Responder Option: the Project Report must cover the following additional headings:

  • incident manager report of an incident response
  • incident response plan submitted for approval
  • detection of a security incident and action taken
  • analysis of a security incident and action taken
  • evidence of the implementation of tool configuration in response to threat intelligence

The project report must map, in an appendix, how it evidences the relevant KSBs for this assessment method.

Assessment method 4 – Knowledge Test (This assessment method has 1 component.)


A knowledge test is a controlled assessment which consists of a series of questions in which apprentices are asked to provide a response.

This will allow the KSBs which may not naturally occur in every workplace or may take too long to observe to be assessed and the assessment of a disparate set of knowledge requirements. The test is mapped to knowledge statements that could not be fully assessed in the other three assessment methods.

Test Format

The knowledge test will consist of 40 multiple-choice questions. The multiple-choice questions will have four options of which one will be correct. The questions must be varied, to avoid the test becoming too predictable, yet allow assessment of the relevant KSBs.

The knowledge test can be:

  • computer based
  • paper-based

Apprentices must have a maximum of 60 minutes to complete the test.

The test is closed book, which means that the apprentice cannot refer to reference books or materials

Please enable JavaScript in your browser to complete this form.
Translate »