Principal registration awarded to JAG Secure

Written By :

Category :

Uncategorized

Posted On :

Share This :

post thumbnail placeholder

Insights

Principal registration awarded to JAG Secure

2 July 2026

Jordan Glover, founder and principal tester at JAG Secure, has been awarded Principal Cyber Security Professional (PriCSP) registration with the UK Cyber Security Council in the Security Testing specialism, assessed through The Cyber Scheme.

It is a title that is still new enough to be widely misunderstood, and it is worth setting out properly, because it is not another certification badge and it does not work like one.

The problem it exists to solve

Anyone in the United Kingdom can call themselves a penetration tester. There is no legal protection on the term, no barrier to putting it on a website and no requirement to demonstrate competence to anybody before taking money to test an organisation’s systems.

For buyers, that is a genuine problem. If you are commissioning a test and you are not technical yourself, you have very little to separate a competent supplier from a confident one. Both have a website. Both have logos on it. Both will tell you they are experienced.

Every profession where getting it wrong causes real harm resolved this a long time ago through professional registration. Engineering, accountancy, law and medicine each have a body that sets a standard, assesses people against it and holds a register of those who meet it. Cyber security did not, until recently.

A Royal Charter body

The UK Cyber Security Council holds a Royal Charter. That is the same constitutional footing the engineering and accountancy bodies stand on, and it is not decoration. It makes the Council the recognised professional body for cyber security in this country. It sets and maintains the standards for the profession, and it holds the register of the professionals assessed against them.

The Council works through defined specialisms rather than treating cyber security as one undifferentiated discipline, which matters, because it is not one. Security Testing is a specialism in its own right, alongside areas such as Governance and Risk Management, Audit and Assurance, and Incident Response. A registration therefore tells you what somebody has been assessed to do, not merely that they have been assessed.

What Principal recognises

Principal recognises an expert practitioner in a specialism. It is the level at which a professional is held accountable for the work itself rather than performing it under somebody else’s supervision, and it is awarded on the basis that they have demonstrated that standing against a defined national benchmark.

How it is assessed

This is what separates registration from certification, and it is worth being specific about.

There is no route where you sit an exam and receive the title. Applications are made through a Licensed Body approved by the Council, which for Security Testing means CREST or The Cyber Scheme. The assessment comes in two halves and both must be passed.

Part A is technical, and it is an examination. It is the half that most resembles what people expect. In this case the route was CSTL, the Cyber Scheme Team Leader qualification for web applications.

Parts B to E are not technical at all. They examine professional practice, judgement, conduct and how a practitioner actually operates. They are assessed on evidence drawn from real engagements and reviewed by a panel of peers, meaning people who do this work themselves and know exactly what that evidence should look like.

The second half is the interesting one. Plenty of qualifications will confirm that somebody can exploit a target under exam conditions. Very few examine how a tester behaves when something goes wrong on a live client system at four in the afternoon, how they decide what to report and how urgently, or whether they can explain a serious finding to a frightened non-technical audience without either patronising them or making it worse.

In a field where anyone can call themselves a tester, an independent panel examining how somebody operates, their judgement and their conduct, not simply what they can exploit, is a standard worth having.

Why it matters commercially

Beyond the principle, the registration carries a hard practical function that buyers should understand.

The NCSC’s CHECK scheme is how penetration testing is assured for United Kingdom government and public sector systems. The NCSC now uses the Council’s Security Testing framework to define the professional standard for that scheme, and every CHECK Team Leader is required to hold the Council’s Security Testing title at Principal level.

That requirement was not aspirational. The deadline was 31 March 2025, and any Team Leader who did not hold the registration by that date was no longer eligible to operate under the scheme. CHECK Team Members must reach the Practitioner level on the same basis by 31 March 2026. The previous position, where holding an NCSC approved examination was sufficient on its own, no longer exists.

For anyone commissioning testing, that changes the conversation. It gives you a single question that meaningfully separates suppliers, and an independent register standing behind the answer rather than a logo on a website.

An ongoing obligation

Registration is not a certificate to be filed and forgotten. It carries continuing professional development requirements and accountability under the Council’s codes of conduct and ethics. It is a standing commitment rather than a trophy, which is the entire point of it.

What it means for clients

Every JAG Secure engagement is scoped, tested, reported and retested by the same registered senior tester. The registration is independent confirmation of the standard that work is held to, assessed by peers against a national benchmark, and maintained rather than collected.

Thanks are due to The Cyber Scheme for a thorough assessment process. It was not a formality, and it should not have been.

Leave a Reply

Your email address will not be published. Required fields are marked *