The ECF-C is aimed at persons (referred as ‘Relevant Practitioners’) engaged by AIs undertaking cybersecurity roles. Under the ECF-C, a ‘Relevant Practitioner’ is defined as:

“a new entrant or an existing practitioner engaged by an authorised institution to perform in roles ensuring operational cyber resilience”.

The following categories of staff are excluded from the definition of ‘Relevant Practitioners’:

(a) Those who are not required to perform the three key roles specified under the ECF-C (i.e. IT Security Operations and Delivery, IT Risk Management and Control, and IT Audit); and

(b) Those who performing key roles solely in the information technology operating function of an AI, such as system developers, system operators, helpdesk operators, and IT support.

The qualification structure of the ECF-C comprises the following two levels based on the year of work experience of Relevant Practitioners in performing the tasks:

(a) Core Level - This level is applicable for entry-level staff with less than 5 years of relevant work experience in the cybersecurity function.

(b) Professional Level - This level is applicable for staff with 5 and above years of relevant work experience in the cybersecurity function.

The qualification structure is driven by the key roles based upon the three lines of defence concept under cyber risk governance:

(i) first line of defence: IT Security Operations and Delivery

(ii) second line of defence: IT Risk Management and Control

(iii) third line of defence: IT Audit

Grandfathering arrangement is not applicable for the ECF on Cybersecurity.

To support and facilitate the talent development in the cybersecurity related sector specifically in banking, The Hong Kong Institute of Bankers (HKIB) has developed a learning programme – the “ECF on Cybersecurity (Core Level)” to help individuals attain the Core Level of the competency standards set by the ECF on Cybersecurity. It will facilitate the building of professional competencies and capabilities for relevant practitioners in cybersecurity related sector in banking through attaining a professional qualification by achieving the required competency level.

Programme Intended Learning Outcomes

Upon completion of the programme, participants should be able to

• Describe the foundation of various network protocols and their hierarchical relationship in hardware and software.
• Apply the principles and knowledge of international standards to enhance network and system security.
• Apply cybersecurity related monitoring measures for managing different types of cybersecurity threats.
• Conduct a security incident response process and present an analysis of the results for management’s review.
• Assess security risks in the cyber environment and IT systems by applying the IT Risk Management and Control principles.
• Conduct IT audits and security testing to assess cybersecurity risk protection.

The chapter outline of the training programme is as follows:

The Programme is open to members and non-members of the HKIB. Candidates must fulfil the stipulated minimum entry requirements:

- A Bachelor’s Degree awarded by a recognised university or equivalent; OR

- An Associate Degree (AD) / Higher Diploma (HD) in a banking and finance, computer studies/science, information systems/technology discipline or equivalent; OR

- Relevant professional qualifications; OR

- Mature applicants with either

• At least five years of work experience in banking and finance, information systems/technology or equivalent; OR

• Two years of work experience in banking and finance, information systems/technology with a recommendation from the employer. ^Note

Note: The recommended staff member should have the knowledge and skills to complete the training activities and achieve the intended learning outcomes. The employer should make the recommendation based on the competency of the potential learner. For example, in addition to 2 years of banking and finance experience, the recommended staff member also possesses other relevant traits and skills such as exhibiting a strong work ethic or transferable skills that the employer finds desirable. The recommendation may also include comments on the career advancement prospects of the staff member.

Applicant should complete and sign the Application Form, together with the appropriate programme and/or examination fee, and return by email or by hand to HKIB Office on or before the corresponding enrolment deadline.

Late entries for training programmes will be accepted up to 7 days after the stipulated application deadlines. An additional late entry fee of HKD200 will apply.

Late entries examinations will be accepted up to 14 days after the stipulated application deadlines. An additional late entry fee of HKD200 will apply.

A relevant practitioner who performs the relevant tasks in cybersecurity function, completed the "ECF on Cybersecurity (Core Level)" training and passed the corresponding examination is eligible to apply for the certification of ACsP which is issued by HKIB and recognised by HKMA.

You may download the Guidelines of Certification and Certification Application Form for reference.

To ensure the Relevant Practitioners maintain their competency levels by updating their existing knowledge and skill set, they are required to fulfill the CPD requirements as stated by HKMA.

As a general guideline, Relevant Practitioners are expected to maintain a minimum of 20 CPD hours each year and a minimum of 120 CPD hours over every 3 years period.

No CPD is required in the year when the ACsP Professional Qualifications is granted. The CPD requirement starts in the following calendar year and pay for annual certification fee is also required.

Individuals who completed the training and passed at the relevant examinations are eligible to apply exemption to the relevant module under another HKIB programme, namely the Advanced Diploma Programme for Certified Banker (QF Level 4). Upon the completion of the programme and satisfaction of the required years of work experience, they may also be awarded the Certified Banker (Stage I) Professional Qualifications. Advanced Diploma Programme for Certified Banker (QF Level 4) is a CB professional banking qualification programmes developed and offered by HKIB. It is intended to raise the professional competency of banking and financial practitioners in Hong Kong to meet modern demands, while providing a transparent standard with international recognition.