The Cyber Extended Project Qualification
(The CyberEPQ).

Brought to you by CIISec

Chartered Institute of Information Security

Break into a Cyber Security career with the CyberEPQ.

Enrol for 2025-26

What is the CyberEPQ?

The CyberEPQ is the UK’s first and only Extended Project Qualification (EPQ) in Cyber Security. Developed in 2016 by a consortium of education and Cyber Security partners, it provides a starting point for anyone considering a career in Cyber Security, either as a pathway to further learning at university, an apprenticeship or even for those considering a change of career.

The CyberEPQ underpinning knowledge is guided by the National Occupational Standards (NOS) and aligned with the Chartered Institute of Information Security (CIISec) and the Cyber Security Body of Knowledge (CyBOK) Skills and Knowledge Framework.

This Level 3 qualification which is accredited by City and Guilds is worth up to 28 UCAS points. The taught elements are delivered using a distance learning platform called the Moodle. Students can be enrolled as school-based learners where they are supervised by their teachers or independent learners who will be allocated a supervisor by CIISec.

Delivered online
8 Core Modules
5 Specialist & 2 Innovation Modules
Extensive video content
Downloadable Resources
Quizzes & Games

Who is the CyberEPQ for?

The CyberEPQ is open to anyone over the age of 14 but is best suited to study alongside A levels in Years 12 and 13.

It has been designed to bridge the gap in Cyber Security qualifications between GCSE Computer Studies and a degree in Cyber Security. It also assists in training potential Cyber Security professionals and those who are looking for a change in career who want to move into the industry.

The CyberEPQ is not just for those interested in Computer Science. Whatever your academic interests, CIISec actively encourages a diverse mix of students onto the course, regardless of background.

Topics & Scheme Structure

The course consists of 8 mandatory Core Modules. Students must then choose 1 final module from a choice of 5 specialist or 2 innovation modules

Introduction to Cyber Security (Core Module)

In this module, you will be introduced to the topic of Cyber Security, including a brief history of ethical hacking, Confidentiality, Integrity & Availability (The CIA Triad) of data as well as the Computer Misuse Act.

History of Computing & Cryptography (Core Module)

Take a look at computing from the breaking of the Enigma code at Bletchley Park, the world’s first programmable computer – Colossus, through to the development of mainframes, personal computers and the development of the internet.

Explore the study of techniques of secret writing, especially code and cipher systems, as well as the procedures, processes & methods of making and using secret writing as codes or ciphers.

Cybercrime (Core Module)

In this module, you will explore Cybercrime, which is used to describe two closely linked, but distinct ranges of criminal activity, namely cyber-dependent crimes and cyber-enabled crimes. Cyber-dependent crimes can be committed only through the use of Information and Communications Technology (ICT) devices where the devices are both the tool for committing the crime and the target of the crime. Whereas, cyber-enabled crimes refer to traditional crimes which can be increased in scale or reach by the use of computers, computer networks or other forms of ICT.

Risk Assessment, Management & Governance Parts 1 & 2 (Core Modules)

Risk Management, the process of identifying, assessing and controlling threats to an organisation’s capital and earnings is looked at over two modules. These threats or risks could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.

IT security threats and data-related risks, and the risk management strategies to alleviate them, have become a top priority for digitized companies. As a result, a risk management plan increasingly includes companies’ processes for identifying and controlling threats to its digital assets, including proprietary data, a customer’s personally identifiable information (PII) and intellectual property.

Governance refers to the actions, processes, traditions and institutions by which authority is exercised and decisions are taken and implemented. Risk governance applies the principles of good governance to the identification, assessment, management and communication of risks.

You will also examine how ethics are critical to any sound cyber security defence strategy.

Security Testing & Vulnerability Assessment (Core Module)

Security Testing is a type of software testing that uncovers vulnerabilities, threats and risks in a software application and prevents malicious attacks from intruders. The purpose of Security Tests is to identify all loopholes and weaknesses of the software system which might result in a loss of information, revenue or reputation at the hands of employers or outside of the organisation. The main goal of Security Testing is to identify the threats in the system and measure its potential vulnerabilities so the threats can be encountered and the system does not stop functioning or cannot be exploited. It also helps in detecting all possible security risks in the system and helps developers to fix the problems through coding.

In this module, you will also learn about Vulnerability Assessment which is a risk management process used to identify, quantify and rank possible vulnerabilities to threats in a given system. It is not isolated to a single field and is applied to systems across different industries such as: IT systems; Energy and other Utility systems; Transportation; Communication systems.

Digital Forensics (Core Module)

Explore Digital Forensics which is the process by which information is extracted from data storage media e.g. devices, remote storage and systems associated with computing, imaging, image comparison, video processing and enhancement (including CCTV), audio analysis, satellite navigation, communications), rendered into a useable form, processed and interpreted to obtain intelligence for use in investigations, or evidence for use in criminal proceedings.

Identity & Access Management (Core Module)

This is a collective term that covers products, processes and policies used to manage user identities and regulate user access within an organisation.

This module looks at authentication, authorisation and accountability (AAA) which refers to a common security framework for mediating network application access. AAA intelligently controls access to computer resources by enforcing strict access and auditing policies. This process ensures that access to network and software application resources can be restricted to specific, legitimate users.

Explore in brief detail Artificial Intelligence (AI) and Machine Learning (ML). AI makes it possible for machines to learn from their experiences, adjusting to new inputs and performing human-like tasks Most AI applications rely heavily on deep learning and natural language processing which is referred to in general as Machine Learning.

Also study GDPR which is designed to ensure that the integrity of any personal data that is collected, managed, stored or processed by an organisation is fully protected. It brings mandatory requirements for data controllers and processors. These provide further safeguards, ranging from the need to gain an individual’s consent to store and use their data – and their right to know what personal data is held about them – right through to the need for some companies to appoint Data Protection Officers.

GDPR also introduces much heavier penalties for breaches of the regulation by companies that fail to comply. The onus is on individual firms to understand the risks associated with any personal data they hold or use and to take the necessary measures to mitigate those risks.

You will also investigate how the UK enacted the GDPR into law as the Data Protection Act 2018 (GDPR 2018)

Human Aspects of Cyber Security – Optional Specialist Module

Discover how human factors of cyber security represent the actions or events when human error results in a successful hack or data breach. Sharing of passwords, poor patch management, double-clicking on unsafe URLs and organisational access through a personal device are just a few human errors that can lead to a security threat, many of which could be mitigated.

You will explore how by defining the anti-requirements or abuse frames which make explicit potential adversarial behaviour of attackers and design mechanisms, they can protect an organisation. Security is not a zero-sum game, meaning the gain of the attacker does not equal the loss of the defender. Therefore, understanding the goals, assets and risks for the organisation is not enough. It is important to understand the goals of potential attackers and the gain they may achieve by having access to the organisation’s assets.

Incident Response Management – Optional Specialist Module

You will look at Incident Response Management which is an organised strategy for addressing and managing the after effects of a security breach or cyber-attack, also known as an incident involving IT, computer incident or security. The purpose is to control the situation in a way that limits harm and reduces the time and cost of recovery.

Pentesting – Optional Specialist Module

Examine Penetration Testing (Pentesting) which is a method of testing, measuring and enhancing established security measures on information systems and support areas.

In this way, organisations can gain assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.

Penetration Testing should be viewed as a method for gaining assurance in an organisation’s vulnerability assessment and management process, not as a primary method for identifying vulnerabilities.

Security Audit, Compliance & Assurance – Optional Specialist Module

Explore Audit Compliance functions which are meant to reasonably ensure that the company is complying with all applicable laws, rules and regulations, as well as internal codes of conduct, policies and procedures. The Internal Audit function is designed to monitor and evaluate the company’s internal control environment as to its adequacy, efficiency and effectiveness.

Security Assurance can be defined as the confidence that a system meets its security requirements and is resilient against security vulnerabilities and failures. The confidence indicated by the security assurance represent the level of trust we give to a system that is safe to use.

Software Security & Architecture – Optional Specialist Module

In this module you will learn about Software Security. This is an idea implemented to protect software against malicious attack and other hacker risks so that the software continues to function correctly under such potential risks.

Security is necessary to provide integrity, authentication and availability. Software systems can be attacked to steal information, monitor content, introduce vulnerabilities and damage the behaviour of software.

Look at Security Architecture which refers to a set of security principles, methods and models designed to align to a company’s objectives and help keep the organisation safe from cyber threats. Security Architecture translates the business requirements to executable security requirements.

Modern businesses need to have a robust security architecture framework to protect their most important information assets. The strengthening of Security Architecture will close common weaknesses which can drastically reduce the risk of an attacker succeeding in breaching a company’s systems.

Artificial Intelligence & Cyber Security – Optional Innovation Module

In this module you will explore in more detail what Artificial Intelligence (AI) is and be able to give examples of how it is used. You will be able to explain how AI can be used to protect and attack systems. This will then develop your understanding of how AI itself can be at risk from cyber-attacks.

Quantum Computing & Cyber Security – Optional Innovation Module

In this module you will be looking at the differences between classical computers and quantum computers and learning how a quantum computer works. You will be able to discuss the applications for quantum computing in cyber security and explain what quantum safe cryptography is and how organisations can prepare for it.

CyberEPQ Testimonials

“In our first year of running the CyberEPQ, we have already seen how beneficial the course has been to our students. Students chose a wide variety of essay topics that truly engaged their inquisitiveness. Some of their presentations felt like we were sat in training sessions with Cyber Security experts. Many are now planning a future in cyber security. I can’t wait to see how our next cohort develops over the course.”

— Andy Pape, Head of Computer Science at Thomas Tallis School, London.

“The CyberEPQ is a very engaging course which the students find worthwhile and enjoyable. It provides a good snapshot of what is possible in this exciting industry and gives students a chance to stand out from the crowd. I would highly recommend this qualification to any tech-motivated student.”

— Ifatgar Ahmed, Curriculum Director for Computing at UTC Sheffield

“The CyberEPQ from CIISec is a wonderful opportunity to staff and students alike, and I heartily recommend it. The team at CIISec provide comprehensive advice and support, with separate regular meetings for students and staff that mean all parties are fully supported. The Moodle modules are very engaging and my students have all learned a great deal from them.

The format of the course, with students writing a 5,000 word essay and giving a 10 minute presentation, not to mention the project management and reflective nature of the course, means that all students gain a great insight into what it is like to work on larger NEA projects and the independent study skills they will need at university.

As a direct result of getting engaged with the CyberEPQ, I have made contact with lost of professionals, locally, nationally and even internationally, all of whom have been generous with their time for my students. I never dreamed that my students would interview Professors of AI and Quantum Computing or senior cyber security staff from the Home Office, but this has all been possible through the CyberEPQ!”

Some Returning Schools

Enrolment Fees

Fully Funded Option

£0
including City & Guilds registration fee *

  • Attends a state school in England
  • In Year 12 or 13
  • Has a teacher who will act as a course supervisor

* City & Guilds registration fee is repayable by school if student withdraws

School-Based Learners

£200
including City & Guilds registration fee

  • Applies to students from independent schools, or students from state schools that do not fit the eligibility criteria for the fully funded option
  • Has a teacher who will act as a course supervisor

Independent Learners

£550
including City & Guilds registration fee

  • Applies to students who do not have a supervisor provided by their school, college, or workplace.
  • CIISec supervisor will be appointed

Frequently Asked Questions

What qualification will I gain from the CyberEPQ?

It is a level 3 qualification which is the equivalent to half an A level and worth up to 28 UCAS points depending on final awarded grade. It is accredited by City and Guilds

What support can be expected throughout the course?

The CyberEPQ is an independent research project but students will be supported throughout the journey in a number of ways. Each student will have a supervisor, either based in their school or provided remotely by CIISec. The supervisor should have regular check-ins with their students, providing feedback and completing elements of the Production Log, Presentation and the marking of the project.

Alongside email communications from CIISec, students and supervisors will be invited to participate in regular support calls which will pay particular focus to preparation for suggested milestones and fixed deadlines. The calls are recorded and distributed, along with any slides used, so that they can be accessed at any point.

How is the course structured?

Once enrolled, students need to work through the online learning content on the Moodle. There are 8 core modules that must be completed and then students need to choose one final module, either from five specialist modules or two innovation modules. Each time a module is completed, the student must complete their reflective journal entry. This will be invaluable in helping to choose a project topic.

As with a standard EPQ, students must submit a formal project proposal which must be approved before embarking on their work.

The main project requires students to write a 5,000 word essay and complete the project by delivering a presentation. The presentation should not just focus on the project title but also reflect on the learning journey as a whole, including time and project management.

Can final submission be deferred?

The course is available over a number of different timetables to try and accommodate as many students as possible. Sometimes, circumstances arise which mean that students do not make the final submission with their original cohort.

Deferring to a following cohort is possible but it should be borne in mind that this could mean that the final grade is awarded one whole year later than originally planned. City and Guilds only have one point of submission for the CyberEPQ each year and final awarded grades will only be available on A level results day each August.

Can a student withdraw completely from the CyberEPQ?

Initially, CIISec will attempt to defer any student wishing to withdraw as time pressures are a common factor for this decision.

If a student does wish to withdraw completely from the course, they can do so but should be aware that, if they are a fully funded student, their City and Guilds registration fee will need to be repaid to CIISec. This is because once registration is allocated, CIISec is not able to transfer this to another student.

Students that are not funded and who have paid for the course will only receive a refund or partial refund if the withdrawal request is received by CIISec within two weeks of enrolment. Any request for a refund or partial refund made after this time will be at CIISec’s discretion.

Standard EPQs allow students to create an artefact / performance etc instead of an essay. Is this the same for the CyberEPQ?

The preferred option for the CyberEPQ is to produce a 5,000 word essay and the overwhelming majority of students follow this route. Other options are available but still require a 1,000 word report to be written alongside whatever is produced.

Why is a CyberEPQ more beneficial than a standard EPQ?

The CyberEPQ has many benefits to students. The content is regularly reviewed and updated and aligns with the National Occupational Standards in Information Security as well as the Chartered Institute of Information Security’s Skills Framework.

As part of our Fred Piper Award Scheme, CyberEPQ supervisors can nominate up to two students for the CyberEPQ Student of the Year award with the winning student being announced at our prestigious annual event, CIISec Live. CyberEPQ Supervisors can also nominate themselves for CyberEPQ Supervisor of the Year too.

Each student that receives a final grade will also be eligible to receive one free year of membership to CIISec. Those receiving a grade of A* to B can also use the post nominals AfCIIS and will be eligible to become student accredited affiliate members. Students receiving C to E grades are eligible to become affiliate members.

During the one year of free membership, CyberEPQ graduates will be offered a bespoke programme of monthly webinars, invited to join the CyberEPQ Alumni group on LinkedIn and to attend an end of year summer event, celebrating their achievements but also providing essential networking opportunities with industry and academic partners.

Once the free membership year has ended, students will be encouraged to continue their membership of CIISec either directly or via one of our Academic or Corporate Partners.

Do Supervisors need to be Cyber experts?

Supervisors do not need to have specialist cyber knowledge and supervising the CyberEPQ is the same as that for a standard EPQs. Should a specific cyber question arise, CIISec has a bank of cyber professionals that can help.

As the CyberEPQ is a national cohort, Supervisors will be required to complete our training for marking and standardisation to ensure fairness and consistency in marking across the cohort.

Our partners, sponsors and supporters

City and Guilds
University Technical Colleges
Cyber First
Heart of Worcestershire College

Find us on social media, and start your own conversation with #cyberepq

Sign up to our mailing list for news and updates

Your data will only be used by CIISec to send you relevant news. Your data will never be shared with third parties unless you provide your consent for us to do so. Your data will be held securely and monitored under EU data protection law. You may unsubscribe at any time using the options provided in-email or by proactively contacting our administration team at [email protected]

© Chartered Institute of Information Security. Privacy Policy Refund Policy Site by Dgtl