Study at City
  1. Courses
  2. Applying
  3. Fees and funding
  4. Living in London
  5. Visit us
  6. Student support
  7. International students
  8. Order a prospectus
  9. Ask a student
  1. Continuing Professional Development
Study at City

Management of Information Security and Risk: Assurance Cases CPPD

Key information

Choose a start date
To be confirmed
To be confirmed
To be confirmed
To be confirmed
Course code:
To be confirmed
To be confirmed
Application deadline:
To be confirmed
To be confirmed

Course overview

Assurance cases, as a generalisation of safety case to security and dependability, are a powerful approach to justifying and communicating the trustworthiness of a complex system.  We have defined an assurance case as: "a documented body of evidence that provides a convincing and valid argument that a system is adequately dependable for a given application in a given environment". Assurance cases are based on the key concept of claims, arguments and evidence. There is a need for methods to define and structure claims (e.g. that the security properties are satisfied, that hazards have been mitigated, that vulnerabilities have been addressed, and that business continuity is being supported), and show how these are discharged with compelling arguments commensurate with the criticality of the system being assessed, while providing supporting evidence (such as from testing, analysis).

Assurance cases are often embedded within a safety and security management process and often within a regulatory or licensing process that provides for independent challenge and review. Assurance cases can play a pivotal role in audits and reviews, as well as in incident management and investigation, where they can play a role in on-going processes, as well as use evidence from previous incident occurrences in the context of new assurance cases. It is important to understand the range of standards that can be applied and their role and limitations.

The module will be delivered in block mode consisting of two blocks:

  • Thursday: 5pm-9pm
  • Friday: 9am-5pm
  • Saturday: 9am-5pm

The second block is delivered 6 weeks after the first block.

This module is taken from the MSc in Management of Information Security and Risk.

Course outcomes

Course outcomes

  • The nature of the assurance and evaluation problem for computer based systems
  • Deriving and structuring of claims in an assurance case; claim expansion from architecture; from dependability attributes.
  • The role of standards, policies and regulations in deriving claims and argument strategies
  • Evidence and arguments for different attributes
  • Reviewing and assessing cases; improving communication. Developing cases for a range of stakeholders - from "boardroom to back office"
  • Cases for specific classes of systems. Issues of scalability
  • The use of tools for assurance cases (e.g. ASCE).



Prerequisite knowledge

You should have a first or second class BSc honours degree (or equivalent non-UK qualification).

You should also have approximately five years of relevant professional experience (absolute minimum of two years in exceptional circumstances).

You should also have basic competence and familiarity with mathematics and good professional English.



Assessment is coursework based consisting of a mixture of one or more of the following:

  • reports
  • essays
  • presentations
  • peer reviews
  • group work.