CyBOK SFIA mapping

References to CyBOK © Crown Copyright, The National Cyber Security Centre 2021, licensed under the Open Government Licence: http://www.nationalarchives.gov.uk/doc/opengovernment-licence/.

The Cyber Security Body Of Knowledge (CyBOK) is a comprehensive Body of Knowledge to inform and underpin education and professional training for the cyber security sector.

• The CyBOK project aims to bring cyber security into line with the more established sciences by distilling knowledge from major internationally-recognised experts to form a Cyber Security Body of Knowledge that will provide much-needed foundations for this emerging topic.

On this page:

1. Background to the SFIA-CyBOK Mapping
2. Introduction to SFIA for CyBOK Users
3. SFIA Levels of Responsibility
4. Progression in SFIA levels is about responsibility accountability and impact
   • How SFIA levels differ from Bloom’s taxonomy
5. Knowledge types and SFIA level application
6. Diagrams and illustrations
   • Illustration of career levels in the cyber security specialisms
   • Illustrative career paths for the UKCSC specialisms
   • Applying SFIA skills to cyber security focus areas
   • Combining skills frameworks and role frameworks for cyber security - NICE work roles, UKCSC Specialisms, ENISA
   • CyBOK and SFIA in professional working environment
7. Mapping CYBOK and SFIA
8. The mapping of the 21 CyBOK Knowledge Areas to SFIA skills

---

Background to the SFIA-CyBOK Mapping

Introduction

This document maps the Cyber Security Body of Knowledge (CyBOK) knowledge areas to the Skills Framework for the Information Age (SFIA) to help both academic and industry audiences connect theoretical/foundational cyber security knowledge with professional competencies in practice.

For industry professionals using SFIA

• SFIA provides structured professional competencies across seven levels of responsibility, from following procedures to setting enterprise strategy.
• This mapping shows how the knowledge areas outlined in CyBOK can deepen understanding of why certain practices work, enabling more effective application of SFIA skills, particularly at responsibility levels where judgment and adaptation are crucial.

For academics and educators familiar with CyBOK

• CyBOK organises cyber security knowledge into structured knowledge areas designed primarily to codify “the foundational knowledge in cyber security for education and professional training”.
• This mapping demonstrates how that conceptual knowledge supports measurable professional competencies in industry roles, showing the practical application of theoretical concepts across different levels of organisational responsibility.

The integration value

• Combining CyBOK's theoretical depth with SFIA's structured competency framework helps develop professionals who can both execute effectively and make sound strategic judgments
• The theoretical understanding enables better adaptation of standard practices and communication of why certain practices are needed

Introduction to SFIA for CyBOK Users

SFIA Foundation and the SFIA community

• Global adoption – SFIA is used in 200+ countries, with cyber security applications in the UK, US, Canada, Australia, NZ and beyond.
• Trusted governance – stewarded by the not-for-profit SFIA Foundation, with updates driven by a design authority and international consultation.
• Diverse contributors – community includes governments, universities, professional bodies, employers, and practitioners.
• Open and accessible – free for individuals and most employers, with translations into 11 languages and supporting resources.
• Practical support – guidance notes, example role profiles, mappings to standards and other frameworks

Understanding SFIA Skill Structure

Before examining the mapping, it's important to understand how SFIA skills are defined. Unlike simple skill lists, each SFIA skill provides:

• Detailed guidance explaining the scope of activities and typical responsibilities
• Level descriptions showing progression from basic assistance to strategic leadership
• Collaboration context identifying which other skills typically work together
• Business integration showing how technical skills connect to organisational outcomes

This structure means SFIA skills describe comprehensive professional competencies that integrate technical knowledge, business understanding, and leadership capabilities.

Structure and content of the SFIA Framework

• Seven levels of responsibility – a progression from following instructions (Level 1) to setting strategy (Level 7).
• Over 140 professional skills – covering not only cybersecurity but also business, data, digital, and organisational skills that cyber roles depend on.
• Includes definitions and of business skills/behavioural factors such as communication, decision-making, collaboration, leadership, problem-solving
• Task/activity/competency orientation – skills are described as tasks and outcomes at each level, not just as knowledge statements.
• Reusability across contexts – the same SFIA skill can apply in cyber, software, data, or business settings, making cross-domain mobility clear. This supports secure-by-design responsibilities.
• Integration with knowledge; CyBOK = knowledge, SFIA = competency; they reinforce each other rather than duplicate. The mapping of SFIA skills and CyBOK knowledge areas to the UK Cyber Security Council’s specialisms provides an illustration of this.

SFIA Levels of responsibility

SFIA provides a structured approach to defining and developing professional skills and competencies. At its core, SFIA uses a seven-level structure to describe both professional skills and generic attributes, creating a consistent framework for assessing and developing capabilities. Full details at How SFIA works - Levels of responsibility and skills.

The seven levels of responsibility range from Level 1 (the lowest) to Level 7 (the highest). Each level represents increasing expertise and responsibility in professional roles.

Each level is carefully defined to be:

• Progressive (Building on the previous level's requirements),
• Distinct (Clearly differentiated from adjacent levels), and
• Consistent (Using uniform criteria across all skills).

The levels are characterised by specific behaviours, values, knowledge and characteristics that indicate an individual's operational capability at that level. The concise essence statements provide a distilled view of the unique characteristics of each level. They help users easily distinguish between levels and understand progression without needing to dive into detailed descriptions.

Progression in SFIA levels is about responsibility accountability and impact

We can illustrate this by looking at one of the SFIA skills@

• The full skill description is here  Information security (SCTY)
• The short description of this SFIA skill is "Defining and operating a framework of security controls and security management strategies"
• The table below summarises the responsibility and impact at each level of the Information security skill - from SFIA level 2 to level 7.
• Note how the progression moves from implementing existing controls to setting enterprise strategy. A Level 7 professional doesn't necessarily know more technical details about specific security techniques than a Level 4 specialist - they apply broader judgment about organisational risk and strategy.

SFIA level	Focus of responsibility	Typical impact
2 – Assist	Supports the implementation and monitoring of defined security controls under supervision.	Contributes to consistent, reliable execution of established security procedures.
3 – Apply	Applies and maintains specific controls, identifying and escalating security risks when needed.	Maintains safe and effective security operations through competent, independent application of controls.
4 – Enable	Guides others in applying controls and conducts security risk and impact analysis.	Strengthens team performance and assurance through expert advice and proactive risk management.
5 – Ensure, advise	Leads the development and application of security strategies, policies, and architectures to manage identified risks.	Delivers organisation-wide security outcomes by combining strategic guidance with active oversight of complex operations.
6 – Initiate, influence	Shapes corporate security policy and aligns it with business strategy.	Integrates security into strategic planning, driving organisational alignment and capability.
7 – Set strategy, inspire, mobilise	Directs enterprise information security strategy and governance.	Builds organisational resilience through strategic leadership and alignment of security with business vision.

---

Understanding CyBOK structure for SFIA users

CyBOK is primarily intended as a guideline for curriculum developers, not as a direct learning resource for practitioners. Key structural elements include:

Knowledge areas vs. Professional skills

• CyBOK organises theoretical knowledge into domains such as "Risk Management & Governance" or "Software Security." These describe what needs to be understood conceptually, not how that understanding is applied in professional roles. 
• SFIA skills such as "Information Security (SCTY)" describe professional competencies that draw upon multiple CyBOK knowledge areas.

Academic vs. Industry focus

• CyBOK emphasises theoretical foundations, research findings, and conceptual frameworks.
• SFIA emphasises professional application, business integration, and organisational impact. The mapping shows how theoretical depth supports practical competency.

Curriculum design tool

• CyBOK helps educators design comprehensive cyber security curricula.
• Although some industry professionals may reference specific knowledge areas for deep understanding, it is professional education and certification programs that are most influenced by CyBOK's knowledge organization.

---

Knowledge types and SFIA level application

→ more details in this "Briefing' for Employers"

Most cybersecurity roles require a mix of knowledge types:

1. Procedural knowledge: knowing how to follow steps, use tools, and perform defined tasks.
   
2. Declarative or conceptual knowledge: knowing about systems, frameworks, and principles — the “why” that sits behind procedures.
   
3. Conditional knowledge: knowing when and why to act, making decisions, using judgment in context.

The relationship between CyBOK knowledge domains and SFIA competencies varies by responsibility level:

Procedural knowledge

• What it involves: Following established procedures, implementing standard practices, applying known solutions and tools
• Knowledge sources: Organisational procedures, vendor tool training, entry-level certifications, on-the-job learning
• CyBOK relevance: The content of the CyBOK knowledge areas should not be expected to cover procedural knowledge. The scope of each CyBOK Knowledge area can help in identifying what conceptual understanding may be useful to provide context to procedures and practices, but detailed theoretical knowledge is often not required. 
• Example: Following incident response playbooks, implementing configured security controls, using SIEM tools

Conceptual knowledge

• What it involves: Understanding principles, adapting practices to context, explaining why approaches work
• Knowledge sources: Professional certifications, university education, industry frameworks - often influenced by CyBOK knowledge areas
• CyBOK relevance: Knowledge domains provide theoretical foundations that enable effective adaptation and guidance
• Example: Customising risk frameworks for organisational context, designing security architectures for specific requirements

Judgment/Decision-making knowledge

• What it involves: Strategic decisions, knowing when standard approaches don't apply, organisational adaptation
• Knowledge sources: Professional experience, mentoring, executive education, cross-industry exposure
• CyBOK Relevance: Theoretical frameworks help recognise when and why adaptations are needed, but judgment primarily comes from experiential learning
• Example: Setting enterprise security strategy, making risk appetite decisions, designing governance structures

How knowledge sources support SFIA skills

The knowledge required for effective performance of SFIA skills can come from multiple sources:

Formal Education and Professional Development

• University degrees with curricula often influenced by CyBOK knowledge areas
• Industry certifications (CISSP, CISM, Security+) covering both theoretical and practical aspects
• Professional training on specific frameworks and standards
• CyBOK knowledge areas – used as a reference for identifying theoretical understanding needed

Industry standards and frameworks

• Technical standards (ISO 27001, NIST Cybersecurity Framework, industry-specific requirements, NICE cybersecurity work roles, UKCSC specialisms)
• Best practice frameworks (ITIL, TOGAF, COSO) for integration with broader organisational practices
• Regulatory requirements (GDPR, HIPAA, sector-specific compliance)

Organisational context

• Business knowledge (strategy, processes, financial constraints, stakeholder expectations)
• Technical environment (current infrastructure, planned changes, vendor relationships)
• Cultural factors (risk appetite, change readiness, communication preferences)

Professional experience

• Practical implementation experience with various technologies and approaches
• Cross-functional collaboration with legal, finance, operations, and other business areas
• Leadership and communication skills for influencing stakeholders and driving change

---

 We can apply the SFIA levels to typical career levels found in the cyber security domain.

---

 We can also apply the SFIA levels to typical industry roles - e.g. the diagram below shows SFIA levels mapped to the UK Cyber Security council (UKCSC) specialisms. The actual roles and levels will be dependent on the employer and the nature of their business and operating model.

---

Because SFIA is a broad-based framework it includes skills for  specialist cyber security roles but also adjacent roles and specialisms who apply secure working practices within their roles. 

---

SFIA is a neutral and agnostics skills framework. It can be applied to a wide range of role frameworks. We have mappings of SFIA skills to the roles defined in all the major cybersecurity frameworks including UKCSC, NICE and ENISA.

---

CyBOK and SFIA are complementary.

---

---

Mapping CyBOK Knowledge Areas to SFIA skills

Key Principles of the Mapping

CyBOK as theoretical foundation

CyBOK knowledge areas provide conceptual depth that enhances professional judgment but don't define professional competencies. The theoretical understanding helps professionals know when and why to adapt standard practices, communicate more effectively with other disciplines, and make sound decisions in novel situations.

SFIA as professional application

SFIA skills describe how theoretical knowledge manifests in professional roles, integrating technical understanding with business context, stakeholder management, and organisational leadership. Higher SFIA levels require broader judgment informed by theoretical principles but applied to organisational dynamics.

Multiple knowledge sources required

Effective professional performance requires integration of theoretical knowledge (which may be influenced by CyBOK KAs), industry standards, regulatory requirements, organisational context, and professional experience. Learning based on CyBOK KAs provides one important component but not a complete foundation.

Progression from procedure to decision-making and judgment

Lower SFIA levels primarily require procedural knowledge and standard practice application. Higher levels increasingly require conceptual understanding and judgment capabilities that benefit from theoretical depth, whether gained through formal education, professional development, or study of knowledge domains outlined in CyBOK.

Using this mapping

For professional development planning

• Identify which CyBOK knowledge areas provide theoretical foundation for your target SFIA skills
• Understand what additional business and interpersonal skills are needed beyond technical knowledge
• Recognise when and how theoretical depth supports progression to higher responsibility levels

For curriculum design

• See how academic knowledge areas translate to industry-relevant professional competencies
• Understand what business context and professional skills complement theoretical knowledge
• Design programs that prepare students for specific SFIA professional skills and responsibility levels

For organisational capability assessment

• Assess whether staff have sufficient theoretical foundation for their SFIA responsibility level
• Identify professional development needs that combine technical depth with business skills
• Understand collaboration patterns between different SFIA skills and knowledge domains

For career planning

• Understand how academic preparation relates to industry role requirements
• Identify knowledge gaps that may limit progression to higher responsibility levels
• Plan professional development that combines theoretical depth with practical business skills

The mapping of CyBOK Knowledge Areas to SFIA skills

1. Risk Management & Governance
2. Law & Regulation
3. Human Factors
4. Privacy & Online Rights
5. Malware & Attack Technologies
6. Adversarial Behaviours
7. Security Operations & Incident Management
8. Forensics
9. Cryptography
10. Operating Systems & Virtualisation Security
11. Distributed Systems Security
12. Formal Methods for Security
13. Authentication, Authorisation & Accountability
14. Software Security
15. Web & Mobile Security
16. Secure Software Lifecycle
17. Applied Cryptography
18. Network Security
19. Hardware Security
20. Cyber-Physical Systems Security
21. Physical Layer & Telecommunications Security