The global skills and competency framework for the digital world

SFIA View: Skills for security professionals

Skills for security professionals

(new)

Information security SCTY

(unchanged)

Defining and operating a framework of security controls and security management strategies.

Enterprise and business architecture STPL

(unchanged)

Aligning an organisation's technology strategy with its business mission, strategy, and processes and documenting this using architectural models.

Governance GOVN

(unchanged)

Defining and operating a framework for making decisions, managing stakeholder relationships, and identifying legitimate authority.

Risk management BURM

(unchanged)

Planning and implementing organisation-wide processes and procedures for the management of risk to the success or integrity of the enterprise.

Audit AUDT

(unchanged)

Delivering independent, risk-based assessments of the effectiveness of processes, the controls, and the compliance environment of an organisation.

Information assurance INAS

(unchanged)

Protecting against and managing risks related to the use, storage and transmission of data and information systems.

Continuity management COPL

(unchanged)

Developing, implementing and testing a business continuity framework.

Incident management USUP

(unchanged)

Coordinating responses to incident reports, minimising negative impacts and restoring service as quickly as possible.

Vulnerability research VURE

(unchanged)

Conducting applied research to discover, evaluate and mitigate new or unknown security vulnerabilities and weaknesses.

Threat intelligence THIN

(unchanged)

Developing and sharing actionable insights on current and potential security threats to the success or integrity of an organisation.

Security operations SCAD

(modified)

Manages and administers security measures, leveraging tools and intelligence to protect assets, ensuring compliance and operational integrity.

Vulnerability assessment VUAS

(unchanged)

Identifying and classifying security vulnerabilities in networks, systems and applications and mitigating or eliminating their impact.

Digital forensics DGFS

(unchanged)

Recovering and investigating material found in digital devices.

Penetration testing PENT

(unchanged)

Testing the effectiveness of security controls by emulating the tools and techniques of likely attackers.

Research RSCH

(unchanged)

Systematically creating new knowledge by data gathering, innovation, experimentation, evaluation and dissemination.

Information and data compliance PEDP

(modified)

Implementing and promoting compliance with information and data management legislation.