The global skills and competency framework for the digital world


SFIA has a long track record of defining skills for cyber security professionals and for professionals who have security responsibilities as part of their role, including secure by design.

Making SFIA easier to consume

  • We have published a dedicated landing page to highlight SFIA's support for cybersecurity skills and to aid navigation
  • This includes extensive mappings to national and international cyber security frameworks
  • See SFIA - a framework for cyber security skills

SFIA cyber security evolution

SFIA skills cover a wide range of professional cyber security activities

  • SFIA skill descriptions span the professional landscape of cybersecurity, addressing needs for both specialist and non-specialist roles.
  • They outline the fundamental security skills and responsibilities central to dedicated cybersecurity jobs, along with the cybersecurity elements required in other roles and jobs.
  • This includes general skills adaptable to security contexts and the responsibilities and know-how for integrating security into diverse areas such as software development, infrastructure management, and managing the supply chain for technology.
  • SFIA facilitates a comprehensive embedding of secure practices across an organisation, ensuring all roles are equipped with the appropriate level of cybersecurity understanding and capabilities.

SFIA 9 changes for cyber security

Identity and access management (IAM)

Identity and access management has been part of the Security operations (SCAD) skill in previous versions of SFIA.

There are specialist roles and responsibilities associated with IAM, which means it is better separated from security operations.


We were asked to include cryptography - based on NICE competency areas.

  1. Should this be a standalone skill or something which is part of other skills?

  2. As a standalone skill, it's quite hard to create something which sensibly covers tasks and responsibilities for research, design/architecture and operations.

  3. An alternative is to update the guidance notes of the 4 existing skills as below

    • update the references to cryptography in Security Operations SCAD:

      • The current reference to cryptography in SCAD is limited to "administering cryptographic and certificate management activities." This could be expanded to:
      • implementing, managing, and monitoring cryptographic solutions to protect data, ensure compliance, and manage cryptographic keys securely.
    • update three other SFIA skills to reference tasks/activities related to cryptography:

      • Information Assurance (INAS): assessing the effectiveness of cryptographic controls, ensuring their proper integration into the assurance framework, providing guidance on the selection and implementation of appropriate cryptographic methods and technologies.
      • Penetration Testing (PENT): assessing the strength and effectiveness of cryptographic implementations, identifying and exploiting weaknesses, and providing recommendations for remediation
      • Vulnerability Research (VURE): conducting research to identify and evaluate new or emerging cryptographic vulnerabilities and identify and share potential mitigations

Additional level 2 SFIA cyber security skills to support entry-level roles

We have introduced additional Level 2 skill descriptions in response to feedback from the global SFIA community.

These new descriptions aim to define the skills and expectations for entry-level roles.

This includes a wide range of skills, including cyber security-related skills.

Key Features of Level 2 Descriptions:

  • Focus on assisting others with tasks
  • Emphasis on following standard procedures
  • Work performed under routine guidance and supervision


  • Level 2 descriptions go beyond mere awareness or knowledge of the domain.
  • Individuals at this level are actively learning while performing work tasks.
  • Professionals are expected to engage in hands-on work but without the full responsibility associated with Level 3 skills.
  • The value and impact of Level 3 skills are not reduced or underestimated.

See also SFIA level 1 to 3 expectations of employees and managers

New Additions:

| Level 2 added to these SFIA skills | Levels for this skill | Concise description of the SFIA skill |
|---|---|---|
| Information security | 2 - 7 | Defining and operating a framework of security controls and security management strategies. |
| Information assurance | 2 - 7 | Protecting against and managing risks related to the use, storage and transmission of data and information systems. |
| Penetration testing | 2 - 6 | Testing the effectiveness of security controls by emulating the tools and techniques of likely attackers. |
| Digital forensics | 2 - 6 | Recovering and investigating material found in digital devices. |
| Audit | 2 - 7 | Delivering independent, risk-based assessments of the effectiveness of processes, the controls, and the compliance environment of an organisation. |
| Risk management | 2 - 7 | Planning and implementing organisation-wide processes and procedures for the management of risk to the success or integrity of the enterprise. |
| Continuity management | 2 - 6 | Developing, implementing and testing a business continuity framework. |

Cybersecurity - combining skills frameworks and role frameworks

The illustration below shows how SFIA - a common language for skills - can be used to support a range of national and international cybersecurity role frameworks.

  • Identify skills and add levels of roles within the role frameworks
  • SFIA skills are available for all roles - not just cybersecurity specialists

NICE work roles

UKCSC specialisms

ENISA European CSF

SFIA levelled roles for UKCSC specialisms
 building security skills into every professional job for a security-minded culture ...

NICE Components 1.0.0

SFIA Partners in the field of cybersecurity