Cybercrime investigation CRIM

Investigates cybercrimes, collects evidence, determines incident impacts and collaborates with legal teams to protect digital assets.

Revision notes

Updates for SFIA 9

This is a new skill introduced in SFIA 9.
Theme(s) influencing the updates for this new skill: Support for cyber security working practices (both specialised and general).
Previous SFIA assessments or skills mapping of other SFIA skills are not impacted by this new skill.

Guidance notes

Cybercrime investigation focuses on identifying, tracking, and building cases against those engaged in criminal activities in cyber/digital environments.

This involves using investigative techniques to uncover criminal patterns, assess cybercrime impacts, and support prosecution efforts.

Activities may include, but are not limited to:

investigating suspicious activities and alleged cyber/digital crimes
collecting evidence from public networks, private systems, and hard-to-access environments like the deep and dark web
gathering and analysing data from systems, networks and devices
collecting and examining physical evidence such as documents, hardware devices and signs of physical interference
identifying clues indicating unauthorised access and evaluating target vulnerabilities
conducting victim and witness interviews and suspect interrogations to gather information
assessing the credibility and authenticity of evidence, and collaborating with legal teams to identify incidents requiring legal action and ensure evidence admissibility
documenting findings and preparing detailed investigative reports for stakeholders
coordinating responses to significant cybercrime incidents
analysing cybercrime trends and developing strategies to combat emerging threats and participating in cybercrime task forces and information sharing initiatives.

Understanding the responsibility levels of this skill

Where lower levels are not defined...

Specific tasks and responsibilities are not defined because the skill requires a higher level of autonomy, influence, and complexity in decision-making than is typically expected at these levels. You can use the essence statements to understand the generic responsibilities associated with these levels.

Where higher levels are not defined...

Responsibilities and accountabilities are not defined because these higher levels involve strategic leadership and broader organisational influence that goes beyond the scope of this specific skill. See the essence statements.

Developing skills and demonstrating responsibilities related to this skill

The defined levels show the incremental progression in skills and responsibilities.

Where lower levels are not defined...

You can develop your knowledge and support others who do have responsibility in this area by:

Learning key concepts and principles related to this skill and its impact on your role
Performing related skills (see the related SFIA skills)
Supporting others who are performing higher level tasks and activities

Where higher levels are not defined...

You can progress by developing related skills which are better suited to higher levels of organisational leadership.

Click to learn why SFIA skills are not defined at all 7 levels.

Show/hide extra descriptions and levels.

Levels of responsibility for this skill

Level 1

Level 1 - Follow: Essence of the level: Performs routine tasks under close supervision, follows instructions, and requires guidance to complete their work. Learns and applies basic skills and knowledge.

Cybercrime investigation: Level 2

Level 2 - Assist: Essence of the level: Provides assistance to others, works under routine supervision, and uses their discretion to address routine problems. Actively learns through training and on-the-job experiences.

Assists in cybercrime investigations under routine supervision.

Supports the collection of evidence related to cybercrime investigations.

Participates in monitoring suspicious activities.

Helps maintain evidence integrity and assists in preliminary interviews. Follows established protocols and guidelines.

Cybercrime investigation: Level 3

Level 3 - Apply: Essence of the level: Performs varied tasks, sometimes complex and non-routine, using standard methods and procedures. Works under general direction, exercises discretion, and manages own work within deadlines. Proactively enhances skills and impact in the workplace.

Conducts cybercrime investigations using standard procedures.

Collects and preserves various forms of evidence in cybercrime cases. Assesses credibility and checks for compliance with relevant investigative standards.

Analyses basic cyber threats and incidents, and prepares investigative reports. Identifies incidents that may have legal implications.

Conducts interviews and assists in interrogations.

Cybercrime investigation: Level 4

Level 4 - Enable: Essence of the level: Performs diverse complex activities, supports and guides others, delegates tasks when appropriate, works autonomously under general direction, and contributes expertise to deliver team objectives.

Oversees mid-level investigations, coordinating evidence collection and forensic analyses.

Assesses target vulnerabilities and operational impacts of cyber incidents.

Provides comprehensive reports and expert analysis for stakeholders.

Conducts interviews and interrogations, identifying potential legal implications and collaborating with legal professionals.

Cybercrime investigation: Level 5

Level 5 - Ensure, advise: Essence of the level: Provides authoritative guidance in their field and works under broad direction. Accountable for delivering significant work outcomes, from analysis through execution to evaluation.

Manages complex cybercrime investigations, overseeing all stages from detection to resolution.

Evaluates incidents involving advanced threats or significant breaches.

Develops and implements procedures for evidence handling and documentation. Collaborates with legal teams to ensure evidence supports potential legal proceedings.

Leads the development of response strategies, assessing vulnerabilities and operational capabilities. Oversees the implementation of tools and automation to enhance investigative processes.

Cybercrime investigation: Level 6

Level 6 - Initiate, influence: Essence of the level: Has significant organisational influence, makes high-level decisions, shapes policies, demonstrates leadership, promotes organisational collaboration, and accepts accountability in key areas.

Defines the organisational strategy for cybercrime investigations.

Establishes policies and standards for handling various forms of evidence in cybercrime cases, including the adoption and integration of tools and automation to improve efficiency and accuracy.

Oversees high-risk or sensitive investigations, managing cross-disciplinary teams. Conducts high-level interviews and interrogations, providing strategic insights on cybersecurity threats and vulnerabilities.

Engages with external stakeholders, including regulatory bodies and legal entities, to ensure compliance with legal and ethical standards.

Level 7

Level 7 - Set strategy, inspire, mobilise: Essence of the level: Operates at the highest organisational level, determines overall organisational vision and strategy, and assumes accountability for overall success.

New skill