The global skills and competency framework for the digital world

SFIA skills and information security

Information security is all pervasive. Here's an analysis and commentary on SFIA skills which have a potential relationship or dependency on security.

Introduction

  • Some of the skills listed below are general ones where there is a relationship to information security that we should consider.
  • Others are more suited to specialist information security roles where the requirement to provide advice, guidance and technical security expertise to the organisation may come from a variety of business areas.
  • The analogy often used is that of health and safety.  Most areas of a business, regardless of the sector, are likely to have some involvement with health and safety if the workers are to be protected appropriately.  This could be driving machinery, lifting heavy goods or using laser printer refill cartridges. 
  • The same is true of information security and so it is a basic requirement that should be included in virtually every area of business until shown either to be met satisfactorily or, rarely, genuinely unnecessary.

This work has provided input to the creation of the worked example end-to-end operating model for security.

SFIA 8 review
This is a work in progress, developed to support the SFIA 8 consultation.
It will change over the duration of the SFIA 8 consultation.

Each entry below gives: the focus area; the SFIA skill name; the first words of the SFIA skill description; and the rationale for inclusion.

Governance of information security

Information governance

The overall governance of how all types of information, structured and unstructured, whether produced internally or externally, are used to support decision-making, business processes and digital services.

The security of the information that an organisation has is a fundamental aspect which, if not considered in detail with specialist security knowledge at the outset of the strategy development, will undoubtedly cause issues in the future which could include legal impacts. Specialist security advice on the methods that are available currently to deliver the business requirement securely must be sought at the very beginning.

Information systems coordination

Typically within a large organisation in which the information strategy function is devolved to autonomous units, …

The links between different systems, be they internal or external, are often the causes of the most serious vulnerabilities. The old principle of “secure gardens” for information, where a wall was built around the system and everything inside was assumed secure, is no longer a suitable option. Each system must be considered separate and independent from all others, with the levels of trust between them positively determined and checked at frequent intervals. Achieving this will require detailed and highly technical specialist information security advice.

Information security

The selection, design, justification, implementation and operation of controls and management strategies to maintain the security …

The requirement to provide detailed specialist information security advice to those concerned with the security of information will be a fundamental role for the security specialist.

Information assurance

The protection of integrity, availability, authenticity, non-repudiation and confidentiality of information and data in storage and in transit.

Information assurance is a fundamental requirement for any organisation and, as such, must have the right technical expertise to ensure the requirements are fulfilled in an effective and cost-efficient manner utilising the latest security technologies. This is a specialist information security advisor’s role.

Analytics

The application of mathematics, statistics, predictive modelling and machine-learning techniques to discover meaningful patterns and knowledge in recorded data.

Specialists will review the threat, vulnerability, attack and virus intelligence in order to predict from where the next cyber attack will emanate, by whom it will be initiated and its potential effect on the organisation. This is a specialist role which, if done well, will significantly enhance the predictive capability of the organisation, utilising machine learning, AI and other innovative tools to assist.

Data visualisation

The process of interpreting concepts, ideas, and facts by using graphical representations.

Closely linked to the analytics skill, this provides the information security expert with a clearer picture of the very complex area of cyber attack. The way threats are being actioned, by whom, and the potential effects on the organisation can be shown in a clearly understood picture that can be shared with non-specialists in order to enable more effective business decisions. With this knowledge it is possible to try to pre-empt attacks and therefore mitigate their consequences.

Information content publishing

The evaluation and application of different publishing methods and options, recognising key features, including open source and proprietary options.

Depending on the information being published, security will usually have a role to play and information security specialist knowledge of the tools available to protect the published information is critical.  This could include, but is not limited to, issues such as: legal requirements (GDPR and Intellectual Property Rights); integrity requirements (the ability to prevent a fraudster changing pricing information on a web site); protection of brand including logos and web sites.

Consultancy

The provision of advice and recommendations, based on expertise and experience, to address client needs.

Information security consultancy is a highly specialised role with many different aspects to it. It will vary from the deep specialist, often hired in to assist with a specific issue or project, through to the more general advice and guidance on the way to address security overall.

Specialist advice

The development and exploitation of expertise in any specific area of information or communications technology, digital working, …

This is the basic skill that technical security specialists will require. The ability to provide specialist advice in any of the very significant number of technical areas into which security has expanded, in a manner that non-specialists can understand and act upon, is a critical skill required by most if not all organisations.

IT management

The management of the IT infrastructure and resources required to plan for, develop, deliver and support IT services and products to meet the needs of a business.

The security manager for any information system needs to have the necessary knowledge, understanding and competence to deliver secure systems. This will often be a role in its own right for larger organisations but it can be left to the IT manager in smaller ones. Provided the skill set is sufficient for the need, either way can be acceptable, but it is not acceptable to assume the IT manager is also a security manager without appropriate training and experience.

Innovation

The capability to identify, prioritise, incubate and exploit opportunities provided by information, communication and digital technologies.

Innovation in information security will come from two sources. There will be the need to understand the latest methods and tools being utilised by attackers and thereby develop mechanisms to detect, deter, protect against and recover from attacks. There will also be innovation on the defensive side, helping to remove or mitigate the risk of an attack or its impact.

Research

The systematic creation of new knowledge by data gathering, innovation, experimentation, evaluation and dissemination.

Research into the threats, vulnerabilities and attacks that an organisation might face, and into the best way of counteracting them, is crucial. Information security specialists will also undertake work such as reviewing attack methods, including viruses, and reverse-engineering them to understand how they work in order to provide an effective countermeasure.

Knowledge management

The systematic management of vital knowledge to create value for the organisation by capturing, sharing, developing and exploiting the collective knowledge of the organisation …

Closely linked to analytics and data visualisation, building and maintaining an information security management system (akin to the service knowledge management system for service management) ensures the organisation has continuous service improvement at its heart. Learning from issues, errors and mistakes can all help to enhance the overall security of the organisation.

Enterprise and business architecture

The creation, iteration, and maintenance of structures such as enterprise and business architectures embodying the key principles, methods and models …

The information security architecture utilised within an organisation is a fundamental starting point for safe and secure operations and requires a specialist. Having templates for the security of systems, and secure models for areas such as remote working, electronic trading and supplier connectivity, can all help to build the standardised systems that are easier and cheaper to operate and maintain. The fundamental requirement to meet the overarching business need helps to shape the way the various security technologies can be implemented most effectively.

Business risk management

The planning and implementation of organisation-wide processes and procedures for the management of risk to the success or integrity of the business, ...

The risks from poor information security are not special in any way but are simply another type of business risk that all organisations have to address as they would all other business risks. Information security risk management, by specialists in the field, is the critical first area of ensuring an organisation designs, develops and implements IT systems that have security by design and by default. Risk management is the process of taking the security issues that might affect the organisation and reviewing them in light of the business requirements in order to develop a pragmatic, sensible and cost-effective solution, managing the risk down to a level that is acceptable to senior management.

Emerging technology monitoring

The identification of new and emerging technologies, products, services, methods and techniques.

Closely linked to innovation and knowledge management, it is essential to ensure that the latest innovations in both defensive and offensive technology are considered and used where appropriate.  They should be used to mitigate the latest threats posed by criminals and the wider offensive community as well as to enhance productivity where possible and appropriate. Information security specialists will be required to utilise emerging technology to the best effect.

Continuity management

The provision of service continuity planning and support, as part of, or in close cooperation with, the function which plans business continuity for the whole organisation.

Continuity management is a mainstay of information security, providing a safety net for when things go wrong. It is critical that the security of the system, and of any continuity elements such as backups, is considered as part of the overall system security, with availability and integrity being two of the more important features to consider. Information security specialists will address these in combination with all other aspects of business continuity and disaster recovery.

Network planning

The creation and maintenance of overall network plans, encompassing the communication of data, voice, text and image, in the support of an organisation’s business strategy.

Understanding the way networks have been put together, combined with, for example, the ability to partition off sections of the network in the event of an incident, is a fundamental building block of security. The design of networks must have security as one of its mandatory requirements and this will be provided by an enterprise security architect.

Solution architecture

The design and communication of high-level structures to enable and guide the design and development of integrated solutions that meet current and future business needs.

The role of security architect is a specialist one which will drive the development of systems to a secure solution.  The security will be one of the first factors to be considered and this will be enhanced over time as the business needs and technologies change.

Data management

The management of practices and processes to ensure the security, quality, integrity, safety and availability of all forms of data and data structures that make up the organisation’s information.

Data must be managed securely if the organisation is to operate effectively and efficiently.  The nature of the data, in electronic format, can be considered as a subset of information overall and the combination of all types of information in all formats is a primary consideration of all information security professionals.

Methods and tools

The definition, tailoring, implementation, assessment, measurement, automation and improvement of methods and tools to support planning, development, testing, operation, management and maintenance of systems.

The tools and methods needed by information security professionals will vary but overall be aligned to the needs of the preservation of confidentiality, integrity, availability and non-repudiation. They will vary from the overarching assessment and audit of systems’ security through to specialist methods for analysing network traffic and undertaking penetration testing.

Change and transformation affecting, or affected by, information security

Project management

The management of projects, typically (but not exclusively) involving the development and implementation of business processes to meet identified business needs, acquiring and utilising the necessary resources and skills, within agreed parameters of cost, timescales, and quality.

Regardless of the main deliverables from a project, any product that has the creation, management, storage and/or disposal of information as one of its elements will require a major security input from specialists. On occasion there will be projects which are specifically about security and which may require an in-depth understanding of the principles and practices lying behind the selected solution. In either case the security requirements should form part of the initial business requirements, with an appropriate level of importance depending on the nature of the project and its deliverables.

Portfolio, programme and project support

The provision of support and guidance on portfolio, programme and project management processes, procedures, tools and techniques.

Any portfolio of change will have information that needs to be securely managed.  Sometimes there will be aspects of confidentiality but there will always be integrity and availability concerns.  The security of information within the portfolio, programme and project environments is a critical requirement to be advised by security specialists.

Business analysis

The methodical investigation, analysis, review and documentation of all or part of a business in terms of business goals, objectives, functions and processes, the information used and the data on which the information is based.

When a business operation or process is reviewed in order to consider its transformation into an IT-based system, the security of the business requirement is one of the elements that must be considered. In many processes it will be straightforward, perhaps just the secure storage of the information used, whilst in others there will be an overriding need to ensure the security of sensitive information, which then drives the nature of the solution the analysis helps to derive. There is also a need for security analysts to review security information (threats, vulnerabilities and solutions) in a methodical and comprehensive manner, utilising the analytics skill set, in order to help feed the information security knowledge management system.

Business modelling

The production of abstract or distilled representations of real world, business or gaming situations in traditional or trans-media applications, to aid the communication and understanding of existing, conceptual or proposed scenarios.

Closely linked to data analytics and data visualisation, the modelling of security threats, their defences and attacks (when in progress) is a critical tool to facilitate the effective decision-making by information security specialists that is so critical to survival in the security environment.

Requirements definition and management

The elicitation, analysis, specification and validation of requirements and constraints to a level that enables effective development and operations of new or changed software, systems, processes, products and services.

For any system being designed and developed, there must be a clear definition of the security requirements by an information security specialist.  This will be an early statement of the essential and optional elements that the system will need to have in order for the appropriate levels of all aspects of the security to be implemented. These non-functional requirements must form the foundation of the design since adding security at a later date will inevitably add cost and increase the chance of a poor implementation. The usual “trading” of requirements will also need to be carefully managed as the work progresses to ensure that there is a full understanding of the potential impacts of changes from a security aspect.

Organisational capability development

The provision of leadership, advice and implementation support to assess organisational capabilities and to identify, prioritise and implement improvements.

Whenever improvements and enhancements are made to an organisation, the systems on which the development relies must have security considerations taken into account. This means that the capability development must include how the security will be managed and enhanced as part of the overall work. It is also likely that at times there will be a need for the organisation to consider security enhancements in their own right, and these will require significant specialist technical input.

Organisational design and implementation

The planning, design and implementation of an integrated organisation structure and culture including the workplace environment, locations, role profiles, performance measurements, competencies and skills.

Information security must form part of the overall design for any organisation. Information is now considered by most to be one of the most critical assets an organisation has, regardless of its sector. Ensuring its confidentiality, integrity and availability for the organisation means the security element of any organisational design is paramount and requires an information security specialist’s input.

Change implementation planning and management

The definition and management of the process for deploying and integrating new digital capabilities into the business in a way that is sensitive to and fully compatible with business operations.


As with any change programme, the design and management of the security requirements must be effective and comprehensive if the end result is to reflect the information security requirements of the organisation. Closely linked to portfolio, programme and project management, the provision of a security specialist with responsibility for the overall security aspects of the changes is a critical consideration.

Business process testing

The planning, design, management, execution and reporting of business process tests and usability evaluations.

Often the move away from a paper-based system to an IT solution requires a lot of rethinking and testing to ensure that the business requirements are met. There often also needs to be an equivalent amount of security testing by specialists to ensure that, for example, the implicit security operations of the paper-based system, such as signatures, can be reflected and operationalised effectively in the computer-based system.

Benefits management

Establishing an approach for forecasting, planning and monitoring the emergence and effective realisation of anticipated benefits.

Security benefits are just as real, and have an equivalent financial valuation, as any other benefits the new system might be targeting.  It is essential that the full understanding of what the security benefits might be, how they might materialise and how they can be measured, is determined by a specialist before embarking on the programme.  It may well be the case that the security benefits of the work outweigh other business or financial benefits.

Development and implementation of systems and software with a secure result

Systems design

The design of systems to meet specified requirements, compatible with agreed systems architectures, adhering to corporate standards and within constraints of performance and feasibility.

The design of a new system must include the security requirements for the information it will contain and use.  This includes not only the information related to the use of the system but also the information related to the design of the system itself.  The security aspects of how a system is protected and maintained, based on organisational templates and standards, are very sensitive and must be afforded an appropriate level of security. A specialist information security architect should be involved at all stages of the design process and the security requirements defined using a prioritisation process similar to that used for all the functional and non-functional requirements.

Software design

The specification and design of software to meet defined requirements by following agreed design standards and principles.

The design of new software must be based on sound security principles. Security by design is an essential standard and, whilst it is rarely possible to ensure that software will always be secure throughout its life, there is a need to ensure that the starting point and the principles on which it is designed are secure. There must also be consideration of how vulnerabilities uncovered during its life will be managed and, at the design phase, a method of patching and updating that meets the security requirements appropriately should be determined. A specialist information security software architect should be involved at all stages of the design process, and the security requirements, based on organisational templates, standards and models, defined using a prioritisation process similar to that used for all the functional and non-functional requirements.

Programming/ software development

The planning, designing, creation, amending, verification, testing and documentation of new and amended software components in order to deliver agreed value to stakeholders.

Security requirements, just like any other business requirements, must be included and tested at regular intervals. If the new software is for a security application then clearly specialists will be required to ensure the appropriate methods are used. If a general application is being developed it is prudent to ensure a security specialist checks the design and coding at regular intervals to ensure the basic requirements of security have been, and continue to be, met.

Real-time/embedded systems development

The architecture, design and development of reliable real time software, operating systems, tools and embedded systems.

This is an area of development where real technical information security specialists are required. The potential conflict between security and safety will often cause significant problems and will require some potentially complex, expensive or original methods to address appropriately. Security by design and security by default are two requirements that are sometimes very difficult to meet in real-time/embedded safety-critical devices.

Animation development

The architecture, design and development of animated and interactive systems such as games and simulations.

As for any other system or software, the security of the development and the mechanisms for protecting both the users’ data and the system’s design data must be carefully considered, tested and implemented. Information security advice will be required during this process.

Network design

The production of network designs and design policies, strategies, architectures and documentation, covering voice, data, text, e-mail, facsimile and image, to support strategy and business requirements for connectivity, capacity, interfacing, security, resilience, recovery, access and remote access.

Working in combination with the information security design specialist, the development of templates, policies, strategies and architectures to meet the organisational security requirements is a critical part of this work.  With the rapid rate of change in technology, and in the range of attacks being faced by systems, it is critical that the design criteria are maintained and updated on a very regular basis.  Successful attacks are often achieved, in part, through tardy updating of systems and software. 

Testing

The planning, design, management, execution and reporting of tests, using appropriate testing tools and techniques and conforming to agreed process standards and industry specific regulations.

The testing of the security requirements for a secure system is clearly critical. Indeed, the last test any system should pass before being allowed to be fully implemented in a live environment should be a security test such as a penetration test. To undertake this properly requires people with significant technical capability, as well as those who can follow the test scripts for the system and recommend changes that will achieve the necessary acceptable results.

Safety engineering

The application of appropriate methods to assure safety during all lifecycle phases of safety-related systems developments, including maintenance and re-use.

As covered in real-time/embedded systems development, there will often be a potential conflict between safety engineering practices and information security. Fail-safe is often the basis of safety engineering, but a system might fail to an insecure state which, if it can be produced by an external attacker, leaves the system open to abuse and harm. It is critical that the security expert for the relevant area and the safety engineer understand each other’s issues and requirements in order to find a way of satisfying both, whilst not leaving the system open to insecure practices or compromising on the business requirements of the system overall.

User research

The identification of users' behaviours, needs and motivations through ethnography, observation techniques, task analysis, and other methodologies that incorporate both the social and technological context.

It is often said that users are the most significant vulnerability (from an information security viewpoint) of any system.  Whilst it is true users do cause issues, too often it is through poor design, development or implementation that the user is able to take insecure actions. Understanding the user and determining what the usual course of their actions might be, helps the system designer and developer to build more robust systems that users find easy to use securely.  Any system that users find difficult or cumbersome to use, for whatever reason, will almost inevitably lead to users trying to find shortcuts and workarounds that will often promote a greater level of insecurity. Sociological security specialists are able to recommend practices to reduce the risk of users causing security issues.

User experience analysis

The identification, analysis, clarification and communication of the context of use in which applications will operate, and of the goals of products, systems or services.

The user experience will need to be based on the users’ expectations that have been developed by personal experience, use and training.  As the users become more knowledgeable and experienced in information security, they will begin to demand more from the systems they are required to use. The security input to these developments is crucial to enhance security and the user experience overall.

User experience design

The process of iterative design to enhance user satisfaction by improving the usability and accessibility provided when interacting with a system, product or service.

Whilst information security is unlikely to be the first requirement of the users helping to design a new system, it should be the basis on which any system is designed.  Security by design is a fundamental principle applicable to all and every system design and development. The user experience should always be based on the security requirements established by a specialist.

User experience evaluation

Validation of systems, products or services, to assure that the stakeholder and organisational requirements have been met, required practice has been followed, and systems in use continue to meet organisational and user needs.

The user testing of the business requirements should also include the user testing of the security requirements.  The final test should always be a penetration test or the equivalent by a security specialist to ensure that any changes made as a result of user validation have not compromised the overall security of the system.

Systems integration and build

The planning, implementation and control of activities to integrate/build components, subsystems and interfaces to create operational systems, products or services for delivery to customers, or for internal or interim purposes such as testing.

The expertise of information security specialists and testers should always be used when system integration and build is being undertaken.  The security testing of individual components of a system will show that each works securely but when the parts are brought together, there are often issues with the combination and with the way data is transferred between different parts. 

Porting/software configuration

The configuration of software products into new or existing software environments/platforms.

The requirements for the implementation of any system must include the security aspects and these need to be considered in the same way as any other business requirement.  It should be routine for the final checks to be by security-based specialists when a system is implemented or ported into a new or existing environment.

Hardware design

The specification and design of computing and communications equipment (such as semiconductor processors, HPC architectures and DSP and graphics processor chips), typically for integration into, or connection to an IT infrastructure or network.

The security of hardware is of similar importance as that of software.  If insecurities are built into the hardware, they will become vulnerabilities for any software utilising the infrastructure.  Information security specialists will check the way hardware is designed, built and configured to ensure that the appropriate level of confidence can be provided with the completed system.

Systems installation/decommissioning

The installation, testing, implementation or decommissioning and removal of cabling, wiring, equipment, hardware and associated software, following plans and instructions and in accordance with agreed standards.

The standards and protocols used to install, maintain and then decommission/remove systems must include appropriate information security requirements. The advice of an information security specialist will be required to ensure that poor practices do not detract from the overall security of the system. The specialist should also be used to ensure that testing confirms the security elements are appropriately operational and effective.

Delivery and operation

Availability management

The definition, analysis, planning, measurement, maintenance and improvement of all aspects of the availability of services, including the availability of power.

Availability is one of the three basic properties of information security, alongside confidentiality and integrity, and as such is a fundamental element of any system.  Advice from an information security specialist will help to ensure the appropriate factors are taken into account when determining the availability requirements.  The ongoing maintenance of the system in a secure manner can be met by general information security advice that should be part of the system manager's remit.

Service level management

The planning, implementation, control, review and audit of service provision, to meet customer business requirements.

High-quality service level management is a prerequisite for effective information security.  Conversely, high-quality information security practice is paramount if service management is to perform at a high level.  These two practices should be embedded in one another, and both functions should work collaboratively and cooperatively to ensure the highest standards in both.

Service acceptance

The achievement of formal confirmation that service acceptance criteria have been met, and that the service provider is ready to operate the new service when it has been deployed.

Service acceptance criteria must include a very significant element of information security.  The information security specialist (sometimes called an accreditor) should have the final say, from a security perspective, on whether a system is permitted to operate in the live environment.

Configuration management

The planning, management, control and governance of organisational, project and service assets and artefacts.

Good configuration management is fundamental to effective security.  Whilst a competent configuration manager should be able to handle the security aspects of a system, they may need help in identifying the critical security elements that make up the overall configuration.  They should also appreciate the significance of changing the configuration and ensure that the impact on security is always considered when such changes are made.  The security of the configuration system itself, and its ongoing integrity, may require specialist security advice: a configuration record that can be altered without trace is of little value as evidence of what is actually deployed.

Asset management

The management of the lifecycle for all managed assets (hardware, software, intellectual property, licences, warranties etc) including security, inventory, compliance, usage and disposal…

The security of information assets is at the heart of all business systems, and specialists in this area are essential for most organisations.  Specialist advice may be required to understand fully the potential threats to, and vulnerabilities of, assets regardless of what they are.  For example, the storage of original source code or "gold build" images may require different types or levels of security from those used for other types of business information or asset.

Change management

The management of change to the service infrastructure including service assets, configuration items and associated documentation.

Closely tied to configuration management, the security aspects and impacts of any change must be considered on every occasion.  This will require specialist advisors to consider the change and how it might be detrimental to the overall security of the system or asset.  Security by design and default should be the objective for all systems particularly after the implementation of changes.
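The configuration management and change management points above both come down to one practical check: is what is deployed still what was recorded, and is every difference covered by an approved change? The following is an added example written for this page, not code from SFIA or from any configuration management product. It builds a SHA-256 manifest of configuration files, compares a later snapshot with the baseline, and reports any addition, modification or removal that is not matched by an approved change record (a hypothetical mapping of path to the expected digest of the new content, or "REMOVED"). The file names and contents are constructed for the demonstration.

```python
"""Configuration-integrity check: detect drift not covered by an approved change.

Added example for this page; not SFIA's or any vendor's code. Paths, file
contents and the approved-change record are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large config files are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, patterns=("*.conf", "*.yaml")) -> Dict[str, str]:
    """Map each configuration file (path relative to root) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for pattern in patterns:
        for p in sorted(root.rglob(pattern)):
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between two manifests as added / removed / modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def unapproved_changes(diff: Dict[str, List[str]], approved: Dict[str, str],
                       current: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every changed item must be covered by an approved change record
    (hypothetical format: path -> expected digest of the new content, or
    the literal "REMOVED"). Anything else is unauthorised drift."""
    findings: List[Tuple[str, str]] = []
    for kind in ("added", "modified"):
        for path in diff[kind]:
            if approved.get(path) != current[path]:
                findings.append((kind, path))
    for path in diff["removed"]:
        if approved.get(path) != "REMOVED":
            findings.append(("removed", path))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: one approved edit, one unauthorised edit, one rogue file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sshd.conf").write_text("PasswordAuthentication no\n")
        (root / "app.yaml").write_text("debug: false\n")
        baseline = build_manifest(root)

        # Approved through change management: app.yaml gains a log level.
        # The change record carries the digest of the content that was approved.
        new_app_yaml = "debug: false\nlog_level: info\n"
        approved = {"app.yaml": hashlib.sha256(new_app_yaml.encode()).hexdigest()}
        (root / "app.yaml").write_text(new_app_yaml)

        # Not approved: password authentication re-enabled and a new file dropped in.
        (root / "sshd.conf").write_text("PasswordAuthentication yes\n")
        (root / "extra.conf").write_text("PermitRootLogin yes\n")

        current = build_manifest(root)
        return unapproved_changes(diff_manifests(baseline, current), approved, current)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"UNAPPROVED {kind}: {path}")
```

The baseline manifest and the approved-change records are themselves configuration items: if they live where the people who can alter the deployed configuration can also alter them, the check proves nothing, which is the point made above about the integrity of the configuration system itself.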

Release and deployment

The management of the processes, systems and functions to package, build, test and deploy changes and updates (which are bounded as “releases”) into a live environment…

Specialist security advice must be one of the final checks carried out before any system is allowed to be deployed into a live environment.  This covers a number of different aspects, not least penetration testing wherever any link to the internet is permitted.  Building a security review into the formal release and deployment process, so that a release cannot proceed without it, is essential if security is to be implemented effectively.

System software

The provision of specialist expertise to facilitate and execute the installation and maintenance of system software such as operating systems, data management products, office automation products and other utility software.

Those responsible for the installation and maintenance of system software must have a good understanding of the security principles on which the software has been developed.  They may not be security specialists themselves, but they must be able to address the security concerns that arise and be confident enough to request specialist advice when needed.

Capacity management

The planning, design and management of the capability, functionality and sustainability of service components (including hardware, software, network resources and software/infrastructure as a Service) to meet current and forecast needs in a cost-efficient manner aligned to the business.

Capacity management will always require specialist security advice to ensure that the overall security posture of the system under review is maintained or enhanced as a result of the changes made.  It would be easy, for example, to add additional storage to an existing system to increase its capacity without realising the security impact, such as data that was encrypted or access-controlled on the original storage being copied to new storage where it is not.  When reviewing capacity and planning for significant changes, overall security must be a major consideration and will require the expertise of security specialists.

Security administration

The provision of operational security management and administrative services.

This is clearly an information security specialist requirement, and one that should drive a significant number of other areas within the IT organisation.  Particularly in larger organisations, there are likely to be a number of different specialist disciplines within this overarching skill set.

Penetration testing

The assessment of organisational vulnerabilities through the design and execution of penetration tests that demonstrate how an adversary can either subvert the organisation's security goals or achieve specific adversarial objectives.

Penetration testing is a central part of the assessment and maintenance of information security in systems.  Usually, but not solely, aimed at systems with an internet connection, checking for vulnerabilities in software, hardware or infrastructure is an essential element for all systems regardless of size, complexity or any other factor.  The security specialists who undertake this work are, rightly, highly regarded and can deliver huge benefit to an organisation by finding, and thereby allowing the avoidance of, serious security issues in deployed systems.

Radio frequency engineering

The deployment, integration, calibration, tuning and maintenance of radio frequency (RF) and analogue elements of IT systems.

The security of RF transmissions, regardless of their origin, is a specialist security area in its own right.  TEMPEST testing and related work ensure that RF emissions, including the unintentional emanations of equipment that is not itself a radio, cannot be used as a method, for example, to attack or eavesdrop on legitimate users' work.

Application support

The provision of application maintenance and support services, either directly to users of the systems or to service delivery functions.

The provision of support to users will always include the security aspects of the application.  Whether this relates to access, configuration or any other area, the advice given to users must reflect an awareness of the security of the application.  It is not uncommon for criminals to target support services, for example by impersonating a user to obtain a password reset, in order to attack the systems, so security must be central to the work of those providing the service.

IT infrastructure

The operation and control of the IT infrastructure (comprising physical or virtual hardware, software, network services and data storage, either on-premises or provisioned as cloud services) that is required to deliver and support the information systems needs of a business.

The operation of a system will always require an understanding and knowledge of the security of the system.  This will be provided by training and the people responsible for the service provision should have sufficient knowledge to be able to manage all aspects of the security.  There may be a requirement to request additional specialist advice if the security causes issues or if there is a suspicion of a security compromise of the system.

Database administration

The installation, configuration, upgrade, administration, monitoring and maintenance of databases.

Databases form the central core of many organisations' IT facilities.  The security of these databases is therefore critical, and they can be the source of serious issues if that security is compromised.  Specialists in database security are required if the measures taken to protect the database are to be both effective and compatible with the usability of the data.

Storage management

The planning, implementation, configuration and tuning of storage hardware and software covering online, offline, remote and offsite data storage (backup, archiving and recovery) and ensuring compliance with regulatory and security requirements.

The general security of any system should include its storage facilities.  It is therefore essential that security advice is obtained when designing the system and then continues throughout the life of the storage facility. Backup and recovery, linked to business continuity, are the mainstays of protecting information in the event of an incident and specialists will be required to ensure the appropriate services, policies and practices are in place and regularly tested to ensure effectiveness.

Network support

The provision of network maintenance and support services. Support may be provided both to users of the systems and to service delivery functions.

As with all support services, network support has a large element of security implicit in it.  A full understanding of the network configuration should allow specialist security advisors to implement mechanisms such as segregation, redirection and throttling in order to contain attacks and address issues with the network.

Problem management

The resolution (both reactive and proactive) of problems throughout the information system lifecycle, including classification, prioritisation and initiation of action, documentation of root causes and implementation of remedies to prevent future incidents.

Problem management will include issues which have a basis or implication for security.  It is likely there will be a specialist security advisor available to assist with any problems where security is a cause or where security is impacted by the problem that has been reported.

Incident management

The processing and coordination of appropriate and timely responses to incident reports, including channelling requests for help to appropriate functions for resolution, monitoring resolution activity, and keeping clients appraised of progress towards service restoration.

Incidents are more likely to have a security implication or cause than general problems.  It is therefore essential that there is a specialist security advisor available to assist with any incident and it is possible a forensic advisor may also be required if the incident could be criminal in nature.

Facilities management

The planning, control and management of all the facilities which, collectively, make up the IT estate.

The physical security of the estate on which IT systems are housed, or in use, is a specialist advisor role.  In the overall security of a system, specialist security advice will be required to ensure the continuing availability of the system should there be failures in the environmental services (air conditioning, power, etc.).  There may be specialist security advice required when designing buildings to house IT systems and this will establish fundamental requirements in a number of different areas including physical structure, access controls, power and data links.

Skills and quality

Learning and development management

The provision of learning and development processes (including learning management systems) in order to develop the professional, business and/or technical skills required by the organisation.

The provision of information security learning and development should be across all members of the organisation including external contractors and the like.  This is a critical part of the provision of security overall and must be a continuous process that starts on first joining and continues throughout the period of involvement with the organisation.  It must be provided by those suitably experienced in information security and must encompass personnel at all levels of the organisation from the most junior to the most senior.

Competency assessment

The assessment of knowledge, skills and behaviours by any means whether formal or informal against frameworks such as SFIA.

This process must include the specialist and general security skills and competencies of all personnel since information security must be seen as a fundamental aspect of all roles within an organisation if it is to avoid significant security incidents.

Learning design and development

The specification, design, creation, packaging and maintenance of materials and resources for use in learning and development in the workplace or in compulsory, further or higher education.

Specialist information security advice should be included when designing and developing any package of learning.  Even if the main topic is about the use of a system, the security aspects are as important as the usability.

Learning delivery

The transfer of business and/or technical skills and knowledge and the promotion of professional attitudes in order to facilitate learning and development.

The two main aspects of security learning are the more general for all personnel and the specific for those whose roles actively involve security on a day-to-day basis.  In either case the delivery of the learning must be undertaken by those with an appropriate level of specialist knowledge and understanding to be able to answer all the questions likely to be asked of them during the sessions.

Teaching and subject formation

The specification, design, development, delivery and assessment of curricula for computing and for information technology (including electronic communication), at any level of the education system from primary through to tertiary (all age ranges) and in the workplace.

Education at all levels and in all environments that includes any element of IT will also require security as a part of the curriculum.  Whilst at times this will be limited to simple user controls, there will be occasions where the security requirements of the system will override certain usability elements of the system.  This needs to be explained to delegates in a manner that allows them to appreciate the need and to comply with the security requirements and may require a security specialist to provide the necessary knowledge.

Performance management

The optimisation of performance of people, including determination of capabilities, integration into teams, allocation of tasks, direction, support, guidance, motivation, and management of performance.

This skill has a security aspect to it, since it comes into the realm of legality when the monitoring of personnel forms part of the process.  Specialist security advice will also be required if personal or sensitive information relating to the subjects of the performance management process is collected, stored or processed in any way.

Resourcing

The overall resource management of the workforce to enable effective operation of the organisation. Provision of advice on any aspect of acquiring resources, including employees, consultants and contractors.

Some personnel in any organisation will need enhanced security clearance if they work in roles that are sensitive with respect to security.  This might include vetting and other background checks, and these should be undertaken not only on first employment but at regular intervals throughout their time in the organisation, and notably when their responsibilities increase.  As a minimum, anyone with full or administrative access to the systems in use should be considered to be in a sensitive role.

Professional development

The facilitation of the professional development of individuals, including initiation, monitoring, review and validation of learning and development plans in line with organisational or business requirements.

As with any career development, the development of the security team needs to be undertaken with due diligence.  The difference is likely to be that those who work in information security frequently come into the profession from very different backgrounds, sometimes after extended periods in other areas.  The career development of these people can be challenging.

Quality management

Quality management establishes within an organisation a culture of quality and a system of processes and working practices to deliver the organisation's quality objectives.

Information security forms part of the overall quality of all IT systems regardless of their business purpose. It is therefore essential that specialist security expertise is part of the quality management for any organisation. Ensuring the right standards and policies are set and then followed in all respects is an essential part of the management of quality from a security perspective.

Quality assurance

The process of ensuring, through independent assessment and review, that appropriate working practices, quality control activities, organisational processes and quality standards are in place and adhered to and that best practices are promoted throughout the organisation.

Information security assurance comes under a number of different skill areas including auditing, monitoring and compliance.  All of these must be undertaken by those specialists with the appropriate level of knowledge, expertise and experience to ensure the necessary assurance can be provided.

Measurement

The development and operation of a measurement capability to support agreed organisational information needs.

The measurement of the effectiveness of processes that monitor and control security is as important as it is for any other business area of an organisation. Setting meaningful and appropriate key performance indicators for all the information security capabilities that are in operation, and ensuring continual improvement in them, is critical if the highest levels of information security are to be achieved.

Conformance review

The independent assessment of the conformity of any activity, process, deliverable, product or service to the criteria of specified standards, best practice, or other documented requirements.

Compliance with standards, industry codes of practice and regulatory requirements is a significant part of an organisation’s business operations regardless of the sector into which they fit.  The appropriate compliance monitoring and auditing in information security is often a fundamental requirement of the organisation notably in the finance, healthcare and public service arenas.

Safety assessment

The assessment of safety-related software systems to determine compliance with standards and required levels of safety integrity.

Information security and safety are frequently areas of potential conflict and it will be a specialist information security advisor who can determine the best way of managing that challenge. There are a diminishing number of operational technology systems that can be truly isolated from the effects of, and attacks derived from, the internet and so an ever-increasing awareness of how security can address notably safety systems is critical.

Digital forensics

The collection, processing, preserving, analysis, and presentation of forensic evidence based on the totality of findings including computer-related evidence in support of security vulnerability mitigation and/or criminal, fraud, counterintelligence, or law enforcement investigations.

The handling of information security incidents is now a very specialised role and requires extensive knowledge and experience if the evidence gathered is to be fit for use in court: the integrity of each item must be demonstrable from the moment of collection, and every hand-off must be recorded.  Specialist companies offer the service, but even within an organisation there must be a good awareness of how a security incident will be managed, since it is in effect a potential crime scene and must be dealt with in a similar manner to any other crime scene.
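The point about evidence being fit for court rests on two records: a digest of each item taken at acquisition, and a chain-of-custody log in which every hand-off is linked to the one before it. The following is an added example written for this page, not code from SFIA or from any forensic tool. It hashes an item at collection, keeps a hash-chained custody log, re-verifies the item's digest at every transfer, and detects retrospective edits to the log. The evidence bytes, item identifier, actor names and timestamps are constructed for the demonstration.

```python
"""Evidence integrity and hash-chained chain-of-custody record.

Added example for this page; not SFIA's or any forensic tool's code. Evidence
bytes, identifiers, actors and timestamps are constructed for the demonstration.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str
    actor: str
    action: str            # "acquired", "transferred" or "transferred-DIGEST-MISMATCH"
    evidence_sha256: str   # digest of the item as observed at this event
    prev_entry_hash: str   # hash of the previous entry; links the chain
    entry_hash: str = ""   # hash of this entry's other fields

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")
        return sha256_bytes(json.dumps(body, sort_keys=True).encode())


class EvidenceItem:
    GENESIS = "0" * 64  # prev_entry_hash of the first log entry

    def __init__(self, item_id: str, data: bytes, collector: str,
                 when: Optional[datetime] = None):
        self.item_id = item_id
        self.acquisition_sha256 = sha256_bytes(data)  # reference digest, fixed at collection
        self.log: List[CustodyEntry] = []
        self._append(collector, "acquired", data, when)

    def _append(self, actor: str, action: str, data: bytes,
                when: Optional[datetime]) -> CustodyEntry:
        prev = self.log[-1].entry_hash if self.log else self.GENESIS
        ts = (when or datetime.now(timezone.utc)).isoformat()
        entry = CustodyEntry(len(self.log) + 1, ts, actor, action, sha256_bytes(data), prev)
        entry.entry_hash = entry.compute_hash()
        self.log.append(entry)
        return entry

    def transfer(self, to_actor: str, data: bytes, when: Optional[datetime] = None) -> bool:
        """Record a hand-off. The receiving party re-hashes the item; a mismatch
        with the acquisition digest is recorded in the log, not silently ignored."""
        matches = sha256_bytes(data) == self.acquisition_sha256
        action = "transferred" if matches else "transferred-DIGEST-MISMATCH"
        self._append(to_actor, action, data, when)
        return matches

    def verify_log(self) -> bool:
        """Each entry must hash correctly and chain to its predecessor, so any
        retrospective edit, insertion or deletion breaks verification."""
        prev = self.GENESIS
        for i, entry in enumerate(self.log, start=1):
            if (entry.seq != i or entry.prev_entry_hash != prev
                    or entry.entry_hash != entry.compute_hash()):
                return False
            prev = entry.entry_hash
        return True


def demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed scenario: a clean hand-off, an altered copy, then a doctored log."""
    disk_image = b"constructed disk image bytes " * 100  # stands in for an acquired image
    fixed = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    item = EvidenceItem("EX-001", disk_image, "first responder", fixed)
    clean_handoff = item.transfer("forensic analyst", disk_image, fixed)
    altered_handoff = item.transfer("external lab", disk_image + b"x", fixed)
    log_intact = item.verify_log()
    item.log[0].actor = "someone else"   # retrospective edit to the custody record
    return clean_handoff, altered_handoff, log_intact, item.verify_log()


if __name__ == "__main__":
    print(demo())
```

The log protects against undetected alteration, not against a party who controls the whole record and rewrites every entry; in practice the entries are countersigned or stored with a party independent of the examiner, which this example does not attempt to show.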

Relationships and engagement

Sourcing

The provision of policy, internal standards and advice on the procurement or commissioning of externally supplied and internally developed products and services.

The information security requirements of a contract are an essential part of any procurement activity.  If the contract is to acquire systems, services or people, then there must be a consideration of the security implications and requirements that form part of that contract.  Security advice should be available to the procurement team so they can ensure the contract adequately reflects the security needs of the organisation.


Supplier management

The alignment of an organisation’s supplier performance objectives and activities with sourcing strategies and plans, balancing costs, efficiencies and service quality.

Suppliers, cloud-based or otherwise, are increasingly the norm for the provision of information-related services.  In all cases a supplier's information security measures are crucial if an organisation is to maintain high security for its information.  This may require contractual governance, or the sharing of, for example, vulnerability and attack intelligence between suppliers that regard one another as competitors; it is nonetheless to their mutual advantage to take the advice of security specialists to ensure that the weakest link in the security chain is not a supplier or commercial partner.


Contract management

The overall management and control of the operation of formal contracts for supply of products and services.

Management of the security aspects of a contract will require specialist skills, and the contract may need to grant the organisation the right to audit and monitor the security measures of its suppliers.  It is critical, in a security context, that a contract is seen as an agreement for organisations to work together for mutual advantage.


Relationship management

The systematic identification, analysis, management, monitoring and improvement of stakeholder relationships in order to target and improve mutually beneficial outcomes.

Information security specialists will be required to establish the policies with which any stakeholder, be they commercial partner or customer, will have to comply in order to maintain the overall security posture of the organisation. Sharing of threat intelligence is a prime example of where close liaison and cooperation between commercial partners is vital.


Customer service support

The management and operation of one or more customer service or service desk functions.

Customer service support is at the front line of information security, and security incidents must be reported through the same mechanism as any other problem or incident.  Ensuring that security incidents are recognised as such early, and dealt with quickly and appropriately with the right level of decision-making in place, is critical to successful information security outcomes.  Security advice will be required within the service support function, with more extensive specialist security advice readily available to it.


Selling

The identification of sales prospects and their qualification, the development of customer interest and the preparation (including managing the bid process), execution and monitoring of the sale of any product or service into an external or internal market.

Depending on what is being sold, there may be information security requirements in the selling of goods and services, notably where other countries are involved.  The transport of certain security goods, such as laptops with encryption capability, is governed by export control and similar legal constraints in many countries, and specialist security advice will be required to ensure all the criteria are met appropriately.


Sales support

The provision of technical advice and assistance to the sales force, sales agents, reseller/distributor staff and existing or prospective customers, either in support of customer development or sales activity or in fulfilment of sales obligations.

If the product or service sold has any information associated with it, and most do, then security advice will be required on an ongoing basis to assist the customer take full advantage of the product they have purchased.  If this is overseas, then there are likely to be significant issues covering for example regulation and legislation, that may require specialist information security knowledge to manage effectively.


Product management

The active management of products or services throughout their lifecycle (inception through to retirement) in order to address market opportunities and customer/user needs and generate the greatest possible value for the business.

If the product or service includes the maintenance for a period of time, then the information security aspects of the contract could be significant.  Where, for example, updates, enhancements, patching and similar are part of the support package, this will require significant specialist information security advice to ensure they meet the contractual and regulatory requirements in a secure and appropriate way.