The Skills Framework for the Information Age (SFIA) has been in use since 2000, although its development dates back to the 1990s. It is a seven-level global framework that defines the professional skills, behaviors and knowledge needed to work in the digital age.
The SFIA framework is updated through a global collaboration of organizations and individuals interested in developing the professional workforce. Version 9 has been released, refreshing all skills, including those for cyber, AI and data, and introducing new skills for other business functions. ISC2 have now refreshed their SFIA mapping to include the addition of the CGRC credential, as well as five ISC2 certification courses.
What is SFIA
SFIA was created as an employer-led collaboration to address the problem that the frameworks available at the time were unsuitable for professional workforce development. SFIA provided a vocabulary to express and detail the professional skills used by people working in digital and other related functions. In 2025, this encompasses nearly every business you can think of, as global spending on digital transformation is expected to hit $3.9 trillion by 2027, according to Markets and Markets.
Like ISC2 certifications, the SFIA framework is updated every three years. Updates to the framework can include new skills, or defining skills at new levels, with the focus being on covering all skill/level combinations that are found in the workplace. The seven levels of responsibility in SFIA are defined in terms of the five responsibility attributes:
- Autonomy
- Influence
- Complexity
- Business skills and behaviors
- Knowledge
The way these attributes correspond to an individual’s role determines their SFIA level, rather than a job title, which can vary significantly across the business world depending on an organization’s size and scope.
Why SFIA Matters
The importance of SFIA continues to grow as digitalization impacts every facet of business, government and consumer life. Similar to the U.S. National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity, or the European Cybersecurity Skills Framework (ECSF) from ENISA, international standards help to provide a structure for understanding cybersecurity work.
While NICE and ECSF are role-based frameworks, SFIA, in contrast, is skill-based: responsibility, skills and behaviors are the building blocks of roles. But these various frameworks work together to help guide both organizations and professionals in understanding the intricacies of the cybersecurity workforce. The power of SFIA is that it can be used to drive a skills-based workforce – role/job design, career path design, upskilling, reskilling and job mobility.
NICE and SFIA have collaborated to make it easy for organizations to validate the skills and knowledge of an individual. Employers can use it to benchmark skills and levels of responsibility for a particular role and identify career paths for their workforce. Practitioners are able to use SFIA to help them define clear career pathways, as well as identify individual skill gaps to close. And professional bodies can use SFIA as the basis of globally relevant professional certification and registration.
The SFIA framework is used across the world by government bodies, professional bodies, large and small businesses and individuals. It is available in 13 languages. The Australian and New Zealand governments have taken out whole-of-country SFIA licenses because it is much cheaper and quicker to adopt and use SFIA than to build their own. SFIA provides a common reference across public and private sectors, across the region and throughout the supply chain. As well as its use across commonwealth or national government institutions in Australia, it is widely used across the public and private sectors in the U.K., EU, Middle East, U.S., Canada, South America and Africa.
SFIA v9, along with the mappings of nine ISC2 credential and certification trainings under the U.S. Department of Defense (DoD) Directive 8140 Cyber Workforce Qualification Provider Marketplace, is a continued reinforcement of the quality and relevancy of ISC2 certifications and education. Learners and credential holders can be confident that their accomplishments are recognized on a global scale, with detailed and relevant skill and level alignments.
The significance of closing the skills gap cannot be overestimated. The latest ISC2 Cybersecurity Workforce Study found that nearly 60% of respondents agree that skills gaps have significantly impacted their ability to secure the organization, with 58% stating it puts their organizations at significant risk. Additionally, 64% of respondents believe that skills gaps can have a more significant negative impact than a staffing shortage.
SFIA v9 includes several noteworthy updates, including the addition of new skills across various disciplines like cybersecurity, cloud and AI. It also includes updated definitions for existing skills, refinements for clearer understanding of responsibility levels, and a more significant focus on entry-level roles with new skills and guidance for lower levels. These updates – as with all SFIA triennial updates – focus on delivering a clearer and more accurate reflection of the ever-evolving digital landscape as well as cybersecurity as an evolving field.
ISC2 Certifications and SFIA v9
The certifications mapping from SFIA version 8 to version 9 includes the addition of the CGRC credential alongside the previously mapped CISSP, CCSP, CSSLP and SSCP.
The CISSP, CSSLP and CGRC credentials cover the security aspects of SFIA skills at levels 5 and 6. The CCSP covers level 5, with the SSCP at levels 3 and 4. More details are shown in the chart below.
ISC2 Courses and SFIA v9
The mappings of ISC2 certification training courses to the SFIA framework provide a sound basis for employers to see their value, and how they play a significant part in developing the skills of their workforce. As with the credential mapping, the CISSP, CCSP, CSSLP, CGRC and SSCP courses are all mapped.
This means that following the completion of one of these courses, a practitioner could be expected to have learned the information necessary for the SFIA skills related to the training. The skills and levels of those attributes are detailed in the chart below.
Impact for ISC2 Members and Learners
The latest version of SFIA recognizes the value and significance of globally recognized and accredited training courses in establishing a practitioner’s knowledge, skills and abilities to fulfil their cybersecurity role. Additionally, the inclusion of the CGRC credential underscores the growing importance of education and certification in the spaces surrounding managing governance and risks, while maintaining compliance with the growing slate of industry and government regulations.