Version 9 of the Skills Framework for the Information Age (SFIA) was released in late 2024, refreshing all skills, including those for cyber, AI and data, and introducing new skills for other business functions. With the latest version, ISC2 has five certification courses and six credentials (the CC has just been mapped, more to come on that!) mapped to the framework.
This article will break down how the CISSP is mapped to the SFIA framework and what this means for credential holders and those looking to hire.
SFIA Overview
SFIA is a seven-level global framework that defines the professional skills, behaviors and knowledge needed to work in the digital age. International frameworks such as SFIA, the U.S. National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity, and the European Cybersecurity Skills Framework (ECSF) from ENISA provide a structure for understanding cybersecurity work.
While NICE and ECSF are role-based frameworks, SFIA is skill-based, with responsibility, skills and behaviors forming the building blocks of roles, which can be assembled into career paths. SFIA provides a well-established and trusted skills and competency framework for information and cybersecurity. The seven levels of responsibility in SFIA reflect levels of responsibility in professional employment and are defined in terms of the five responsibility attributes (autonomy, influence, complexity, business skills and behaviors, and knowledge). The way these attributes correspond to an individual’s role determines their SFIA level.
The seven levels of responsibility are:
- Follow
- Assist
- Apply
- Enable
- Ensure
- Initiate, influence
- Set strategy, inspire, mobilize
How the CISSP Credential Maps to SFIA
The CISSP aligns most closely with several SFIA skills in the cybersecurity and risk areas, from Level 5 (Ensure or advise) through Level 6 (Initiate and influence). The credential maps to 18 skills within Strategy and Architecture, Development and Implementation, and Delivery and Operation from a set of 147 skills covering the full breadth of business activities.



How the CISSP Course Maps to SFIA
The CISSP course is also mapped to SFIA; however, learning is mapped differently from the credential itself.
SFIA focuses on demonstrated competency in the workplace. Successfully completing the CISSP course, however, demonstrates knowledge acquisition – not full competence – in the three additional areas of Change and Transformation, People and Skills, and Relationship and Engagement. All 30 skills across the six areas are mapped between Levels 5 and 6.






Conclusion
As a CISSP holder, your knowledge, skills and abilities are recognized at high levels of responsibility across the SFIA framework. And taking the CISSP course supports professional development in recognized skill areas like risk management and information security.
For those writing job descriptions or developing career paths, CISSP holders would be appropriate for roles in Level 4 (Practitioner) up to Level 6 (Strategic Leader).
The CISSP mapping to the SFIA framework is another example of how the certification has established global recognition at a high level in the profession.