Mapping

SFIA professional skills

  • Audit AUDT
  • Continuity management COPL
  • Data analytics DAAN
  • Information and data compliance PEDP
  • Information assurance INAS
  • Information security SCTY
  • Risk management BURM
  • Stakeholder relationship management RLMT

Competencies

  • How to support cyber security policy implementation, monitor internal cyber controls, report on compliance and recommend actions in the context of the organisation and its regulatory environment.
  • How to conduct security classification of information assets and understand controls required commensurate with this.
  • How to conduct business impact assessments of high-risk systems, including identifying mitigations, keeping records, and contributing to the planning and enhancement of broader information assurance practices including continuity and disaster recovery.
  • How to undertake threat and risk assessments to manage cyber threats and vulnerabilities, including risk identification, assessment and formulating controls along with reporting to the business as required.
  • How to analyse, interpret and present data from a range of sources to support governance, risk and compliance functions.
  • How to foster and maintain relationships with a wide range of technical and business stakeholders including senior executives to support the cyber security governance, risk and compliance function.
  • How to draft clear briefs and reports for executive action or consideration.

70:20:10 examples

70: Suggested experiential learning

  • Create and review cyber security policy.
  • Coordinate and support information security management system and/or governance, risk and cyber security committees.
  • Understand the context of information and be able to navigate and analyse a vast range of sources.
  • Analyse and present data to different stakeholders via different mechanisms e.g. dashboards, presentations.
  • Support responses to audits.
  • Monitor threats and conduct risk assessments and recommend mitigation.
  • Provide advice to a range of stakeholders on cyber governance, risk and compliance matters.
  • Deliver programs and monitor performance.

20: Suggested professional development

  • Mentor and coach team members and peers.
  • Volunteer at industry events.
  • Develop skills in areas of interest to become a subject matter expert – e.g. governance vs risk vs compliance or a particular framework/s or emerging practice area such as third-party risk.
  • Support or deliver cyber awareness sessions.
  • Participate in and present at government cyber security communities of practice.
  • Continue to develop writing skills e.g. review or draft GRC documentation and receive feedback.

10: Example formal learning

  • Auditing an ISMS (ISO/IEC 27001:2022)
  • ISO/IEC 27701 Privacy Information Management (PIMS) Foundation Course
  • Certified Governance Risk and Compliance (CGRC)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Information Systems Auditor (CISA)
  • Essential Eight Assessment Course
  • Government writing courses
  • ITIL
  • Legislative/regulatory training where available (e.g. statutory interpretation, privacy legislation)
  • Vendor risk visualisation tool training