Assesses and documents the impacts, threats and opportunities to the organisation of specific technologies, products, services, methods and techniques. Considers their applicability within business and IT strategy, and their potential to influence strategy.
SFIA Skills: Strategy and architecture
Implementation and controls (IRMG)(Level 4)
Ensures implementation of information, and records management policies and standard practice, ensuring that information is protected, available and accessible, and can be retrieved as required. Complies with all relevant information and data security policies and procedures.
Evaluation and selection (ARCH)(Level 6)
Establishes policy and strategy for the selection of data architecture components and takes responsibility for the strategy and methods used in implementing a data architecture in a significant area of the organisation. Manages the organisation’s data strategies, policies, standards and practices, ensures that they are applied correctly, and promotes consistency.
Data architecture development (ARCH)(Level 6)
Leads development of data architectures for complex solutions, ensuring consistency with specified requirements agreed with both external and internal customers. Takes full responsibility for ensuring that data architectures balance functional and non-functional (e.g. service quality and systems management) requirements within a significant area of the organisation.
Initiatives and assignments (INOV) (Level 6)
Initiates investigation and development of innovative methods of exploiting IT assets, to the benefit of organisations and the community. Carries out analysis at a strategic level and develops business proposals to exploit technology in line with the organisation’s mission, objectives and strategy.
Idea stimulation (INOV) (Level 6)
Leads the communication and an open flow of creative ideas between interested parties and the set-up of innovation networks and communities.
Coordination (ARCH)(Level 6)
Manages or co-ordinates the applicable architecture function within an organisation.
Technical assurance (ARCH)(Level 6)
Takes responsibility for the technical integrity of designs, ensuring for example that reusable elements are recognised, and that work is not unnecessarily duplicated. Ensures that all changes are managed effectively and contributes to formal reviews and evaluations when projects and programmes end.
Change programmes (ARCH)(Level 6)
Within a business change programme, manages the programme’s target design, policies and standards, working proactively to achieve stable, viable designs, and ensuring consistency of design across projects within the programme. Defines the migration path from current mode of operation to the future mode.
Idea stimulation (INOV) (Level 5)
Encourages and motivates innovation communities, teams and individuals to share creative ideas and learn from failures. Manages and facilitates the communication and open flow of creative ideas between interested parties and the set-up of innovation networks and communities.
Technical exceptions (ARCH)(Level 5)
Monitors technical progress, informing project management of major technical issues and making recommendations on their resolution. Advises on the impact of technical exceptions (including requests for changes, deviations from specifications, etc.), and ensures that there is proper technical assessment of all exceptions.
Innovation initiatives (INOV) (Level 5)
Investigates and develops innovative methods of exploiting IT assets, to the benefit of the organisation and the community. Develops business proposals to exploit technology in line with the organisation’s mission, objectives and strategy, clearly articulating, and formally reporting benefits.
Technical assurance (ARCH)(Level 5)
Advises on appropriate technical assurance criteria, and the conduct of quality reviews of technical products. Ensures change control is applied to specifications and designs. Ensures the adequacy and effective use of quality control procedures in relation to solution architecture components.
Change programmes (ARCH)(Level 5)
Within a business change programme, leads the preparation of technical plans and in liaison with business assurance and project staff, ensures that appropriate technical resources are made available.
Change programmes (ARCH)(Level 4)
Supports a change programme or project through the preparation of technical plans and application of design principles that comply with enterprise and solution architecture standards (including security).
Technical assurance (ARCH)(Level 4)
Participates in quality reviews (e.g. fitness for purpose, quality attributes, non-functional requirements, risk) of solution architecture components.
Restricted Transfers (IG)(Level 6)
Advises on restricted transfers including any additional safeguards and ensures copies of safeguards are available to persons whose data is to be or has been transferred overseas.
Control and owners (PEDP) (Level 6)
Maintains an overview of the organisation’s information assets, identifies the information asset owners and implements internal audits including controls on storing, security, maintaining records of processing activities, data protection impact assessments, transfers, contracts and handling access to personal data.
Regulatory compliance (IG)(Level 7)
Responsible for business strategy compliance with information governance policies. Takes steps to ensure the organisation complies with all relevant data security regulations including UK GDPR and confidentiality. Identifies the impact of any relevant statutory, internal or external regulations on the organisation’s use of personal information and develops approaches for compliance. Leads and plans activities to communicate and implement information management and privacy strategies. Oversees privacy notices, ROPAs and supports the DPO with the applicability of DPIAs as appropriate.
Regulatory compliance (Level 5)
Reviews and assists own organisation to maintain a privacy notice and record of processing activities (ROPA). Advises and, where necessary, assists on the application of data protection impact assessments (DPIA) and maintains records for compliance within regulatory access requirements.
Regulatory compliance (Level 6)
Identifies the impact of any relevant statutory, internal or external regulations on the organisation’s use of personal information and develops strategies for compliance. Leads and plans activities to communicate and implement information management and privacy strategies. Monitors and advises on application of privacy notice, ROPA and application of DPIAs. Acts as contact point for regulatory authority (Commissioner) on issues relating to processing, prior consultations and other matters as appropriate.
Information governance culture (IG) (Level 7)
Obtains organisational commitment to information governance at the highest level. Establishes a culture where information governance is the responsibility of every employee.
Data and information security culture (INAS)(Level 7)
Obtains organisational commitment to data and information security at the highest level. Establishes a culture where data and information security is the responsibility of every employee.
Influencing partners (IG)(Level 7)
Influences key partner organisations to maintain information governance policies and practices in line with those of own organisation.
Business plans (IG)(Level 7)
Has significant input to development of business plans, ensuring that information governance is integrated into business strategy and policies.
Implementation and processes (IG)(Level 7)
Ensures that the organisation implements processes to take forward the information governance strategy and policies and complies with DSPT.
Strategy (IG)(Level 7)
Takes overall responsibility for establishing and managing information governance strategy and policies in accordance with external and internal legislation and guidance relevant to the organisation.
Advice and guidance (IG) (Level 7)
Leads and guides provision of information governance requirements across all the organisation’s information and information systems.
Budget management (Level 6)
Sets, negotiates, agrees and manages all financial budgets and targets, ensuring there is adequate funding for all targets and plans, especially to meet development and capacity needs. Monitors and communicates the budget versus actual history.
Review findings (AUDIT)(Level 4)
Collates and analyses evidence regarding the interpretation and implementation of control measures, and/or conformance to standards, and prepares and communicates the audit report.
Risk assessment (IG)(Level 4)
Carries out risk assessments as directed, using standard processes for identifying potential information governance risks.
Policies (IG)(Level 4)
Interprets and applies approaches for the assessment of complex information artefacts and data flows against information governance policies and business objectives.
Advice and guidance (IG) (Level 4)
Provides information governance advice and guidance, sometimes complex, to colleagues and suppliers to ensure they effectively, legally and safely manage and share records and information. Encourages and coaches less experienced information governance colleagues.
Threats and breaches (IG) (Level 5)
Responds to major data security breaches in line with security and information governance policies and recommends appropriate control improvements. Supports any investigation that takes place as a result of a breach. Supports action to categorise and limit damage, according to the organisation’s security policy, which may include escalation and reporting the incident to the Information Commissioner’s Office, and records the incident and action taken.
Threats and breaches (IG) (Level 6)
Ensures the identification and monitoring of data security and data protection trends and proactively assesses impact on business strategies, benefits and risks. Manages assessment of threats to confidentiality, integrity, availability and relevant compliance. Contributes to data security control reviews, business risk assessments and reviews that follow significant breaches of data security controls.
Implementation and processes (IG)(Level 6)
Supports the development, implementation and monitoring of organisational policies and processes relating to information governance.
Performance measures (IG)(Level 6)
Determines appropriate and practical performance measures to ensure that information governance priorities set by the business can be effectively monitored.
Best practice (INAS)(Level 6)
Assesses legal and best practice issues, and promotes awareness of national and international laws, including those relating to confidentiality, privacy and copyright.
Budget management (Level 5)(FEDIP)
Postholder manages a delegated budget. Works with capital budgets, operating budgets and cash budgets. Integrates budget data and processes from multiple and diverse areas and participates in establishing procedures for planning, implementing and monitoring budgets.
Risk assessment (IG)(Level 5)
Maintains oversight of complex data protection and confidentiality risk assessments and develops mitigating strategies for highly complex or strategic scenarios. Oversees application of the principles of risk assessment, risk management processes and decision making as they relate to information governance.
Threats and breaches (IG) (Level 3)
Responds to data security breaches in line with security and information governance policies. Supports any investigation that takes place as a result of a breach. Supports action to categorise and limit damage, according to the organisation’s security policy, which may include escalation and reporting the incident to the Information Commissioner’s Office, and records the incident and action taken.
Risk assessment (IG)(Level 2)
Supports risk assessment following standard procedures. Maintains and monitors risk assessment documentation.
Incident Response (Level 6)(IG)
Cooperates with the supervisory authority. Acts as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36. Consults, where appropriate, with regard to any other matter. Advises the organisation on risk mitigations and required actions.
Cooperation and relationships (PEDP) (Level 6)
Instigates and encourages cooperation where opportunities and requirements to work with subject matter experts exist to build effective relationships within the organisation. Demonstrates how collaborative working will increase the organisation’s effectiveness, reduce risk and create trust and resilience with the general public. Areas to work with should include legal, public relations, learning and development, procurement, information security, IT, security, data management and architecture.
Restricted Transfers (IG)(Level 4)
Advises on restricted transfers including any additional safeguards and ensures copies of safeguards are available to persons whose data is to be or has been transferred overseas.
Incident response (PEDP) (Level 6) (IG)
Assesses and manages the risk for any potential personal data breaches and cyber incidents. Sets in motion the agreed procedures to identify a breach, including with third parties, works within the statutory timeline, mitigates risk, and maintains communications with the Data Protection Officer (DPO), or equivalent where a DPO is not required, to comply with statutory notification to the regulatory authority (Commissioner) if a breach is confirmed.
Policies, procedures and governance (PEDP) (Level 6)
Consults, collaborates and offers expert advice on developing organisational policies, procedures, best practice, privacy policies, standards and guidelines ensuring recognised data protection definitions and practices are applied throughout the organisation. Has due regard to the risk associated with processing operations, taking into account the nature, context and purpose of processing.
IG Cyber Threat Understanding (IG)(Level 6)
Provides an IG perspective on cyber threats.
Incident Response (PEDP) (Level 5)
Assesses and manages the risk for any potential personal data breaches and cyber incidents. Sets in motion the agreed procedures to identify a breach, including with third parties, works within the statutory timeline, mitigates risk, and maintains communications with the Data Protection Officer (DPO), or equivalent where a DPO is not required, to comply with statutory notification to the regulatory authority (Commissioner) if a breach is confirmed.
Review findings (Level 2)
Collates evidence to support reviews of compliance with standards, statutory controls, or management directives.
Information sharing (PEDP)(Level 6)
Advises on information sharing requirements including agreements and ad hoc disclosures for example police requests.
Data protection by design and default (PEDP)(Level 6)
Monitors compliance with data protection by design and default through DPIAs and associated documentation.
Training and raising awareness (PEDP)(Level 6)
Influences organisational culture through training and by raising the awareness of staff.
Internal compliance (PEDP)(IG)(Level 6)
Monitors compliance of the organisation (or its processors) in relation to the protection of personal data, including the assignment of responsibilities to manage functions under UK GDPR.
Individual rights requests (PEDP)(IG)(Level 6)
Monitors the organisation’s compliance with individual rights requests.
Review findings (AUDIT)(Level 7)
Assesses collated audit review findings. Identifies and proposes significant control improvement programmes.
Data security and protection toolkit (Level 6)
Is accountable for ensuring that the Data Security & Protection Toolkit (DSPT) is completed and used effectively within the organisation to protect the security of information assets and ensure personal information is handled correctly.
Information asset management (IRMG)(IG)(Level 6)
Maintains an overview of the organisation’s information assets and supports information asset owners in managing their assets to support organisational priorities and in line with appropriate regulation, good practice and organisational policies.
Caldicott Guardian/SIRO and DPO advice and support (IRMG)(Level 6)
Provides highly complex and strategic advice and support to the Caldicott Guardian and Senior Information Risk Owners. Provides support to the DPO.
Review findings (AUDIT)(IG)(Level 6)
Contributes to formal reports to management on the effectiveness and efficiency of control mechanisms and the extent of compliance of systems with standards, regulations and/or legislation.
Cyber threat understanding (THIN)(Level 5)
Maintains an understanding of the local threat environment and applies this knowledge to inform and provide context for wider activities. Uses local threat information in decision-making and planning.
Information governance culture (IG) (Level 6)
Champions organisational commitment to positive information governance culture. Promotes and supports a culture where information governance is a responsibility of every employee.
Information asset management (IRMG)(IG)
Manages the process of information asset management. Supports and trains information asset owners to create and maintain an inventory of data and information assets, which are subject to relevant legislation.
Caldicott Guardian/SIRO and DPO advice and support (IRMG)(Level 5)
Provides complex advice and support to the Caldicott Guardian and Senior Information Risk Owners. Provides support to the Head of Information Governance and the DPO.
Individual rights requests (PEDP)(IG)(Level 5)
Processes straightforward subject access requests in accordance with GDPR requirements as applicable. Maintains compliance with appropriate timeframes and any allowed charges or refusals.
Policies (IG)(Level 3)
Follows standard approaches for the assessment of information artefacts and data flows against information governance policies and business objectives.
Caldicott Guardian/SIRO and DPO advice and support (IRMG)(Level 4)
Provides straightforward advice and support to the Caldicott Guardian and Senior Information Risk Owners. Provides support to the DPO as required.
Information Governance Audit (PEDP) (Level 5)
Principles, practices, tools and techniques of information governance auditing and the Data Security and Protection Toolkit.
Review findings (Level 3)
Collates evidence and examines for compliance with standards, statutory controls, or management directives. Identifies, escalates and documents issues of non-compliance.
Access requests (Level 4)
Supports the processing of subject access requests in accordance with GDPR requirements.
Regulatory compliance (Level 5)
Reviews and assists own organisation to maintain a privacy notice and record of processing activities (ROPA). Advises and, where necessary, assists on the application of data protection impact assessments (DPIA) and maintains records for compliance within regulatory access requirements.
Advice and guidance (Level 3)(IG)
Provides straightforward information governance advice and guidance to colleagues and suppliers to ensure they effectively manage information.
Data security and protection toolkit (IG)(Level 4)
Uses the Data Security & Protection Toolkit (DSPT) to provide assurance that information assets are secure and that personal information is handled correctly.
Compliance analysis and reporting (Level 3)(QUAS)
Examines records for evidence that appropriate testing and other quality control activities have taken place and determines compliance with organisational directives, standards and procedures. Identifies non-compliances, non-conformances and abnormal occurrences, and inputs findings to compliance reports.
Strategy formulation (Level 6)
Sets out the business architecture for the organisation aligning to business functions, the business strategy and the competitive landscape. Describes the architecture in different ways for different audiences by creating specific architecture views. Demonstrates stakeholder concerns are addressed and gains agreement for the proposed architecture.
Environmental scanning (Level 6)
Taking account of the business objectives and culture of the employing organisation, evaluates major options for providing IT services effectively and efficiently and recommends solutions such as outsourcing, new approaches to recruitment and retention, and global supply contracts. Develops and presents business cases for high-level initiatives to executive management for approval, funding, and prioritisation.
Strategy formulation (Level 5)
Creates, manages and maintains a business operating model that includes information, organisational, process, performance, people skills, economic and systems architecture.
Environmental scanning (Level 5)
Maintains an awareness of current and emerging digital information and communications technologies, processes and methods. Identifies and evaluates potential opportunities to establish relevance and feasibility for inclusion in strategy formulation.
Leadership (Level 6)(Methods and tools)
Sets direction and leads in the introduction and use of techniques, methods and tools, to meet business requirements. Leads the development of organisational capabilities for methods and tools to ensure consistent adoption and adherence to policies and standards.
Policies and standards (Level 6)
Develops organisational policies, standards, and guidelines for methods and tools.
Advice and guidance (Level 6)
Develops organisational policies, standards, and guidelines for methods and tools. Sets direction and leads in the introduction and use of techniques, methodologies and tools.
Policies and standards (Level 5)
Contributes to organisational policies, standards and guidelines for methods and tools providing advice, guidance and expertise in the promotion and adoption of methods and tools in adherence to policies and standards.
Advice and guidance (Level 5)
Provides advice, guidance and expertise to promote the adoption of methods and tools, their effective use and adherence to policies and standards. Ensures that new methods and tools migrate to effective operation by promoting understanding of the effects of new methods and tools among non-users, delivering education and training for those using, or affected by, methods and tools.
Advice and guidance (Level 4)
Provides advice and guidance to support adoption of methods and tools, and the adherence to policies and standards.
Advice and guidance (Level 3)
Provides support on the use of existing methods and tools.
Compliance analysis and reporting (Level 5)
Evaluates, appraises and identifies non-compliances with organisational standards, QMS and/or quality plans and determines whether appropriate quality control has been applied.
Compliance analysis and reporting (Level 4)
Collates, collects and examines records. Analyses the evidence to ensure compliance with organisational standards for activities, processes, data, products or services. Investigates and documents the internal control of specified aspects of automated, partly automated, or manual processes. Assesses compliance with relevant standards and drafts all or part of formal compliance reports.
Compliance analysis and reporting (Level 3) (QUAS-F)
Supports the examination of records for evidence that appropriate testing and other quality control activities have taken place. Supports the identification of non-compliances, non-conformances and abnormal occurrences.