
Cybersecurity Leadership and Strategy

Uploaded by

Paulo

NIS2 Mapping:

Suggested SANS Courses to the ECSF


Columns: WORK ROLE | SUMMARY STATEMENT | MISSION | RISK ASSESSMENT | CYBER INCIDENTS | CRITICAL INFRASTRUCTURE | REPORTING
Work role: Chief Information Security Officer (CISO)
Summary statement: Manages an organisation’s cybersecurity strategy and its implementation to ensure that digital systems, services and assets are adequately secure and protected.
Mission: Oversees and assures compliance with cybersecurity- and data-related legal, regulatory frameworks and policies in line with the organisation’s strategy and legal requirements. Contributes to the organisation’s data protection related actions. Provides legal advice in the development of the organisation’s cybersecurity governance processes.
Risk Assessment: LDR512: Security Leadership Essentials for Managers; LDR514: Security Strategic Planning, Policy, and Leadership; LDR521: Security Culture for Leaders
Cyber Incidents: LDR551: Building and Leading Security Operations Centers; LDR553: Cyber Incident Management; SEC402: Cybersecurity Writing: Hack the Reader
Critical Infrastructure: ICS410: ICS/SCADA Security Essentials; ICS418: ICS Security Essentials for Managers; SEC402: Cybersecurity Writing: Hack the Reader
Reporting: LDR419: Performing a Cybersecurity Risk Assessment; LDR514: Security Strategic Planning, Policy, and Leadership; SEC566: Implementing and Auditing CIS Controls

Work role: Cyber Incident Responder
Summary statement: Monitor the organisation’s cybersecurity state, manage incidents during cyber-attacks and assure the continued operations of ICT systems.
Mission: Analyses, evaluates and mitigates the impact of cybersecurity incidents. Monitors and assesses systems’ cybersecurity state. According to the organisation’s Incident Response Plan, restores systems’ and processes’ functionalities to an operational state.
Risk Assessment: FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics; FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
Cyber Incidents: FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics; FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
Critical Infrastructure: FOR578: Cyber Threat Intelligence; ICS515: ICS Visibility, Detection, and Response
Reporting: FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics; SEC450: Blue Team Fundamentals: Security Operations and Analysis

Work role: Cyber Legal, Policy, and Compliance Officer
Summary statement: Manages an organisation’s cybersecurity strategy and its implementation to ensure that digital systems, services and assets are adequately secure and protected.
Mission: Oversees and assures compliance with cybersecurity- and data-related legal, regulatory frameworks and policies in line with the organisation’s strategy and legal requirements. Contributes to the organisation’s data protection related actions. Provides legal advice in the development of the organisation’s cybersecurity governance processes.
Risk Assessment: LDR512: Security Leadership Essentials for Managers; LDR514: Security Strategic Planning, Policy, and Leadership
Cyber Incidents: LDR512: Security Leadership Essentials for Managers; LDR553: Cyber Incident Management
Critical Infrastructure: ICS410: ICS/SCADA Security Essentials; ICS418: ICS Security Essentials for Managers
Reporting: LDR514: Security Strategic Planning, Policy, and Leadership; SEC566: Implementing and Auditing CIS Controls

Work role: Cyber Threat Intelligence Specialist
Summary statement: Collect, process, analyse data and information to produce actionable intelligence reports and disseminate them to target stakeholders.
Mission: Manages cyber threat intelligence life cycle including cyber threat information collection, analysis and production of actionable intelligence and dissemination to security stakeholders and the CTI community, at a tactical, operational and strategic level. Identifies and monitors the Tactics, Techniques and Procedures (TTPs) used by cyber threat actors and their trends, track threat actors’ activities and observe how non-cyber events can influence cyber-related actions.
Risk Assessment: FOR578: Cyber Threat Intelligence; SEC497: Practical Open-Source Intelligence (OSINT)
Cyber Incidents: FOR578: Cyber Threat Intelligence; FOR589: Cybercrime Intelligence
Critical Infrastructure: FOR578: Cyber Threat Intelligence; ICS515: ICS Visibility, Detection, and Response
Reporting: FOR578: Cyber Threat Intelligence; FOR589: Cybercrime Intelligence

Work role: Cybersecurity Architect
Summary statement: Plans and designs security-by-design solutions (infrastructures, systems, assets, software, hardware and services) and cybersecurity controls.
Mission: Designs solutions based on security-by-design and privacy-by-design principles. Creates and continuously improves architectural models and develops appropriate architectural documentation and specifications. Coordinate secure development, integration and maintenance of cybersecurity components in line with standards and other related requirements.
Courses (as listed across the Risk Assessment, Cyber Incidents, Critical Infrastructure and Reporting columns): SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise; LDR512: Security Leadership Essentials for Managers; FOR578: Cyber Threat Intelligence; FOR578: Cyber Threat Intelligence; SEC549: Enterprise Cloud Security Architecture; ICS515: ICS Visibility, Detection, and Response; FOR589: Cybercrime Intelligence; SEC566: Implementing and Auditing CIS Controls

Work role: Cybersecurity Auditor
Summary statement: Perform cybersecurity audits on the organisation’s ecosystem.
Mission: Conducts independent reviews to assess the effectiveness of processes and controls and the overall compliance with the organisation’s legal and regulatory frameworks policies. Evaluates, tests and verifies cybersecurity-related products (systems, hardware, software and services), functions and policies, ensuring compliance with guidelines, standards and regulations.
Risk Assessment: AUD507: Auditing & Monitoring Networks, Perimeters and Systems; SEC566: Implementing and Auditing CIS Controls
Cyber Incidents: AUD507: Auditing & Monitoring Networks, Perimeters and Systems; SEC566: Implementing and Auditing CIS Controls
Critical Infrastructure: AUD507: Auditing & Monitoring Networks, Perimeters and Systems; ICS410: ICS/SCADA Security Essentials
Reporting: AUD507: Auditing & Monitoring Networks, Perimeters and Systems; SEC566: Implementing and Auditing CIS Controls

Work role: Cybersecurity Educator
Summary statement: Improves cybersecurity knowledge, skills and competencies of humans.
Mission: Designs, develops and conducts awareness, training and educational programmes in cybersecurity and data protection-related topics. Uses appropriate teaching and training methods, techniques and instruments to communicate and enhance the cybersecurity culture, capabilities, knowledge and skills of human resources. Promotes the importance of cybersecurity and consolidates it into the organisation.
Risk Assessment: LDR433: Managing Human Risk; SEC402: Cybersecurity Writing: Hack the Reader
Cyber Incidents: SEC402: Cybersecurity Writing: Hack the Reader; SEC403: Secrets to Successful Cybersecurity Presentation
Critical Infrastructure: ICS410: ICS/SCADA Security Essentials; ICS418: ICS Security Essentials for Managers
Reporting: LDR514: Security Strategic Planning, Policy, and Leadership; SEC566: Implementing and Auditing CIS Controls

Work role: Cybersecurity Implementor
Summary statement: Develop, deploy and operate cybersecurity solutions (systems, assets, software, controls and services) on infrastructures and products.
Mission: Provides cybersecurity-related technical development, integration, testing, implementation, operation, maintenance, monitoring and support of cybersecurity solutions. Ensures adherence to specifications and conformance requirements, assures sound performance and resolves technical issues required in the organisation’s cybersecurity-related solutions (systems, assets, software, controls and services), infrastructures and products.
Risk Assessment: SEC568: Combating Supply Chain Attacks with Product Security Testing; SEC501: Advanced Security Essentials – Enterprise Defender
Cyber Incidents: LDR551: Leading and Building Security Operations Centers; LDR553: Cyber Incident Management
Critical Infrastructure: ICS410: ICS/SCADA Security Essentials; ICS418: ICS Security Essentials for Managers
Reporting: SEC401: Security Essentials: Network, Endpoint and Cloud; SEC566: Implementing and Auditing CIS Controls

Work role: Cybersecurity Researcher
Summary statement: Research the cybersecurity domain and incorporate results in cybersecurity solutions.
Mission: Conducts fundamental/basic and applied research and facilitates innovation in the cybersecurity domain through cooperation with other stakeholders. Analyses trends and scientific findings in cybersecurity.
Risk Assessment: SEC402: Cybersecurity Writing: Hack the Reader; SEC403: Secrets to Successful Cybersecurity Presentation
Cyber Incidents: FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics; SEC501: Advanced Security Essentials – Enterprise Defender
Critical Infrastructure: ICS410: ICS/SCADA Security Essentials; ICS418: ICS Security Essentials for Managers
Reporting: LDR419: Performing a Cybersecurity Risk Assessment; SEC566: Implementing and Auditing CIS Controls

Work role: Cybersecurity Risk Manager
Summary statement: Manage the organisation’s cybersecurity-related risks aligned to the organisation’s strategy. Develop, maintain and communicate the risk management processes and reports.
Mission: Continuously manages (identifies, analyses, assesses, estimates, mitigates) the cybersecurity-related risks of ICT infrastructures, systems and services by planning, applying, reporting and communicating risk analysis, assessment and treatment. Establishes a risk management strategy for the organisation and ensures that risks remain at an acceptable level for the organisation by selecting mitigation actions and controls.
Risk Assessment: LDR419: Performing a Cybersecurity Risk Assessment; LDR514: Security Strategic Planning, Policy, and Leadership
Cyber Incidents: LDR419: Performing a Cybersecurity Risk Assessment; LDR553: Cyber Incident Management
Critical Infrastructure: ICS410: ICS/SCADA Security Essentials; ICS418: ICS Security Essentials for Managers
Reporting: LDR419: Performing a Cybersecurity Risk Assessment; SEC566: Implementing and Auditing CIS Controls

Work role: Digital Forensics Investigator
Summary statement: Ensure the cybercriminal investigation reveals all digital evidence to prove the malicious activity.
Mission: Connects artefacts to natural persons, captures, recovers, identifies and preserves data, including manifestations, inputs, outputs and processes of digital systems under investigation. Provides analysis, reconstruction and interpretation of the digital evidence based on a qualitative opinion. Presents an unbiased qualitative view without interpreting the resultant findings.
Courses (as listed across the Risk Assessment, Cyber Incidents, Critical Infrastructure and Reporting columns): FOR500: Windows Forensic Analysis; FOR498: Digital Acquisition and Rapid Triage; FOR578: Cyber Threat Intelligence; FOR498: Digital Acquisition and Rapid Triage; FOR500: Windows Forensic Analysis; ICS515: ICS Visibility, Detection, and Response; FOR500: Windows Forensic Analysis; FOR585: Smartphone Forensic Analysis In-Depth

Work role: Penetration Tester
Summary statement: Assess the effectiveness of security controls, reveals and utilise cybersecurity vulnerabilities, assessing their criticality if exploited by threat actors.
Mission: Plans, designs, implements and executes penetration testing activities and attack scenarios to evaluate the effectiveness of deployed or planned security measures. Identifies vulnerabilities or failures on technical and organisational controls that affect the confidentiality, integrity and availability of ICT products (e.g. systems, hardware, software and services).
Courses (as listed across the Risk Assessment, Cyber Incidents, Critical Infrastructure and Reporting columns): SEC560: Enterprise Penetration Testing; SEC504: Hacker Tools, Techniques, and Incident Handling; ICS612: ICS Cybersecurity In-Depth; ICS515: ICS Visibility, Detection, and Response; SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking; SEC560: Enterprise Penetration Testing; ICS613: ICS Penetration Testing and Assessments; SEC560: Enterprise Penetration Testing
