SSCP Certification Exam Outline

1.1 - Comply with codes of ethics

• ISC2 Code of Ethics
• Organizational code of ethics

1.2 - Understand security concepts

• Confidentiality
• Integrity
• Availability
• Accountability
• Non-repudiation
• Least privilege
• Segregation of duties (SoD)

1.3 - Identify and implement security controls

• Technical controls (e.g., firewalls, intrusion detection systems (IDS), access control list (ACL)
• Physical controls (e.g., mantraps, cameras, locks)
• Administrative controls (e.g., security policies, standards, procedures, baselines)
• Assessing compliance requirements
• Periodic audit and review

1.4 - Document and maintain functional security controls

• Deterrent controls
• Preventative controls
• Detective controls
• Corrective controls
• Compensating controls

1.5 - Support and implement asset management lifecycle (i.e., hardware, software, and data)

• Process, planning, design and initiation
• Development /Acquisition (e.g., DevSecOps, testing)
• Inventory and licensing (e.g., open source, closed-source)
• Implementation/Assessment
• Operation/Maintenance/End of Life (EOL)
• Archival and retention requirements
• Disposal and destruction

1.6 - Support and/or implement change management lifecycle

• Change management (e.g., roles, responsibilities, processes, communications, audit)
• Security impact analysis
• Configuration management (CM)

1.7 - Support and/or implement security awareness and training (e.g., social engineering/phishing/tabletop exercises/awareness communications)

1.8 - Collaborate with physical security operations (e.g., data center/facility assessment, badging and visitor management, personal device restrictions)

2.1 - Implement and maintain authentication methods

• Single/Multi-factor authentication (MFA)
• Single sign-on (SSO) (e.g., Active Directory Federation Services (ADFS), OpenID Connect)
• Device authentication (e.g., certificate, Media Access Control (MAC) address, Trusted Platform Module (TPM))
• Federated access (e.g., Open Authorization 2 (OAuth2), Security Assertion Markup Language (SAML))

2.2 - Understand and support internetwork trust architectures

• Trust relationships (e.g., 1-way, 2-way, transitive, zero)
• Internet, intranet, extranet, and demilitarized zone (DMZ)
• Third-party connections (e.g., application programming interface (API), app extensions, middleware)

2.3 - Support and/or implement the identity management lifecycle

• Authorization
• Proofing
• Provisioning/De-provisioning
• Monitoring, Reporting, and Maintenance (e.g., role changes, new security standards)
• Entitlement (e.g., inherited rights, resources)
• Identity and access management (IAM) systems

2.4 - Understand and administer access controls

• Mandatory
• Discretionary
• Role-based (e.g., subject-based, object-based, Privileged Access Management (PAM))
• Rule-based
• Attribute-based

3.1 - Understand risk management

• Risk visibility and reporting (e.g., risk register, sharing threat intelligence, indicators of Compromise (IOC), Common Vulnerability Scoring System (CVSS), socialization, MITRE/ATT&CK model)
• Risk management concepts (e.g., impact assessments, threat modeling, scope)
• Risk management frameworks
• Risk tolerance (e.g., appetite, risk quantification)
• Risk treatment (e.g., accept, transfer, mitigate, avoid)

3.2 - Understand legal and regulatory concerns (e.g., jurisdiction, limitations, privacy)

3.3 - Perform security assessments and vulnerability management activities

• Risk management frameworks implementation
• Security testing
• Risk review (e.g., internal, supplier, architecture)
• Vulnerability management lifecycle (e.g., scanning, reporting, analysis, remediation)

3.4 - Operate and monitor security platforms (e.g., continuous monitoring)

• Source systems (e.g., applications, security appliances, network devices, hosts)
• Events of interest (e.g., errors, omissions, anomalies, unauthorized changes, compliance violations, policy failures)
• Log management (e.g., policy, integrity, preservation, architectures, configuration, aggregation, tuning)
• Security information and event management (SIEM) (e.g., real-time monitoring, analysis, tracking, audit)

3.5 - Analyze monitoring results

• Security baselines and anomalies (e.g., correlation, noise reduction)
• Visualizations, metrics, and trends (e.g., notifications, dashboards, timelines)
• Event data analysis
• Document and communicate findings (e.g., escalation)

4.1 - Understand and support incident response lifecycle (e.g., National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO))

• Preparation (e.g., defining roles, training programs)
• Detection, analysis, and escalation (e.g., incident communication, public relations)
• Containment
• Eradication
• Recovery (e.g., incident documentation)
• Post incident activities (e.g., lessons learned, new countermeasures, continuous improvement)

4.2 - Understand and support forensic investigations

• Legal (e.g., civil, criminal, administrative) and ethical principles
• Evidence handling (e.g., first responder, triage, chain of custody, preservation of scene)
• Reporting of analysis
• Organization Security Policy Compliance

4.3 - Understand and support business continuity plan (BCP) and disaster recovery plan (DRP)

• Emergency response plans and procedures (e.g., information system contingency, pandemic, natural disaster, crisis management)
• Interim or alternate processing strategies
• Restoration planning (e.g., Restore Time Objective (RTO), Restore Point Objectives (RPO), Maximum Tolerable Downtime (MTD))
• Backup and redundancy implementation
• Testing and drills (e.g., playbook, tabletop, disaster recovery exercises, scheduling)

5.1 - Understand reasons and requirements for cryptography

• Confidentiality
• Integrity and authenticity
• Data sensitivity (e.g., personally identifiable information (PII), intellectual property (IP), protected health information (PHI))
• Regulatory and industry best practice (e.g., Payment Card Industry Data Security Standards (PCI-DSS), International Organization for Standardization (ISO))
• Cryptography entropy (e.g., quantum cryptography, quantum key distribution)

5.2 - Apply cryptography concepts

• Hashing
• Salting
• Symmetric/Asymmetric encryption/Elliptic curve cryptography (ECC)
• Non-repudiation (e.g., digital signatures/certificates, Hash-based Message Authentication Code (HMAC), audit trails)
• Strength of encryption algorithms and keys (e.g., Advanced Encryption Standards (AES), Rivest-Shamir-Adleman (RSA)
• Cryptographic attacks and cryptanalysis

5.3 - Understand and implement secure protocols

• Services and protocols
• Common use cases (e.g., credit card processing, file transfer, web client, virtual private network (VPN), transmission of PII data)
• Limitations and vulnerabilities

5.4 - Understand public key infrastructure (PKI)

• Fundamental key management concepts (e.g., storage, rotation, composition, generation, destruction, exchange, revocation, escrow)
• Web of Trust (WOT) (e.g., Pretty Good Privacy (PGP), GNU Privacy Guard (GPG), blockchain)

6.1 - Understand and apply fundamental concepts of networking

• Open Systems Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
• Network topologies
• Network relationships (e.g., peer-to-peer (P2P), client server)
• Transmission media types (e.g., wired, wireless)
• Software-defined networking (SDN) (e.g., Software-Defined Wide Area Network (SD-WAN), network virtualization, automation)
• Commonly used ports and protocols

6.2 - Understand network attacks (e.g., distributed denial of service (DDoS), man-in-the-middle (MITM), Domain Name System (DNS) cache poisoning)

• Countermeasures (e.g., content delivery networks (CDN), firewalls, network access controls, intrusion detection and prevention systems (IDPS))

6.3 - Manage network access controls

• Network access controls, standards and protocols (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1X, Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access-Control System Plus (TACACS+))
• Remote access operation and configuration (e.g., thin client, virtual private network (VPN), virtual desktop infrastructure)

6.4 - Manage network security

• Logical and physical placement of network devices (e.g., inline, passive, virtual)
• Segmentation (e.g., physical/logical, data/control plane, virtual local area network (VLAN), access control list (ACL), firewall zones, micro-segmentation)
• Secure device management

6.5 - Operate and configure network-based security appliances and services

• Firewalls and proxies (e.g., filtering methods, web application firewall (WAF), cloud access security broker (CASB))
• Network intrusion detection/prevention systems
• Routers and switches
• Traffic-shaping devices (e.g., wide area network (WAN) optimization, load balancing)
• Network Access Control (NAC)
• Data Loss Prevention (DLP)
• Unified Threat Management (UTM)

6.6 - Secure wireless communications

• Technologies (e.g., cellular network, Wi-Fi, Bluetooth, Near-Field Communication (NFC))
• Authentication and encryption protocols (e.g., Wi-Fi Protected Access (WPA), Extensible Authentication Protocol (EAP), Wi-Fi Protected Access 2 (WPA2), Wi-Fi Protected Access 3 (WPA3))

6.7 Secure and monitor Internet of Things (IoT) (e.g., configuration, network isolation, firmware updates, End of Life (EOL) management)

7.1 - Identify and analyze malicious code and activity

• Malware (e.g., rootkits, spyware, scareware, ransomware, trojans, virus, worms, trapdoors, backdoors, fileless, app/code/operatin3 system (OS)/mobile code vulnerabilities)
• Malware countermeasures (e.g., scanners, anti-malware, containment and remediation, software security)
• Types of malicious activity (e.g., insider threat, data theft, distributed denial of service (DDoS), botnet, zero-day exploits, web-based attacks, advanced persistent threat (APT))
• Malicious activity countermeasures (e.g., user awareness/training, system hardening, patching, isolation, data loss prevention (DLP))
• Social engineering methods (e.g., SPAM email, phishing/smishing/vishing, impersonation, scarcity, whaling)
• Behavior analytics (e.g., machine learning, Artificial Intelligence (AI), data analytics)

7.2 - Implement and operate endpoint device security

• Host-based intrusion prevention system (HIPS)
• Host-based intrusion detection system (HIDS)
• Host-based firewalls
• Application white listing
• Endpoint encryption (e.g., full disk encryption)
• Trusted Platform Module (TPM) (e.g., hardware security module management)
• Secure browsing (e.g., digital certificates)
• Endpoint detection and response (EDR)

7.3 - Administer and manage mobile devices

• Provisioning techniques (e.g., corporate owned, personally enabled (COPE), Bring Your Own Device (BYOD), Mobile Device Management (MDM))
• Containerization
• Encryption
• Mobile application management

7.4 - Understand and configure cloud security

• Deployment models (e.g., public, private, hybrid, community)
• Service models (e.g., Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS))
• Virtualization (e.g., hypervisor, Virtual Private Cloud (VPC))
• Legal and regulatory concerns (e.g., privacy, surveillance, data ownership, jurisdiction, eDiscovery, shadow information technology (IT))
• Data storage, processing, and transmission (e.g., archiving, backup, recovery, resilience)
• Third-party/Outsourcing requirements (e.g., service-level agreement (SLA), data portability/ privacy/destruction/auditing)
• Shared responsibility model

7.5 - Operate and maintain secure virtual environments

• Hypervisor (i.e., Type 1 (e.g., bare metal), Type 2 (e.g., software))
• Virtual appliances
• Containers
• Continuity and resilience
• Storage management (e.g., data domain)
• Threats, attacks, and countermeasures (e.g., brute-force attack, virtual machine escape, threat hunting)

In the foundational domain of the SSCP, AI integration centers on the fundamental shift in how we apply the pillars of information security to automated systems. Security administrators must now understand how “Algorithmic Integrity” ensures that AI outputs remain reliable and untampered. We incorporate AI by emphasizing the importance of ethical guidelines and transparency in automated processes, ensuring that as systems become more autonomous, they remain accountable to established security policies and organizational standards.

Furthermore, this domain addresses the lifecycle management of AI-enabled security controls. As a practitioner, you are tasked with supporting change management processes that account for the unique update cycles of Machine Learning (ML) models. This integration ensures that the security professional is not just a passive observer but an active participant in maintaining the functional security posture of AI-driven business tools.

Access control in the age of AI requires managing a new class of “intelligent” non-human entities. Within this domain, we focus on the identity management lifecycle for AI agents and service accounts that perform automated tasks. The integration covers the implementation of the Principle of Least Privilege for these agents, preventing them from accessing sensitive data tiers that fall outside their specific operational scope or training requirements.

Additionally, we include how AI enhances traditional access control mechanisms. By supporting the implementation of adaptive authentication and behavioral biometrics, SSCPs can utilize AI to detect anomalies in user access patterns in real-time. This dual-sided integration ensures that while you are securing the AI’s access to your systems, you are also leveraging AI to make your overall access control architecture more resilient and dynamic.

This domain shifts the practitioner’s focus toward the visibility and reporting of AI-specific risks. Organizations can integrate AI by training administrators to identify Indicators of Compromise (IoC) that are unique to ML environments, such as “Model Drift” or suspicious query patterns. Candidates have knowledge on security assessments that evaluate the vulnerability of AI endpoints, ensuring that these systems are captured within the organization’s broader risk register and vulnerability management lifecycle.

Monitoring also takes a significant leap forward with the inclusion of AI-driven analytics. SSCPs are tasked with analyzing results from correlation engines that use machine learning to reduce noise and highlight true security events. By incorporating these automated visualization and trend-analysis tools, practitioners can communicate findings more effectively and escalate critical risks before they result in a breach.

When a security incident occurs, speed is the most critical factor. In Domain 4, we integrate AI by focusing on the use of automated playbooks and AI-assisted triage during the initial response phase. Security practitioners can support forensic investigations where AI may have been either the target or the perpetrator, ensuring that evidence handling—such as the “chain of custody” for model logs—is conducted according to legal and ethical principles.

Recovery operations now account for the unique requirements of restoring AI-driven systems. This includes ensuring that backup and recovery procedures for ML models and their associated training data are robust. By integrating AI into incident response, we ensure that the modern security administrator can maintain business continuity even in environments where threats and defenses move at machine speed.

The cryptography domain addresses the essential role of encryption in protecting datasets that fuel AI. Integration in this domain focuses on securing “Data in Use” during the training and inference phases, utilizing modern cryptographic protocols to prevent data leakage. We also test the implications of quantum computing and advanced cryptanalysis on the long-term security of AI assets, ensuring that the practitioner can implement resilient key management for AI-related secrets.

Furthermore, we address the use of blockchain and other distributed ledger technologies to provide non-repudiation for AI decision-making. By applying cryptographic signatures to the outputs of AI models, SSCPs can help ensure that the provenance of an automated decision is verifiable and that the data has not been modified in transit, maintaining the trust required for autonomous operations.

As AI workloads scale, they place unique demands on network architecture. This domain integrates AI by focusing on the secure placement and configuration of network-based security devices that monitor AI traffic. Practitioners have knowledge of implementing micro-segmentation to isolate AI training clusters, preventing an adversary from using a compromised AI interface as a beachhead to move laterally across the organizational network.

We also cover the role of AI in defending the network perimeter. This includes the administration of AI-powered firewalls and intrusion prevention systems (IPS) that can detect and block sophisticated “Low and Slow” attacks. By securing the communication pathways for Internet of Things (IoT) devices and mobile endpoints that utilize AI, the SSCP ensures that the network remains a hardened environment for intelligent applications.

In the final domain, the SSCP Exam Outline focuses on the day-to-day administration of the systems that host AI applications. Integration involves managing the software supply chain for ML libraries and ensuring that application security testing accounts for AI-specific logic flaws. Practitioners are tasked with overseeing the secure deployment and patching of these systems, ensuring that “Model Hijacking” or inference attacks are mitigated at the application layer.

Mobile and cloud security also play a major role, as many AI services are delivered via these platforms. SSCPs have knowledge of administering containerized AI environments and manage the security of the APIs that connect these applications to the rest of the enterprise. This ensures that from the server to the endpoint, the entire application stack is resilient against both traditional vulnerabilities and modern, AI-augmented threats.