SSCP Certification Exam Outline


1.1 - Comply with codes of ethics

  • ISC2 Code of Ethics
  • Organizational code of ethics

1.2 - Understand security concepts

  • Confidentiality
  • Integrity
  • Availability
  • Accountability
  • Privacy
  • Non-repudiation
  • Least privilege
  • Segregation of duties (SoD)

1.3 - Identify and implement security controls

  • Technical controls (e.j., session timeout, password aging)
  • Physical controls (e.g., mantraps, cameras, locks)
  • Administrative controls (e.g., security policies, standards, procedures, baselines)
  • Assessing compliance
  • Periodic audit and review

1.4 - Document and maintain functional security controls

  • Deterrent controls
  • Preventative controls
  • Detective controls
  • Corrective controls
  • Compensating controls

1.5 - Participate in asset management lifecycle (hardware, software and data)

  • Process, planning, design and initiation
  • Development/Acquisition
  • Inventory and licensing
  • Implementation/Assessment
  • Operation/Maintenance
  • Archiving and retention requirements
  • Disposal and destruction

1.6 - Participate in change management lifecycle

  • Change management (e.g., roles, responsibilities, processes)
  • Security impact analysis
  • Configuration management (CM)

1.7 - Participate in implementing security awareness and training (e.g., social engineering/phishing)

1.8 - Collaborate with physical security operations (e.g., data center assessment, badging)

2.1 - Implement and maintain authentication methods

  • Single/Multi-factor authentication (MFA)
  • Single sign-on (SSO) (e.g., Active Directory Federation Services (ADFS), OpenID Connect)
  • Device authentication
  • Federated access (e.g., Open Authorization 2 (OAuth2), Security Assertion Markup Language (SAML))

2.2 - Support internetwork trust architectures

  • Trust relationships (e.g., 1-way, 2-way, transitive, zero)
  • Internet, intranet and extranet
  • Third-party connections

2.3 - Participate in the identity management lifecycle

  • Authorization
  • Proofing
  • Provisioning/De-provisioning
  • Maintenance
  • Entitlement
  • Identity and access management (IAM) systems

2.4 - Understand and apply access controls

  • Mandatory
  • Discretionary
  • Role-based (e.g., attribute-, subject-, object-based)
  • Rule-based

3.1 - Understand the risk management process

  • Risk visibility and reporting (e.g., risk register, sharing threat intelligence/Indicators of Compromise (IOC), Common Vulnerability Scoring (CVSS))
  • Risk management concepts (e.g., impact assessments, threat modelling)
  • Risk management frameworks
  • Risk tolerance (e.g., appetite)
  • Risk treatment (e.g., accept, transfer, mitigate, avoid)

3.2 - Understand legal and regulatory concerns (e.g., jurisdiction, limitations, privacy)

3.3 - Participate in security assessment and vulnerability management activities

  • Security testing
  • Risk review (e.g., internal, supplier, architecture)
  • Vulnerability management lifecycle

3.4 - Operate and monitor security platforms (e.g., continuous monitoring)

  • Source systems (e.g., applications, security appliances, network devices, and hosts)
  • Events of interest (e.g., anomalies, intrusions, unauthorized changes, compliance monitoring)
  • Log management
  • Event aggregation and correlation

3.5 - Analyze monitoring results

  • Security baselines and anomalies
  • Visualizations, metrics, and trends (e.g., notifications, dashboards, timelines)
  • Event data analysis
  • Document and communicate findings (e.g., escalation)

Domain 4:
Incident Response and Recovery

4.1 - Support incident lifecycle e.g., National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO)

  • Preparation
  • Detection, analysis and escalation
  • Containment
  • Eradication
  • Recovery
  • Lessons learned/implementation of new countermeasure

4.2 - Understand and support forensic investigations

  • Legal (e.g., civil, criminal, administrative) and ethical principles
  • Evidence handling (e.g., first responder, triage, chain of custody, preservation of scene)
  • Reporting of analysis

4.3 - Understand and support business continuity plan (BCP) and disaster recovery plan (DRP)

  • Emergency response plans and procedures (e.g., information system contingency, pandemic, natural disaster, crisis management)
  • Interim or alternate processing strategies
  • Restoration planning
  • Backup and redundancy implementation
  • Testing and drills

5.1 - Understand cryptography

  • Confidentiality
  • Integrity and authenticity
  • Data sensitivity (e.g., personally identifiable information (PII), intellectual property (IP), protected health information (PHI))
  • Regulatory and industry best practice (e.g., Payment Card Industry Data Security Standards (PCI-DSS), International Organization for Standardization (ISO))

5.2 - Apply cryptography concepts

  • Hashing
  • Salting
  • Symmetric/Asymmetric encryption/Elliptic curve cryptography (ECC)
  • Non-repudiation (e.g., digital signatures/certificates, Hash-based Message Authentication Code (HMAC), audit trails)
  • Strength of encryption algorithms and keys (e.g., Advanced Encryption Standards (AES), Rivest-Shamir-Adleman (RSA), 256-, 512-, 1024-, 2048-bit keys)
  • Cryptographic attacks, cryptanalysis, and countermeasures (e.g., quantum computing)

5.3 - Understand and implement secure protocols

  • Services and protocols
  • Common use cases
  • Limitations and vulnerabilities

5.4 - Understand public key infrastructure (PKI)

  • Fundamental key management concepts (e.g., storage, rotation, composition, generation, destruction, exchange, revocation, escrow)
  • Web of Trust (WOT)

6.1 - Understand and apply fundamental concepts of networking

  • Open Systems Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
  • Network topologies
  • Network relationships (e.g., peer-to-peer (P2P), client server)
  • Transmission media types (e.g., wired, wireless)
  • Software-defined networking (SDN) (e.g., Software-Defined Wide Area Network (SD-WAN), network virtualization, automation)
  • Commonly used ports and protocols

6.2 - Understand network attacks (e.g., distributed denial of service (DDoS), man-in-the-middle (MITM), Domain Name System (DNS) poisoning) and countermeasures (e.g., content delivery networks (CDN))

6.3 - Manage network access controls

  • Network access controls, standards and protocols (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1X, Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access-Control System Plus (TACACS+))
  • Remote access operation and configuration (e.g., thin client, virtual private network (VPN))

6.4 - Manage network security

  • Logical and physical placement of network devices (e.g., inline, passive, virtual)
  • Segmentation (e.g., physical/logical, data/control plane, virtual local area network (VLAN), access control list (ACL), firewall zones, micro-segmentation)
  • Secure device management

6.5 - Operate and configure network-based security devices

  • Firewalls and proxies (e.g., filtering methods, web application firewalls (WAF)) Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
  • Network intrusion detection/prevention systems
  • Routers and switches
  • Traffic-shaping devices (e.g., wide area network (WAN) optimization, load balancing)

6.6 - Secure wireless communications

  • Technologies (e.g., cellular network, Wi-Fi, Bluetooth, Near-Field Communication (NFC))
  • Authentication and encryption protocols (e.g., Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), Extensible Authentication Protocol (EAP))
  • Internet of Things (IoT)

7.1 - Identify and analyze malicious code and activity

  • Malware (e.g., rootkits, spyware, scareware, ransomware, trojans, virus, worms, trapdoors, backdoors, fileless)
  • Malware countermeasures (e.g., scanners, anti-malware, code signing)
  • Malicious activity (e.g., insider threat, data theft, distributed denial of service (DDoS), botnet, zero-day exploits, web-based attacks, advanced persistent threat (APT))
  • Malicious activity countermeasures (e.g., user awareness, system hardening, patching, sandboxing, isolation, data loss prevention (DLP))

7.2 - Implement and operate endpoint device security

  • Host-based intrusion prevention system (HIPS)
  • Host-based firewalls
  • Application white listing
  • Endpoint encryption (e.g., whole disk encryption)
  • Trusted Platform Module (TPM)
  • Secure browsing
  • Endpoint Detection and Response (EDR)

7.3 - Administer Mobile Device Management (MDM)

  • Provisioning techniques (e.g., corporate owned, personally enabled (COPE), Bring Your Own Device (BYOD))
  • Containerization
  • Encryption
  • Mobile application management (MAM)

7.4 - Understand and configure cloud security

  • Deployment models (e.g., public, private, hybrid, community)
  • Service models (e.g., Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS))
  • Virtualization (e.g., hypervisor)
  • Legal and regulatory concerns (e.g., privacy, surveillance, data ownership, jurisdiction, eDiscovery)
  • Data storage, processing, and transmission (e.g., archiving, recovery, resilience)
  • Third-party/outsourcing requirements (e.g., service-level agreement (SLA), data portability, data destruction, auditing)
  • Shared responsibility model

7.5 - Operate and maintain secure virtual environments

  • Hypervisor
  • Virtual appliances
  • Containers
  • Continuity and resilience
  • Attacks and countermeasures
  • Shared storage