SSCP Exam Outline Sept17
The broad spectrum of topics included in the SSCP Common Body of Knowledge (CBK) ensures its relevancy
across all disciplines in the field of information security. Successful candidates are competent in the following
7 domains:
• Access Controls
• Security Operations and Administration
• Risk Identification, Monitoring, and Analysis
• Incident Response and Recovery
• Cryptography
• Network and Communications Security
• Systems and Application Security
Experience Requirements
Candidates must have a minimum of 1 year cumulative work experience in 1 or more of the 7 domains of the
SSCP CBK. A 1-year experience waiver will be granted for a candidate who received a degree (bachelor's or
master's) in a cybersecurity program.
A candidate who doesn’t have the required experience to become an SSCP may become an Associate of
(ISC)² by successfully passing the SSCP examination. The Associate of (ISC)² will then have 2 years to earn the
1 year of required experience.
Accreditation
SSCP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard 17024.
5. Cryptography 9%
Total: 100%
» Single/multifactor authentication
» Single sign-on
» Device authentication
» Authorization
» Proofing
» Provisioning
» Maintenance
» Entitlement
» Mandatory
» Non-Discretionary
» Discretionary
» Role-based
» Attribute-based
» Confidentiality
» Integrity
» Availability
» Accountability
» Privacy
» Non-repudiation
» Least privilege
» Separation of duties
» Deterrent controls
» Preventative controls
» Detective controls
» Corrective controls
» Compensating controls
» Lifecycle
» Hardware
» Software
» Data
» Technical controls
» Operational controls
» Managerial controls (e.g., security policies, baselines, standards, and procedures)
2.8 Participate in Physical Security Operations (e.g., security assessment, cameras, locks)
» Risk Visibility and Reporting (e.g., risk register, sharing threat intelligence)
» Risk management concepts (e.g., impacts, threats, vulnerabilities)
» Risk assessment
» Risk treatment (accept, transfer, mitigate, avoid)
» Audit findings
» Events of interest
» Logging
» Source systems
» Discovery
» Escalation
» Reporting and feedback loops (lessons learned)
» Incident response
» Implementation of countermeasures
4.2 Understand and support forensic investigations (e.g., first responder, evidence handling, chain of custody, preservation of scene)
4.3 Understand and Support Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
» Emergency response plans and procedures (e.g., information system contingency plan)
» Interim or alternate processing strategies
» Restoration planning
» Backup and redundancy implementation
» Testing and drills
» Hashing
» Salting
» Symmetric/asymmetric encryption
» Digital signatures
» Non-repudiation
» Fundamental key management concepts (e.g., key rotation, key composition, cryptographic attacks)
» Public key infrastructure
» Administration and validation (e.g., key creation, exchange, revocation, escrow)
» Web of Trust (e.g., PGP)
» Implementation of secure protocols (e.g., IPSec, SSL/TLS, S/MIME)
» Converged communications
» Attacks and countermeasures
7.2 Implement and Operate Endpoint Device Security (e.g., virtualization, thin clients, thick clients, USB devices)
» Operation models (e.g., public, private, hybrid)
» Service models (e.g., DNS, email, proxy, VPN)
» Virtualization (e.g., hypervisor)
» Legal and privacy concerns (e.g., surveillance, data ownership, jurisdiction, eDiscovery)
» Data storage and transmission (e.g., archiving, recovery, resilience)
» Third-party/outsourcing requirements (e.g., SLA, data portability, data destruction, auditing)
» Application vulnerabilities
» Architecture or design vulnerabilities
Legal Info
For any questions related to (ISC)²’s legal policies, please contact the (ISC)² Legal Department at legal@isc2.org.
Any Questions?
(ISC)² Candidate Services
311 Park Place Blvd, Suite 400
Clearwater, FL 33759
(ISC)² Americas
Tel: +1.727.785.0189
Email: info@isc2.org
(ISC)² EMEA
Tel: +44 (0)203 300 1625
Email: info-emea@isc2.org
v823 13