SSCP Exam Outline
The broad spectrum of topics included in the SSCP Common Body of Knowledge (CBK®) ensures its relevancy
across all disciplines in the field of information security. Successful candidates are competent in the following
seven domains:
Experience Requirements
Candidates must have a minimum of one year of cumulative work experience in one or more of the seven
domains of the SSCP CBK. A one-year prerequisite pathway will be granted for candidates who received a
degree (bachelor's or master's) in a cybersecurity program.
A candidate who doesn't have the required experience to become an SSCP may become an Associate of
(ISC)² by successfully passing the SSCP examination. The Associate of (ISC)² will then have two years to earn
the one year of required experience. You can learn more about SSCP experience requirements and how to
account for part-time work and internships at www.isc2.org/Certifications/SSCP/experience-requirements.
Accreditation
SSCP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard 17024.
5. Cryptography 9%
Total: 100%
» Confidentiality
» Integrity
» Availability
» Accountability
» Privacy
» Non-repudiation
» Least privilege
» Segregation of duties (SoD)
» Deterrent controls
» Preventative controls
» Detective controls
» Corrective controls
» Compensating controls
1.7 Participate in implementing security awareness and training (e.g., social engineering/
phishing)
1.8 Collaborate with physical security operations (e.g., data center assessment, badging)
» Authorization
» Proofing
» Provisioning/De-provisioning
» Maintenance
» Entitlement
» Identity and access management (IAM) systems
» Mandatory
» Discretionary
» Role-based (e.g., attribute-, subject-, object-based)
» Rule-based
» Risk visibility and reporting (e.g., risk register, sharing threat intelligence/Indicators of
Compromise (IOC), Common Vulnerability Scoring System (CVSS))
» Risk management concepts (e.g., impact assessments, threat modelling)
» Risk management frameworks (e.g., International Organization for Standardization (ISO),
National Institute of Standards and Technology (NIST))
» Risk tolerance (e.g., appetite)
» Risk treatment (e.g., accept, transfer, mitigate, avoid, ignore)
3.2 Understand legal and regulatory concerns (e.g., jurisdiction, limitations, privacy)
» Security testing
» Risk review (e.g., internal, supplier, architecture)
» Vulnerability management lifecycle
» Source systems (e.g., applications, security appliances, network devices and hosts)
» Events of interest (e.g., anomalies, intrusions, unauthorized changes, compliance monitoring)
» Log management
» Event aggregation and correlation
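The outline names log management, event aggregation and correlation as topics without showing what a correlation rule looks like in practice. The following Python is an added example, not part of the (ISC)² outline: it normalizes two constructed source formats (firewall deny lines and sshd authentication lines; the log lines, hostnames and documentation-range IPs are made up for the demo) into a common event shape, aggregates per source IP, and applies one correlation rule, "N or more failed logins from an IP followed by a successful login within the window", enriched with firewall context. Lines no parser recognizes are returned rather than silently dropped, since unparsed sources are a detection blind spot.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample log lines for this example (not from any real system).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw01 kernel: DENY TCP 203.0.113.9:41000 -> 198.51.100.5:22",
    "2024-05-01T10:00:05Z host1 sshd[1201]: Failed password for admin from 203.0.113.9 port 41001",
    "2024-05-01T10:00:09Z host1 sshd[1202]: Failed password for admin from 203.0.113.9 port 41002",
    "2024-05-01T10:00:14Z host1 sshd[1203]: Failed password for root from 203.0.113.9 port 41003",
    "2024-05-01T10:00:20Z host1 sshd[1204]: Accepted password for admin from 203.0.113.9 port 41004",
    "2024-05-01T10:02:00Z host1 sshd[1210]: Failed password for bob from 198.51.100.77 port 50001",
    "2024-05-01T10:02:30Z host1 sshd[1211]: Accepted password for bob from 198.51.100.77 port 50002",
    "2024-05-01T10:03:00Z fw01 kernel: DENY TCP 203.0.113.9:41010 -> 198.51.100.5:3389",
    "2024-05-01T10:04:00Z host1 cron[1]: (root) CMD (run-parts /etc/cron.hourly)",  # no parser for this
]

# Assumed formats for the two constructed sources.
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+$"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: DENY (?P<proto>\S+) (?P<ip>[\d.]+):\d+ "
    r"-> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Event:
    ts: datetime
    source: str   # originating system
    ip: str       # the remote/source IP we correlate on
    kind: str     # normalized category: fw_deny | auth_fail | auth_success
    detail: str


def _parse_ts(raw: str) -> datetime:
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_events(lines: List[str]) -> Tuple[List[Event], List[str]]:
    """Map each known line format onto the common Event shape; keep unparsed lines visible."""
    events: List[Event] = []
    unparsed: List[str] = []
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            kind = "auth_fail" if m["outcome"] == "Failed" else "auth_success"
            events.append(Event(_parse_ts(m["ts"]), m["host"], m["ip"], kind, m["user"]))
            continue
        m = FW_RE.match(line)
        if m:
            events.append(Event(_parse_ts(m["ts"]), m["host"], m["ip"], "fw_deny",
                                f"{m['proto']} -> {m['dst']}:{m['dport']}"))
            continue
        unparsed.append(line)
    events.sort(key=lambda e: e.ts)  # correlation below assumes time order
    return events, unparsed


def aggregate_by_ip(events: List[Event]) -> Dict[str, Dict[str, int]]:
    """Simple aggregation: per source IP, count of each normalized event kind."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ev in events:
        counts[ev.ip][ev.kind] += 1
    return counts


def correlate(events: List[Event], threshold: int = 3,
              window: timedelta = timedelta(seconds=60)) -> List[dict]:
    """Rule: >= threshold auth failures from one IP within `window` before a success."""
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    fw_denies_seen: Dict[str, int] = defaultdict(int)
    alerts: List[dict] = []
    for ev in events:
        if ev.kind == "fw_deny":
            fw_denies_seen[ev.ip] += 1
        elif ev.kind == "auth_fail":
            recent_failures[ev.ip].append(ev.ts)
        elif ev.kind == "auth_success":
            cutoff = ev.ts - window
            fails_in_window = [t for t in recent_failures[ev.ip] if t >= cutoff]
            if len(fails_in_window) >= threshold:
                alerts.append({
                    "rule": "brute_force_then_success",
                    "ip": ev.ip,
                    "user": ev.detail,
                    "failures": len(fails_in_window),
                    "firewall_denies_before": fw_denies_seen[ev.ip],  # enrichment from 2nd source
                    "at": ev.ts.isoformat(),
                })
            recent_failures[ev.ip].clear()  # a success resets the failure streak
    return alerts


if __name__ == "__main__":
    evs, bad = normalize_events(SAMPLE_LOGS)
    print(f"{len(evs)} events normalized, {len(bad)} unparsed line(s)")
    for alert in correlate(evs):
        print(alert)
```

The threshold and window are rule parameters a practitioner would tune per environment; the point the outline's bullets leave implicit is that correlation only works once events from different sources share a common key (here the source IP and a UTC timestamp), and that the unparsed count should be monitored as a health metric of the pipeline itself.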
» Preparation
» Detection, analysis and escalation
» Containment
» Eradication
» Recovery
» Lessons learned/Implementation of new countermeasure
4.3 Understand and support business continuity plan (BCP) and disaster recovery plan (DRP)
activities
» Confidentiality
» Integrity and authenticity
» Data sensitivity (e.g., personally identifiable information (PII), intellectual property (IP),
protected health information (PHI))
» Regulatory and industry best practice (e.g., Payment Card Industry Data Security Standards (PCI-DSS),
International Organization for Standardization (ISO))
» Hashing
» Salting
» Symmetric/Asymmetric encryption/Elliptic curve cryptography (ECC)
» Non-repudiation (e.g., digital signatures/certificates, Hash-based Message Authentication Code (HMAC),
audit trails)
» Strength of encryption algorithms and keys (e.g., Advanced Encryption Standards (AES),
Rivest-Shamir-Adleman (RSA), 256-, 512-, 1024-, 2048-bit keys)
» Cryptographic attacks, cryptanalysis, and countermeasures (e.g., quantum computing)
» Services and protocols (e.g., Internet Protocol Security (IPsec), Transport Layer Security
(TLS), Secure/Multipurpose Internet Mail Extensions (S/MIME), DomainKeys Identified Mail (DKIM))
» Common use cases
» Limitations and vulnerabilities
» Fundamental key management concepts (e.g., storage, rotation, composition, generation, destruction,
exchange, revocation, escrow)
» Web of Trust (WOT) (e.g., Pretty Good Privacy (PGP), GNU Privacy Guard (GPG), blockchain)
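The hashing, salting, HMAC and non-repudiation items above are listed by name only. The following Python, an added example that is not part of the (ISC)² outline and uses only the standard library, shows why a per-user salt matters (an unsalted hash lets two users with the same password be spotted at a glance), how a salted memory-hard KDF and constant-time comparison are used for password verification, and how an HMAC verifies message integrity. It also demonstrates a caveat a practitioner should carry into the exam: because both sides hold the same HMAC key, the verifier can produce any tag it would accept, so an HMAC gives origin authentication within the key-sharing group but not non-repudiation toward a third party; that requires a digital signature. The scrypt cost parameters and sample passwords are assumptions chosen for a quick demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed scrypt parameters for a fast demonstration; raise n for production use.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def unsalted_hash(password: str) -> bytes:
    """Plain SHA-256 of the password: deterministic, so equal passwords give equal hashes.
    This is the property a salt removes (and it also enables precomputed-table attacks)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using salted scrypt, a memory-hard password KDF.
    A fresh random salt is generated per user unless one is supplied for verification."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time (never use ==)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over the message; protects integrity and proves the sender held `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


def hmac_is_not_non_repudiation(shared_key: bytes) -> bool:
    """Returns True to show the weakness: the *verifier*, holding the same key, can mint a
    tag for a message the sender never sent, and that tag passes verification. Neither
    party can prove to a third party who created a given tag, so HMAC alone does not
    provide non-repudiation; a digital signature (private key held by one party) does."""
    forged_message = b"transfer 1000 to attacker"
    forged_by_verifier = mac_tag(shared_key, forged_message)
    return verify_mac(shared_key, forged_message, forged_by_verifier)


if __name__ == "__main__":
    # Constructed sample credentials, not real accounts.
    s1, d1 = hash_password("correct horse battery staple")
    s2, d2 = hash_password("correct horse battery staple")
    print("unsalted hashes equal:", unsalted_hash("pw") == unsalted_hash("pw"))   # True
    print("salted digests equal: ", d1 == d2)                                      # False
    print("verify ok:            ", verify_password("correct horse battery staple", s1, d1))
    key = secrets.token_bytes(32)
    tag = mac_tag(key, b"amount=10")
    print("tampered accepted:    ", verify_mac(key, b"amount=99", tag))            # False
    print("verifier can forge:   ", hmac_is_not_non_repudiation(key))              # True
```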
6.2 Understand network attacks (e.g., distributed denial of service (DDoS), man-in-the-middle
(MITM), Domain Name System (DNS) poisoning) and countermeasures (e.g., content
delivery networks (CDN))
» Network access controls, standards and protocols (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1X, Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access-Control System Plus (TACACS+))
» Remote access operation and configuration (e.g., thin client, virtual private network (VPN))
» Logical and physical placement of network devices (e.g., inline, passive, virtual)
» Segmentation (e.g., physical/logical, data/control plane, virtual local area network (VLAN), access control list
(ACL), firewall zones, micro-segmentation)
» Secure device management
» Firewalls and proxies (e.g., filtering methods, web application firewall (WAF))
» Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
» Routers and switches
» Traffic-shaping devices (e.g., wide area network (WAN) optimization, load balancing)