(ISC)²
ISC2's Certified Information Systems Security Professional (CISSP): the gold-standard management-level security credential, covering the breadth of information security across the 8 domains of the CISSP Common Body of Knowledge (CBK).
Avg Salary
$148k/yr
Difficulty
Expert
Prep Time
~250h
Exam Cost
$749
Skills Covered
Questions
100-150 (computer adaptive; the count varies per candidate)
Duration
180 min
Pass Score
700 out of 1,000 (scaled score, not a raw percentage)
Format
Multiple choice and advanced innovative items, delivered as a computerized adaptive test (CAT)
Security and Risk Management
6 objectives
Understand, adhere to, and promote professional ethics (ISC² Code of Ethics).
Understand and apply security concepts (confidentiality, integrity, availability, authenticity, non-repudiation).
Evaluate and apply security governance principles (alignment with organizational goals, legal/regulatory compliance).
Manage the information security function (security policies, standards, procedures, guidelines).
Develop, document, and implement a security policy based on risk assessment findings.
Implement threat intelligence in risk management and business continuity planning.
Asset Security
4 objectives
Identify and classify information and assets according to data classification policies.
Establish information and asset handling requirements throughout the data lifecycle.
Manage data lifecycle (collection, location, maintenance, retention, remanence, destruction).
Ensure appropriate retention and destruction of assets based on compliance requirements.
Security Architecture and Engineering
5 objectives
Research, implement, and manage engineering processes using secure design principles.
Understand the fundamental concepts of security models (Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash).
Select controls based on system security requirements and evaluate security capabilities.
Assess and mitigate vulnerabilities in security architectures, designs, and solution elements.
Apply cryptography concepts (symmetric, asymmetric, hashing, PKI, digital signatures, blockchain).
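As an added example (not from the page and not ISC2's material), the two lattice-based models named above, Bell-LaPadula for confidentiality and Biba for integrity, written as access-check functions over labels made of a level plus a set of compartments. The level names, compartment names and the sample subject and object labels are constructed for illustration; Clark-Wilson and Brewer-Nash are not lattice models and are not shown.

```python
"""Mandatory access control checks for the Bell-LaPadula (confidentiality)
and Biba (integrity) models over a label lattice.

Constructed example, not code from the page or from ISC2. Level names and
compartment names are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordered sensitivity (BLP) or trust (Biba) level; higher dominates lower."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A lattice label: a level plus a set of compartments (need-to-know)."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: level at least as high AND compartments a superset.
        Labels with different compartments are incomparable: neither dominates."""
        return self.level >= other.level and self.compartments >= other.compartments


# Bell-LaPadula: protects confidentiality.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up (subject must dominate object)."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down (object must dominate subject)."""
    return obj.dominates(subject)


# Biba: protects integrity; the same lattice with the read/write directions swapped.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity property: no read down (object integrity must dominate subject's)."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """*-integrity property: no write up (subject integrity must dominate object's)."""
    return subject.dominates(obj)


def decide(model: str, action: str, subject: Label, obj: Label) -> bool:
    """Dispatch a (model, action) pair to its rule; anything unknown is denied (fail closed)."""
    rules = {
        ("blp", "read"): blp_can_read,
        ("blp", "write"): blp_can_write,
        ("biba", "read"): biba_can_read,
        ("biba", "write"): biba_can_write,
    }
    rule = rules.get((model, action))
    return bool(rule and rule(subject, obj))


def demo() -> dict:
    """Walk an analyst labelled SECRET/{CRYPTO} through both models (constructed labels)."""
    analyst = Label(Level.SECRET, frozenset({"CRYPTO"}))
    memo = Label(Level.CONFIDENTIAL, frozenset({"CRYPTO"}))   # lower level, same compartment
    plan = Label(Level.TOP_SECRET, frozenset({"CRYPTO"}))     # higher level
    nuclear = Label(Level.SECRET, frozenset({"NUCLEAR"}))     # same level, other compartment
    return {
        "blp_read_memo": decide("blp", "read", analyst, memo),        # allowed: reading down
        "blp_write_memo": decide("blp", "write", analyst, memo),      # denied: would leak downward
        "blp_read_plan": decide("blp", "read", analyst, plan),        # denied: no read up
        "blp_write_plan": decide("blp", "write", analyst, plan),      # allowed: writing up
        "blp_read_nuclear": decide("blp", "read", analyst, nuclear),  # denied: no need-to-know
        "biba_read_memo": decide("biba", "read", analyst, memo),      # denied: no read down
        "biba_write_memo": decide("biba", "write", analyst, memo),    # allowed: writing down
        "biba_write_plan": decide("biba", "write", analyst, plan),    # denied: no write up
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18} {'ALLOW' if allowed else 'DENY'}")
```

The point worth noticing is that both models use the same dominance relation; only the direction of the read and write checks is flipped, which is why a system that enforces both at once tends to leave a high-sensitivity, high-integrity subject able to do very little. Compartments make labels a partial order rather than a total one, so a SECRET/{NUCLEAR} object is denied to a SECRET/{CRYPTO} subject in every direction.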
Communication and Network Security
3 objectives
Assess and implement secure design principles for network architectures (OSI and TCP/IP models).
Secure network components (firewalls, IDS/IPS, proxies, load balancers, wireless, VPN).
Implement secure communication channels according to design (voice, multimedia, remote access).
Identity and Access Management
5 objectives
Control physical and logical access to assets using authentication and authorization mechanisms.
Manage identification and authentication of people, devices, and services (MFA, biometrics, SSO, SAML, OAuth).
Implement federated identity with a third-party service (on-premises, cloud, hybrid).
Implement and manage authorization mechanisms (RBAC, ABAC, MAC, DAC, rule-based).
Manage the identity and access provisioning lifecycle (account reviews, privileged access).
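As an added example (not from the page and not ISC2's material), the RBAC, ABAC and DAC mechanisms listed above as small decision functions, with RBAC and ABAC combined under deny-overrides so that a denial carries the reasons needed for logging and access reviews. Role names, attribute names, the policy rules and the sample requests are all constructed for illustration.

```python
"""Authorization decisions for RBAC, ABAC and DAC, combined with deny-overrides.

Constructed example, not code from the page or from ISC2. Role names, attribute
names, policy rules and sample requests are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Request:
    subject: dict            # who: id, roles, department, ...
    action: str              # read / update / delete
    resource: dict           # what: type, owner, department, acl, ...
    env: dict = field(default_factory=dict)  # context: mfa, hour, ...


# RBAC: permissions attach to roles; users are assigned roles.
ROLE_PERMISSIONS = {
    "payroll_clerk": {("read", "payroll"), ("update", "payroll")},
    "auditor": {("read", "payroll"), ("read", "ledger")},
}


def rbac_allows(req: Request) -> bool:
    """True if any of the subject's roles carries (action, resource type)."""
    needed = (req.action, req.resource.get("type"))
    return any(needed in ROLE_PERMISSIONS.get(role, set())
               for role in req.subject.get("roles", []))


# ABAC: named predicates over subject, resource and environment attributes.
ABAC_RULES: list[tuple[str, Callable[[Request], bool]]] = [
    ("department_scoped_unless_auditor",
     lambda r: r.subject.get("department") == r.resource.get("department")
     or "auditor" in r.subject.get("roles", [])),
    ("mfa_required_for_writes",
     lambda r: r.action == "read" or bool(r.env.get("mfa"))),
    ("writes_in_business_hours",
     lambda r: r.action == "read" or 8 <= r.env.get("hour", -1) < 18),
]


def abac_violations(req: Request) -> list[str]:
    """Names of the rules that deny the request (empty list means ABAC permits it)."""
    return [name for name, rule in ABAC_RULES if not rule(req)]


# DAC: the resource owner decides, by ownership or by an explicit ACL entry.
def dac_allows(req: Request) -> bool:
    sid = req.subject.get("id")
    if sid == req.resource.get("owner"):
        return True
    return req.action in req.resource.get("acl", {}).get(sid, set())


def authorize(req: Request) -> tuple[bool, list[str]]:
    """Deny-overrides: RBAC must grant the permission AND every ABAC rule must hold.
    Returns (decision, reasons) so a denial can be logged and explained."""
    reasons = []
    if not rbac_allows(req):
        reasons.append("rbac: no role grants this permission")
    reasons += [f"abac: {name}" for name in abac_violations(req)]
    return (not reasons, reasons)


def demo() -> dict:
    """Constructed subjects and a payroll record; returns each decision."""
    payroll = {"type": "payroll", "department": "finance", "owner": "u1",
               "acl": {"u7": {"read"}}}
    clerk = {"id": "u2", "roles": ["payroll_clerk"], "department": "finance"}
    auditor = {"id": "u3", "roles": ["auditor"], "department": "audit"}
    return {
        "clerk_read": authorize(Request(clerk, "read", payroll)),
        "clerk_update_no_mfa": authorize(Request(clerk, "update", payroll, {"hour": 10})),
        "clerk_update_mfa": authorize(Request(clerk, "update", payroll, {"hour": 10, "mfa": True})),
        "clerk_update_night": authorize(Request(clerk, "update", payroll, {"hour": 23, "mfa": True})),
        "auditor_read": authorize(Request(auditor, "read", payroll)),
        "auditor_delete": authorize(Request(auditor, "delete", payroll)),
        "dac_owner_delete": dac_allows(Request({"id": "u1"}, "delete", payroll)),
        "dac_acl_read": dac_allows(Request({"id": "u7"}, "read", payroll)),
        "dac_acl_update": dac_allows(Request({"id": "u7"}, "update", payroll)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The design choice to take away: RBAC answers "may this role do this at all", ABAC answers "under these attributes and this context", and returning the list of failed rules rather than a bare boolean is what makes the resulting access logs reviewable during account and privileged-access reviews. DAC is kept separate because ownership-based decisions are made by the resource owner, not by a central policy, which is exactly why it is the weaker control in the outline's list.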
Security Assessment and Testing
4 objectives
Design and validate assessment, test, and audit strategies.
Conduct security control testing (vulnerability assessments, penetration testing, log reviews).
Collect security process data (technical, administrative, management controls).
Analyze test output and generate reports for stakeholders.
Security Operations
5 objectives
Understand and support investigations and forensic analysis requirements.
Conduct logging and monitoring activities (IDS/IPS, SIEM, egress monitoring, threat intelligence).
Perform configuration management and apply patch management processes.
Implement and support incident management and disaster recovery plans.
Implement and manage detective and preventive measures (allowlisting/denylisting, sandboxing, honeypots).
Software Development Security
4 objectives
Understand and integrate security in the Software Development Life Cycle (SDLC).
Identify and apply security controls in software development ecosystems (APIs, CI/CD, third-party libraries).
Assess the effectiveness of software security (code review, security testing, fuzzing, SAST/DAST).
Assess security impact of acquired software (COTS, open source, third-party, managed services).