Information & Cyber Security Foundation (ICSF)

ICSF Examination Syllabus

v1.1 June 2020


Table of Contents
Introduction to the Certification 3

Objectives of the Examination 3

Eligibility for the Examination 4

Format of the Examination 4


Additional time 4

Syllabus Detail 5

Question Weighting 11

CIISEC Skills Levels and Knowledge Framework 11


Skills Levels 11
Knowledge Framework 11

Syllabus References 13
International Standards 13
North American (NIST) Standards 14
Other Cyber Security Organisations and Information 15
Related Legislation 15
Recommended Reading 16

Change History
Version Date Description
V0.1 March 2019 Draft syllabus
V1.0 August 2019 1st Release
V1.1 June 2020 Changed from Certified to Accredited Affiliate

v1.1 June 2020 Page 2 of 16


Introduction to the Certification
The Chartered Institute of Information Security (CIISEC) has developed a Knowledge
Framework [i] which is intended to provide a grounding in information security to anyone who:
• requires a basic understanding of information security in order to enhance their current
role, or;
• wishes to enter an information security or related function, or;
• already has responsibilities for information security and wishes to further develop their
knowledge and skills, or;
• wishes to ensure that their information is adequately protected.
Certification is awarded to those who have passed the CIISEC examination based on this
Knowledge Framework, and assigns them the title of Accredited Affiliate (AfCIIS), which can
in time lead to full membership.
This document describes the examination syllabus covering the range of concepts,
approaches and techniques that are applicable to the CIISEC Accredited Affiliate Certification,
for which candidates must demonstrate their knowledge and understanding of these aspects
of information security.
The examination is assessed against levels 1 and 2 of the CIISEC Skills Framework, which is
briefly described later in this document.

The ICSF entry level exam is the official starting point for new people entering the Cyber
profession and can also be used to baseline groups of people with the minimum amount of
knowledge required in 45 cyber skill areas, for example Apprentices, Graduates, Underwriters and
Technical Staff. It lowers both the cost barrier and the technical barrier of entry to the
Cyber profession by providing topical access to the “Cyber Security Body of Knowledge
(CyBOK)” for Levels 1 and 2. This exam opens the gates to the profession to everyone and
should be the first professional qualification in Cyber as one starts their career or enters an
information security or related function.

The CIISEC Knowledge Framework (195 pages) is provided to each examinee to self-study
before the exam, therefore a formal training course is not required but is still available.
An optional exam prep day can also be delivered to private groups at one of the QA
training centres or on client premises.

Objectives of the Examination


Candidates should be able to demonstrate knowledge and understanding of the CIISEC
Knowledge Framework. Key areas are:
• Threat, Vulnerability, Risk Assessment and Management (B);
• Governance and Information Security Management (A);
• Security Architecture and Controls (C);
• Information Security Framework (A);
• Security Lifecycle (C);
• Operational Compliance (E).

Eligibility for the Examination
Candidates must either have studied the CIISEC Knowledge Framework, or have attended
an accredited training course. Knowledge of Information and Communications Technology
(ICT) would be an advantage.

Prerequisites
There are no prerequisites for this exam although a general knowledge of IT would be
beneficial.

Format of the Examination


Type of examination: A ‘closed book’, ONLINE, proctored examination consisting of 100 multiple
choice questions.
Duration of examination: Two hours.
Pass Mark: 65/100 (65%)
Distinction Mark: 80/100 (80%)

Additional time
When booking the examination, candidates may request additional time. An additional 30
minutes will be permitted for those candidates:
• for whom English is not their first language. Paper dictionaries only may be used.
• who suffer some recognised disability such as dyslexia or visual impairment.

Successful Candidates
Successful candidates will earn the following:
• Information & Cyber Security Foundation (ICSF) certificate
• Accredited Affiliate membership to the Chartered Institute of Information Security (1
year) – Join and participate in the Cyber community
• Able to use the post-nominal: AfCIIS

Syllabus Detail
1. Introduction.
This syllabus is related directly to the various sections of the CIISEC Knowledge Framework. It
is not designed to be read or studied in any particular order.
2. Knowledge Areas
2.1. Goals and Principles
The primary goal of cyber and information security is to preserve the confidentiality,
integrity, and availability of information and information systems. A significant
failure in one or more of them could result in loss of reputation, privacy or life, and in
financial loss.
The principles behind an organisation’s Information Security Management System (ISMS)
should be to design, implement, and maintain a coherent set of policies, processes, and
controls that keep the risks associated with its information assets at a tolerable level
whilst managing the cost and inconvenience. The goals of cyber and information security
are to:
• Understand the current risk appetite of the enterprise with respect to cyber and
information security.
• Understand the security threats and potential consequences and damage to
information, information systems, devices, and individuals.
• Create and follow policies and procedures that keep cyber and information risks,
consequences and damage at or below a tolerable level.
• Create, securely deploy and maintain suitable controls to minimise risks and
vulnerabilities to reduce the threat potential and business impact.
• Effectively and efficiently detect and deal with cyber and information security
incidents.
2.2. Threat, Vulnerability, Risk Assessment and Management
Risk assessment is fundamental to information security. It begins by identifying the threats
and vulnerabilities facing an organisation, and then assessing their likelihood and potential
impact.
2.2.1. Risk Management
Risk management is the overall process of identifying and mitigating risks to the
organisation’s information assets. It incorporates Context Establishment; Risk
Assessment (which is further broken down into risk identification, risk analysis and
risk evaluation); Risk Treatment; Communication and Consultation; and Monitoring
and Review.
2.2.2. Threat Modelling
Threat models or threat scenarios are based on a structured approach for analysing
the security of a system. The two common methods are the use of Attack Trees and
Microsoft’s STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure,
Denial of Service and Elevation of Privilege) tool.
2.2.3. Vulnerability Assessment/Management and Penetration Testing
Assessing the likelihood of a successful attack requires the identification of
vulnerabilities in systems and networks. Much of this work can be achieved by
examining information from a variety of sources, and can be verified through
controlled penetration testing.
2.2.4. Threat Intelligence
Threat intelligence is information that has been aggregated, transformed and
analysed, to provide the necessary context for decision-making processes. The
principle behind threat intelligence is to provide the ability to recognise and act upon
indicators of attack and compromise scenarios in a timely manner.
2.3. Governance and Information Security Management
This section of the syllabus deals with the overall governance of information security
within the organisation, and also the process of information security management by
which this is achieved.
2.3.1. Governance
Corporate governance refers to the mechanisms, processes and relationships by
which organisations are controlled and directed. Governance structures identify the
rights and responsibilities among different participants in the organisation, such as
the board of directors, managers, shareholders, creditors, auditors, regulators, and
other stakeholders.
2.3.2. Information Security Management
Information security management is the means by which information security
(confidentiality, integrity and availability) can be achieved. The standard ISO/IEC
27001 describes a way to manage information security, by creating an Information
Security Management System (ISMS).
2.4. Security Architecture and Controls
Information security risks are treated by the use of controls. This section of the syllabus
deals not only with the various types of control, but also the means by which the
organisation can select the most appropriate type.
2.4.1. Types of Controls
Security controls fall into four distinct categories – Preventative, Deterrent, Detective
and Corrective – and within those categories are of four different types – Physical,
Procedural, Personnel and Technical controls.
2.4.2. Security Architecture
Security architecture addresses potential risks involved in a certain scenario or
environment and assists the security architect in specifying when and where to apply
security controls. In a security architecture, the security design principles are defined
and the placement of security controls is generally documented.
2.4.3. Design Patterns
A design pattern is the re-usable form of a solution to a design problem. The term
design pattern was originally used by building architects, who abstracted common
design patterns in architecture and formalised a way of describing the patterns in a
pattern language.
2.4.4. Security Design Principles
To improve software development processes and the resultant applications, a book
entitled Building Secure Software was published in 2002. It describes ten guiding
principles that help software developers produce more secure software.
2.4.5. Physical Controls
Physical security controls can be defined as the measures taken to ensure the safety
and material existence of something or someone against theft, espionage, sabotage,
or harm. It is the first step in the layered approach of information security.
2.4.6. Procedural Controls
Procedural security controls cover the rules, regulations and policies that an
organisation puts in place to help mitigate risks. As opposed to other controls,
procedural controls rely on users to follow rules or perform certain steps that are not
necessarily enforced by technical or physical means.
2.4.7. Personnel Controls
Personnel security controls are a system of policies and procedures used to
mitigate the risk of staff and other “insiders” exploiting their legitimate access
to assets for unauthorised purposes.
2.4.8. Cloud Computing
Cloud computing is a model for enabling convenient, on-demand network access to a
shared pool of configurable computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and released with minimal
management effort or service provider interaction.
2.4.9. Internet of Things
The Internet of Things (IoT) is a system of interrelated computing devices, physical
devices, vehicles, buildings, sensors and actuators that are networked together – and
are internet reachable.
2.4.10. Industrial Control Systems
Industrial Control Systems (ICS) refer to real-time industrial process control systems
used to centrally monitor and control remote or local industrial equipment such as
motors, valves, pumps and relays, robotics, etc. ICS systems can be used to control
and monitor a very wide range of applications such as chemical plant processes, oil
and gas pipelines, electrical generation and transmission equipment, manufacturing
facilities, water purification and distribution, etc.
2.4.11. Cryptography
Cryptography is the science of applying a complex mathematical operation to some
data, whether it is a message or data being transmitted or residing on a disk.
Cryptography means literally hidden or secret writing. It involves changing normal
information into another form that hides it and makes it secret.
2.4.12. Technical Controls
Technical controls incorporate Access Control, Auditing and Alerting, Content
Control, Cryptographic Services, Detection, Identification and Authentication,
Security Management and Trusted Communications. Each type is dealt with in detail.
2.5. Information Security Framework
The legal and regulatory framework surrounding information security is complex. This
section of the syllabus aims to guide the reader through the various sources, and explain
their interrelationship and purpose.
2.5.1. Legislation
Legislation in the UK is the result of an Act of Parliament. There are many Laws that
impact information security, some of which are home-grown, and others that have
been implemented as a result of international Law or European Union Directives.
2.5.2. Regulations
Regulations are similar to legislation, although they are produced separately from
Acts of Parliament. Adherence to regulations is mandatory, and failure to do so can
result in penalties, in the same way as failure to observe the Law.
2.5.3. Policies
Policies are described as “Intentions and direction of an organisation as formally
expressed by its top management”. This means that they must be adhered to, but at
an organisational level rather than at a national level.
2.5.4. Standards
The Standards relating to information security are developed both nationally, in the
UK and the USA, and internationally. Failure to adopt or adhere to a Standard
usually results in a failure in a system or process. In some cases, organisations can
be assessed against a Standard as a means of achieving certification.
2.5.5. Guidelines
Whilst Standards dictate what should be done, guidelines explain how to achieve
them. As with Standards, organisations ignoring them may find that systems and
processes do not work in the way they may have intended.
2.5.6. Procedures
A procedure is a set of detailed working instructions that describes what, when, how
and by whom something should be done. Procedures are mandatory and they usually
support policies and standards.
2.5.7. Security Awareness
Effective information security begins and ends with security awareness and
appropriate training for members of staff with responsibility for information security
related functions. A comprehensive information security program not only focuses
on physical and technical security practices and methods, but also on the human
aspects of security threats and common methods employed by malicious parties to
take advantage of those without security awareness and training.
2.5.8. Security Strategies
A security strategy details the series of steps necessary for an organisation to
identify, remediate and manage risks while staying compliant with applicable
legislation and regulations. It should be aligned with an Information Security
Management System (ISMS) as it provides both strategic and operational frameworks
in particular as regards governance.
2.6. Security Lifecycle
This section of the syllabus examines the full lifecycle of a system from its initial
development, through its deployment and finally its maintenance.
2.6.1. Security Development Lifecycle
The Security Development Lifecycle is a software development process that helps
developers build more secure software and address security compliance
requirements.
2.6.2. Secure Coding
Secure coding incorporates a number of principles – Input Validation, Least Privilege,
Data Sanitisation, Buffer Overflow checks, Compiler Warnings and Secure Coding
Standards.
2.6.3. Testing
Development teams should always perform tests on development or pre-production
systems, whereas vulnerability assessments and penetration tests are frequently
performed on production systems.
2.6.4. Hardening
Hardening is also known as secure configuration and sometimes as lockdown. It is the
secure configuration of an operating system, device, service or an application to
remove vulnerabilities that are present in a standard build.
2.6.5. Independent Assurance
Organisations can gain assurance of security functionality and resistance to threats
for both products and services. Assurance may be gained from independent sources,
namely – Product Assurance, System Assurance and Cryptographic Assurance.
2.6.6. Deployment and Release Management
Release Management is a discipline that encompasses managing, planning, designing,
building, configuring, testing and scheduling of hardware and software releases
through different stages and environments until they are deployed into production.
2.6.7. Patch Management
The process of applying patches is termed patch management. The main objective of
a patch and vulnerability management process is to detect vulnerabilities and then
patch them in a timely fashion.
2.6.8. Change Management
As with all system modifications, patches and updates must be performed and
tracked through the change management system. It is highly unlikely that an
enterprise-scale patch management program can be successful without proper
integration with the change management system and organisation.
2.6.9. Data Security Lifecycle
The “Data Security Lifecycle” (DSL) was created to understand where data is at all
times. Understanding where enterprise data resides, and the path it takes between
systems, is imperative not only to comply with legal and regulatory requirements but
also to ensure that appropriate controls are being deployed.
2.7. Operational Compliance
This section of the syllabus examines how organisations can establish whether their ISMS
is being effectively and efficiently operated and managed, whilst complying with relevant
legal, statutory and regulatory requirements.
2.7.1. Auditing
Auditing is an integral part of the overall information security management process,
and is defined as the “Systematic, independent and documented process for
obtaining audit evidence and evaluating it objectively to determine the extent to
which the audit criteria are fulfilled.”
2.7.2. Compliance Monitoring
Compliance monitoring defines and implements processes to verify on-going
conformance to security and regulatory requirements. This is accomplished through
undertaking security compliance checks against technical, physical, procedural and
personnel controls using appropriate methodologies and technologies.
2.7.3. Protective Monitoring
Protective monitoring enables the efficient, automatic monitoring, alerting and
reporting of system changes and significant system events. It is a management
function, supported by systems and technology allowing an organisation to monitor
how information systems are used, misused or compromised.
2.7.4. Incident Management
Information security incidents come as network attacks from hackers, virus
outbreaks or simply from someone not following procedures. The impact of such an
incident might be a confidentiality breach or maybe a denial of service attack. Robust
incident management can help resolve these in a timely and efficient manner.

Question Weighting
Syllabus area: Number of questions
Threat, Vulnerability, Risk Assessment and Management: 20
Governance and Information Security Management: 10
Security Architecture and Controls: 30
Information Security Framework: 15
Security Lifecycle: 15
Operational Compliance: 10
Total: 100

CIISEC Skills Levels and Knowledge Framework


Skills Levels
The CIISEC Skills Framework contains in detail the knowledge that a practitioner should have at
Levels 1 and 2. The definitions of these two levels are as follows:
Level 1: (Knowledge) Basic knowledge of principles/follow good user practice
Has acquired and can demonstrate basic knowledge associated with the skill, e.g. through training or
self-tuition.

Level 2: (Knowledge and Understanding) Knowledge and Understanding of basic principles
Understands the skill and its application.
Knowledge: Has acquired and can demonstrate the basic knowledge associated with the skill, for
example has attended a training course or completed an academic module in the skill. Understands
how the skill should be applied.
Practice: Can explain the principles of the skill and how it should be applied. This might include
experience of applying the skill to basic tasks in a training or academic environment, for example
through participation in syndicate exercises, undertaking practical exercises in using the skill,
and/or passing a test or examination. Should be aware of recent developments in the skill.

Knowledge Framework
The objectives of the Knowledge Framework are:
1. To define the knowledge at Levels 1 and 2 required by professionals in Cyber Security and
Information Security.
2. To assist CIISEC interviewers and assessors in understanding the requirements of knowledge
and understanding for each of the Security Disciplines.
3. To provide topical access to the “Cyber Security Body of Knowledge” [ii] for Levels 1 and 2.
4. To promote a consistent view of Cyber Security and Information Security.
5. To provide a foundation for curriculum development, course accreditation and for individual
professional certification. In particular, to define the knowledge required to pass a Level 1
examination.
6. To inform organisations and managers deciding which competencies and skills practising
Cyber Security and Information Security professionals should possess in various roles ranging
from apprentice to expert.

Syllabus References
The following references are not a complete list of the Standards, Guidelines and Legislation relating
to information security, but they will provide much of the background material supporting the
Knowledge Framework. Candidates should be aware, however, that ISO and BS Standards are not
free of charge, unlike the American NIST Standards. ISO Standards are available on the BSI Shop
website: https://shop.bsigroup.com
International Standards
ISO/IEC 27000:2018 Information technology — Security techniques — Information security
management systems — Overview and vocabulary.
ISO/IEC 27001:2013 Information technology — Security techniques — Information security
management systems — Requirements.
ISO/IEC 27002:2013 Information technology — Security techniques — Information security
management systems — Code of practice for information security
controls.
ISO/IEC 27005:2018 Information technology — Security techniques — Information security
risk management.
ISO/IEC 27006:2015 Information technology — Security techniques — Requirements for
bodies providing audit and certification of information security
management systems.
ISO/IEC 27014:2013 Information technology — Security techniques — Governance of
information security.
ISO/IEC 27033:2015 Information technology — Security techniques — Network security —
Part 1: Overview and concepts.
ISO/IEC 27035-1:2016 Information technology — Security techniques — Information security
incident management — Part 1: Principles of incident management.
ISO/IEC 27035-2:2016 Information technology — Security techniques — Information security
incident management — Part 2: Guidelines to plan and prepare for
incident response.
ISO/IEC 24760:2011 Information technology — Security techniques — A framework for
identity management — Part 1: Terminology and concepts.
ISO/IEC 15408-1:2009 Information technology — Security techniques — Evaluation criteria for
IT security — Part 1: Introduction and general model.
ISO/IEC 15408-2:2008 Information technology — Security techniques — Evaluation criteria for
IT security — Part 2: Security functional components.
ISO/IEC 15408-3:2008 Information technology — Security techniques — Evaluation criteria for
IT security — Part 3: Security assurance components.
ISO Guide 73:2009 Definitions of generic terms related to Risk Management.
ISO 31000:2009 Risk management — Principles and guidelines.
ISO 31010:2009 Risk Management — Risk Assessment Techniques.

North American (NIST) Standards
NIST SP 800-30 Guide for Conducting Risk Assessments. (September 2012)
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
NIST SP 800-40 Rev 3 Guide to Enterprise Patch Management Technologies. (July 2013)
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf
NIST SP 800-50 Building an Information Technology Security Awareness and Training
Program
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf
NIST SP 800-82 Rev 2 Guide to Industrial Control Systems (ICS) Security. (May 2015)
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
NIST SP 800-88 Rev 1 Guidelines for Media Sanitization
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
NIST SP 800-145 The NIST Definition of Cloud Computing (September 2011)
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
NIST SP 800-175A Guideline for Using Cryptographic Standards in the Federal
Government: Directives, Mandates and Policies (August 2016).
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-175A.pdf
NIST SP 800-175B Guideline for Using Cryptographic Standards in the Federal
Government: Cryptographic Mechanisms (August 2016).
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-175B.pdf
NIST SP 500-292 NIST Cloud Computing Reference Architecture. (September 2011)
https://www.nist.gov/publications/nist-cloud-computing-reference-architecture?pubid=909505

Other Cyber Security Organisations and Information
CIISEC The Chartered Institute of Information Security
https://www.CIISEC.org
NIST The National Institute of Standards and Technology
https://www.nist.gov/
BSI The British Standards Institute
https://www.bsigroup.com/
NCSC National Cyber Security Strategy 2016-2021
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/nationalcybersecuritystrategy2016.pdf
ITIL Information Technology Infrastructure Library
https://www.axelos.com/best-practice-solutions/itil/what-is-itil
IoT Security Foundation IoT Security Foundation Guidelines
https://iotsecurityfoundation.org/best-practice-guidelines/
COSO 2017 Enterprise Risk Management Integrated Framework
https://www.coso.org/Pages/default.aspx
OCEG Red Book v3.0 2015 A Governance, Risk and Compliance Capability Model
https://go.oceg.org/grc-capability-model-red-book

Related Legislation
Data Protection Act 1998
http://www.legislation.gov.uk/UKPGA/1998/29/contents
Computer Misuse Act 1990
http://www.legislation.gov.uk/ukpga/1990/18/contents
Regulation of Investigatory Powers Act 2000
http://www.legislation.gov.uk/ukpga/2000/23/contents
Investigatory Powers Act 2016
http://www.legislation.gov.uk/ukpga/2016/25/contents/enacted
Freedom of Information Act 2000
http://www.legislation.gov.uk/ukpga/2000/36/contents
Copyright, Designs and Patents Act 1998
http://www.legislation.gov.uk/ukpga/1988/48/contents
Human Rights Act 1998
http://www.legislation.gov.uk/ukpga/1998/42/contents
Companies Act 2006
http://www.legislation.gov.uk/ukpga/2006/46/contents
Sarbanes Oxley Act 2002
https://www.gpo.gov/fdsys/pkg/PLAW-107publ204/content-detail.html
Gramm-Leach-Bliley Act 1999
https://www.congress.gov/bill/106th-congress/senate-bill/00900
NIS Directive: NIS Directive (EU) 2016/1148 of the European Parliament and of the
Council of 6 July 2016 concerning measures for a high common level of security of
network and information systems across the Union
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&rid=1
Information Commissioner’s Office
https://ico.org.uk/
Privacy and Electronic Communications Regulations:
Privacy and Electronic Communications Regulations 2003
http://www.legislation.gov.uk/uksi/2003/2426/contents/made
Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2004
http://www.legislation.gov.uk/uksi/2004/1039/contents/made
The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015
http://www.legislation.gov.uk/uksi/2015/355/contents/made
The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2016
http://www.legislation.gov.uk/uksi/2016/524/contents/made
The Privacy and Electronic Communications (EC Directive) (Amendment) (No. 2) Regulations 2016
http://www.legislation.gov.uk/uksi/2016/1177/contents/made
General Data Protection Regulation: The General Data Protection Regulation (GDPR) (Regulation (EU)
2016/679)
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

Recommended Reading
The following publications are recommended reading to accompany the Knowledge Framework.
Information Security Management Principles - 2nd Edition. Andy Taylor (Editor), David Alexander, Amanda
Finch, David Sutton. BCS, 2013. ISBN 978-1-78017-175-3.

[i] CIISEC will provide a hyperlink to download the Knowledge Framework to each registered examinee.
[ii] https://www.cybok.org
