CISSP Objective Map

The document outlines a comprehensive framework for Security and Risk Management, detailing various domains such as Asset Security, Security Architecture, Communication and Network Security, Identity and Access Management, and Security Assessment and Testing. Each domain includes specific topics and subtopics that cover essential concepts, methodologies, and best practices for managing security risks and ensuring compliance. The framework emphasizes the importance of ethical standards, legal compliance, risk management, and the implementation of security controls across multiple environments.

Domain | Description | Chapter
1 | Security and Risk Management | 1, 2, 3, 4, 19
1.1 | Understand, adhere to, and promote professional ethics | 19
1.1.1 | ISC2 Code of Professional Ethics | 19
1.1.2 | Organizational code of ethics | 19
1.2 | Understand and apply security concepts | 1
1.2.1 | Confidentiality, integrity, and availability, authenticity, and nonrepudiation (5 Pillars of Information Security) | 1
1.3 | Evaluate and apply security governance principles | 1
1.3.1 | Alignment of the security function to business strategy, goals, mission, and objectives | 1
1.3.2 | Organizational processes (e.g., acquisitions, divestitures, governance committees) | 1
1.3.3 | Organizational roles and responsibilities | 1
1.3.4 | Security control frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA), Payment Card Industry (PCI), Federal Risk and Authorization Management Program (FedRAMP)) | 1
1.3.5 | Due care/due diligence | 1
1.4 | Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context | 4
1.4.1 | Cybercrimes and data breaches | 4
1.4.2 | Licensing and Intellectual Property requirements | 4
1.4.3 | Import/export controls | 4
1.4.4 | Transborder data flow | 4
1.4.5 | Issues related to privacy (e.g., General Data Protection Regulation (GDPR), California Consumer Privacy Act, Personal Information Protection Law, Protection of Personal Information Act) | 4
1.4.6 | Contractual, legal, industry standards, and regulatory requirements | 4
1.5 | Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) | 19
1.6 | Develop, document, and implement security policy, standards, procedures, and guidelines | 1
1.7 | Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements | 3
1.7.1 | Business Impact Analysis (BIA) | 3
1.7.2 | External dependencies | 3
1.8 | Contribute to and enforce personnel security policies and procedures | 2
1.8.1 | Candidate screening and hiring | 2
1.8.2 | Employment agreements and policy driven requirements | 2
1.8.3 | Onboarding, transfers, and termination processes | 2
1.8.4 | Vendor, consultant, and contractor agreements and controls | 2
1.9 | Understand and apply risk management concepts | 2
1.9.1 | Threat and vulnerability identification | 2
1.9.2 | Risk analysis, assessment, and scope | 2
1.9.3 | Risk response and treatment (e.g., cybersecurity insurance) | 2
1.9.4 | Applicable types of controls (e.g., preventive, detection, corrective) | 2
1.9.5 | Control assessments (e.g., security and privacy) | 2
1.9.6 | Continuous monitoring and measurement | 2
1.9.7 | Reporting (e.g., internal, external) | 2
1.9.8 | Continuous improvement (e.g., risk maturity modeling) | 2
1.9.9 | Risk frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA), Payment Card Industry (PCI)) | 2
1.10 | Understand and apply threat modeling concepts and methodologies | 1
1.11 | Apply supply chain risk management (SCRM) concepts | 1
1.11.1 | Risks associated with the acquisition of products and services from suppliers and providers (e.g., product tampering, counterfeits, implants) | 1
1.11.2 | Risk mitigations (e.g., third-party assessment and monitoring, minimum security requirements, service level requirements, silicon root of trust, physically unclonable function, software bill of materials) | 1
1.12 | Establish and maintain a security awareness, education, and training program | 2
1.12.1 | Methods and techniques to increase awareness and training (e.g., social engineering, phishing, security champions, gamification) | 2
1.12.2 | Periodic content reviews to include emerging technologies and trends (e.g., cryptocurrency, artificial intelligence (AI), blockchain) | 2
1.12.3 | Program effectiveness evaluation | 2
2 | Asset Security | 5, 16
2.1 | Identify and classify information and assets | 5
2.1.1 | Data classification | 5
2.1.2 | Asset classification | 5
2.2 | Establish information and asset handling requirements | 5
2.3 | Provision information and assets securely | 16
2.3.1 | Information and asset ownership | 16
2.3.2 | Asset inventory (e.g., tangible, intangible) | 16
2.3.3 | Asset management | 16
2.4 | Manage data lifecycle | 5
2.4.1 | Data roles (i.e., owners, controllers, custodians, processors, users/subjects) | 5
2.4.2 | Data collection | 5
2.4.3 | Data location | 5
2.4.4 | Data maintenance | 5
2.4.5 | Data retention | 5
2.4.6 | Data remanence | 5
2.4.7 | Data destruction | 5
2.5 | Ensure appropriate asset retention (e.g., End of Life (EOL), End of Support) | 5
2.6 | Determine data security controls and compliance requirements | 5
2.6.1 | Data states (e.g., in use, in transit, at rest) | 5
2.6.2 | Scoping and tailoring | 5
2.6.3 | Standards selection | 5
2.6.4 | Data protection methods (e.g., Digital Rights Management (DRM), data loss prevention (DLP), cloud access security broker (CASB)) | 5
3 | Security Architecture and Engineering | 1, 6, 7, 8, 9, 10, 14, 16, 20, 21
3.1 | Research, implement, and manage engineering processes using secure design principles | 1, 8, 9, 16
3.1.1 | Threat modeling | 1
3.1.2 | Least privilege | 16
3.1.3 | Defense in depth | 1
3.1.4 | Secure defaults | 8
3.1.5 | Fail securely | 8
3.1.6 | Segregation of Duties (SoD) | 16
3.1.7 | Keep it simple and small | 8
3.1.8 | Zero trust or trust but verify | 8
3.1.9 | Privacy by design | 8
3.1.10 | Shared responsibility | 9
3.1.11 | Secure access service edge | 8
3.2 | Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula) | 8
3.3 | Select controls based upon systems security requirements | 8
3.4 | Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption) | 8
3.5 | Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements | 6, 7, 9, 16, 20
3.5.1 | Client-based systems | 9
3.5.2 | Server-based systems | 9
3.5.3 | Database systems | 20
3.5.4 | Cryptographic systems | 6, 7
3.5.5 | Industrial Control Systems (ICS) | 9
3.5.6 | Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS)) | 16
3.5.7 | Distributed systems | 9
3.5.8 | Internet of Things (IoT) | 9
3.5.9 | Microservices (e.g., application programming interface (API)) | 9
3.5.10 | Containerization | 9
3.5.11 | Serverless | 16
3.5.12 | Embedded systems | 9
3.5.13 | High-Performance Computing systems | 9
3.5.14 | Edge computing systems | 9
3.5.15 | Virtualized systems | 9
3.6 | Select and determine cryptographic solutions | 6, 7
3.6.1 | Cryptographic life cycle (e.g., keys, algorithm selection) | 6, 7
3.6.2 | Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum) | 6, 7
3.6.3 | Public Key Infrastructure (PKI) (e.g., quantum key distribution) | 7
3.6.4 | Key management practices (e.g., rotation) | 7
3.6.5 | Digital signatures and digital certificates (e.g., non-repudiation, integrity) | 7
3.7 | Understand methods of cryptanalytic attacks | 7, 14, 21
3.7.1 | Brute force | 7
3.7.2 | Ciphertext only | 7
3.7.3 | Known plaintext | 7
3.7.4 | Frequency analysis | 7
3.7.5 | Chosen ciphertext | 7
3.7.6 | Implementation attacks | 7
3.7.7 | Side-channel | 7
3.7.8 | Fault injection | 7
3.7.9 | Timing | 7
3.7.10 | Man-in-the-Middle (MITM) | 7
3.7.11 | Pass the hash | 14
3.7.12 | Kerberos exploitation | 14
3.7.13 | Ransomware | 21
3.8 | Apply security principles to site and facility design | 10
3.9 | Design site and facility security controls | 10
3.9.1 | Wiring closets/intermediate distribution frame | 10
3.9.2 | Server rooms/data centers | 10
3.9.3 | Media storage facilities | 10
3.9.4 | Evidence storage | 10
3.9.5 | Restricted and work area security | 10
3.9.6 | Utilities and Heating, Ventilation, and Air Conditioning (HVAC) | 10
3.9.7 | Environmental issues (e.g., natural disasters, man-made) | 10
3.9.8 | Fire prevention, detection, and suppression | 10
3.9.9 | Power (e.g., redundant, backup) | 10
3.10 | Manage the information system lifecycle | 8
3.10.1 | Stakeholders needs and requirements | 8
3.10.2 | Requirements analysis | 8
3.10.3 | Architectural design | 8
3.10.4 | Development/implementation | 8
3.10.5 | Integration | 8
3.10.6 | Verification and validation | 8
3.10.7 | Transition/deployment | 8
3.10.8 | Operations and maintenance/sustainment | 8
3.10.9 | Retirement/disposal | 8
4 | Communication and Network Security | 11, 12
4.1 | Apply secure design principles in network architectures | 11, 12
4.1.1 | Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models | 11
4.1.2 | Internet Protocol (IP) version 4 and 6 (IPv6) (e.g., unicast, broadcast, multicast, anycast) | 11
4.1.3 | Secure protocols (e.g., Internet Protocol Security (IPSec), Secure Shell (SSH), Secure Sockets Layer (SSL)/Transport Layer Security (TLS)) | 11
4.1.4 | Implications of multilayer protocols | 11
4.1.5 | Converged protocols (e.g., Internet Small Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP), InfiniBand over Ethernet, Compute Express Link) | 11
4.1.6 | Transport architecture (e.g., topology, data/control/management plane, cut-through/store-and-forward) | 11
4.1.7 | Performance metrics (e.g., bandwidth, latency, jitter, throughput, signal-to-noise ratio) | 12
4.1.8 | Traffic flows (e.g., north-south, east-west) | 11
4.1.9 | Physical segmentation (e.g., in-band, out-of-band, air-gapped) | 11
4.1.10 | Logical segmentation (e.g., virtual local area networks (VLANs), virtual private networks (VPNs), virtual routing and forwarding, virtual domain) | 11
4.1.11 | Micro-segmentation (e.g., network overlays/encapsulation; distributed firewalls, routers, intrusion detection system (IDS)/intrusion prevention system (IPS), zero trust) | 11
4.1.12 | Edge networks (e.g., ingress/egress, peering) | 11
4.1.13 | Wireless networks (e.g., Bluetooth, Wi-Fi, Zigbee, satellite) | 11
4.1.14 | Cellular/mobile networks (e.g., 4G, 5G) | 11
4.1.15 | Content distribution networks (CDN) | 11
4.1.16 | Software defined networks (SDN), (e.g., application programming interface (API), Software-Defined Wide-Area Network, network functions virtualization) | 11
4.1.17 | Virtual Private Cloud (VPC) | 11
4.1.18 | Monitoring and management (e.g., network observability, traffic flow/shaping, capacity management, fault detection and handling) | 12
4.2 | Secure network components | 11
4.2.1 | Operation of infrastructure (e.g., redundant power, warranty, support) | 11
4.2.2 | Transmission media (e.g., physical security of media, signal propagation quality) | 11
4.2.3 | Network Access Control (NAC) systems (e.g., physical, and virtual solutions) | 11
4.2.4 | Endpoint security (e.g., host-based) | 11
4.3 | Implement secure communication channels according to design | 12
4.3.1 | Voice, video, and collaboration (e.g., conferencing, Zoom rooms) | 12
4.3.2 | Remote access (e.g., network administrative functions) | 12
4.3.3 | Data communications (e.g., backhaul networks satellite) | 12
4.3.4 | Third-party connectivity (e.g., telecom providers, hardware support) | 12
5 | Identity and Access Management (IAM) | 13, 14
5.1 | Control physical and logical access to assets | 13
5.1.1 | Information | 13
5.1.2 | Systems | 13
5.1.3 | Devices | 13
5.1.4 | Facilities | 13
5.1.5 | Applications | 13
5.1.6 | Services | 13
5.2 | Design identification and authentication strategy (e.g., people, devices, and services) | 13
5.2.1 | Groups and Roles | 13
5.2.2 | Authentication, Authorization and Accounting (AAA) (e.g., multi-factor authentication (MFA), password-less authentication) | 13
5.2.3 | Session management | 13
5.2.4 | Registration, proofing, and establishment of identity | 13
5.2.5 | Federated Identity Management (FIM) | 13
5.2.6 | Credential management systems (e.g., Password vault) | 13
5.2.7 | Single sign-on (SSO) | 13
5.2.8 | Just-In-Time | 13
5.3 | Federated identity with a third-party service | 13
5.3.1 | On-premise | 13
5.3.2 | Cloud | 13
5.3.3 | Hybrid | 13
5.4 | Implement and manage authorization mechanisms | 14
5.4.1 | Role-based access control (RBAC) | 14
5.4.2 | Rule based access control | 14
5.4.3 | Mandatory access control (MAC) | 14
5.4.4 | Discretionary access control (DAC) | 14
5.4.5 | Attribute-based access control (ABAC) | 14
5.4.6 | Risk based access control | 14
5.4.7 | Access policy enforcement (e.g., policy decision point, policy enforcement point) | 14
5.5 | Manage the identity and access provisioning lifecycle | 13, 14
5.5.1 | Account access review (e.g., user, system, service) | 13
5.5.2 | Provisioning and deprovisioning (e.g., on/off boarding and transfers) | 13
5.5.3 | Role definition and transition (e.g., people assigned to new roles) | 13
5.5.4 | Privilege escalation (e.g., use of sudo, auditing its use) | 14
5.5.5 | Service accounts management | 13
5.6 | Implement authentication systems | 14
6 | Security Assessment and Testing | 15, 18
6.1 | Design and validate assessment, test, and audit strategies | 15
6.1.1 | Internal (e.g., within organization control) | 15
6.1.2 | External (e.g., outside organization control) | 15
6.1.3 | Third-party (e.g., outside of enterprise control) | 15
6.1.4 | Location (e.g., on-premise, cloud, hybrid) | 15
6.2 | Conduct security controls testing | 15
6.2.1 | Vulnerability assessment | 15
6.2.2 | Penetration testing (e.g., red, blue, and/or purple team exercises) | 15
6.2.3 | Log reviews | 15
6.2.4 | Synthetic transactions/benchmarks | 15
6.2.5 | Code review and testing | 15
6.2.6 | Misuse case testing | 15
6.2.7 | Coverage analysis | 15
6.2.8 | Interface testing (e.g., user interface, network interface, application programming interface (API)) | 15
6.2.9 | Breach attack simulations | 15
6.2.10 | Compliance checks | 15
6.3 | Collect security process data (e.g., technical and administrative) | 15, 18
6.3.1 | Account management | 15
6.3.2 | Management review and approval | 15
6.3.3 | Key performance and risk indicators | 15
6.3.4 | Backup verification data | 15
6.3.5 | Training and awareness | 15, 18
6.3.6 | Disaster Recovery (DR) and Business Continuity (BC) | 15, 18
6.4 | Analyze test output and generate report | 15
6.4.1 | Remediation | 15
6.4.2 | Exception handling | 15
6.4.3 | Ethical disclosure | 15
6.5 | Conduct or facilitate security audits | 15
6.5.1 | Internal (e.g., within organization control) | 15
6.5.2 | External (e.g., outside organization control) | 15
6.5.3 | Third-party (e.g., outside of enterprise control) | 15
6.5.4 | Location (e.g., on-premise, cloud, hybrid) | 15
7 | Security Operations | 3, 10, 11, 16, 17, 18, 21
7.1 | Understand and comply with investigations | 19
7.1.1 | Evidence collection and handling | 19
7.1.2 | Reporting and documentation | 19
7.1.3 | Investigative techniques | 19
7.1.4 | Digital forensics tools, tactics, and procedures | 19
7.1.5 | Artifacts (e.g., data, computer, network, mobile device) | 19
7.2 | Conduct logging and monitoring activities | 17, 21
7.2.1 | Intrusion detection and prevention system (IDPS) | 17
7.2.2 | Security information and event management (SIEM) | 17
7.2.3 | Continuous monitoring and tuning | 17
7.2.4 | Egress monitoring | 17
7.2.5 | Log management | 17
7.2.6 | Threat intelligence (e.g., threat feeds, threat hunting) | 17
7.2.7 | User and Entity Behavior Analytics (UEBA) | 21
7.3 | Perform configuration management (CM) (e.g., provisioning, baselining, automation) | 16
7.4 | Apply foundational security operations concepts | 16
7.4.1 | Need-to-know/least privilege | 16
7.4.2 | Segregation of Duties (SoD) and responsibilities | 16
7.4.3 | Privileged account management | 16
7.4.4 | Job rotation | 16
7.4.5 | Service-level agreements (SLA) | 16
7.5 | Apply resource protection | 16
7.5.1 | Media management | 16
7.5.2 | Media protection techniques | 16
7.5.3 | Data at rest/data in transit | 16
7.6 | Conduct incident management | 17
7.6.1 | Detection | 17
7.6.2 | Response | 17
7.6.3 | Mitigation | 17
7.6.4 | Reporting | 17
7.6.5 | Recovery | 17
7.6.6 | Remediation | 17
7.6.7 | Lessons learned | 17
7.7 | Operate and maintain detection and preventative measures | 11, 17, 21
7.7.1 | Firewalls (e.g., next generation, web application, network) | 11
7.7.2 | Intrusion detection systems (IDS) and intrusion prevention systems (IPS) | 17
7.7.3 | Whitelisting/blacklisting | 17
7.7.4 | Third-party provided security services | 17
7.7.5 | Sandboxing | 17
7.7.6 | Honeypots/honeynets | 17
7.7.7 | Anti-malware | 17, 21
7.7.8 | Machine learning and Artificial Intelligence (AI) based tools | 17
7.8 | Implement and support patch and vulnerability management | 16
7.9 | Understand and participate in change management processes | 16
7.10 | Implement recovery strategies | 18
7.10.1 | Backup storage strategies (e.g., cloud storage, onsite, offsite) | 18
7.10.2 | Recovery site strategies (e.g., cold vs. hot, resource capacity agreements) | 18
7.10.3 | Multiple processing sites | 18
7.10.4 | System resilience, high availability (HA), Quality of Service (QoS), and fault tolerance | 18
7.11 | Implement disaster recovery (DR) processes | 18
7.11.1 | Response | 18
7.11.2 | Personnel | 18
7.11.3 | Communications (e.g., methods) | 18
7.11.4 | Assessment | 18
7.11.5 | Restoration | 18
7.11.6 | Training and awareness | 18
7.11.7 | Lessons learned | 18
7.12 | Test disaster recovery plan (DRP) | 18
7.12.1 | Read-through/tabletop | 18
7.12.2 | Walkthrough | 18
7.12.3 | Simulation | 18
7.12.4 | Parallel | 18
7.12.5 | Full interruption | 18
7.12.6 | Communications (e.g., stakeholders, test status, regulators) | 18
7.13 | Participate in Business Continuity (BC) planning and exercises | 3
7.14 | Implement and manage physical security | 10
7.14.1 | Perimeter security controls | 10
7.14.2 | Internal security controls | 10
7.15 | Address personnel safety and security concerns | 16
7.15.1 | Travel | 16
7.15.2 | Security training and awareness (e.g., insider threat, social media impacts, two-factor authentication (2FA) fatigue) | 16
7.15.3 | Emergency management | 16
7.15.4 | Duress | 16
8 | Software Development Security | 15, 16, 20, 21
8.1 | Understand and integrate security in the Software Development Life Cycle (SDLC) | 20
8.1.1 | Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps, Scaled Agile Framework) | 20
8.1.2 | Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM)) | 20
8.1.3 | Operation and maintenance | 20
8.1.4 | Change management | 20
8.1.5 | Integrated Product Team | 20
8.2 | Identify and apply security controls in software development ecosystems | 15, 20, 21
8.2.1 | Programming languages | 20
8.2.2 | Libraries | 20
8.2.3 | Tool sets | 20
8.2.4 | Integrated Development Environment | 20
8.2.5 | Runtime | 20
8.2.6 | Continuous Integration and Continuous Delivery (CI/CD) | 20
8.2.7 | Software Configuration Management (CM) | 20
8.2.8 | Code repositories | 20
8.2.9 | Application security testing (e.g., static application security testing (SAST), dynamic application security testing (DAST), software composition analysis, interactive application security testing (IAST)) | 15
8.3 | Assess the effectiveness of software security | 20, 21
8.3.1 | Auditing and logging of changes | 20
8.3.2 | Risk analysis and mitigation | 21
8.4 | Assess security impact of acquired software | 16, 20
8.4.1 | Commercial-off-the-shelf (COTS) | 20
8.4.2 | Open source | 20
8.4.3 | Third-party | 20
8.4.4 | Managed services (e.g., enterprise applications) | 16
8.4.5 | Cloud services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS)) | 16
8.5 | Define and apply secure coding guidelines and standards | 20, 21
8.5.1 | Security weaknesses and vulnerabilities at the source-code level | 21
8.5.2 | Security of application programming interfaces (API) | 20
8.5.3 | Secure coding practices | 20
8.5.4 | Software-defined security | 20
Chapter | Number of subdomains
Chapter 15 | 34
Chapter 16 | 31
Chapter 20 | 26
Chapter 13 | 25
Chapter 11 | 24
Chapter 17 | 23
Chapter 18 | 23
Chapter 8 | 20
Chapter 2 | 19
Chapter 7 | 19
Chapter 5 | 18
Chapter 1 | 16
Chapter 9 | 14
Chapter 10 | 14
Chapter 14 | 14
Chapter 21 | 11
Chapter 19 | 10
Chapter 12 | 8
Chapter 4 | 7
Chapter 6 | 5
Chapter 3 | 4

Domain | Title | Percentage | Chapters
1 | Security and Risk Management | 16% | 1, 2, 3, 4, 19
2 | Asset Security | 10% | 5, 16
3 | Security Architecture and Engineering | 13% | 1, 6, 7, 8, 9, 10, 14, 16, 20, 21
4 | Communication and Network Security | 13% | 11, 12
5 | Identity and Access Management (IAM) | 13% | 13, 14
6 | Security Assessment and Testing | 12% | 15, 18
7 | Security Operations | 13% | 3, 10, 11, 16, 17, 18, 21
8 | Software Development Security | 10% | 15, 16, 20, 21
Domain Description Chapter
1.1 Understand and apply threat modeling concepts and methodologies 1
1.11 Apply supply chain risk management (SCRM) concepts 1
1.2 Understand and apply security concepts 1
1.3 Evaluate
Develop, and apply security
document, governance
and implement principles
security policy, standards, 1
1.6 procedures,
Risks and guidelines
associated(e.g.,
with the acquisition of products 1
Risk mitigations third-party assessment andand services minimum
monitoring, from
1.11.1 suppliers and providers (e.g., product tampering, counterfeits,
security requirements, service level requirements, silicon root of trust, implants) 1
1.11.2 physically unclonable
Confidentiality, integrity,function, software bill
and availability, of materials)
authenticity, and 1
1.2.1 nonrepudiation
Security (5 Pillars of Information Security)
Alignment of the security function to business strategy, goals,for
control frameworks (e.g., International Organization mission, 1
1.3.1 Standardization
and objectives (ISO), National Institute of Standards and Technology
Organizational processes (e.g., acquisitions, divestitures, governance 1
1.3.2 (NIST), Control Objectives for Information and Related Technology
committees) 1
(COBIT), Sherwood Applied Business Security Architecture (SABSA),
1.3.3 Organizational
Payment roles and(PCI),
Card Industry responsibilities
Federal Risk and Authorization 1
1.3.4 Management Program (FedRAMP)) 1
1.3.5 Due care/due diligence 1
3.1.1 Threat modeling 1
3.1.3 Defense
Establishinand
depth
maintain a security awareness, education, and training 1
1.12 program 2
1.8 Contribute to and enforce personnel security policies and procedures 2
1.9 Understand
Methods andand apply risktomanagement
techniques concepts
increase awareness and training (e.g., social 2
1.12.1 engineering, phishing, security champions, gamification)
Periodic content reviews to include emerging technologies and trends 2
1.12.2 (e.g., cryptocurrency, artificial intelligence (Al), blockchain) 2
1.12.3 Program effectiveness evaluation 2
1.8.1 Candidate screening and hiring 2
1.8.2 Employment agreements and policy driven requirements 2
1.8.3 Onboarding, transfers, and termination processes 2
1.8.4 Vendor, consultant, and contractor agreements and controls 2
1.9.1 Threat and vulnerability identification 2
1.9.2 Risk analysis, assessment, and scope 2
1.9.3 Risk response and treatment (e.g., cybersecurity insurance) 2
1.9.4 Applicable types of controls (e.g., preventive, detection, corrective) 2
1.9.5 Control assessments (e.g., security and privacy) 2
1.9.6 Risk frameworks
Continuous (e.g., International
monitoring and measurementOrganization for Standardization 2
1.9.7 (ISO), National Institute of Standards
Reporting (e.g., internal, external) and Technology (NIST), Control 2
Objectives for Information and Related Technology (COBIT), Sherwood
1.9.8 Continuous improvement
Applied Business Security(e.g., risk maturity
Architecture modeling)
(SABSA), Payment Card 2
1.9.9 Industry (PCI))
Identify, analyze, assess, prioritize, and implement Business Continuity 2
1.7 (BC) requirements 3
7.13 Participate in Business Continuity (BC) planning and exercises 3
1.7.1 Business Impact Analysis (BIA) 3
1.7.2 External
Understanddependencies
legal, regulatory, and compliance issues that pertain to 3
1.4 information security in a holistic context 4
1.4.1 Cybercrimes and data breaches 4
1.4.2 Licensing and Intellectual Property requirements 4
1.4.3 Import/export controls 4
Issues related to privacy (e.g., General Data Protection Regulation
1.4.4 Transborder data flow
(GDPR), California Consumer Privacy Act, Personal Information 4
1.4.5 Protection Law, Protection of Personal Information Act) 4
1.4.6 Contractual, legal, industry standards, and regulatory requirements 4
2.1 Identify and classify information and assets 5
2.2 Establish information and asset handling requirements 5
2.4 Manage data lifecycle
Ensure appropriate asset retention (e.g., End of Life (EOL), End of 5
2.5 Support) 5
2.6 Determine data security controls and compliance requirements 5
2.1.1 Data classification 5
2.1.2 Assetroles
Data classification
(i.e., owners, controllers, custodians, processors, 5
2.4.1 users/subjects) 5
2.4.2 Data collection 5
2.4.3 Data location 5
2.4.4 Data maintenance 5
2.4.5 Data retention 5
2.4.6 Data remanence 5
2.4.7 Data destruction 5
2.6.1 Data states (e.g., in use, in transit, at rest) 5
2.6.2 Scoping and tailoring 5
2.6.3 Standards selection
Data protection methods (e.g., Digital Rights Management (DRM) data 5
2.6.4 loss prevention (DLP), cloud access security broker (CASB)) 5
3.6.3 Public Key Infrastructure (PKI) (e.g., quantum key distribution) 7
3.6.4 Key management practices (e.g., rotation) 7
3.6.5 Digital signatures and digital certificates (e.g., non-repudiation, integrity) 7
3.7.1 Brute force 7
3.7.10 Man-in-the-Middle (MITM) 7
3.7.2 Ciphertext only 7
3.7.3 Known plaintext 7
3.7.4 Frequency analysis 7
3.7.5 Chosen ciphertext 7
3.7.6 Implementation attacks 7
3.7.7 Side-channel 7
3.7.8 Fault injection 7
3.7.9 Timing 7
3.1 Manage
Understandthe the
information system
fundamental lifecycle
concepts of security models (e.g., Biba, 8
3.2 Star Model, Bell-LaPadula) 8
Understand security capabilities of Information Systems (IS) (e.g.,
3.3 Select
memory controls based
protection, upon systems
Trusted Platform security
Module requirements
(TPM), 8
3.4 encryption/decryption) 8
3.1.11 Secure access service edge 8
3.1.4 Secure defaults 8
3.1.5 Fail securely 8
3.1.7 Keep it simple and small 8
3.1.8 Zero trust or trust but verify 8
3.1.9 Privacy by design 8
3.10.1 Stakeholders needs and requirements 8
3.10.2 Requirements analysis 8
3.10.3 Architectural design 8
3.10.4 Development /implementation 8
3.10.5 Integration 8
3.10.6 Verification and validation 8
3.10.7 Transition/deployment 8
3.10.8 Operations and maintenance/sustainment 8
3.10.9 Retirement/disposal 8
3.1.10 Shared responsibility 9
3.5.1 Client-based systems 9
3.5.10 Containerization 9
3.5.12 Embedded systems 9
3.5.13 High-Performance Computing systems 9
3.5.14 Edge computing systems 9
3.5.15 Virtualized systems 9
3.5.2 Server-based systems 9
3.5.5 Industrial Control Systems (ICS) 9
3.5.7 Distributed systems 9
3.5.8 Internet of Things (IoT) 9
3.5.9 Microservices (e.g., application programming interface (API)) 9
3.8 Apply security principles to site and facility design 10
3.9 Design site and facility security controls 10
7.14 Implement and manage physical security 10
3.9.1 Wiring closets/intermediate distribution frame 10
3.9.2 Server rooms/data centers 10
3.9.3 Media storage facilities 10
3.9.4 Evidence storage 10
3.9.5 Restricted and work area security 10
3.9.6 Utilities and Heating, Ventilation, and Air Conditioning (HVAC) 10
3.9.7 Environmental issues (e.g., natural disasters, man-made) 10
3.9.8 Fire prevention, detection, and suppression 10
3.9.9 Power (e.g., redundant, backup) 10
7.14.1 Perimeter security controls 10
7.14.2 Internal security controls 10
4.2 Secure network components 11
Open System Interconnection (OSI) and Transmission Control
4.1.1 Protocol/Internet
Logical segmentationProtocol
(e.g.,(TCP/IP) models
virtual local area networks (VLANs), virtual 11
Micro-segmentation (e.g., network overlays/encapsulation; distributed
4.1.10 private networks (VPNs), virtual routing and forwarding, virtual
firewalls, routers, intrusion detection system (IDS)/intrusion prevention domain) 11
4.1.11 system (IPS), zero trust) 11
4.1.12 Edge networks (e.g., ingress/egress, peering) 11
4.1.13 Wireless networks (e.g., Bluetooth, Wi-Fi, Zigbee, satellite) 11
4.1.14 Cellular/mobile networks (e.g., 4G, 5G) 11
Software defined networks (SDN), (e.g., application programming
4.1.15 Content
interfacedistribution networks (CDN)
(API), Software-Defined Wide-Area Network, network functions 11
4.1.16 virtualization) 11
4.1.17 Virtual
InternetPrivate
ProtocolCloud
(IP) (VPC)
version 4 and 6 (IPv6) (e.g., unicast, broadcast, 11
4.1.2 multicast, anycast)
Secure protocols (e.g., Internet Protocol Security (IPSec), Secure Shell 11
4.1.3 (SSH), Secure Sockets Layer (SSL)]/Transport Layer Security (TLS)) 11
Converged protocols (e.g., Internet Small Computer Systems Interface
4.1.4 Implications
(iSCSI), of over
Voice multilayer protocols
Internet Protocol (VoIP), InfiniBand over Ethernet, 11
4.1.5 Compute Express
Transport Link)(e.g., topology, data/control/management plane,
architecture 11
4.1.6 cut-through/store-and-forward) 11
4.1.8 Traffic flows (e.g., north-south, east-west) 11
4.1.9 Physical segmentation (e.g., in-band, out-of-band, air-gapped) 11
4.2.1 Operation
Transmission of infrastructure (e.g., redundant
media (e g. physical power,
security of warranty,
media, support)
signal propagation 11
4.2.2 quality)
Network Access Control (NAC) systems (e.g., physical, and virtual 11
4.2.3 solutions) 11
4.2.4 Endpoint security (e.g., host-based) 11
7.7.1 Firewalls (e.g., next generation, web application, network) 11
4.3 Implement
Monitoring andsecure communication
management (e.g.,channels according to design
network observability, traffic 12
4.1.18 flow/shaping, capacity management, fault detection and handling)
Performance metrics (e.g., bandwidth, latency, jitter, throughput, signal- 12
4.1.7 to-noise ratio) 12
4.3.1 Voice, video, and collaboration (e.g., conferencing, Zoom rooms) 12
4.3.2 Remote access (e.g., network administrative functions) 12
4.3.3 Data communications (e.g., backhaul networks satellite) 12
4.3.4 Third-party connectivity (e.g., telecom providers, hardware support) 12
5.1 Control physical and and
Design identification logical access to assets
authentication strategy (e.g., people, devices, 13
5.2 and services) 13
5.3 Federated identity with a third-party service 13
5.1.1 Information 13
5.1.2 Systems 13
5.1.3 Devices 13
5.1.4 Facilities 13
5.1.5 Applications 13
5.1.6 Services 13
5.2.1 Groups and Roles
Authentication, Authorization and Accounting (AAA) (e.g., multi-factor 13
5.2.2 authentication (MFA), password-less authentication) 13
5.2.3 Session management 13
5.2.4 Registration, proofing, and establishment of identity 13
5.2.5 Federated Identity Management (FIM) 13
5.2.6 Credential management systems (e.g., Password vault) 13
5.2.7 Single sign-on (SSO) 13
5.2.8 Just-ln-Time 13
5.3.1 On-premise 13
5.3.2 Cloud 13
5.3.3 Hybrid 13
5.5.1 Account access review (e.g., user, system, service) 13
5.5.2 Provisioning and deprovisioning (e.g., on/off boarding and transfers) 13
5.5.3 Role definition and transition (e.g., people assigned to new roles) 13
5.5.5 Service accounts management 13
5.4 Implement and manage authorization mechanisms 14
5.6 Implement authentication systems 14
3.7.11 Pass the hash 14
3.7.12 Kerberos exploitation 14
5.4.1 Role-based access control (RBAC) 14
5.4.2 Rule based access control 14
5.4.3 Mandatory access control (MAC) 14
5.4.4 Discretionary access control (DAC) 14
5.4.5 Attribute-based access control (ABAC) 14
5.4.6 Risk based access control 14
5.4.7 Access policy enforcement (e.g., policy decision point, policy enforcement point) 14
5.5.4 Privilege escalation (e.g., use of sudo, auditing its use) 14
6.1 Design and validate assessment, test, and audit strategies 15
6.2 Conduct security controls testing 15
6.4 Analyze test output and generate report 15
6.5 Conduct or facilitate security audits 15
6.1.1 Internal (e.g., within organization control) 15
6.1.2 External (e.g., outside organization control) 15
6.1.3 Third-party (e.g., outside of enterprise control) 15
6.1.4 Location (e.g., on-premise, cloud, hybrid) 15
6.2.1 Vulnerability assessment 15
6.2.10 Compliance checks 15
6.2.2 Penetration testing (e.g., red, blue, and/or purple team exercises) 15
6.2.3 Log reviews 15
6.2.4 Synthetic transactions/benchmarks 15
6.2.5 Code review and testing 15
6.2.6 Misuse case testing 15
6.2.7 Coverage analysis 15
6.2.8 Interface testing (e.g., user interface, network interface, application programming interface (API)) 15
6.2.9 Breach attack simulations 15
6.3.1 Account management 15
6.3.2 Management review and approval 15
6.3.3 Key performance and risk indicators 15
6.3.4 Backup verification data 15
6.4.1 Remediation 15
6.4.2 Exception handling 15
6.4.3 Ethical disclosure 15
6.5.1 Internal (e.g., within organization control) 15
6.5.2 External (e.g., outside organization control) 15
6.5.3 Third-party (e.g., outside of enterprise control) 15
6.5.4 Location (e.g., on-premise, cloud, hybrid) 15
8.2.9 Application security testing (e.g., static application security testing (SAST), dynamic application security testing (DAST), software composition analysis, interactive application security testing (IAST)) 15
2.3 Provision information and assets securely 16
7.15 Address personnel safety and security concerns 16
7.3 Perform configuration management (CM) (e.g., provisioning, baselining, automation) 16
7.4 Apply foundational security operations concepts 16
7.5 Apply resource protection 16
7.8 Implement and support patch and vulnerability management 16
7.9 Understand and participate in change management processes 16
2.3.1 Information and asset ownership 16
2.3.2 Asset inventory (e.g., tangible, intangible) 16
2.3.3 Asset management 16
3.1.2 Least privilege 16
3.1.6 Segregation of Duties (SoD) 16
3.5.11 Serverless 16
3.5.6 Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS)) 16
7.15.1 Travel 16
7.15.2 Security training and awareness (e.g., insider threat, social media impacts, two-factor authentication (2FA) fatigue) 16
7.15.3 Emergency management 16
7.15.4 Duress 16
7.4.1 Need-to-know/least privilege 16
7.4.2 Segregation of Duties (SoD) and responsibilities 16
7.4.3 Privileged account management 16
7.4.4 Job rotation 16
7.4.5 Service-level agreements (SLA) 16
7.5.1 Media management 16
7.5.2 Media protection techniques 16
7.5.3 Data at rest/data in transit 16
8.4.4 Managed services (e.g., enterprise applications) 16
8.4.5 Cloud services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS)) 16
7.6 Conduct incident management 17
7.2.1 Intrusion detection and prevention system (IDPS) 17
7.2.2 Security information and event management (SIEM) 17
7.2.3 Continuous monitoring and tuning 17
7.2.4 Egress monitoring 17
7.2.5 Log management 17
7.2.6 Threat intelligence (e.g., threat feeds, threat hunting) 17
7.6.1 Detection 17
7.6.2 Response 17
7.6.3 Mitigation 17
7.6.4 Reporting 17
7.6.5 Recovery 17
7.6.6 Remediation 17
7.6.7 Lessons learned 17
7.7.2 Intrusion detection systems (IDS) and intrusion prevention systems (IPS) 17
7.7.3 Whitelisting/blacklisting 17
7.7.4 Third-party provided security services 17
7.7.5 Sandboxing 17
7.7.6 Honeypots/honeynets 17
7.7.8 Machine learning and Artificial Intelligence (AI) based tools 17
7.1 Implement recovery strategies 18
7.11 Implement disaster recovery (DR) processes 18
7.12 Test disaster recovery plan (DRP) 18
7.10.1 Backup storage strategies (e.g., cloud storage, onsite, offsite) 18
7.10.2 Recovery site strategies (e.g., cold vs. hot, resource capacity agreements) 18
7.10.3 Multiple processing sites 18
7.10.4 System resilience, high availability (HA), Quality of Service (QoS), and fault tolerance 18
7.11.1 Response 18
7.11.2 Personnel 18
7.11.3 Communications (e.g., methods) 18
7.11.4 Assessment 18
7.11.5 Restoration 18
7.11.6 Training and awareness 18
7.11.7 Lessons learned 18
7.12.1 Read-through/tabletop 18
7.12.2 Walkthrough 18
7.12.3 Simulation 18
7.12.4 Parallel 18
7.12.5 Full interruption 18
7.12.6 Communications (e.g., stakeholders, test status, regulators) 18
1.1 Understand, adhere to, and promote professional ethics 19
1.5 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) 19
7.1 Understand and comply with investigations 19
1.1.1 ISC2 Code of Professional Ethics 19
1.1.2 Organizational code of ethics 19
7.1.1 Evidence collection and handling 19
7.1.2 Reporting and documentation 19
7.1.3 Investigative techniques 19
7.1.4 Digital forensics tools, tactics, and procedures 19
7.1.5 Artifacts (e.g., data, computer, network, mobile device) 19
8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) 20
3.5.3 Database systems 20
8.1.1 Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps, Scaled Agile Framework) 20
8.1.2 Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM)) 20
8.1.3 Operation and maintenance 20
8.1.4 Change management 20
8.1.5 Integrated Product Team 20
8.2.1 Programming languages 20
8.2.2 Libraries 20
8.2.3 Tool sets 20
8.2.4 Integrated Development Environment 20
8.2.5 Runtime 20
8.2.6 Continuous Integration and Continuous Delivery (CI/CD) 20
8.2.7 Software Configuration Management (CM) 20
8.2.8 Code repositories 20
8.3.1 Auditing and logging of changes 20
8.4.1 Commercial-off-the-shelf (COTS) 20
8.4.2 Open source 20
8.4.3 Third-party 20
8.5.2 Security of application programming interfaces (API) 20
8.5.3 Secure coding practices 20
8.5.4 Software-defined security 20
3.7.13 Ransomware 21
7.2.7 User and Entity Behavior Analytics (UEBA) 21
8.3.2 Risk analysis and mitigation 21
8.5.1 Security weaknesses and vulnerabilities at the source-code level 21
3.7 Understand methods of cryptanalytic attacks 7, 14, 21
7.7 Operate and maintain detection and preventative measures 11, 17, 21
3.6 Select and determine cryptographic solutions 6, 7
3.5.4 Cryptographic systems 6, 7
3.6.1 Cryptographic life cycle (e.g., keys, algorithm selection) 6, 7
3.6.2 Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum) 6, 7
4.1 Apply secure design principles in network architectures 11, 12
3.1 Research, implement, and manage engineering processes using secure design principles 1, 8, 9, 16
5.5 Manage the identity and access provisioning lifecycle 13, 14
6.3 Collect security process data (e.g., technical and administrative) 15, 18
6.3.5 Training and awareness 15, 18
6.3.6 Disaster Recovery (DR) and Business Continuity (BC) 15, 18
8.2 Identify and apply security controls in software development ecosystems 15, 20, 21
8.4 Assess security impact of acquired software 16, 20
7.2 Conduct logging and monitoring activities 17, 21
7.7.7 Anti-malware 17, 21
8.3 Assess the effectiveness of software security 20, 21
8.5 Define and apply secure coding guidelines and standards 20, 21
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements 6, 7, 9, 16, 20
1 Security and Risk Management
2 Asset Security
3 Security Architecture and Engineering
4 Communication and Network Security
5 Identity and Access Management (IAM)
6 Security Assessment and Testing
7 Security Operations
8 Software Development Security
Chapter 9 14
Chapter 10 14
Chapter 11 24
Chapter 12 8
Chapter 13 25
Chapter 14 14
Chapter 15 34
Chapter 16 31
Chapter 17 23
Chapter 18 23
Chapter 19 10
Chapter 20 26
Chapter 21 11