1.

Security and Risk Management

Focuses on the foundational concepts of security, risk, compliance, and

governance.

 Key Topics:

o Confidentiality, Integrity, and Availability (CIA Triad)

o Security Governance and Risk Management

o Compliance and Legal/Regulatory Issues

o Risk Assessment and Risk Management

o Threat Modeling

o Business Continuity (BC) and Disaster Recovery Planning

(DRP)

o Ethics and Professional Standards (e.g., (ISC)² Code of Ethics)

o Security Policies, Standards, Procedures, and Guidelines

2. Asset Security

Covers the management and protection of organizational assets

throughout their lifecycle.

 Key Topics:

o Classification and Ownership of Information and Assets

o Data Retention Policies

o Secure Data Handling and Disposal

o Privacy Protection

o Data Security Controls

o Storage and Media Security

3. Security Architecture and Engineering

Focuses on designing and implementing secure systems and

architectures.

 Key Topics:
 o Secure Design Principles (e.g., Defense in Depth, Least
Privilege)

o Security Models (e.g., Bell-LaPadula, Biba, Clark-Wilson)

o Cryptography Basics (encryption, hashing, digital signatures)

o Secure Hardware, Software, and Firmware Design

o Vulnerabilities and Countermeasures

o Security Architecture Frameworks

o Physical Security Design and Controls

4. Communication and Network Security

Addresses the design, implementation, and management of secure

communication systems and networks.

 Key Topics:

o Network Protocols and Architecture

o Secure Network Design and Segmentation

o Wireless Network Security

o Remote Access and VPNs

o Network Attacks and Countermeasures

o Firewalls, IDS/IPS, and NAC

o Secure Communication Protocols (e.g., TLS, IPsec)

5. Identity and Access Management (IAM)

Focuses on ensuring proper identification, authentication, and

authorization mechanisms.

 Key Topics:

o Identity Management Concepts

o Authentication Methods (e.g., passwords, biometrics, MFA)

o Access Control Models (e.g., Role-Based Access Control)

o Federated Identity Management (e.g., SSO, OAuth)

o Account and Credential Management

 o Privileged Access Management (PAM)

o Identity as a Service (IDaaS)

6. Security Assessment and Testing

Covers techniques to ensure that systems are secure and operating as

intended.

 Key Topics:

o Security Assessment and Audit Techniques

o Vulnerability Management and Penetration Testing

o Security Testing Tools and Techniques

o Log Management and Analysis

o Reporting and Documentation of Assessment Results

o Continuous Monitoring and Metrics

7. Security Operations

Addresses operational security and incident response.

 Key Topics:

o Incident Response Lifecycle

o Security Operations Center (SOC) and Threat Intelligence

o Forensics and Evidence Collection

o Logging and Monitoring

o Patch Management and Change Control

o Disaster Recovery and Business Continuity Operations

o Personnel Safety and Security (e.g., evacuation procedures)

8. Software Development Security

Focuses on securing applications and software development processes.

 Key Topics:
o Software Development Life Cycle (SDLC) and Security
Integration

o Secure Coding Practices

o Application Security Testing (e.g., SAST, DAST)

o Vulnerabilities in Web Applications (e.g., SQL Injection, XSS)

o APIs and Microservices Security

o DevSecOps Practices

o Secure Software Environments and Tools