1.0 General Security Concepts (12 % of the exam)

• Compare and contrast various types of security controls.

• Summarize fundamental security concepts.

• Explain the importance of change management processes and the impact to security.

• Explain the importance of using appropriate cryptographic solutions.

2.0 Threats, Vulnerabilities, and Mitigations (22% of the exam)

• Compare and contrast common threat actors and motivations.

• Explain common threat vectors and attack surfaces.

• Explain various types of vulnerabilities.

• Given a scenario, analyze indicators of malicious activity.

• Explain the purpose of mitigation techniques used to secure the enterprise.

3.0 Security Architecture (18% of the exam)

• Compare and contrast security implications of different architecture models.

• Given a scenario, apply security principles to secure enterprise infrastructure.

• Compare and contrast concepts and strategies to protect data.

• Explain the importance of resilience and recovery in security architecture.

4.0 Security Operations (28% of the exam)

• Given a scenario, apply common security techniques to computing resources.

• Explain the security implications of proper hardware, software, and data asset management.

• Explain various activities associated with vulnerability management.

• Explain security alerting and monitoring concepts and tools.

• Given a scenario, modify enterprise capabilities to enhance security.

• Given a scenario, implement and maintain identity and access management.

• Explain the importance of automation and orchestration related to secure operations.

• Explain appropriate incident response activities.

• Given a scenario, use data sources to support an investigation.

5.0 Security Program Management and Oversight (20% of the exam)

• Summarize elements of effective security governance.

• Explain elements of the risk management process.

• Explain the processes associated with third-party risk assessment and management.

• Summarize elements of effective security compliance.

• Explain types and purposes of audits and assessments.

• Given a scenario, implement security awareness practices.