This free SSCP study guide walks through every content domain the Systems Security Certified Practitioner exam tests, organized to the current ISC2 exam outline (effective October 1, 2025).[1]
It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.
The SSCP tests seven official domains, and we teach each as its own study module, leading with the heaviest-weighted content. The SSCP is the hands-on, technical counterpart to the CISSP — it proves you can implement and operate security controls, where the CISSP proves you can manage a program.
Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview that maps the official content — not a full security textbook.
SSCP is one of the 9 ISC2 certifications — explore our ISC2 study guides to compare and prep across the whole family.
SSCP Exam Snapshot
| Detail | SSCP Exam |
|---|---|
| Questions | 100–125 items (adaptive CAT; includes unscored pretest items) |
| Format | Computerized Adaptive Testing (CAT); multiple choice + advanced items |
| Time | 2 hours |
| Passing score | 700 out of 1000 points (scaled) |
| Administered by | ISC2, delivered at Pearson VUE |
| Certifying body | ISC2 (formerly (ISC)²) |
| Eligibility | 1 year experience in 1+ domain (degree waiver); or Associate of ISC2 |
| Cost | About $599 USD (Americas) — verify at registration |
| Recertification | Every 3 years — 60 CPE credits + $135 annual maintenance fee |
| Outline version | Effective October 1, 2025 |
The SSCP covers seven domains, and the weights are fairly even — no single domain dominates. Security Concepts & Practices and Network & Communications Security tie for the most at 16% each, while Cryptography is the lightest at 9%.[1] Study by weight:
| Domain | Weight |
|---|---|
| Security Concepts and Practices | 16% of the exam |
| Access Controls | 15% of the exam |
| Risk Identification, Monitoring & Analysis | 15% of the exam |
| Incident Response and Recovery | 14% of the exam |
| Cryptography | 9% of the exam |
| Network and Communications Security | 16% of the exam |
| Systems and Application Security | 15% of the exam |
Module 1 · Security Concepts & Practices
16% of the exam — tied for the largest domain. This domain is the foundation of the whole SSCP: the goals of security, the controls used to achieve them, the ethics you must uphold, and the housekeeping (asset and change management) that keeps an environment secure over time.
1.1 CIA Triad & Core Concepts
Everything starts with the CIA triad. Confidentiality prevents unauthorized disclosure (encryption, access control); integrity prevents unauthorized change (hashing, digital signatures); and availability keeps systems reachable for authorized users (redundancy, backups). The SSCP adds accountability (tying actions to an identity) and non-repudiation (proof an action can’t be denied).
Three principles limit access and abuse: least privilege (only the minimum access needed), need-to-know (only the specific data required), and separation of duties (no one person controls a sensitive task end to end). Related fraud controls are dual control, job rotation, and mandatory vacation.
| Principle | What it does |
|---|---|
| Least privilege | Grant only the minimum access an identity needs to do its job |
| Need-to-know | Limit access to the specific information required, even within a clearance |
| Separation of duties | Split a sensitive task so no one person can complete it alone |
| Dual control | Require two people to act together on one sensitive operation |
| Job rotation | Rotate staff between duties to surface fraud and reduce single-person dependence |
| Mandatory vacation | Force time off so hidden fraudulent activity can surface |
1.2 Ethics, Governance & Controls
Every SSCP signs the ISC2 Code of Ethics. Its four canons are applied in order: (1) protect society and the infrastructure, (2) act honorably, (3) provide diligent service to principals, and (4) advance the profession. When two canons conflict, the earlier one wins.[3] Governance also rests on due diligence (doing the research and building the plan) and due care (acting on it) — together the “prudent-person rule.”
Controls are classified two ways: by category — administrative, technical, and physical — and by function: preventive, detective, corrective, deterrent, compensating, and recovery. Expect to classify a given control by both.
| Control | Category | Function |
|---|---|---|
| Security-awareness training | Administrative | Preventive |
| Firewall / encryption | Technical (logical) | Preventive |
| Intrusion Detection System (IDS) | Technical | Detective |
| CCTV camera | Physical | Detective / deterrent |
| Backups (restore after loss) | Technical | Recovery / corrective |
| Extra monitoring in place of segregation | Administrative | Compensating |
1.3 Asset & Change Management
Protecting assets starts with data classification — labeling data by sensitivity so the right protection is applied. The data owner (a senior manager) is accountable and sets the classification; the data custodian (usually IT) implements the controls day to day. At end of life you must defeat data remanence with proper media sanitization: clearing (overwrite for reuse), purging (degauss/strong overwrite to release externally), or destruction (shred, pulverize, incinerate).[8]
Change management keeps the environment stable and secure: every change is requested (an RFC), evaluated, approved by a change control board, tested, documented, and given a rollback plan. Uncontrolled change is a leading cause of outages and security gaps.
| Level | How | When to use |
|---|---|---|
| Clear | Overwrite the media | Reuse within the organization |
| Purge | Degauss or strong overwrite/crypto-erase | Release media outside the organization |
| Destroy | Shred, pulverize, incinerate, or melt | The most sensitive data; media won't be reused |
Checkpoint · Security Concepts & Practices
A security administrator is asked to enforce a policy that no single employee can both create a vendor record and approve payments to that vendor. Which security principle does this enforce?
Module 2 · Access Controls
15% of the exam. Access control is how the right people — and only the right people — get to the right resources. This domain covers proving identity, the models that decide who can do what, and managing identities through their lifecycle.
2.1 Identity & Authentication
Access control is a sequence: identification (claim an identity) → authentication (prove it) → authorization (what you may do) → accounting (log it) — together AAA.[7] Strong authentication means multi-factor authentication (MFA): combining factors from different categories — something you know (password), have (token), and are (biometric).
1. Identification: claim an identity (username, ID).
2. Authentication: prove the claim (password, token, biometric).
3. Authorization: grant only the access the identity is permitted.
4. Accounting: log and track what the identity did.
Biometrics are judged by error rates: the False Acceptance Rate (FAR) (wrongly admits an impostor — the security risk), the False Rejection Rate (FRR) (wrongly rejects a real user — the usability problem), and the Crossover Error Rate (CER), where the two are equal. A lower CER is a more accurate system. Enterprises tie identities together with single sign-on (SSO) — Kerberos (ticket-based), SAML (web federation), and OAuth/OIDC — and centralize network logins with RADIUS or TACACS+.
| Factor | Type | Examples |
|---|---|---|
| Something you know | Knowledge | Password, PIN, passphrase |
| Something you have | Possession | Smart card, hardware token, phone |
| Something you are | Inherence (biometric) | Fingerprint, iris, face |
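To make the FAR/FRR/CER relationship concrete, here is an added example (not part of the study guide) that sweeps an acceptance threshold over constructed match scores, computes both error rates at each threshold, and finds the crossover point. The scores are invented sample data on a 0.0 to 1.0 scale, not output from any real sensor; the functions and their names are this example's own.

```python
"""Added example (not from the study guide): sweep a biometric acceptance
threshold to compute FAR, FRR and the crossover error rate (CER).

The match scores are constructed sample data on a 0.0 (no match) to 1.0
(perfect match) scale, not output from any real biometric sensor.
"""

# Constructed sample match scores: genuine users should score high and
# impostors low, but the two distributions overlap (0.69 vs 0.72).
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.84, 0.69, 0.86, 0.93]
IMPOSTOR_SCORES = [0.12, 0.25, 0.41, 0.33, 0.58, 0.20, 0.47, 0.72, 0.38, 0.29]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when every attempt scoring >= threshold is accepted.

    FAR: fraction of impostor attempts wrongly accepted (the security risk).
    FRR: fraction of genuine attempts wrongly rejected (the usability problem).
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine, impostor, steps=100):
    """Sweep thresholds from 0.0 to 1.0 and return (threshold, CER).

    The CER is the error rate at the threshold where FAR and FRR are equal
    (or closest to equal on a discrete sweep). A lower CER means a more
    accurate system; the threshold itself is the operating point a deployment
    tunes toward security (higher) or usability (lower).
    """
    best_gap, best_threshold, best_cer = None, None, None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_threshold, best_cer = gap, t, (far + frr) / 2
    return best_threshold, best_cer


def tradeoff(genuine, impostor, thresholds):
    """Show the trade-off: raising the threshold lowers FAR but raises FRR."""
    return {t: error_rates(genuine, impostor, t) for t in thresholds}


if __name__ == "__main__":
    for t, (far, frr) in tradeoff(GENUINE_SCORES, IMPOSTOR_SCORES, [0.5, 0.7, 0.9]).items():
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER={cer:.2f} at threshold {t:.2f}")
```

With this data a threshold of 0.5 admits two impostors and rejects nobody, 0.9 admits nobody but rejects six real users, and the crossover sits at 0.7 with both rates at 10%. The exam point is the direction of each trade: tightening the threshold trades usability (FRR) for security (FAR), and only the CER lets you compare two systems on one number.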
2.2 Access Control Models
Authorization is enforced through access control models. The four you must know are DAC (the owner decides), MAC (the system enforces from labels/clearances), RBAC (by job role), and ABAC (by attributes and policy — the most granular).
- DAC — Discretionary: the data owner decides who gets access (e.g., file permissions, ACLs). Flexible but error-prone.
- MAC — Mandatory: the system enforces access from labels and clearances (e.g., classified data). Rigid and high-security.
- RBAC — Role-Based: access is granted by job role, not the individual. Scales well in enterprises.
- ABAC — Attribute-Based: access is decided by attributes and policy (user, resource, time, location). The most granular.
Modern environments add zero trust — never trust, always verify, even inside the network — and privileged access management (PAM) to tightly control, monitor, and time-limit admin accounts (a top target for attackers). Provision, periodically review, and promptly deprovision identities across the lifecycle so no orphaned accounts linger.
| Model | Who decides access | Best for |
|---|---|---|
| DAC | The data owner (ACLs, file permissions) | Flexible commercial environments |
| MAC | The system, from labels and clearances | Classified / high-security data |
| RBAC | Job role, not the individual | Large enterprises (scales well) |
| ABAC | Attributes and policy (user, time, location) | Fine-grained, dynamic access |
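The difference between RBAC and ABAC is easiest to see in a decision function. The added example below (not from the study guide) layers three checks in order: an RBAC lookup (does a role carry the permission), an ABAC policy (location and time-of-day attributes), and the separation-of-duties rule from Module 1 (the person who created a vendor record may not approve payments to it, the scenario in the first checkpoint). The roles, permissions, policy and users are constructed for the demo.

```python
"""Added example (not from the study guide): an authorization pipeline that
layers RBAC, ABAC and a separation-of-duties check. Roles, permissions,
the attribute policy and the users are all constructed for the demo.
"""
from dataclasses import dataclass
from datetime import time

# RBAC: permissions attach to roles, never to individuals (constructed).
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor:create", "invoice:enter"},
    "ap_manager": {"vendor:create", "payment:approve"},
    "auditor": {"ledger:read"},
}

# ABAC: payment approval only from the office during business hours (constructed policy).
BUSINESS_HOURS = (time(8, 0), time(18, 0))


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset
    location: str  # "office" or "remote"


@dataclass
class Request:
    subject: Subject
    action: str
    resource: dict  # resource attributes, e.g. who created the vendor record
    at: time        # local time of the request


def rbac_allows(subject, action):
    """RBAC: does any of the subject's roles carry this permission?"""
    return any(action in ROLE_PERMISSIONS.get(role, ()) for role in subject.roles)


def abac_allows(request):
    """ABAC: evaluate the attribute policy that applies to the action."""
    if request.action == "payment:approve":
        start, end = BUSINESS_HOURS
        return request.subject.location == "office" and start <= request.at <= end
    return True  # no attribute policy for other actions


def separation_of_duties_ok(request):
    """SoD: whoever created the vendor record may not approve payments to it."""
    if request.action == "payment:approve":
        return request.resource.get("vendor_created_by") != request.subject.name
    return True


def decide(request):
    """Run the checks in order; return 'allow' or 'deny: <reason>'."""
    if not rbac_allows(request.subject, request.action):
        return "deny: role lacks permission"
    if not abac_allows(request):
        return "deny: attribute policy (location/time)"
    if not separation_of_duties_ok(request):
        return "deny: separation of duties"
    return "allow"


def check(subject, action, resource, hour, minute=0):
    """Convenience wrapper: build a Request at the given local time and decide it."""
    return decide(Request(subject, action, resource, time(hour, minute)))


# Constructed users and a payment against a vendor record that alice created.
ALICE = Subject("alice", frozenset({"ap_manager"}), "office")
BOB = Subject("bob", frozenset({"ap_manager"}), "office")
REMOTE_BOB = Subject("bob", frozenset({"ap_manager"}), "remote")
CAROL = Subject("carol", frozenset({"auditor"}), "office")
PAYMENT = {"type": "payment", "vendor_created_by": "alice"}

if __name__ == "__main__":
    for who in (ALICE, BOB, REMOTE_BOB, CAROL):
        print(f"{who.name} ({who.location}) payment:approve at 10:00 ->",
              check(who, "payment:approve", PAYMENT, 10))
    print("bob payment:approve at 22:00 ->", check(BOB, "payment:approve", PAYMENT, 22))
```

Note the ordering: RBAC answers the coarse question cheaply, ABAC refines it with context, and the SoD rule is a separate control rather than a role, because alice's role legitimately includes both permissions; it is the combination on one transaction that must be blocked.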
Checkpoint · Access Controls
An employee leaves the company. To prevent lingering access, which action is most important during offboarding?
Module 3 · Risk Identification, Monitoring & Analysis
15% of the exam. This domain is about understanding risk, treating it, and then watching the environment to catch problems early — assessments, vulnerability management, and monitoring.
3.1 Risk Management
Risk is the chance a threat exploits a vulnerability to harm an asset — often expressed as likelihood × impact. You assess it two ways: qualitative (subjective high/medium/low — fast) and quantitative (dollar-based, using formulas). Quantitatively, the single loss expectancy (SLE) = Asset Value × Exposure Factor; the annualized rate of occurrence (ARO) is events per year; and the annualized loss expectancy (ALE) = SLE × ARO.[4]
- SLE = AV × EF: Single Loss Expectancy = Asset Value × Exposure Factor (the % of the asset lost per event).
- ALE = SLE × ARO: Annualized Loss Expectancy = Single Loss Expectancy × Annualized Rate of Occurrence (events per year).
Worked example
Asset = $200,000; a flood destroys 50% (EF = 0.5) → SLE = $100,000. A flood every 10 years (ARO = 0.1) → ALE = $100,000 × 0.1 = $10,000/year. Spend less than $10,000/year to mitigate.
Once you know the risk, pick a treatment: mitigate (add controls), transfer (insurance), avoid (stop the activity), or accept (tolerate it with management sign-off). Whatever you do, residual risk remains, and a control should never cost more than the asset it protects. What an organization will tolerate is its risk appetite.
| Treatment | What you do | Example |
|---|---|---|
| Mitigate (reduce) | Add controls to lower likelihood or impact | Deploy MFA to reduce account takeover |
| Transfer | Shift the financial impact to a third party | Buy cyber-insurance |
| Avoid | Stop the activity that creates the risk | Discontinue a risky product feature |
| Accept | Formally tolerate the residual risk | Management signs off on a low-impact risk |
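The worked flood example generalizes to a risk register: compute ALE for every entry, rank by annual exposure, and test whether a proposed control's annual cost is below the ALE it removes. The following is an added example (not from the study guide); the register entries, exposure factors and control costs are constructed, with the flood row mirroring the guide's numbers.

```python
"""Added example (not from the study guide): the SLE/ALE formulas applied to
a small risk register, plus the cost-justification test for a control.
All asset values, exposure factors, rates and costs are constructed.
"""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF: money lost in one occurrence."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value, exposure_factor, aro):
    """ALE = SLE x ARO: expected loss per year."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def rank_by_ale(risks):
    """Return (name, ALE) pairs, highest annual exposure first."""
    scored = [(r["name"], annualized_loss_expectancy(r["asset_value"], r["ef"], r["aro"]))
              for r in risks]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def control_net_benefit(risk, ef_after, aro_after, annual_control_cost):
    """Annual value of a control = ALE before - ALE after - annual cost.

    Positive: the control pays for itself. Negative: you would spend more per
    year than the risk is expected to cost, which argues for accepting or
    transferring it instead of mitigating.
    """
    before = annualized_loss_expectancy(risk["asset_value"], risk["ef"], risk["aro"])
    after = annualized_loss_expectancy(risk["asset_value"], ef_after, aro_after)
    return before - after - annual_control_cost


def control_justified(risk, ef_after, aro_after, annual_control_cost):
    """True when the control's net annual benefit is positive."""
    return control_net_benefit(risk, ef_after, aro_after, annual_control_cost) > 0


# Constructed risk register; the flood entry mirrors the guide's worked example.
RISKS = [
    {"name": "Flood at primary site", "asset_value": 200_000, "ef": 0.5, "aro": 0.1},
    {"name": "Ransomware on file server", "asset_value": 500_000, "ef": 0.6, "aro": 0.25},
    {"name": "Laptop theft", "asset_value": 3_000, "ef": 1.0, "aro": 4},
]
FLOOD = RISKS[0]

if __name__ == "__main__":
    for name, ale in rank_by_ale(RISKS):
        print(f"{name:28s} ALE = ${ale:,.0f}/year")
    # Constructed flood controls: both cut ARO from 0.1 to 0.02; only the cheaper one pays.
    for cost in (6_000, 12_000):
        print(f"flood control at ${cost:,}/year -> net ${control_net_benefit(FLOOD, 0.5, 0.02, cost):,.0f}, "
              f"justified={control_justified(FLOOD, 0.5, 0.02, cost)}")
```

Ranking by ALE is what makes the quantitative method useful: the laptop risk has a tiny SLE but a high ARO, so it outranks the flood, and the $12,000 flood control fails the guide's rule that you spend less than the $10,000/year ALE to mitigate.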
3.2 Monitoring & Vulnerability Analysis
You verify controls and find weaknesses through assessment. A vulnerability scan is an automated, broad check for known weaknesses (no exploitation); a penetration test goes further, actively exploiting weaknesses to prove real impact under written rules of engagement. Findings are rated with severity scores and tracked against CVE identifiers.[5]
Operationally, you monitor continuously. A SIEM aggregates and correlates logs from across the environment to detect suspicious patterns, generate alerts, and support investigations. Effective monitoring depends on a known baseline of normal behavior so anomalies stand out.
| Activity | What it does | Cadence |
|---|---|---|
| Vulnerability scan | Finds known weaknesses automatically (no exploit) | Frequent, low-risk |
| Penetration test | Exploits weaknesses to prove real impact | Periodic, authorized, scoped |
| Continuous monitoring (SIEM) | Correlates logs/events to detect anomalies | Ongoing, real-time |
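Two detections a SIEM would run over authentication logs, as an added example (not from the study guide): a baseline rule that flags a day whose failed-login count is far above that user's own history, and a correlation rule that pairs a burst of failures with a following success from the same source. The log lines are constructed in a syslog-like shape and come from no real system; the thresholds are illustrative.

```python
"""Added example (not from the study guide): baseline and correlation
detections over constructed authentication log lines.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log sample: two quiet days, then a burst from an outside address.
LOG_LINES = """\
2025-03-03T09:01:10 auth sshd: Failed password for alice from 10.0.0.5
2025-03-03T09:01:40 auth sshd: Accepted password for alice from 10.0.0.5
2025-03-04T08:58:02 auth sshd: Failed password for alice from 10.0.0.5
2025-03-04T08:58:30 auth sshd: Accepted password for alice from 10.0.0.5
2025-03-05T02:14:01 auth sshd: Failed password for alice from 203.0.113.9
2025-03-05T02:14:10 auth sshd: Failed password for alice from 203.0.113.9
2025-03-05T02:14:19 auth sshd: Failed password for alice from 203.0.113.9
2025-03-05T02:14:28 auth sshd: Failed password for alice from 203.0.113.9
2025-03-05T02:14:37 auth sshd: Failed password for alice from 203.0.113.9
2025-03-05T02:14:46 auth sshd: Failed password for alice from 203.0.113.9
2025-03-05T02:15:20 auth sshd: Accepted password for alice from 203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) auth sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, outcome, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "ok": outcome == "Accepted",
                           "user": user, "src": src})
    return events


def baseline_anomalies(events, factor=3.0, min_count=5):
    """Flag (user, day, count, baseline) where a day's failures exceed
    factor x the user's mean on earlier days AND reach an absolute floor,
    so one extra typo on a quiet day does not page anyone."""
    counts = defaultdict(int)
    for e in events:
        if not e["ok"]:
            counts[(e["user"], e["ts"].date())] += 1
    days = sorted({day for _, day in counts})
    anomalies = []
    for user in sorted({u for u, _ in counts}):
        history = []
        for day in days:
            n = counts.get((user, day), 0)
            if history:
                baseline = sum(history) / len(history)
                if n >= min_count and n > factor * baseline:
                    anomalies.append((user, day.isoformat(), n, baseline))
            history.append(n)
    return anomalies


def failures_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Correlation rule: at least `threshold` failures for one user from one
    source inside `window` before a success from that same source."""
    streams = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        streams[(e["user"], e["src"])].append(e)
    alerts = []
    for (user, src), evs in streams.items():
        for i, e in enumerate(evs):
            if not e["ok"]:
                continue
            recent = [f for f in evs[:i] if not f["ok"] and e["ts"] - f["ts"] <= window]
            if len(recent) >= threshold:
                alerts.append((user, src, e["ts"].isoformat(), len(recent)))
    return alerts


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    print("baseline anomalies:", baseline_anomalies(evs))
    print("failures-then-success:", failures_then_success(evs))
```

The baseline rule is the "known normal" the text describes: alice averages one failed login a day, so six on day three is flagged even though six failures would be unremarkable for a shared service account. The correlation rule needs no baseline at all; it fires on the shape of the sequence, and the success at the end is what turns a noisy burst into an incident worth handling.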
Checkpoint · Risk Identification, Monitoring & Analysis
A practitioner discovers that several systems are running software past its end-of-life date with no vendor patches available. What is the most appropriate first action?
Module 4 · Incident Response & Recovery
14% of the exam. When prevention fails, this domain takes over: detecting and handling incidents, preserving evidence, and recovering the business after a disruption.
4.1 Incident Response & Forensics
An incident response program follows the NIST lifecycle: Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity (lessons learned).[6] You prepare in advance (policy, the CSIRT, tooling), detect and confirm a real incident from events, contain it to limit damage, eradicate the threat and root cause, recover operations, and review to improve.
1. Preparation: build the policy, the CSIRT, tooling, and training before an incident happens.
2. Detection & Analysis: identify and confirm a real incident from events; determine scope and severity.
3. Containment: limit the spread and damage (short-term isolation, then a longer-term fix).
4. Eradication: remove the threat — malware, compromised accounts, and the root cause.
5. Recovery: restore systems to normal, validated operation and monitor for recurrence.
6. Post-Incident / Lessons Learned: review what happened and improve the plan, controls, and detection.
When an incident may lead to legal action, forensics matters. Collect evidence in order of volatility (capture memory and live data before powering off), hash it to prove integrity, and maintain a strict chain of custody — who handled the evidence, when, and how — or it may be inadmissible.
4.2 Business Continuity & DR
A business continuity plan (BCP) keeps critical functions running through a disruption; disaster recovery (DR) restores IT afterward. Both rest on the business impact analysis (BIA), which identifies critical functions and sets the recovery targets: MTD, RTO (must be shorter than MTD), and RPO (which drives backup frequency).[9]
| Term / site | Meaning | Trade-off |
|---|---|---|
| MTD | Maximum Tolerable Downtime — the absolute limit | Drives the RTO |
| RTO | Recovery Time Objective — target time to restore | Must be shorter than the MTD |
| RPO | Recovery Point Objective — acceptable data loss | Drives backup frequency |
| Hot site | Fully equipped, near-real-time failover | Fastest recovery, most expensive |
| Warm site | Hardware and connectivity, data restored on demand | Moderate cost and speed |
| Cold site | Empty space with power/cooling only | Cheapest, slowest to bring online |
Know the backup types — full (everything), incremental (changes since the last backup of any kind; fast backup, slow restore), and differential (changes since the last full; slower backup, faster restore) — and the 3-2-1 rule: three copies, on two media types, with one off-site.
| Type | Backs up | Restore |
|---|---|---|
| Full | All selected data | Fastest (one set) |
| Incremental | Changes since the last backup of any type | Slowest (full + every increment) |
| Differential | Changes since the last full backup | Faster (full + one differential) |
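The backup/restore trade-off is easy to get backwards on the exam, so here is an added example (not from the study guide) that simulates a week of full, incremental and differential backups over a constructed set of files and shows both what each backup captures and which sets a restore must read. File "contents" are modelled as the day the file was last changed; the file names and change schedule are invented.

```python
"""Added example (not from the study guide): simulate full, incremental and
differential backups to compare backup size against restore chain length.
The file names and change schedule are constructed.
"""

ALL_FILES = {"a.doc", "b.xls", "c.ppt", "d.txt", "e.pdf", "f.jpg"}

# Constructed schedule: day 0 is the Sunday full backup; each later day lists
# the files modified that day.
DAILY_CHANGES = {
    1: {"a.doc", "b.xls"},
    2: {"c.ppt"},
    3: {"a.doc", "d.txt"},
    4: {"e.pdf"},
}


def version_at(name, day):
    """Day on which `name` was last changed, as of `day` (0 = never changed)."""
    changed = [d for d in range(1, day + 1) if name in DAILY_CHANGES.get(d, ())]
    return max(changed, default=0)


def expected_state(day):
    """The live file system at the end of `day`: {file: version}."""
    return {f: version_at(f, day) for f in ALL_FILES}


def backup_contents(strategy, day):
    """What the backup taken at the end of `day` contains: {file: version}."""
    if day == 0 or strategy == "full":
        return expected_state(day)
    if strategy == "incremental":
        # everything changed since the previous backup of any kind (yesterday's)
        return {f: day for f in DAILY_CHANGES.get(day, ())}
    if strategy == "differential":
        # everything changed since the last full backup (day 0)
        changed = set().union(*(DAILY_CHANGES.get(d, set()) for d in range(1, day + 1)))
        return {f: version_at(f, day) for f in changed}
    raise ValueError(strategy)


def restore_chain(strategy, day):
    """Backup sets that must be read, in order, to rebuild the state at `day`."""
    if strategy == "full":
        return [day]
    if strategy == "incremental":
        return list(range(0, day + 1))          # full + every increment
    if strategy == "differential":
        return [0] if day == 0 else [0, day]    # full + the latest differential
    raise ValueError(strategy)


def restore(strategy, day):
    """Replay the chain oldest-first; later sets overwrite earlier versions."""
    state = {}
    for d in restore_chain(strategy, day):
        state.update(backup_contents(strategy, d))
    return state


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        sizes = [len(backup_contents(strategy, d)) for d in range(5)]
        print(f"{strategy:12s} files per backup, day 0..4 = {sizes}; "
              f"restore to day 4 reads sets {restore_chain(strategy, 4)}")
        assert restore(strategy, 4) == expected_state(4)
```

By day 4 the incremental backup holds one file while the differential holds five, which is the "fast backup" side of the trade; restoring to day 4 reads five sets for incremental and two for differential, which is the "slow restore" side. A restore that replays incrementals out of order, or skips one, silently rebuilds the wrong versions, which is why the 3-2-1 rule and periodic restore tests matter as much as the schedule.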
Checkpoint · Incident Response & Recovery
Which phase typically comes FIRST in an incident response lifecycle?
Module 5 · Cryptography
9% of the exam — the lightest domain, but high-value. Cryptography delivers confidentiality, integrity, authentication, and non-repudiation. Know the building blocks and how trust is managed.
5.1 Crypto Fundamentals
Symmetric encryption uses one shared key (AES) — fast but hard to distribute; asymmetric encryption uses a public/private key pair (RSA, ECC) — slower but it solves key exchange and enables signatures. Real systems use both (hybrid): asymmetric to exchange a fast symmetric session key.[5] For integrity, hashing produces a one-way digest (SHA-256); an HMAC adds authenticity, and passwords are protected with salting plus a slow algorithm (bcrypt, PBKDF2, Argon2).
- Confidentiality: encrypt with the RECIPIENT's PUBLIC key. Only the recipient's private key can decrypt.
- Authenticity / non-repudiation: sign with YOUR OWN PRIVATE key. Anyone can verify it with your public key.
- Integrity: hash the message (no key). Any change produces a different digest.
A digital signature hashes a message and encrypts the hash with the sender’s private key, giving integrity, authenticity, and non-repudiation. Watch the most-missed point: you encrypt with the recipient’s public key but sign with your own private key.
| Property | Symmetric | Asymmetric |
|---|---|---|
| Keys | One shared secret key | Public/private key pair |
| Speed | Fast (bulk data) | Slow (small data, key exchange) |
| Examples | AES, 3DES, ChaCha20 | RSA, ECC, Diffie-Hellman |
| Solves key exchange? | No (distribution is hard) | Yes (and enables signatures) |
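The integrity side of this section (hash, HMAC, salted slow password hash) can be shown with nothing but the Python standard library. The block below is an added example, not from the study guide: it computes a SHA-256 digest, produces and verifies an HMAC with the correct and a wrong key, and stores a password with a per-user random salt and PBKDF2. The asymmetric step (a digital signature) needs a crypto library and is not shown; the messages, keys, passwords and the PBKDF2 iteration count are constructed for the demo.

```python
"""Added example (not from the study guide): hashing, HMAC and salted PBKDF2
password storage using only the standard library. Messages, keys, passwords
and the iteration count are constructed for the demo.
"""
import hashlib
import hmac
import os

# Work factor for PBKDF2, a constructed value for the demo. A deployment tunes
# it to the slowest iteration count its login path can afford.
ITERATIONS = 200_000


def digest(data: bytes) -> str:
    """Integrity: a one-way SHA-256 digest; any change to `data` changes it."""
    return hashlib.sha256(data).hexdigest()


def tag(key: bytes, data: bytes) -> str:
    """Authenticity: an HMAC-SHA256 tag only holders of `key` can produce."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, expected: str) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(tag(key, data), expected)


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS):
    """Return (salt, derived_key). A fresh random salt per user means two users
    with the same password still get different stored hashes, and a precomputed
    table for one salt is useless against the others."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, key


def verify_password(password: str, salt: bytes, stored: bytes, iterations: int = ITERATIONS) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    msg = b"Transfer 100 to account 42"
    print("digest changes on a one-character edit:",
          digest(msg) != digest(msg.replace(b"100", b"101")))
    k = b"shared-secret"
    print("HMAC verifies with the right key:", verify_tag(k, msg, tag(k, msg)))
    print("HMAC fails with another key:", verify_tag(b"other", msg, tag(k, msg)))
    s1, h1 = hash_password("correct horse")
    s2, h2 = hash_password("correct horse")
    print("same password, different salts, different hashes:", h1 != h2)
    print("verify correct:", verify_password("correct horse", s1, h1),
          " verify wrong:", verify_password("wrong", s1, h1))
```

Two details map directly onto exam questions: a plain hash proves integrity but not origin (anyone can recompute it), which is why the HMAC takes a key; and the salt is stored next to the hash in the clear, because its job is uniqueness, not secrecy.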
5.2 PKI & Secure Protocols
PKI is the framework that manages public keys and trust. A certificate authority (CA) issues and signs digital certificates (X.509) that bind a public key to an identity; clients verify the chain of trust and check revocation via a CRL or OCSP. Secure protocols apply this in practice: TLS secures application traffic (HTTPS), IPsec secures Layer 3 (VPN tunnels), and SSH secures remote administration.
| Item | What it does |
|---|---|
| Certificate Authority (CA) | Issues and signs digital certificates; the root of trust |
| Digital certificate (X.509) | Binds a public key to a verified identity |
| CRL / OCSP | Publish which certificates have been revoked |
| TLS | Secures application traffic (HTTPS) with hybrid crypto |
| IPsec | Secures IP at Layer 3 — VPN tunnels (AH, ESP) |
| SSH | Secure remote administration and file transfer |
Checkpoint · Cryptography
Which encryption approach uses the same key to encrypt and decrypt data?
Module 6 · Network & Communications Security
16% of the exam — tied for the largest. This domain covers how data moves across networks, the attacks that target it, and the appliances and controls that defend it.
6.1 Networking & the OSI Model
The backbone here is the OSI model — seven layers from Physical to Application. The SSCP maps devices, protocols, and attacks to layers: switches at Layer 2, routers at Layer 3.[1] Defense in depth then layers controls so a single failure doesn’t expose the asset.
| Layer | Name | Examples |
|---|---|---|
| 7 | Application | HTTP, DNS, SMTP |
| 6 | Presentation | Encoding; TLS sits around layers 6/7 |
| 5 | Session | Session setup/teardown |
| 4 | Transport | TCP, UDP (ports) |
| 3 | Network | IP, routers, IPsec |
| 2 | Data Link | MAC, switches |
| 1 | Physical | Cables, signals, hubs |
Know the common protocols and their secure replacements: HTTP→HTTPS (TLS), FTP→SFTP/FTPS, Telnet→SSH, and DNS, DHCP, SMTP for naming, addressing, and mail. Network access control (NAC) checks a device’s identity and posture before letting it onto the network, and segmentation (VLANs, subnets, a DMZ) limits how far an attacker can move.
| Insecure (avoid) | Secure replacement | Purpose |
|---|---|---|
| HTTP | HTTPS (TLS) | Web traffic |
| FTP / Telnet | SFTP/FTPS / SSH | File transfer / remote admin |
| WEP | WPA3 | Wireless encryption |
| SNMPv1/2 | SNMPv3 | Network device management |
6.2 Attacks, Defenses & Wireless
Common network attacks include DoS/DDoS, spoofing, man-in-the-middle, ARP and DNS poisoning, and sniffing. The core defenses are firewalls and intrusion systems.
A firewall filters traffic against a rule set; a stateful firewall tracks connection state (smarter than a simple packet filter), and proxy/NGFW/WAF go further. An IDS detects and alerts; an IPS sits inline and can block. A VPN (IPsec or TLS) encrypts traffic across untrusted networks.
| Defense | What it does |
|---|---|
| Packet-filter firewall | Inspects each packet against rules; no memory of sessions |
| Stateful firewall | Tracks connection state; allows return traffic for known sessions |
| Proxy / NGFW / WAF | Inspects at the application layer; WAF protects web apps |
| IDS (detective) | Monitors and alerts; passive, out of band |
| IPS (preventive) | Inline; actively blocks or drops malicious traffic |
| VPN | Encrypts traffic over an untrusted network (IPsec / TLS) |
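Why "tracks connection state" matters is clearest when a stateless filter and a stateful firewall judge the same packets. The added example below (not from the study guide) enforces one constructed policy, internal hosts may open HTTPS outbound, both ways: the stateless filter has to admit any inbound packet with source port 443 to let replies through, while the stateful firewall admits only packets that reverse a flow it recorded. Addresses and ports are constructed (documentation ranges), and the classes and function names are this example's own.

```python
"""Added example (not from the study guide): a stateless packet filter and a
stateful firewall applied to the same packets. Addresses, ports and the
policy (internal 10.0.0.0/8 may open HTTPS outbound) are constructed.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def is_outbound(pkt):
    """Inside-to-outside by address; everything else is treated as inbound."""
    return (ipaddress.ip_address(pkt.src) in INTERNAL
            and ipaddress.ip_address(pkt.dst) not in INTERNAL)


def policy_allows_outbound(pkt):
    """The business rule both firewalls enforce: only HTTPS may leave the network."""
    return pkt.proto == "tcp" and pkt.dport == 443


def packet_filter(pkt):
    """Stateless filter. With no memory of sessions it must admit ANY inbound
    tcp packet whose source port is 443 so that HTTPS replies get back in."""
    if is_outbound(pkt):
        return "allow" if policy_allows_outbound(pkt) else "deny"
    if pkt.proto == "tcp" and pkt.sport == 443:
        return "allow"   # the hole a stateless reply rule opens
    return "deny"


class StatefulFirewall:
    """Records each permitted outbound flow and admits inbound packets only
    when they are the exact reverse of a recorded flow."""

    def __init__(self):
        self.table = set()

    def inspect(self, pkt):
        if is_outbound(pkt):
            if not policy_allows_outbound(pkt):
                return "deny"
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reverse in self.table else "deny"


# Constructed traffic: one legitimate HTTPS session, one unsolicited inbound
# packet that merely has source port 443, and one disallowed outbound SSH.
OUTBOUND_HTTPS = Packet("10.0.0.5", "198.51.100.7", 51000, 443)
HTTPS_REPLY = Packet("198.51.100.7", "10.0.0.5", 443, 51000)
UNSOLICITED = Packet("203.0.113.9", "10.0.0.5", 443, 22)
OUTBOUND_SSH = Packet("10.0.0.5", "198.51.100.7", 51001, 22)


def compare(packets):
    """Return {packet: (stateless verdict, stateful verdict)} in arrival order."""
    fw = StatefulFirewall()
    return {p: (packet_filter(p), fw.inspect(p)) for p in packets}


if __name__ == "__main__":
    for p, (stateless, stateful) in compare([OUTBOUND_HTTPS, HTTPS_REPLY,
                                             UNSOLICITED, OUTBOUND_SSH]).items():
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={stateless}  stateful={stateful}")
```

The one packet where the two disagree is the unsolicited inbound one: the stateless filter passes it because its rule can only look at the packet in front of it, while the stateful firewall denies it because no internal host ever opened that flow. That is the whole argument for stateful inspection as the default, with packet filters reserved for simple perimeter pre-filtering.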
Secure wireless with WPA3 (or WPA2-Enterprise with 802.1X/EAP), and watch for rogue access points and evil-twin attacks. Apply the same hardening discipline to IoT devices, which often ship insecure by default.
Checkpoint · Network & Communications Security
At which layer of the OSI model does a router primarily operate?
Module 7 · Systems & Application Security
15% of the exam. This domain is about securing the endpoints, applications, and platforms where work happens — from malware defense to cloud and virtualization.
7.1 Malware & Endpoint Security
Know the types and how they differ: a virus needs a user to run an infected file; a worm self-replicates across networks with no user action; a trojan hides in legitimate-looking software; ransomware encrypts data for extortion; and a rootkit hides itself with deep system access. The leading delivery method is social engineering, especially phishing.
Defend endpoints with EDR and anti-malware, host firewalls, application allowlisting, patch management, and hardening (remove unneeded services, secure configuration, baselines). Manage mobile devices with mobile device management (MDM) — enforcing passcodes, encryption, and remote wipe — and contain BYOD with containerization.
| Type | How it spreads / behaves |
|---|---|
| Virus | Attaches to a file; needs a user to run it |
| Worm | Self-replicates across networks; no user action |
| Trojan | Disguised as legitimate software; hidden payload |
| Ransomware | Encrypts data and demands payment |
| Rootkit | Deep, privileged access; hides its presence |
| Logic bomb | Dormant until a trigger condition is met |
7.2 Cloud & Virtualization Security
In the cloud, the shared responsibility model splits security duties: the provider always secures the underlying infrastructure, and the customer always owns its data, identities, and configuration. How much else the customer manages depends on the service model.[10]
- IaaS: you secure the OS, apps, and data; the provider secures the hardware, network, and hypervisor. Most customer responsibility.
- PaaS: you secure your apps and data; the provider also manages the OS and runtime. Shared in the middle.
- SaaS: the provider secures almost everything; you mainly manage your data, access, and configuration. Least customer responsibility.
Virtualization adds its own risks. A hypervisor runs the virtual machines (Type 1 on bare metal, Type 2 on a host OS); the most serious threat is a VM escape, where code breaks out of a guest VM to reach the hypervisor or other VMs. Watch for VM sprawl and insecure snapshots, and patch and isolate the hypervisor — compromising it exposes every VM on the host.
| Model | Customer secures | Example |
|---|---|---|
| IaaS | OS, apps, data, and configuration | Cloud virtual machines |
| PaaS | Apps and data | Managed app/database platform |
| SaaS | Mainly data, access, and settings | Hosted email / CRM |
Checkpoint · Systems & Application Security
Which input validation flaw allows an attacker to insert malicious SQL into a query, potentially exposing or altering database data?
How to Use This SSCP Study Guide
This guide is built to be worked, not just read. The most efficient path to a pass:
- Study by weight, but cover all seven. Lead with the two 16% domains (Security Concepts & Practices and Network & Communications Security), but no domain is small enough to skip — even Cryptography (9%) carries easy points.
- Think like a practitioner. The SSCP tests how you implement and operate controls — the hands-on answer, not just the high-level policy.
- Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
- Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
- Drill the weak domain. Send your weak area into the flashcards and a practice test until the score climbs comfortably above 700.
SSCP Concept Questions
Common SSCP concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.
SSCP Glossary
The high-yield SSCP terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.
- AAA
- Authentication, Authorization, and Accounting — the framework that proves identity, grants access, and logs activity.
- Accountability
- Tying actions back to a specific identity through logging and monitoring.
- Administrative control
- A managerial control such as a policy, procedure, training, or background check.
- Annualized Loss Expectancy (ALE)
- The expected yearly cost of a risk: ALE = SLE × ARO. Used to cost-justify controls.
- Annualized Rate of Occurrence (ARO)
- The expected number of times a specific risk event will occur in one year.
- Asymmetric encryption
- Encryption using a public/private key pair (e.g., RSA, ECC); solves key exchange and enables digital signatures.
- Attribute-based access control (ABAC)
- Access decided by attributes and policy (user, resource, time, location); the most granular.
- Authentication
- Proving a claimed identity with a credential (knowledge, possession, or inherence factor).
- Authorization
- Determining what an authenticated identity is permitted to access and do.
- Availability
- Ensuring authorized users have timely, reliable access to systems and data; protected by redundancy, backups, and fault tolerance.
- Business continuity plan (BCP)
- A plan to keep critical business functions operating during and after a disruption.
- Business Impact Analysis (BIA)
- An analysis that identifies critical functions and sets recovery objectives (MTD, RTO, RPO).
- Certificate Authority (CA)
- A trusted entity that issues and signs digital certificates binding a public key to an identity.
- Chain of custody
- Documentation showing who handled evidence and when, preserving its integrity for legal use.
- Change management
- A controlled process for requesting, evaluating, approving, and documenting changes to systems.
- CIA triad
- The three core goals of information security: Confidentiality (no unauthorized disclosure), Integrity (no unauthorized modification), and Availability (timely, reliable access for authorized users).
- Compensating control
- An alternative control used when the primary control is not feasible (e.g., extra monitoring).
- Confidentiality
- Preventing the unauthorized disclosure of data; protected primarily by encryption and access controls.
- Crossover Error Rate (CER)
- The point where FAR equals FRR; a lower CER means a more accurate biometric system.
- CSIRT
- Computer Security Incident Response Team — the group that handles security incidents.
- CVSS
- The Common Vulnerability Scoring System — a standard 0–10 score for the severity of a vulnerability.
- Data classification
- Labeling data by sensitivity (e.g., public, confidential, secret) so the right protection is applied.
- Data custodian
- The party (usually IT) that implements and maintains the controls protecting data day to day.
- Data owner
- The senior business manager accountable for data, who sets its classification and protection requirements.
- Data remanence
- Residual data that remains on media after deletion or formatting and may be recoverable.
- Defense in depth
- Layering multiple, overlapping controls so that if one fails, others still protect the asset.
- Detective control
- A control that identifies an incident in progress or after it occurs (e.g., logs, an IDS, CCTV).
- Digital certificate
- An X.509 document that binds a public key to a verified identity, signed by a CA.
- Digital signature
- A hash of a message encrypted with the sender's private key, providing integrity, authenticity, and non-repudiation.
- Disaster recovery (DR)
- The processes and procedures to restore IT systems and operations after a disruptive event.
- Discretionary access control (DAC)
- Access decided by the data owner (e.g., file permissions, ACLs).
- DMZ
- A screened subnet that hosts public-facing services, isolating them from the internal network.
- Dual control
- Requiring two authorized people to act together to perform a single sensitive operation.
- Due care
- Acting on due diligence by implementing and maintaining reasonable controls — the prudent-person rule.
- Due diligence
- Doing the research and developing the plans and policies needed to protect the organization.
- EDR
- Endpoint Detection and Response — software that continuously monitors endpoints to detect and respond to threats.
- False Acceptance Rate (FAR)
- How often a biometric system wrongly accepts an impostor (a Type II error) — the security risk.
- False Rejection Rate (FRR)
- How often a biometric system wrongly rejects a legitimate user (a Type I error) — the usability problem.
- Firewall
- A device or software that filters network traffic against a rule set to enforce a security boundary.
- Hashing
- A one-way function producing a fixed-length digest used to verify integrity (e.g., SHA-256); not reversible.
- HMAC
- A keyed hash that provides both integrity and authenticity of a message.
- Hypervisor
- Software that creates and runs virtual machines; Type 1 runs on bare metal, Type 2 on a host OS.
- Identification
- A subject claiming an identity (e.g., a username) — the first step of access control.
- IDS
- Intrusion Detection System — passively monitors and alerts on suspicious activity but does not block it.
- Incident response
- The structured process to detect, respond to, recover from, and learn from a security incident.
- Integrity
- Ensuring data is accurate and unaltered except by authorized parties; protected by hashing, signatures, and change control.
- IPS
- Intrusion Prevention System — sits inline and can actively block or drop malicious traffic.
- IPsec
- A protocol suite that secures IP traffic at Layer 3, used for VPN tunnels (AH and ESP).
- ISC2 Code of Ethics
- Four canons every SSCP must follow, applied in order: protect society and the infrastructure; act honorably; provide diligent service to principals; advance and protect the profession.
- Job rotation
- Periodically moving staff between duties to detect fraud and reduce dependence on any one person.
- Kerberos
- A symmetric-key SSO authentication protocol using tickets and a Key Distribution Center (KDC).
- Least privilege
- Granting users and processes only the minimum access needed to do their job, and nothing more.
- Malware
- Malicious software — viruses, worms, trojans, ransomware, rootkits, spyware, and logic bombs.
- Mandatory access control (MAC)
- Access enforced by the system from labels and clearances; rigid and high-security.
- Mandatory vacation
- Requiring employees to take time off so that hidden fraudulent activity can surface in their absence.
- Maximum Tolerable Downtime (MTD)
- The longest time a business function can be unavailable before unacceptable harm occurs.
- Media sanitization
- Removing data from media via clearing, purging, or destruction so it cannot be recovered (NIST SP 800-88).
- Mobile device management (MDM)
- Software that enforces security policy on mobile devices (passcodes, encryption, remote wipe).
- Multi-factor authentication (MFA)
- Using two or more factors from different categories — something you know, have, and are.
- Need-to-know
- Limiting access to the specific information a person requires for their role, even within their clearance.
- Network access control (NAC)
- Technology that checks a device's posture and identity before allowing it onto the network.
- Non-repudiation
- Assurance that a party cannot deny having performed an action, achieved through digital signatures and logging.
- Order of volatility
- The order in which to collect evidence by how quickly it disappears — capture memory before disk before backups.
- OSI model
- A seven-layer reference model for networking: Physical, Data Link, Network, Transport, Session, Presentation, Application.
- Patch management
- The process of acquiring, testing, and applying software updates to fix vulnerabilities.
- Penetration test
- An authorized, simulated attack that actively exploits weaknesses to demonstrate real impact.
- Phishing
- A social-engineering attack that uses fraudulent messages to trick users into revealing data or installing malware.
- Physical control
- A control that protects the physical environment, such as locks, guards, fences, or cameras.
- Preventive control
- A control that stops an incident before it happens (e.g., a lock, MFA, or input validation).
- Privileged access management (PAM)
- Controls that secure, monitor, and limit accounts with elevated (admin) privileges.
- Public Key Infrastructure (PKI)
- The framework of certificate authorities, certificates, and policies that manages public keys and trust.
- RADIUS
- A protocol that centralizes authentication, authorization, and accounting (AAA) for network access, so switches, access points, and VPN gateways defer login decisions to one server.
- Ransomware
- Malware that encrypts a victim's data and demands payment for the decryption key.
- Recovery Point Objective (RPO)
- The maximum acceptable amount of data loss measured backward in time; drives backup frequency.
- Recovery Time Objective (RTO)
- The targeted time to restore a system or function after a disruption; must be shorter than the MTD.
- Residual risk
- The risk that remains after controls are applied; senior management formally accepts it.
- Risk
- The likelihood that a threat will exploit a vulnerability, and the resulting impact on an asset.
- Risk appetite
- The amount and type of risk an organization is willing to accept in pursuit of its objectives.
- Role-based access control (RBAC)
- Access granted by job role rather than the individual; scales well in enterprises.
- Rootkit
- Malware that gains deep, privileged access and hides its presence from the operating system.
- Salting
- Adding random data to a password before hashing so identical passwords produce different hashes.
- Separation of duties
- Splitting a sensitive task so no single person can complete it alone, reducing fraud and error.
- Shared responsibility model
- The split of cloud security duties between the provider (infrastructure) and the customer (data, access, config).
- SIEM
- Security Information and Event Management — a system that aggregates and correlates logs for detection and analysis.
- Single Loss Expectancy (SLE)
- The expected monetary loss from a single occurrence of a risk: SLE = Asset Value × Exposure Factor.
- Single sign-on (SSO)
- One authentication that grants access to multiple systems (e.g., via Kerberos or SAML).
- Stateful firewall
- A firewall that tracks the state of active connections and allows only traffic that fits a known session.
- Symmetric encryption
- Encryption using one shared secret key for both encrypting and decrypting (e.g., AES); fast, but key distribution is hard.
- System hardening
- Reducing a system's attack surface by removing unneeded services, applying secure configuration, and patching.
- Technical control
- A logical control implemented in technology, such as a firewall, encryption, or access control list.
- Threat
- Any potential event or actor that could cause harm to an asset by exploiting a vulnerability.
- Transport Layer Security (TLS)
- The protocol that secures application traffic (e.g., HTTPS) using hybrid cryptography: asymmetric key exchange to establish a session key, then symmetric encryption for the data.
- Trojan
- Malware disguised as legitimate software to trick a user into installing a hidden payload.
- Virus
- Malware that attaches to a file and requires a user to run it in order to spread.
- VM escape
- An attack that breaks out of a guest virtual machine to reach the hypervisor or other VMs.
- VPN
- A Virtual Private Network that creates an encrypted tunnel over an untrusted network (e.g., IPsec or TLS).
- Vulnerability
- A weakness in a system, process, or control that a threat can exploit.
- Vulnerability scan
- An automated check that identifies known weaknesses without exploiting them.
- Worm
- Self-replicating malware that spreads across networks on its own, with no user action.
- WPA3
- The current Wi-Fi security standard, providing strong encryption and protection against offline dictionary attacks on the passphrase.
- Zero trust
- A model that trusts no user or device by default and verifies every access request continuously.
SSCP Study Guide FAQ
Under the ISC2 outline effective October 1, 2025, the SSCP uses Computerized Adaptive Testing (CAT): 100 to 125 items in 2 hours. The number you see varies because the test adapts to your performance, and some items are unscored pretest questions. It includes multiple-choice and advanced item types.
From the 2025 ISC2 outline: Security Concepts and Practices (16%), Access Controls (15%), Risk Identification, Monitoring and Analysis (15%), Incident Response and Recovery (14%), Cryptography (9%), Network and Communications Security (16%), and Systems and Application Security (15%).
You need a scaled score of 700 out of 1000 points to pass. Because the exam uses adaptive scoring, a raw question count does not translate directly to a percentage; the 700 threshold reflects a consistent ability standard across exam versions.
You need at least one year of cumulative paid work experience in one or more of the seven SSCP domains. A relevant post-secondary degree can waive that year. Without the experience, you can pass the exam and become an Associate of ISC2, then earn the required year within two years.
Study by weight, but cover all seven domains. Security Concepts & Practices and Network & Communications Security are the largest (16% each), so invest there, then work through Access Controls, Risk, Incident Response, Systems & Application Security, and Cryptography. Read each module, take the checkpoint, then drill gaps with our free practice test and flashcards.
The standard exam fee is about $599 USD in the Americas; treat that as a dated figure and confirm current pricing at registration. After certifying, you recertify every three years by earning 60 Continuing Professional Education (CPE) credits and paying an annual maintenance fee of $135.
The SSCP is a hands-on, technical practitioner certification requiring one year of experience, while the CISSP is a senior, managerial credential requiring five years. The SSCP covers seven domains focused on implementing and operating security; the CISSP covers eight broader domains with a manager's-mindset focus. Many professionals earn the SSCP first.
The SSCP is issued by ISC2 and delivered at Pearson VUE test centers. This study guide, the checkpoints, the glossary, the practice test, and the flashcards are 100% free with no account required.
References
- 1. ISC2. “SSCP Certification Exam Outline (effective October 1, 2025).” isc2.org.
- 2. ISC2. “SSCP — Systems Security Certified Practitioner.” isc2.org.
- 3. ISC2. “ISC2 Code of Ethics.” isc2.org.
- 4. National Institute of Standards and Technology (NIST). “SP 800-30 Rev. 1: Guide for Conducting Risk Assessments.” csrc.nist.gov.
- 5. National Institute of Standards and Technology (NIST). “SP 800-53 Rev. 5: Security and Privacy Controls.” csrc.nist.gov.
- 6. National Institute of Standards and Technology (NIST). “SP 800-61 Rev. 2: Computer Security Incident Handling Guide.” csrc.nist.gov.
- 7. National Institute of Standards and Technology (NIST). “SP 800-63: Digital Identity Guidelines.” csrc.nist.gov.
- 8. National Institute of Standards and Technology (NIST). “SP 800-88 Rev. 1: Guidelines for Media Sanitization.” csrc.nist.gov.
- 9. National Institute of Standards and Technology (NIST). “SP 800-34 Rev. 1: Contingency Planning Guide.” csrc.nist.gov.
- 10. National Institute of Standards and Technology (NIST). “SP 800-145: The NIST Definition of Cloud Computing.” csrc.nist.gov.
- 101. National Institute of Standards and Technology (NIST). “SP 800-115: Technical Guide to Information Security Testing.” csrc.nist.gov, accessed 19 June 2026.
- 102. National Institute of Standards and Technology (NIST). “Cryptographic Standards and Guidelines.” csrc.nist.gov, accessed 19 June 2026.
- 103. National Institute of Standards and Technology (NIST). “SP 800-94: Guide to Intrusion Detection and Prevention Systems.” csrc.nist.gov, accessed 19 June 2026.
- 104. National Institute of Standards and Technology (NIST). “SP 800-41 Rev. 1: Guidelines on Firewalls and Firewall Policy.” csrc.nist.gov, accessed 19 June 2026.
- 105. National Institute of Standards and Technology (NIST). “SP 800-83 Rev. 1: Guide to Malware Incident Prevention and Handling.” csrc.nist.gov, accessed 19 June 2026.
- 106. National Institute of Standards and Technology (NIST). “SP 800-125: Guide to Security for Full Virtualization Technologies.” csrc.nist.gov, accessed 19 June 2026.