Career Employer

FREE SSCP Study Guide 2026: All 7 Domains

The most important things the SSCP tests — an interactive study guide with built-in quizzes and flashcards, organized by all 7 ISC2 domains.


This free SSCP study guide walks through every content domain the Systems Security Certified Practitioner exam tests, organized to the current ISC2 exam outline (effective October 1, 2025).[1]

It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.

The SSCP tests seven official domains, and we teach each as its own study module, leading with the heaviest-weighted content. The SSCP is the hands-on, technical counterpart to the CISSP — it proves you can implement and operate security controls, where the CISSP proves you can manage a program.

Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview that maps the official content — not a full security textbook.

SSCP is one of the 9 ISC2 certifications — explore our ISC2 study guides to compare and prep across the whole family.

SSCP Exam Snapshot

SSCP exam at a glance
Detail | SSCP Exam
Questions | 100–125 items (adaptive CAT; includes unscored pretest items)
Format | Computerized Adaptive Testing (CAT); multiple choice + advanced items
Time | 2 hours
Passing score | 700 out of 1000 points (scaled)
Administered by | ISC2, delivered at Pearson VUE
Certifying body | ISC2 (formerly (ISC)²)
Eligibility | 1 year experience in 1+ domain (degree waiver); or Associate of ISC2
Cost | About $599 USD (Americas) — verify at registration
Recertification | Every 3 years — 60 CPE credits + $135 annual maintenance fee
Outline version | Effective October 1, 2025

The SSCP covers seven domains, and the weights are fairly even — no single domain dominates. Security Concepts & Practices and Network & Communications Security tie for the most at 16% each, while Cryptography is the lightest at 9%.[1] Study by weight:

SSCP weighting by domain (ISC2 exam outline, 2025)
Security Concepts & Practices | 16% · Domain 1
Network & Communications Security | 16% · Domain 6
Access Controls | 15% · Domain 2
Risk Identification, Monitoring & Analysis | 15% · Domain 3
Systems & Application Security | 15% · Domain 7
Incident Response & Recovery | 14% · Domain 4
Cryptography | 9% · Domain 5

Module 1 · Security Concepts & Practices

16% of the exam — tied for the largest domain. This domain is the foundation of the whole SSCP: the goals of security, the controls used to achieve them, the ethics you must uphold, and the housekeeping (asset and change management) that keeps an environment secure over time.

1.1 CIA Triad & Core Concepts

Everything starts with the CIA triad. Confidentiality prevents unauthorized disclosure (encryption, access control); integrity prevents unauthorized change (hashing, digital signatures); and availability keeps systems reachable for authorized users (redundancy, backups). The SSCP adds accountability (tying actions to an identity) and non-repudiation (proof an action can’t be denied).

Three principles limit access and abuse: least privilege (only the minimum access needed), need-to-know (only the specific data required), and separation of duties (no one person controls a sensitive task end to end). Related fraud controls are dual control, job rotation, and mandatory vacation.

Core fraud-prevention and access principles
Principle | What it does
Least privilege | Grant only the minimum access an identity needs to do its job
Need-to-know | Limit access to the specific information required, even within a clearance
Separation of duties | Split a sensitive task so no one person can complete it alone
Dual control | Require two people to act together on one sensitive operation
Job rotation | Rotate staff between duties to surface fraud and reduce single-person dependence
Mandatory vacation | Force time off so hidden fraudulent activity can surface

1.2 Ethics, Governance & Controls

Every SSCP signs the ISC2 Code of Ethics. Its four canons are applied in order: (1) protect society and the infrastructure, (2) act honorably, (3) provide diligent service to principals, and (4) advance the profession. When two canons conflict, the earlier one wins.[3] Governance also rests on due diligence (doing the research and building the plan) and due care (acting on it) — together the “prudent-person rule.”

Controls are classified two ways: by category — administrative, technical, and physical — and by function: preventive, detective, corrective, deterrent, compensating, and recovery. Expect to classify a given control by both.

Security control categories and functions
Control | Category | Function
Security-awareness training | Administrative | Preventive
Firewall / encryption | Technical (logical) | Preventive
Intrusion Detection System (IDS) | Technical | Detective
CCTV camera | Physical | Detective / deterrent
Backups (restore after loss) | Technical | Recovery / corrective
Extra monitoring in place of segregation | Administrative | Compensating

1.3 Asset & Change Management

Protecting assets starts with data classification — labeling data by sensitivity so the right protection is applied. The data owner (a senior manager) is accountable and sets the classification; the data custodian (usually IT) implements the controls day to day. At end of life you must defeat data remanence with proper media sanitization: clearing (overwrite for reuse), purging (degauss/strong overwrite to release externally), or destruction (shred, pulverize, incinerate).[8]

Change management keeps the environment stable and secure: every change is requested (an RFC), evaluated, approved by a change control board, tested, documented, and given a rollback plan. Uncontrolled change is a leading cause of outages and security gaps.

Media sanitization levels (NIST SP 800-88)
Level | How | When to use
Clear | Overwrite the media | Reuse within the organization
Purge | Degauss or strong overwrite/crypto-erase | Release media outside the organization
Destroy | Shred, pulverize, incinerate, or melt | The most sensitive data; media won't be reused

Checkpoint · Security Concepts & Practices

A security administrator is asked to enforce a policy that no single employee can both create a vendor record and approve payments to that vendor. Which security principle does this enforce?

Module 2 · Access Controls

15% of the exam. Access control is how the right people — and only the right people — get to the right resources. This domain covers proving identity, the models that decide who can do what, and managing identities through their lifecycle.

2.1 Identity & Authentication

Access control is a sequence: identification (claim an identity) → authentication (prove it) → authorization (what you may do) → accounting (log it) — together AAA.[7] Strong authentication means multi-factor authentication (MFA): combining factors from different categories — something you know (password), have (token), and are (biometric).

Biometrics are judged by error rates: the False Acceptance Rate (FAR) (wrongly admits an impostor — the security risk), the False Rejection Rate (FRR) (wrongly rejects a real user — the usability problem), and the Crossover Error Rate (CER), where the two are equal. A lower CER is a more accurate system. Enterprises tie identities together with Kerberos (ticket-based), SAML (web federation), and OAuth/OIDC — and centralize network logins with RADIUS or TACACS+.

The three authentication factor categories
Factor | Type | Examples
Something you know | Knowledge | Password, PIN, passphrase
Something you have | Possession | Smart card, hardware token, phone
Something you are | Inherence (biometric) | Fingerprint, iris, face

2.2 Access Control Models

Authorization is enforced through access control models. The four you must know are DAC (the owner decides), MAC (the system enforces from labels/clearances), RBAC (by job role), and ABAC (by attributes and policy — the most granular).

Modern environments add zero trust — never trust, always verify, even inside the network — and privileged access management (PAM) to tightly control, monitor, and time-limit admin accounts (a top target for attackers). Provision, periodically review, and promptly deprovision identities across the lifecycle so no orphaned accounts linger.

Access control models compared
Model | Who decides access | Best for
DAC | The data owner (ACLs, file permissions) | Flexible commercial environments
MAC | The system, from labels and clearances | Classified / high-security data
RBAC | Job role, not the individual | Large enterprises (scales well)
ABAC | Attributes and policy (user, time, location) | Fine-grained, dynamic access

Checkpoint · Access Controls

An employee leaves the company. To prevent lingering access, which action is most important during offboarding?

Module 3 · Risk Identification, Monitoring & Analysis

15% of the exam. This domain is about understanding risk, treating it, and then watching the environment to catch problems early — assessments, vulnerability management, and monitoring.

3.1 Risk Management

Risk is the chance a threat exploits a vulnerability to harm an asset — often expressed as likelihood × impact. You assess it two ways: qualitative (subjective high/medium/low — fast) and quantitative (dollar-based, using formulas). Quantitatively, the Single Loss Expectancy (SLE) = Asset Value × Exposure Factor; the Annualized Rate of Occurrence (ARO) is events per year; and the Annualized Loss Expectancy (ALE) = SLE × ARO.[4]

Once you know the risk, pick a treatment: mitigate (add controls), transfer (insurance), avoid (stop the activity), or accept (tolerate it with management sign-off). Whatever you do, residual risk remains, and a control should never cost more than the asset it protects. What an organization will tolerate is its risk appetite.

The four risk treatment options
Treatment | What you do | Example
Mitigate (reduce) | Add controls to lower likelihood or impact | Deploy MFA to reduce account takeover
Transfer | Shift the financial impact to a third party | Buy cyber-insurance
Avoid | Stop the activity that creates the risk | Discontinue a risky product feature
Accept | Formally tolerate the residual risk | Management signs off on a low-impact risk
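The SLE/ARO/ALE formulas above, worked through as an added example (not code from this guide): it computes the three figures for a risk, then decides whether a candidate control is worth its annual cost. All asset values, exposure factors, rates and control costs are constructed sample figures.

```python
"""Quantitative risk: SLE, ARO, ALE and whether a control is worth its cost.

Added example for the risk-management section of this guide; not code from
the page. Asset values, exposure factors, rates and control costs below are
constructed sample figures.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset, in dollars
    exposure_factor: float  # EF: fraction of the asset lost in one event (0.0 to 1.0)
    aro: float              # ARO: expected number of events per year

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x Exposure Factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # What the control changes; None leaves that factor as it was.
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None

    def residual(self, risk: Risk) -> Risk:
        """The risk that remains once this control is in place (residual risk)."""
        return replace(
            risk,
            exposure_factor=(risk.exposure_factor if self.new_exposure_factor is None
                             else self.new_exposure_factor),
            aro=risk.aro if self.new_aro is None else self.new_aro,
        )


def control_value(risk: Risk, control: Control) -> float:
    """Annual value of a control = ALE before - ALE after - annual cost of the control.

    Positive: the control prevents more loss than it costs (mitigate).
    Negative: the control costs more than the loss it prevents, so the
    organization should transfer, avoid or accept the risk instead.
    """
    return risk.ale() - control.residual(risk).ale() - control.annual_cost


def recommend(risk: Risk, control: Control) -> str:
    """Map the cost-benefit result onto a treatment choice."""
    return "mitigate" if control_value(risk, control) > 0 else "transfer, avoid, or accept"


# Constructed scenarios (hypothetical figures, not from the guide).
RANSOMWARE = Risk("ransomware on the file server", asset_value=500_000,
                  exposure_factor=0.4, aro=0.5)
OFFLINE_BACKUPS = Control("offline, tested backups", annual_cost=15_000,
                          new_exposure_factor=0.1)

LAPTOP_THEFT = Risk("theft of an encrypted laptop", asset_value=2_000,
                    exposure_factor=1.0, aro=2.0)
GPS_TRACKING = Control("GPS tracking service", annual_cost=5_000, new_aro=0.5)

if __name__ == "__main__":
    for risk, control in ((RANSOMWARE, OFFLINE_BACKUPS), (LAPTOP_THEFT, GPS_TRACKING)):
        print(f"{risk.name}: SLE=${risk.sle():,.0f} ARO={risk.aro} ALE=${risk.ale():,.0f}")
        print(f"  {control.name}: value=${control_value(risk, control):,.0f}"
              f" -> {recommend(risk, control)}")
```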

3.2 Monitoring & Vulnerability Analysis

You verify controls and find weaknesses through assessment. A vulnerability scan is an automated, broad check for known weaknesses (no exploitation); a penetration test goes further, actively exploiting weaknesses to prove real impact under written rules of engagement. Findings are rated with severity scores and tracked against CVE identifiers.[5]

Operationally, you monitor continuously. A SIEM aggregates and correlates logs from across the environment to detect suspicious patterns, generate alerts, and support investigations. Effective monitoring depends on a known baseline of normal behavior so anomalies stand out.

Scan vs. test vs. monitor
Activity | What it does | Cadence
Vulnerability scan | Finds known weaknesses automatically (no exploit) | Frequent, low-risk
Penetration test | Exploits weaknesses to prove real impact | Periodic, authorized, scoped
Continuous monitoring (SIEM) | Correlates logs/events to detect anomalies | Ongoing, real-time

Checkpoint · Risk Identification, Monitoring & Analysis

A practitioner discovers that several systems are running software past its end-of-life date with no vendor patches available. What is the most appropriate first action?

Module 4 · Incident Response & Recovery

14% of the exam. When prevention fails, this domain takes over: detecting and handling incidents, preserving evidence, and recovering the business after a disruption.

4.1 Incident Response & Forensics

An incident response program follows the NIST lifecycle: Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity (lessons learned).[6] You prepare in advance (policy, the CSIRT, tooling), detect and confirm a real incident from events, contain it to limit damage, eradicate the threat and root cause, recover operations, and review to improve.

When an incident may lead to legal action, forensics matters. Collect evidence in order of volatility (capture memory and live data before powering off), hash it to prove integrity, and maintain a strict chain of custody — who handled the evidence, when, and how — or it may be inadmissible.

4.2 Business Continuity & DR

A business continuity plan (BCP) keeps critical functions running through a disruption; disaster recovery (DR) restores IT afterward. Both rest on the Business Impact Analysis (BIA), which identifies critical functions and sets the recovery targets: MTD, RTO (must be shorter than MTD), and RPO (which drives backup frequency).[9]

Recovery objectives and recovery sites
Term / site | Meaning | Trade-off
MTD | Maximum Tolerable Downtime — the absolute limit | Drives the RTO
RTO | Recovery Time Objective — target time to restore | Must be shorter than the MTD
RPO | Recovery Point Objective — acceptable data loss | Drives backup frequency
Hot site | Fully equipped, near-real-time failover | Fastest recovery, most expensive
Warm site | Hardware and connectivity, data restored on demand | Moderate cost and speed
Cold site | Empty space with power/cooling only | Cheapest, slowest to bring online

Know the backup types — full (everything), incremental (changes since the last backup of any kind; fast backup, slow restore), and differential (changes since the last full; slower backup, faster restore) — and the 3-2-1 rule: three copies, on two media types, with one off-site.

Backup types compared
Type | Backs up | Restore
Full | All selected data | Fastest (one set)
Incremental | Changes since the last backup of any type | Slowest (full + every increment)
Differential | Changes since the last full backup | Faster (full + one differential)
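An added example (not code from this guide) that makes the restore trade-off concrete: given a backup schedule, it works out which backup sets a restore needs and in what order, following the dependency rules stated above (an incremental depends on the backup just before it, a differential on the last full). The two weekly schedules are constructed sample data.

```python
"""Restore chain for full, incremental and differential backups.

Added example for the backup-types section of this guide; not code from the
page. The two backup schedules below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Backup:
    day: int   # day number in the schedule (0 = first full backup)
    kind: str  # "full", "incremental" or "differential"


def restore_chain(backups: List[Backup], failure_day: int) -> List[Backup]:
    """Return the backup sets, in the order they must be applied, needed to
    recover to the most recent backup taken on or before failure_day.

    Dependency rules (as the guide describes the three types):
      full          depends on nothing
      differential  depends on the most recent full before it
      incremental   depends on the backup immediately before it (any kind)
    """
    available = sorted((b for b in backups if b.day <= failure_day), key=lambda b: b.day)
    if not available:
        raise ValueError("no backup exists on or before the failure day")

    chain: List[Backup] = []
    i = len(available) - 1          # start from the newest usable backup
    while True:
        current = available[i]
        chain.append(current)
        if current.kind == "full":
            break
        if current.kind == "differential":
            fulls = [j for j in range(i) if available[j].kind == "full"]
            if not fulls:
                raise ValueError(f"differential on day {current.day} has no earlier full")
            i = fulls[-1]
        elif current.kind == "incremental":
            i -= 1
            if i < 0:
                raise ValueError(f"incremental on day {current.day} has no earlier backup")
        else:
            raise ValueError(f"unknown backup kind {current.kind!r}")
    chain.reverse()                 # apply the oldest set (the full) first
    return chain


def data_loss_days(backups: List[Backup], failure_day: int) -> int:
    """Days of work lost: the gap between the failure and the newest usable
    backup. Keeping this inside the RPO is what sets backup frequency."""
    newest = restore_chain(backups, failure_day)[-1]
    return failure_day - newest.day


# Constructed schedules: a full backup on day 0 and day 7, with either
# incrementals or differentials on the six days in between.
INCREMENTAL_WEEK = ([Backup(0, "full")]
                    + [Backup(d, "incremental") for d in range(1, 7)]
                    + [Backup(7, "full")])
DIFFERENTIAL_WEEK = ([Backup(0, "full")]
                     + [Backup(d, "differential") for d in range(1, 7)]
                     + [Backup(7, "full")])

if __name__ == "__main__":
    for name, schedule in (("incremental", INCREMENTAL_WEEK), ("differential", DIFFERENTIAL_WEEK)):
        chain = restore_chain(schedule, failure_day=5)
        print(f"{name}: restore after a day-5 failure needs {len(chain)} sets:",
              [f"{b.kind}@day{b.day}" for b in chain])
```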

Checkpoint · Incident Response & Recovery

Which phase typically comes FIRST in an incident response lifecycle?

Module 5 · Cryptography

9% of the exam — the lightest domain, but high-value. Cryptography delivers confidentiality, integrity, authentication, and non-repudiation. Know the building blocks and how trust is managed.

5.1 Crypto Fundamentals

Symmetric encryption uses one shared key (AES) — fast but hard to distribute; asymmetric encryption uses a public/private key pair (RSA, ECC) — slower but it solves key exchange and enables signatures. Real systems use both (hybrid): asymmetric to exchange a fast symmetric session key.[5] For integrity, hashing produces a one-way digest (SHA-256); an HMAC adds authenticity, and passwords are protected with salting plus a slow algorithm (bcrypt, PBKDF2, Argon2).

A digital signature hashes a message and encrypts the hash with the sender’s private key, giving integrity, authenticity, and non-repudiation. Watch the most-missed point: you encrypt with the recipient’s public key but sign with your own private key.

Symmetric vs. asymmetric encryption
Property | Symmetric | Asymmetric
Keys | One shared secret key | Public/private key pair
Speed | Fast (bulk data) | Slow (small data, key exchange)
Examples | AES, 3DES, ChaCha20 | RSA, ECC, Diffie-Hellman
Solves key exchange? | No (distribution is hard) | Yes (and enables signatures)
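An added example (not code from this guide) showing the three integrity mechanisms from 5.1 side by side with only the Python standard library: a plain SHA-256 digest, which anyone can recompute; an HMAC, which needs the shared key and so also proves authenticity; and salted PBKDF2 password hashing, where the same password never yields the same stored hash. The message, key and passwords are constructed sample values.

```python
"""Hash vs. HMAC vs. salted password hashing, using only the standard library.

Added example for the crypto-fundamentals section of this guide; not code from
the page. Keys, messages and passwords below are constructed sample values.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # the "slow algorithm" knob; tune upward in production


def sha256_digest(data: bytes) -> str:
    """Plain hash: anyone can recompute it, so it proves integrity only."""
    return hashlib.sha256(data).hexdigest()


def make_hmac(key: bytes, data: bytes) -> str:
    """Keyed hash: only a holder of the key can produce a valid tag, so it
    proves authenticity as well as integrity."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(make_hmac(key, data), tag)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Salt plus PBKDF2: identical passwords get different hashes, and every
    guess costs an attacker PBKDF2_ITERATIONS hash operations."""
    if salt is None:
        salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, derived.hex()


def verify_password(password: str, salt: bytes, stored_hex: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hex)


def demo() -> Dict[str, bool]:
    """Run the checks the guide describes and return each outcome."""
    message = b"transfer 100 USD to account 42"   # constructed sample message
    tampered = message.replace(b"100", b"900")
    key = b"constructed-shared-secret"
    tag = make_hmac(key, message)

    # An attacker who alters the message can simply recompute a plain hash,
    # so a plain digest sent alongside the message proves nothing about who
    # sent it; the HMAC cannot be recomputed without the key.
    forged_plain_digest_matches = sha256_digest(tampered) == sha256_digest(tampered)
    forged_hmac_without_key = make_hmac(b"attacker-guess", tampered)

    salt_a, hash_a = hash_password("correct horse battery staple")
    salt_b, hash_b = hash_password("correct horse battery staple")

    return {
        "hmac_valid_on_original": verify_hmac(key, message, tag),
        "hmac_rejects_tamper": not verify_hmac(key, tampered, tag),
        "hmac_rejects_forgery": not verify_hmac(key, tampered, forged_hmac_without_key),
        "plain_hash_is_recomputable": forged_plain_digest_matches,
        "same_password_different_hashes": salt_a != salt_b and hash_a != hash_b,
        "password_verifies": verify_password("correct horse battery staple", salt_a, hash_a),
        "wrong_password_rejected": not verify_password("Tr0ub4dor&3", salt_a, hash_a),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:32s} {'ok' if result else 'FAILED'}")
```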

5.2 PKI & Secure Protocols

Public Key Infrastructure (PKI) is the framework that manages public keys and trust. A Certificate Authority (CA) issues and signs digital certificates (X.509) that bind a public key to an identity; clients verify the chain of trust and check revocation via a CRL or OCSP. Secure protocols apply this in practice: TLS secures application traffic (HTTPS), IPsec secures Layer 3 (VPN tunnels), and SSH secures remote administration.

PKI components and secure protocols
Item | What it does
Certificate Authority (CA) | Issues and signs digital certificates; the root of trust
Digital certificate (X.509) | Binds a public key to a verified identity
CRL / OCSP | Publish which certificates have been revoked
TLS | Secures application traffic (HTTPS) with hybrid crypto
IPsec | Secures IP at Layer 3 — VPN tunnels (AH, ESP)
SSH | Secure remote administration and file transfer

Checkpoint · Cryptography

Which encryption approach uses the same key to encrypt and decrypt data?

Module 6 · Network & Communications Security

16% of the exam — tied for the largest. This domain covers how data moves across networks, the attacks that target it, and the appliances and controls that defend it.

6.1 Networking & the OSI Model

The backbone here is the OSI model — seven layers from Physical to Application. The SSCP maps devices, protocols, and attacks to layers: switches at Layer 2, routers at Layer 3.[1] Defense in depth then layers controls so a single failure doesn’t expose the asset.

Know the common protocols and their secure replacements: HTTP→HTTPS (TLS), FTP→SFTP/FTPS, Telnet→SSH, and DNS, DHCP, SMTP for naming, addressing, and mail. Network access control (NAC) checks a device’s identity and posture before letting it onto the network, and segmentation (VLANs, subnets, a DMZ) limits how far an attacker can move.

Insecure protocols and their secure replacements
Insecure (avoid) | Secure replacement | Purpose
HTTP | HTTPS (TLS) | Web traffic
FTP / Telnet | SFTP/FTPS / SSH | File transfer / remote admin
WEP | WPA3 | Wireless encryption
SNMPv1/2 | SNMPv3 | Network device management

6.2 Attacks, Defenses & Wireless

Common network attacks include DoS/DDoS, spoofing, man-in-the-middle, ARP and DNS poisoning, and sniffing. The core defenses are firewalls and intrusion systems.

A packet-filter firewall filters traffic against a rule set; a stateful firewall tracks connection state (smarter than a simple packet filter), and proxy/NGFW/WAF go further. An IDS detects and alerts; an IPS sits inline and can block. A VPN (IPsec or TLS) encrypts traffic across untrusted networks.

Network defenses compared
Defense | What it does
Packet-filter firewall | Inspects each packet against rules; no memory of sessions
Stateful firewall | Tracks connection state; allows return traffic for known sessions
Proxy / NGFW / WAF | Inspects at the application layer; WAF protects web apps
IDS (detective) | Monitors and alerts; passive, out of band
IPS (preventive) | Inline; actively blocks or drops malicious traffic
VPN | Encrypts traffic over an untrusted network (IPsec / TLS)

Secure wireless with WPA3 (or WPA2-Enterprise with 802.1X/EAP), and watch for rogue access points and evil-twin attacks. Apply the same hardening discipline to IoT devices, which often ship insecure by default.

Checkpoint · Network & Communications Security

At which layer of the OSI model does a router primarily operate?

Module 7 · Systems & Application Security

15% of the exam. This domain is about securing the endpoints, applications, and platforms where work happens — from malware defense to cloud and virtualization.

7.1 Malware & Endpoint Security

Know the types and how they differ: a virus needs a user to run an infected file; a worm self-replicates across networks with no user action; a trojan hides in legitimate-looking software; ransomware encrypts data for extortion; and a rootkit hides itself with deep system access. The leading delivery method is social engineering, especially phishing.

Defend endpoints with EDR and anti-malware, host firewalls, application allowlisting, patch management, and system hardening (remove unneeded services, secure configuration, baselines). Manage mobile devices with mobile device management (MDM) — enforcing passcodes, encryption, and remote wipe — and contain BYOD with containerization.

Malware types compared
Type | How it spreads / behaves
Virus | Attaches to a file; needs a user to run it
Worm | Self-replicates across networks; no user action
Trojan | Disguised as legitimate software; hidden payload
Ransomware | Encrypts data and demands payment
Rootkit | Deep, privileged access; hides its presence
Logic bomb | Dormant until a trigger condition is met

7.2 Cloud & Virtualization Security

In the cloud, the shared responsibility model splits security duties: the provider always secures the underlying infrastructure, and the customer always owns its data, identities, and configuration. How much else the customer manages depends on the service model.[10]

Virtualization adds its own risks. A hypervisor runs the virtual machines (Type 1 on bare metal, Type 2 on a host OS); the most serious threat is a VM escape, where code breaks out of a guest VM to reach the hypervisor or other VMs. Watch for VM sprawl and insecure snapshots, and patch and isolate the hypervisor — compromising it exposes every VM on the host.

Cloud service models and customer responsibility
Model | Customer secures | Example
IaaS | OS, apps, data, and configuration | Cloud virtual machines
PaaS | Apps and data | Managed app/database platform
SaaS | Mainly data, access, and settings | Hosted email / CRM

Checkpoint · Systems & Application Security

Which input validation flaw allows an attacker to insert malicious SQL into a query, potentially exposing or altering database data?

How to Use This SSCP Study Guide

This guide is built to be worked, not just read. The most efficient path to a pass:

  • Study by weight, but cover all seven. Lead with the two 16% domains (Security Concepts & Practices and Network & Communications Security), but no domain is small enough to skip — even Cryptography (9%) carries easy points.
  • Think like a practitioner. The SSCP tests how you implement and operate controls — the hands-on answer, not just the high-level policy.
  • Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
  • Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
  • Drill the weak domain. Send your weak area into the flashcards and a practice test until the score climbs comfortably above 700.

SSCP Glossary

The high-yield SSCP terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.

AAA
Authentication, Authorization, and Accounting — the framework that proves identity, grants access, and logs activity.
Accountability
Tying actions back to a specific identity through logging and monitoring.
Administrative control
A managerial control such as a policy, procedure, training, or background check.
Annualized Loss Expectancy (ALE)
The expected yearly cost of a risk: ALE = SLE × ARO. Used to cost-justify controls.
Annualized Rate of Occurrence (ARO)
The expected number of times a specific risk event will occur in one year.
Asymmetric encryption
Encryption using a public/private key pair (e.g., RSA, ECC); solves key exchange and enables digital signatures.
Attribute-based access control (ABAC)
Access decided by attributes and policy (user, resource, time, location); the most granular.
Authentication
Proving a claimed identity with a credential (knowledge, possession, or inherence factor).
Authorization
Determining what an authenticated identity is permitted to access and do.
Availability
Ensuring authorized users have timely, reliable access to systems and data; protected by redundancy, backups, and fault tolerance.
Business continuity plan (BCP)
A plan to keep critical business functions operating during and after a disruption.
Business Impact Analysis (BIA)
An analysis that identifies critical functions and sets recovery objectives (MTD, RTO, RPO).
Certificate Authority (CA)
A trusted entity that issues and signs digital certificates binding a public key to an identity.
Chain of custody
Documentation showing who handled evidence and when, preserving its integrity for legal use.
Change management
A controlled process for requesting, evaluating, approving, and documenting changes to systems.
CIA triad
The three core goals of information security: Confidentiality (no unauthorized disclosure), Integrity (no unauthorized modification), and Availability (timely, reliable access for authorized users).
Compensating control
An alternative control used when the primary control is not feasible (e.g., extra monitoring).
Confidentiality
Preventing the unauthorized disclosure of data; protected primarily by encryption and access controls.
Crossover Error Rate (CER)
The point where FAR equals FRR; a lower CER means a more accurate biometric system.
CSIRT
Computer Security Incident Response Team — the group that handles security incidents.
CVSS
The Common Vulnerability Scoring System — a standard 0–10 score for the severity of a vulnerability.
Data classification
Labeling data by sensitivity (e.g., public, confidential, secret) so the right protection is applied.
Data custodian
The party (usually IT) that implements and maintains the controls protecting data day to day.
Data owner
The senior business manager accountable for data, who sets its classification and protection requirements.
Data remanence
Residual data that remains on media after deletion or formatting and may be recoverable.
Defense in depth
Layering multiple, overlapping controls so that if one fails, others still protect the asset.
Detective control
A control that identifies an incident in progress or after it occurs (e.g., logs, an IDS, CCTV).
Digital certificate
An X.509 document that binds a public key to a verified identity, signed by a CA.
Digital signature
A hash of a message encrypted with the sender's private key, providing integrity, authenticity, and non-repudiation.
Disaster recovery (DR)
The processes and procedures to restore IT systems and operations after a disruptive event.
Discretionary access control (DAC)
Access decided by the data owner (e.g., file permissions, ACLs).
DMZ
A screened subnet that hosts public-facing services, isolating them from the internal network.
Dual control
Requiring two authorized people to act together to perform a single sensitive operation.
Due care
Acting on due diligence by implementing and maintaining reasonable controls — the prudent-person rule.
Due diligence
Doing the research and developing the plans and policies needed to protect the organization.
EDR
Endpoint Detection and Response — software that continuously monitors endpoints to detect and respond to threats.
False Acceptance Rate (FAR)
How often a biometric system wrongly accepts an impostor (a Type II error) — the security risk.
False Rejection Rate (FRR)
How often a biometric system wrongly rejects a legitimate user (a Type I error) — the usability problem.
Firewall
A device or software that filters network traffic against a rule set to enforce a security boundary.
Hashing
A one-way function producing a fixed-length digest used to verify integrity (e.g., SHA-256); not reversible.
HMAC
A keyed hash that provides both integrity and authenticity of a message.
Hypervisor
Software that creates and runs virtual machines; Type 1 runs on bare metal, Type 2 on a host OS.
Identification
A subject claiming an identity (e.g., a username) — the first step of access control.
IDS
Intrusion Detection System — passively monitors and alerts on suspicious activity but does not block it.
Incident response
The structured process to detect, respond to, recover from, and learn from a security incident.
Integrity
Ensuring data is accurate and unaltered except by authorized parties; protected by hashing, signatures, and change control.
IPS
Intrusion Prevention System — sits inline and can actively block or drop malicious traffic.
IPsec
A protocol suite that secures IP traffic at Layer 3, used for VPN tunnels (AH and ESP).
ISC2 Code of Ethics
Four canons every SSCP must follow, applied in order: protect society and the infrastructure; act honorably; provide diligent service to principals; advance and protect the profession.
Job rotation
Periodically moving staff between duties to detect fraud and reduce dependence on any one person.
Kerberos
A symmetric-key SSO authentication protocol using tickets and a Key Distribution Center (KDC).
Least privilege
Granting users and processes only the minimum access needed to do their job, and nothing more.
Malware
Malicious software — viruses, worms, trojans, ransomware, rootkits, spyware, and logic bombs.
Mandatory access control (MAC)
Access enforced by the system from labels and clearances; rigid and high-security.
Mandatory vacation
Requiring employees to take time off so that hidden fraudulent activity can surface in their absence.
Maximum Tolerable Downtime (MTD)
The longest time a business function can be unavailable before unacceptable harm occurs.
Media sanitization
Removing data from media via clearing, purging, or destruction so it cannot be recovered (NIST SP 800-88).
Mobile device management (MDM)
Software that enforces security policy on mobile devices (passcodes, encryption, remote wipe).
Multi-factor authentication (MFA)
Using two or more factors from different categories — something you know, have, and are.
Need-to-know
Limiting access to the specific information a person requires for their role, even within their clearance.
Network access control (NAC)
Technology that checks a device's posture and identity before allowing it onto the network.
Non-repudiation
Assurance that a party cannot deny having performed an action, achieved through digital signatures and logging.
Order of volatility
The order in which to collect evidence by how quickly it disappears — capture memory before disk before backups.
OSI model
A seven-layer reference model for networking: Physical, Data Link, Network, Transport, Session, Presentation, Application.
Patch management
The process of acquiring, testing, and applying software updates to fix vulnerabilities.
Penetration test
An authorized, simulated attack that actively exploits weaknesses to demonstrate real impact.
Phishing
A social-engineering attack that uses fraudulent messages to trick users into revealing data or installing malware.
Physical control
A control that protects the physical environment, such as locks, guards, fences, or cameras.
Preventive control
A control that stops an incident before it happens (e.g., a lock, MFA, or input validation).
Privileged access management (PAM)
Controls that secure, monitor, and limit accounts with elevated (admin) privileges.
Public Key Infrastructure (PKI)
The framework of certificate authorities, certificates, and policies that manages public keys and trust.
RADIUS
A protocol that centralizes authentication, authorization, and accounting for network access.
Ransomware
Malware that encrypts a victim's data and demands payment for the decryption key.
Recovery Point Objective (RPO)
The maximum acceptable amount of data loss measured backward in time; drives backup frequency.
Recovery Time Objective (RTO)
The targeted time to restore a system or function after a disruption; must be shorter than the MTD.
Residual risk
The risk that remains after controls are applied; senior management formally accepts it.
Risk
The likelihood that a threat will exploit a vulnerability, and the resulting impact on an asset.
Risk appetite
The amount and type of risk an organization is willing to accept in pursuit of its objectives.
Role-based access control (RBAC)
Access granted by job role rather than the individual; scales well in enterprises.
Rootkit
Malware that gains deep, privileged access and hides its presence from the operating system.
Salting
Adding random data to a password before hashing so identical passwords produce different hashes.
Separation of duties
Splitting a sensitive task so no single person can complete it alone, reducing fraud and error.
Shared responsibility model
The split of cloud security duties between the provider (infrastructure) and the customer (data, access, config).
SIEM
Security Information and Event Management — a system that aggregates and correlates logs for detection and analysis.
Single Loss Expectancy (SLE)
The expected monetary loss from a single occurrence of a risk: SLE = Asset Value × Exposure Factor.
Single sign-on (SSO)
One authentication that grants access to multiple systems (e.g., via Kerberos or SAML).
Stateful firewall
A firewall that tracks the state of active connections and allows only traffic that fits a known session.
Symmetric encryption
Encryption using one shared secret key for both encrypting and decrypting (e.g., AES); fast, but key distribution is hard.
System hardening
Reducing a system's attack surface by removing unneeded services, applying secure configuration, and patching.
Technical control
A logical control implemented in technology, such as a firewall, encryption, or access control list.
Threat
Any potential event or actor that could cause harm to an asset by exploiting a vulnerability.
Transport Layer Security (TLS)
The protocol that secures application traffic (HTTPS) using hybrid cryptography.
Trojan
Malware disguised as legitimate software to trick a user into installing a hidden payload.
Virus
Malware that attaches to a file and requires a user to run it in order to spread.
VM escape
An attack that breaks out of a guest virtual machine to reach the hypervisor or other VMs.
VPN
A Virtual Private Network that creates an encrypted tunnel over an untrusted network (e.g., IPsec or TLS).
Vulnerability
A weakness in a system, process, or control that a threat can exploit.
Vulnerability scan
An automated check that identifies known weaknesses without exploiting them.
Worm
Self-replicating malware that spreads across networks on its own, with no user action.
WPA3
The current Wi-Fi security standard, providing strong encryption and protection against offline attacks.
Zero trust
A model that trusts no user or device by default and verifies every access request continuously.

SSCP Study Guide FAQ

Under the ISC2 outline effective October 1, 2025, the SSCP uses Computerized Adaptive Testing (CAT): 100 to 125 items in 2 hours. The number you see varies because the test adapts to your performance, and some items are unscored pretest questions. It includes multiple-choice and advanced item types.

References

  1. ISC2. “SSCP Certification Exam Outline (effective October 1, 2025).” isc2.org.
  2. ISC2. “SSCP — Systems Security Certified Practitioner.” isc2.org.
  3. ISC2. “ISC2 Code of Ethics.” isc2.org.
  4. National Institute of Standards and Technology. “SP 800-30 Rev. 1: Guide for Conducting Risk Assessments.” csrc.nist.gov.
  5. National Institute of Standards and Technology. “SP 800-53 Rev. 5: Security and Privacy Controls.” csrc.nist.gov.
  6. National Institute of Standards and Technology. “SP 800-61 Rev. 2: Computer Security Incident Handling Guide.” csrc.nist.gov.
  7. National Institute of Standards and Technology. “SP 800-63: Digital Identity Guidelines.” csrc.nist.gov.
  8. National Institute of Standards and Technology. “SP 800-88 Rev. 1: Guidelines for Media Sanitization.” csrc.nist.gov.
  9. National Institute of Standards and Technology. “SP 800-34 Rev. 1: Contingency Planning Guide.” csrc.nist.gov.
  10. National Institute of Standards and Technology. “SP 800-145: The NIST Definition of Cloud Computing.” csrc.nist.gov.
  11. National Institute of Standards and Technology. “SP 800-115: Technical Guide to Information Security Testing.” csrc.nist.gov, accessed 19 June 2026.
  12. National Institute of Standards and Technology. “Cryptographic Standards and Guidelines.” csrc.nist.gov, accessed 19 June 2026.
  13. National Institute of Standards and Technology. “SP 800-94: Guide to Intrusion Detection and Prevention Systems.” csrc.nist.gov, accessed 19 June 2026.
  14. National Institute of Standards and Technology. “SP 800-41 Rev. 1: Guidelines on Firewalls and Firewall Policy.” csrc.nist.gov, accessed 19 June 2026.
  15. National Institute of Standards and Technology. “SP 800-83 Rev. 1: Guide to Malware Incident Prevention and Handling.” csrc.nist.gov, accessed 19 June 2026.
  16. National Institute of Standards and Technology. “SP 800-125: Guide to Security for Full Virtualization Technologies.” csrc.nist.gov, accessed 19 June 2026.