1.0 General Security Concepts (12 % of the exam)
Compare and contrast various types of security controls.
Summarize fundamental security concepts.
Explain the importance of change management processes and the impact to security.
Explain the importance of using appropriate cryptographic solutions.
2.0 Threats, Vulnerabilities, and Mitigations (22% of the exam)
Compare and contrast common threat actors and motivations.
Explain common threat vectors and attack surfaces.
Explain various types of vulnerabilities.
Given a scenario, analyze indicators of malicious activity.
Explain the purpose of mitigation techniques used to secure the enterprise.
3.0 Security Architecture (18% of the exam)
Compare and contrast security implications of different architecture models.
Given a scenario, apply security principles to secure enterprise infrastructure.
Compare and contrast concepts and strategies to protect data.
Explain the importance of resilience and recovery in security architecture.
4.0 Security Operations (28% of the exam)
Given a scenario, apply common security techniques to computing resources.
Explain the security implications of proper hardware, software, and data asset management.
Explain various activities associated with vulnerability management.
Explain security alerting and monitoring concepts and tools.
Given a scenario, modify enterprise capabilities to enhance security.
Given a scenario, implement and maintain identity and access management.
Explain the importance of automation and orchestration related to secure operations.
Explain appropriate incident response activities.
Given a scenario, use data sources to support an investigation.
5.0 Security Program Management and Oversight (20% of the exam)
Summarize elements of effective security governance.
Explain elements of the risk management process.
Explain the processes associated with third-party risk assessment and management.
Summarize elements of effective security compliance.
Explain types and purposes of audits and assessments.
Given a scenario, implement security awareness practices.