Domain 1: Security and Risk Management
- 1.1 Understand and apply concepts of confidentiality, integrity and availability
- 1.2 Evaluate and apply security governance principles
- 1.3 Determine compliance requirements
- 1.4 Understand legal and regulatory issues that pertain to information security in a global context
- 1.5 Understand, adhere to, and promote professional ethics
- 1.6 Develop, document, and implement security policy, standards, procedures, and guidelines
- 1.7 Identify, analyze, and prioritize Business Continuity (BC) requirements
- 1.8 Contribute to and enforce personnel security policies and procedures
- 1.9 Understand and apply risk management concepts
- 1.10 Understand and apply threat modeling concepts and methodologies
- 1.11 Apply risk-based management concepts to the supply chain
- 1.12 Establish and maintain a security awareness, education, and training program
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
- 3.1 Implement and manage engineering processes using secure design principles
- 3.2 Understand the fundamental concepts of security models
- 3.3 Select controls based upon systems security requirements
- 3.4 Understand security capabilities of information systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
- 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
- 3.6 Assess and mitigate vulnerabilities in web-based systems
- 3.7 Assess and mitigate vulnerabilities in mobile systems
- 3.8 Assess and mitigate vulnerabilities in embedded devices
- 3.9 Apply cryptography
- 3.10 Apply security principles to site and facility design
- 3.11 Implement site and facility security controls
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management (IAM)
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
- 7.1 Understand and support investigations
- 7.2 Understand requirements for investigation types
- 7.3 Conduct logging and monitoring activities
- 7.4 Securely provisioning resources
- 7.5 Understand and apply foundational security operations concepts
- 7.6 Apply resource protection techniques
- 7.7 Conduct incident management
- 7.8 Operate and maintain detective and preventative measures
- 7.9 Implement and support patch and vulnerability management
- 7.10 Understand and participate in change management processes
- 7.11 Implement recovery strategies
- 7.12 Implement Disaster Recovery (DR) processes
- 7.13 Test Disaster Recovery Plans (DRP)
- 7.14 Participate in Business Continuity (BC) planning and exercises
- 7.15 Implement and manage physical security
- 7.16 Address personnel safety and security concerns
Domain 8: Software Development Security
- 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
- 8.2 Identify and apply security controls in development environments
- 8.3 Assess the effectiveness of software security
- 8.4 Assess security impact of acquired software
- 8.5 Define and apply secure coding guidelines and standards
