(ISC)² SSCP (Systems Security Certified Practitioner) Study Guide
The (ISC)2 SSCP (Systems Security Certified Practitioner) validates the hands-on, operational security skills needed to implement, monitor, and administer IT infrastructure using established security policies and procedures. It is aimed at practitioners in roles such as security analyst, systems and network administrator, and security engineer who work day to day with access controls, monitoring, incident response, cryptography, and system hardening. The exam spans seven domains and rewards practical, defense-in-depth knowledge over pure theory.
Reviewed Jul 2026.
Domain 1: Security Operations and Administration
- The CIA triad frames security goals: confidentiality restricts disclosure to authorized parties (often via encryption), integrity ensures data is not altered without detection (often via hashing), and availability ensures authorized users can reach systems and data when needed (often via redundancy and failover).
- Identification is the claim of an identity such as a username; authentication proves that claim; authorization defines what an authenticated subject may do; and accounting (auditing) logs subject activity for later review and non-repudiation.
- The (ISC)2 Code of Ethics has four mandatory canons, and protecting society, the common good, and public trust is the first and highest-priority canon that guides ordering decisions when canons appear to conflict.
- Controls are grouped by type: administrative (managerial) controls such as policies and training, technical (logical) controls implemented in hardware or software, and physical controls such as locks and badge-controlled doors.
- Controls are also grouped by function: preventive controls stop unwanted events before they occur, and detective controls identify and signal events that are happening or have occurred.
- Corrective controls remediate and restore after an event, deterrent controls discourage attackers by perception, and recovery controls restore systems and data to operational status.
- A compensating control is a substitute safeguard used when a primary control cannot be implemented, providing an equivalent level of protection through alternative means.
- Defense in depth layers multiple, diverse controls so that the failure of any single control is not fatal to overall security.
- Least privilege grants each subject only the minimum access required to perform its job, limiting the potential damage from compromise or misuse.
- Separation of duties splits a sensitive task among multiple people so that no single individual controls the entire process, reducing fraud and error.
- Need-to-know further restricts access to only the specific information required for a task, even when a subject already holds the necessary clearance.
- Redundant components and failover designs eliminate single points of failure, directly supporting the availability leg of the CIA triad.
Domain 2: Access Controls
- The AAA model comprises authentication (proving an asserted identity), authorization (granting rights and permissions), and accounting (recording what a subject did after gaining access).
- The identity lifecycle spans provisioning (creating an account and assigning initial entitlements when a user joins), ongoing management, and deprovisioning; a deprovisioning gap leaves orphaned accounts that persist as unmonitored targets.
- Authentication factors fall into distinct categories: something you know (passwords, PINs), something you have (tokens, smart cards), something you are (biometrics), somewhere you are (location), and something you do (behavior).
- True multifactor authentication requires credentials drawn from at least two different factor categories; combining two items from the same category (such as a password and a PIN) is multi-step but not multifactor.
- Biometrics include physiological traits such as iris, fingerprint, and face (something you are) and behavioral traits such as typing rhythm and mouse dynamics (something you do).
- The False Acceptance Rate (FAR) is how often the system wrongly accepts an impostor, the False Rejection Rate (FRR) is how often it wrongly rejects a valid user, and the Crossover Error Rate (CER) where FAR equals FRR is a single comparative measure of biometric accuracy.
- Tightening a biometric match threshold rejects more legitimate users, raising the FRR, while loosening it raises the FAR; tuning trades one error type against the other.
- FIDO2 uses public-key cryptography scoped to the site origin, so there is no shared secret to phish and credentials will not work on a look-alike site, making it far stronger than SMS one-time passwords that are vulnerable to SIM swapping, interception, and real-time phishing.
- Session security relies on the HttpOnly cookie attribute to block JavaScript access (mitigating theft via cross-site scripting), regenerating the session ID at login to defeat session fixation, and idle timeouts to shrink the window a stolen token stays valid.
- Access recertification (attestation) is the periodic confirmation by managers that access is still warranted; combined with removing access at each role change, it counters the accumulation of stale privileges known as privilege creep.
- In federated identity, the identity provider issues an assertion and the service provider (relying party) is the application that consumes the assertion and grants access.
- Access control models include role-based access control (RBAC), which assigns permissions to job-function roles that users are placed into, and mandatory access control (MAC), which enforces system-defined labels and clearances that users cannot alter.
Domain 3: Risk Identification, Monitoring, and Analysis
- Risk is generally the product of the likelihood of an event and its impact; a vulnerability is a weakness that a threat can exploit.
- Single Loss Expectancy (SLE) equals asset value multiplied by the exposure factor (the percentage of value lost in one event); for example a $200,000 asset with a 40 percent exposure factor gives an SLE of $80,000.
- The Annualized Rate of Occurrence (ARO) is the expected number of events per year; an event happening once every four years is a rate of 1 divided by 4, or 0.25.
- Annualized Loss Expectancy (ALE) equals SLE multiplied by ARO, giving the expected yearly cost of a risk; for example an $80,000 SLE at an ARO of 0.25 yields an ALE of $20,000.
- The net value of a safeguard equals the reduction in ALE (ALE before minus ALE after) minus the annual cost of the safeguard; a positive result means the control is cost-justified.
- Qualitative analysis ranks risk descriptively using scales such as high, medium, and low, while quantitative analysis expresses risk in numeric, usually monetary, terms to enable cost-benefit comparison.
- The four primary risk treatment options are avoidance (eliminating the risk-creating activity), transfer (shifting financial impact to a third party such as an insurer), mitigation (applying controls to reduce risk), and acceptance (formally deciding to bear the risk).
- Residual risk is what remains after controls are applied; management must decide whether it falls within the organization's risk appetite, which is the amount and type of risk the organization is willing to accept to meet its objectives.
- The NIST Risk Management Framework steps run Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor, so the step immediately after Select is Implement.
- ISO/IEC 27005 provides guidelines specifically for information security risk management, and FIPS 199 defines the low, moderate, and high impact levels used to categorize systems by confidentiality, integrity, and availability.
- STRIDE is a threat-modeling framework for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege, and a data flow diagram with trust boundaries reveals where data crosses trust levels and threats are most likely.
- Continuous monitoring keeps risk information current by detecting changes in threats, vulnerabilities, and control performance, and third-party risk is managed by reviewing independent assurance such as SOC 2 reports and watching for supply-chain compromise introduced through a vendor's build and delivery process.
Domain 4: Incident Response and Recovery
- The incident response lifecycle moves through preparation, detection and analysis, containment, eradication, recovery, and lessons learned (post-incident activity).
- Preparation is the proactive phase that stands up the response team, writes plans and playbooks, arranges communications, and procures tooling before any incident occurs.
- Detection and analysis identifies, correlates, and validates events and alerts to confirm whether an actual incident occurred and to understand its scope.
- Containment limits the spread and magnitude of an incident, often by isolating affected systems or network segments while responders investigate; network isolation preserves running state while stopping propagation.
- Eradication removes the threat and its artifacts and closes the entry point (deleting malware, removing malicious accounts, and remediating the exploited vulnerability) so the threat cannot simply return.
- Recovery restores affected systems to normal operation from trusted backups, validates functionality, and monitors for recurrence before the incident is declared closed.
- The lessons-learned phase is a structured, blameless review that documents root cause and timeline and feeds improvements back into policies, controls, and playbooks for continuous improvement.
- The Computer Security Incident Response Team (CSIRT) includes an incident commander who coordinates the response and drives decisions, and legal counsel who advises on notification duties and evidence handling.
- Escalation rules define who is notified based on severity, and out-of-band communication channels keep the team coordinated when primary systems are compromised or unavailable.
- A playbook gives repeatable, step-by-step handling for a specific incident type, while consistent classification and severity ratings drive prioritization and escalation.
- SOAR (Security Orchestration, Automation, and Response) automates enrichment and response steps through playbooks to speed and standardize handling.
- Forensic evidence is preserved by imaging the system and documenting chain of custody, and collection follows the order of volatility by capturing the most fleeting data first; RPO defines the maximum tolerable data loss as a span of time while RTO is the target time to restore a service, and an alert that fires when nothing malicious occurred is a false positive.
Domain 5: Cryptography
- Cryptography delivers confidentiality (restricting who can read data), integrity (detecting unauthorized modification via hashes and message authentication codes), authentication, and non-repudiation (binding an action to an identity so the originator cannot deny it).
- Non-repudiation and digital signatures are achieved with the sender's private key, which only the sender possesses; verifiers check the signature using the signer's public key.
- Symmetric cryptography uses one shared secret key for both encryption and decryption, while asymmetric cryptography uses a related public/private key pair where data encrypted with one key is decrypted with the other.
- AES is a symmetric block cipher operating on fixed 128-bit blocks and supporting 128-, 192-, and 256-bit keys (using 10, 12, and 14 rounds respectively).
- DES has only a 56-bit effective key that is small enough to brute-force, so 3DES chains DES operations to raise effective key strength on existing hardware as a stopgap.
- Block ciphers process fixed-size blocks while stream ciphers process a bit or byte at a time; ECB mode encrypts each block independently so identical plaintext blocks produce identical ciphertext, leaking patterns.
- In CBC mode the initialization vector is XORed with the first plaintext block to randomize output, and CTR mode encrypts an incrementing counter and XORs it with plaintext to behave like a stream cipher.
- GCM provides authenticated encryption, adding an integrity tag on top of confidentiality; a nonce is a number used once per key, and reusing a nonce repeats the keystream and exposes relationships between plaintexts.
- RSA security relies on the hardness of factoring large semiprimes, while ECC achieves comparable security to RSA using much smaller keys.
- Diffie-Hellman lets two parties derive a shared secret over an open channel, but without authentication it is open to man-in-the-middle attacks.
- For confidentiality, data is encrypted with the recipient's public key so only the recipient's private key can decrypt it; because asymmetric operations are slow, they typically only establish a fast symmetric session key for the bulk data.
- A cryptographic hash must be collision resistant, meaning it is infeasible to find two distinct inputs that produce the same digest, which underpins integrity checking and digital signatures.
Domain 6: Network and Communications Security
- The OSI Network layer (Layer 3) handles logical IP addressing and path determination, where routers forward packets by destination IP, and the Transport layer (Layer 4) provides end-to-end delivery, segmentation, and port addressing using TCP and UDP.
- The TCP/IP model has four layers (Application, Transport, Internet, and Network Access); its Application layer maps to OSI layers 5, 6, and 7, and its Network Access layer maps to OSI layers 1 and 2.
- Common well-known ports include DNS on UDP 53 (TCP 53 for zone transfers), DHCP on UDP 67 (server) and 68 (client), SMTP on TCP 25, POP3 on TCP 110, SSH on TCP 22, and HTTPS on TCP 443; the well-known port range is 0 to 1023.
- IP subnetting facts include that a /24 provides 254 usable host addresses, a /26 prefix equals the mask 255.255.255.192, 172.16.0.0/12 is an RFC 1918 private range, and the broadcast address of 192.168.10.0/28 is 192.168.10.15.
- In a star topology a central device failure disconnects all attached nodes, whereas a full mesh connects every node to every other node to maximize fault tolerance.
- A man-in-the-middle (on-path) attack intercepts and possibly alters traffic between two parties, and TLS with proper certificate validation defends against MITM on web sessions.
- ARP spoofing (ARP cache poisoning) forges ARP replies to redirect traffic, and Dynamic ARP Inspection together with DHCP snooping mitigates it.
- DNS cache poisoning injects forged records to redirect name resolution, and DNSSEC signs DNS records to protect their integrity and authenticity.
- A distributed denial-of-service (DDoS) attack uses many distributed sources, often a botnet, to overwhelm a target's capacity.
- A SYN flood sends many half-open connections that never complete the TCP handshake to exhaust resources, and SYN cookies mitigate it by avoiding state allocation until the handshake completes.
- TCP is connection-oriented and reliable using sequencing, acknowledgments, and retransmission, while UDP is connectionless best-effort delivery with lower overhead.
- SSH provides encrypted remote command-line access and secure file transfer, replacing insecure protocols like Telnet, and should use strong key-based authentication.
Domain 7: Systems and Application Security
- A worm self-propagates across networks without a host file or user action, while a Trojan horse masquerades as benign software to trick a user into running a hidden malicious payload and does not self-replicate.
- Polymorphic malware mutates its code and encryption on each infection to defeat static signatures, and a rootkit hides malicious activity by tampering with OS mechanisms such as kernel calls, making it among the hardest malware to detect and remove.
- Recovering from ransomware reliably depends on backups that are recent, restore-tested, and kept offline or otherwise isolated so the ransomware cannot encrypt them too.
- Signature-based detection cannot match zero-day or novel malware for which no signature yet exists, so behavior-based detection flags malicious activity by what code does rather than by a known pattern.
- EDR adds continuous endpoint telemetry, detection, investigation, and response beyond simple antivirus, and XDR extends detection and response across multiple security layers rather than endpoints alone.
- HIDS detects and alerts on suspicious host activity, while HIPS additionally blocks or prevents malicious activity in real time.
- Application allowlisting permits only approved applications and blocks everything else by default, and cryptographic hashes and publisher signatures uniquely and tamper-evidently identify the approved files.
- A secure baseline is a standardized, documented hardening configuration applied uniformly to like systems, and removing unneeded services and open ports shrinks the attack surface an adversary can exploit.
- Least privilege gives each account only the access needed for its job to limit damage from compromise, and configuration management keeps systems in an approved, consistent state and detects unauthorized changes.
- Patches should be applied promptly to close known vulnerabilities before attackers exploit them, but should first be tested in a representative environment before broad production rollout.
- Full-disk encryption renders data at rest unreadable without the decryption key when the device is off, but once the system is unlocked and running the data is decrypted for use.
- A TPM is an on-board chip that securely stores keys and supports platform integrity checks for disk encryption, and EDR network isolation can quickly contain a compromised host while keeping it available for forensic analysis.
(ISC)² SSCP (Systems Security Certified Practitioner) exam tips
- Learn to distinguish control classifications along two axes at once: type (administrative, technical, physical) and function (preventive, detective, corrective, deterrent, compensating, recovery); questions often give a scenario and ask for both.
- Memorize the quantitative risk formulas cold: SLE = asset value x exposure factor, ALE = SLE x ARO, and safeguard value = (ALE before - ALE after) - annual safeguard cost, then practice plugging in numbers quickly.
- Know the well-known ports and subnetting shortcuts (usable hosts, masks, broadcast addresses, RFC 1918 ranges) so you can answer network questions without hesitation.
- For multifactor questions, always check whether the factors come from different categories; two things you know is never true MFA no matter how many steps are involved.
- Study the incident response and NIST RMF phase orders as sequences, because many questions ask which phase comes next or which activity belongs to a named phase.
Study guide FAQ
How is the SSCP different from the CISSP?
The SSCP is a hands-on, operational credential aimed at practitioners who implement, monitor, and administer security controls day to day, while the CISSP is a broader, more managerial certification focused on designing and governing an enterprise security program. SSCP has seven domains centered on operations; CISSP has eight domains with more emphasis on strategy and management.
What are the exam format and passing requirements?
The SSCP is a multiple-choice exam with a 180-minute time limit, scored on a scale where 700 out of 1000 is passing. Beyond passing the exam, candidates must have at least one year of cumulative paid work experience in one or more of the seven domains (or qualify for an Associate of (ISC)2 path if they lack the experience).
How much math and calculation should I expect?
Expect a handful of quantitative risk questions requiring SLE, ARO, and ALE calculations, plus subnetting questions about host counts, masks, and broadcast addresses. The arithmetic is straightforward once you have memorized the formulas, so practice them until they are automatic.
Which domains carry the most weight and where should I focus?
Access controls, network and communications security, and systems and application security are large, detail-heavy domains and reward strong practical knowledge of authentication, ports, malware types, and endpoint defenses. Do not neglect the ethics canons and control classifications from security operations, as those concepts appear throughout the exam.