What is the SSCP certification?
The SSCP (Systems Security Certified Practitioner) from ISC2 is an intermediate-level cybersecurity certification for hands-on IT professionals responsible for implementing and monitoring information security. It covers seven domains including access controls, cryptography, network and communications security, malware, risk, incident response, and cloud security. SSCP requires 1 year of paid security experience and costs $249 USD.
The SSCP (Systems Security Certified Practitioner) is ISC2's certification for IT practitioners who implement, monitor, and administer security systems day-to-day. It bridges the gap between entry-level Security+ and the advanced CISSP, targeting professionals in IT security analyst, network security engineer, system administrator, and security consultant roles.
SSCP is sometimes called the "practitioner's CISSP" because it targets the technical execution of security rather than the managerial oversight that CISSP emphasizes. Professionals with SSCP earn salaries of $75,000-$110,000 in the United States. The exam costs $249 USD and requires a passing score of 700 out of 1000.
Exam Overview
| Detail | Information |
|---|---|
| Certification | SSCP - Systems Security Certified Practitioner |
| Provider | ISC2 |
| Number of Questions | 125 |
| Time Limit | 3 hours |
| Passing Score | 700/1000 |
| Cost | $249 USD |
| Prerequisites | 1 year of paid security work experience |
| Validity | 3 years (CPE credits for renewal) |
The exam covers seven domains:
- Security operations and administration (16%)
- Access controls (15%)
- Risk identification, monitoring, and analysis (15%)
- Incident response and recovery (13%)
- Cryptography (10%)
- Network and communications security (16%)
- Systems and application security (15%)
"SSCP is the best certification for technical security professionals who want ISC2 recognition without yet meeting the CISSP experience requirements. It validates that you can actually implement and operate security controls, not just manage security programs. Many candidates find SSCP a natural complement to Security+ after gaining 1-2 years of hands-on security work." -- ISC2 certification community
Domain 1: Security Operations and Administration (16%)
Security Operations Center Functions
Core SOC functions tested on SSCP:
- Asset management: Maintaining an accurate inventory of hardware, software, and cloud resources
- Change management: Formal process for requesting, reviewing, approving, and documenting changes to production systems
- Configuration management: Maintaining and enforcing approved configurations (CIS benchmarks, DISA STIGs)
- Patch management: Identifying, testing, and deploying security patches in a timely manner
- Security awareness training: Educating users on phishing, social engineering, and safe computing practices
Security Controls Framework
NIST SP 800-53 provides a comprehensive catalog of security and privacy controls:
- Access Control (AC): Policies and mechanisms for controlling access to information systems
- Audit and Accountability (AU): Event logging and audit trail maintenance
- Configuration Management (CM): Baselines, change control, and software inventory
- Incident Response (IR): Procedures for detecting, analyzing, and recovering from incidents
- System and Communications Protection (SC): Network architecture, encryption, and boundary protection
Domain 2: Access Controls (15%)
Access Control Models
| Model | Description | Example |
|---|---|---|
| DAC (Discretionary Access Control) | Resource owners control access | Traditional file system permissions |
| MAC (Mandatory Access Control) | Labels and clearances determine access; owners cannot override | Military/government classified systems |
| RBAC (Role-Based Access Control) | Access based on job role | Enterprise applications with predefined roles |
| ABAC (Attribute-Based Access Control) | Access based on multiple attributes | Fine-grained access based on user, resource, and environment attributes |
| Rule-Based Access Control | Access based on system-defined rules | Firewall rules, time-of-day restrictions |
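As an added illustration of the DAC and MAC rows above (example code, not from the original page or any ISC2 material), the Go program below models an owner-controlled ACL next to a label/clearance check and shows why an owner's grant cannot override a mandatory label decision; the Bell-LaPadula style read/write rules and the subject and object names are assumptions for the example.

```go
package main

// Level is a sensitivity label or clearance; higher values dominate lower ones.
type Level int

const (
	Public Level = iota
	Confidential
	Secret
	TopSecret
)

type Subject struct {
	ID        string
	Clearance Level
}

type Object struct {
	Owner string
	Label Level
	ACL   map[string]map[string]bool // DAC grants: subject ID -> action -> allowed
}

// dacAllows implements discretionary control: the owner may do anything and
// may grant individual actions to others through the ACL.
func dacAllows(s Subject, o Object, action string) bool {
	return s.ID == o.Owner || o.ACL[s.ID][action]
}

// macAllows implements mandatory control with Bell-LaPadula style rules
// (assumed here): read needs clearance >= label ("no read up"), write needs
// label >= clearance ("no write down"). Ownership plays no part.
func macAllows(s Subject, o Object, action string) bool {
	switch action {
	case "read":
		return s.Clearance >= o.Label
	case "write":
		return o.Label >= s.Clearance
	}
	return false
}

// allowed models a system that enforces MAC on top of DAC: the owner's grants
// can narrow access but never widen it beyond what the labels permit.
func allowed(s Subject, o Object, action string) bool {
	return macAllows(s, o, action) && dacAllows(s, o, action)
}
```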
Identity and Access Management
Provisioning and de-provisioning:
- Joiner process: New employee account creation following HR-approved workflow
- Mover process: Role change requiring permission modification (old permissions removed, new permissions added)
- Leaver process: Account disablement immediately upon termination, then deletion after defined period
Federation and SSO:
- SAML 2.0: XML-based identity federation for web applications. Identity Provider (IdP) sends assertions to Service Provider (SP).
- OAuth 2.0: Authorization framework for delegated access to APIs
- OpenID Connect: Authentication layer on OAuth 2.0 for user identity federation
Domain 3: Risk Identification, Monitoring, and Analysis (15%)
Risk Assessment Process
- System characterization: Document the system, its data, and business function
- Threat identification: Identify potential threat sources (environmental, human, technical)
- Vulnerability identification: Identify weaknesses that could be exploited
- Control analysis: Document existing controls and their effectiveness
- Likelihood determination: Estimate probability of threat exploiting vulnerability
- Impact analysis: Assess business impact if the vulnerability is exploited
- Risk determination: Combine likelihood and impact to produce risk rating
- Control recommendations: Identify additional controls to reduce risk
- Results documentation: Document findings and recommendations
Security Metrics
| Metric | Formula | Purpose |
|---|---|---|
| Mean Time to Detect (MTTD) | Total detection time / incidents | Measures detection speed |
| Mean Time to Respond (MTTR) | Total response time / incidents | Measures response speed |
| Patch Compliance Rate | Patched systems / total systems | Measures patching effectiveness |
| Security Awareness Training Completion | Completed / required | Measures training program |
| Vulnerability Remediation Rate | Remediated in time / discovered | Measures remediation efficiency |
Domain 4: Incident Response and Recovery (13%)
SSCP Incident Response Procedures
Containment strategies tested on SSCP:
- Short-term containment: Immediate isolation to limit spread (quarantine the affected system)
- Long-term containment: Applying temporary fixes to allow business operations while preparing for eradication
- System isolation: Disconnecting affected systems from the network
- Account disablement: Disabling compromised accounts
Business Continuity and Disaster Recovery
Recovery strategies by RTO:
- Cold site: Physical location with space and power but no equipment. Lowest cost, longest recovery time (days to weeks).
- Warm site: Has hardware and network connectivity but not current data. Moderate cost and recovery time (hours to days).
- Hot site: Fully operational duplicate of production environment with current data. Highest cost, fastest recovery (minutes to hours).
- Cloud-based DR: Uses cloud infrastructure for failover capacity. Very fast provisioning; cost scales with usage.
Domain 5: Cryptography (10%)
Applied Cryptography
TLS handshake process (simplified):
- Client sends ClientHello with supported TLS versions and cipher suites
- Server responds with ServerHello selecting version and cipher suite
- Server sends certificate (X.509)
- Client verifies certificate against trusted CAs
- Key exchange (ECDHE for TLS 1.3; RSA or ECDHE for TLS 1.2)
- Session keys derived using PRF (Pseudo-Random Function)
- Encrypted communication begins
Certificate validation process:
- Check certificate validity period (not expired)
- Check certificate revocation (OCSP or CRL)
- Verify certificate signature using CA's public key
- Verify certificate is for the correct domain (CN or SAN)
- Verify certificate chain to a trusted root CA
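An added example, not code from the original page: using Go's standard crypto/x509 package, it builds a constructed lab root CA and leaf certificate in memory and then applies the validity-period, signature, SAN and chain checks from the list above; the hostnames and the CA name are assumptions. Revocation checking (OCSP or CRL) is not part of x509.Verify and is flagged in the comments.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl signed by key (parent == tmpl yields a self-signed root).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// buildChain creates a constructed lab root CA and a leaf certificate whose SAN
// lists host; both are valid for the window [notBefore, notAfter].
func buildChain(host string, notBefore, notAfter time.Time) (root, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: notBefore, NotAfter: notAfter,
	}
	root = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, NotBefore: notBefore, NotAfter: notAfter,
		DNSNames: []string{host}, // SAN entry used by the hostname check
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = sign(leafTmpl, root, &leafKey.PublicKey, caKey)
	return root, leaf
}

// validate applies the listed checks at time now: validity period, signature and
// chain to the trusted root, and SAN match for host. Revocation (OCSP/CRL) is
// not part of x509.Verify and must be checked separately.
func validate(root, leaf *x509.Certificate, host string, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	return err
}
```

Calling validate with a different hostname, a time past NotAfter, or a root that is not in the pool returns the corresponding HostnameError, expiry error or UnknownAuthorityError, which is how each item in the list fails in practice.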
Domain 6: Network and Communications Security (16%)
Network Security Controls
Defense-in-depth for network security:
- Perimeter: Firewall, IPS, WAF, DDoS protection
- Network: VLANs, network segmentation, 802.1X
- Endpoint: EDR, host-based firewall, DLP
- Application: Input validation, authentication, authorization
- Data: Encryption, DLP, rights management
VPN protocols:
| Protocol | Layer | Encryption | Use Case |
|---|---|---|---|
| IPsec/IKEv2 | Layer 3 | AES | Site-to-site and remote access |
| SSL/TLS (AnyConnect) | Layer 4/7 | AES | Remote access (web-based) |
| WireGuard | Layer 3 | ChaCha20 | Modern, high-performance VPN |
| OpenVPN | Layer 3/2 | OpenSSL | Open-source, flexible |
Domain 7: Systems and Application Security (15%)
Endpoint Security
Endpoint hardening procedures:
- Remove unnecessary services and applications
- Apply current patches and updates
- Configure host-based firewall
- Enable full disk encryption
- Deploy EDR agent
- Implement application whitelisting (allow-listing)
- Disable removable media or implement DLP controls
Cloud and Virtualization Security
Container security concerns:
- Container escape: Breaking out of container isolation to access the host
- Privileged containers: Containers with elevated host permissions create security risks
- Image security: Unverified images may contain malware or vulnerabilities
- Secrets in images: Hardcoded credentials in Dockerfile layers remain accessible in image history
Frequently Asked Questions
How does SSCP compare to Security+ and CISSP? Security+ is entry-level requiring no experience; SSCP is intermediate requiring 1 year of security experience; CISSP is senior-level requiring 5 years. Security+ validates security concepts; SSCP validates hands-on security implementation skills; CISSP validates security management and governance. The natural progression for many security professionals is Security+ > SSCP > CISSP.
Is SSCP worth getting if I already have Security+? SSCP adds ISC2 recognition and CPE-based renewal that demonstrates ongoing professional development. It is a stronger signal for technical security roles because it requires work experience and covers deeper technical security operations content. For professionals specifically targeting ISC2-credentialed roles or government positions that recognize ISC2, SSCP is worth adding after Security+.
What is the best way to prepare for SSCP? The official ISC2 SSCP Study Guide, Mike Chapple's materials, and the ISC2 CyberSecure online training platform are the primary resources. SSCP benefits significantly from hands-on experience -- the practical experience requirement exists precisely because the exam tests real-world application of security controls. Candidates with current security operations roles typically find SSCP more straightforward than those studying purely from books.
References
- ISC2. (2025). SSCP Systems Security Certified Practitioner. https://www.isc2.org/certifications/sscp
- Chapple, M., & Seidl, D. (2023). (ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide. Sybex.
- NIST. (2020). SP 800-53r5: Security and Privacy Controls for Federal Information Systems. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- ISC2. (2025). SSCP Official Study App. https://www.isc2.org/certifications/sscp/sscp-self-paced-training
- SANS Institute. (2025). Incident Handling Cheat Sheet. https://www.sans.org/blog/incident-handlers-handbook/
- CSA. (2025). Cloud Security Alliance Controls Matrix. https://cloudsecurityalliance.org/research/cloud-controls-matrix/
