ISC2 · 2026 Edition
A complete preparation guide written by ISC2-certified engineers. Covers the exam format, all 7 blueprint domains, a week-by-week study plan, and proven tips for passing the first time.
Exam code: SSCP
Full name: Systems Security Certified Practitioner (SSCP)
Vendor: ISC2
Duration: 180 minutes
Questions: 125 items
Passing score: 700/1000 (scaled)
Domains covered: 7 blueprint domains
Difficulty: Intermediate
Recommended experience: a minimum of 1 year of cumulative paid work experience in one or more of the 7 SSCP domains; candidates without the experience can pass the exam and become an Associate of (ISC)² until they have it
Typical prep time: 3–4 months
SSCP validates hands-on operational security skills for practitioners who implement, monitor and maintain security controls. It sits one rung above the entry-level Certified in Cybersecurity (CC) on the (ISC)² ladder and below CISSP, and is recognised under US DoD 8570 (now being superseded by DoD 8140) for IAT Level II and IAM Level I roles.
This guide does not carry current domain percentage weights for the exam; take them from the official ISC2 SSCP exam outline. The week-by-week checklist below is still useful for planning your study.
Weeks 1–3
Security Operations and Administration (the first SSCP domain): security models, risk management, security controls
Tip: SSCP has 7 domains and they are not weighted equally. In recent exam outlines Access Controls and Network and Communications Security have been among the heaviest, while Cryptography has been the lightest. Check the current official exam outline for the exact percentages and front-load the heavier domains before diving into the lighter ones.
Weeks 4–6
Access Controls and Identity Management: authentication methods, PKI, directory services
Tip: Kerberos is tested on SSCP. Know the ticket-granting process and the message names: the client sends AS_REQ to the KDC's Authentication Service → the AS returns AS_REP containing a Ticket Granting Ticket (TGT), sealed with the KDC's own key so the client cannot read it, plus a session key encrypted under the client's long-term key → the client sends TGS_REQ (TGT plus an authenticator) to the Ticket Granting Service → the TGS returns TGS_REP with a service ticket encrypted under the service's key → the client presents the ticket and a fresh authenticator to the application server (AP_REQ), which validates it without contacting the KDC. Know what each component does, and that tickets and authenticators are time-limited, so clock skew causes authentication failures.
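The five-step exchange above, worked through in code. This is an added example and not part of the original guide: a toy KDC, client and service in Python, using a stand-in authenticated cipher built from SHA-256 and HMAC so that it runs with the standard library only (real Kerberos uses AES-CTS with HMAC). The realm EXAMPLE.TEST, the principal alice, the service host/files.example.test and the passwords are made up. It shows that the client can open the AS reply only with the right password, cannot read its own TGT, and that the application server accepts the ticket without ever talking to the KDC.

```python
# Toy Kerberos ticket flow (AS -> TGS -> AP). Added example, not from the page.
# The cipher (SHA-256 keystream + HMAC tag) is a standard-library stand-in so
# the script runs offline; real Kerberos uses AES-CTS with HMAC (RFC 3962/8009).
# Realm, principal and service names are made up.
import hashlib, hmac, json, secrets, time

def _stream(key, nonce, n):
    """Counter-mode keystream from SHA-256 (toy, not a real cipher)."""
    out = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

def seal(key, fields):
    """Encrypt-then-MAC a dict: nonce || ciphertext || tag."""
    pt, nonce = json.dumps(fields).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Reverse of seal(); ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """Holds every principal's long-term key; plays both the AS and the TGS."""
    def __init__(self, realm):
        self.realm, self.keys = realm, {}            # principal -> long-term key
        self.krbtgt_key = secrets.token_bytes(32)    # key of krbtgt/REALM; seals every TGT

    def as_exchange(self, cname):
        """AS_REQ -> AS_REP: TGT (opaque to the client) + TGS session key under the client's key."""
        sk = secrets.token_bytes(32)
        tgt = seal(self.krbtgt_key, {"cname": cname, "sk": sk.hex(), "exp": time.time() + 600})
        return tgt, seal(self.keys[cname], {"sk": sk.hex(), "sname": "krbtgt/" + self.realm})

    def tgs_exchange(self, tgt, authenticator, sname):
        """TGS_REQ -> TGS_REP: open the TGT, check the authenticator, issue a service ticket."""
        t = unseal(self.krbtgt_key, tgt)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)  # proves client holds the session key
        if a["cname"] != t["cname"] or abs(time.time() - a["ts"]) > 300 or time.time() > t["exp"]:
            raise ValueError("bad authenticator or expired TGT")
        ssk = secrets.token_bytes(32)
        ticket = seal(self.keys[sname], {"cname": t["cname"], "sname": sname,
                                         "ssk": ssk.hex(), "exp": time.time() + 600})
        return ticket, seal(bytes.fromhex(t["sk"]), {"ssk": ssk.hex(), "sname": sname})

class Service:
    """Application server: never contacts the KDC; trusts a ticket it can open with its own key."""
    def __init__(self, name, key):
        self.name, self.key = name, key

    def ap_exchange(self, ticket, authenticator):
        """AP_REQ: open the ticket, then check the authenticator under the ticket's session key."""
        t = unseal(self.key, ticket)
        a = unseal(bytes.fromhex(t["ssk"]), authenticator)
        if t["sname"] != self.name or a["cname"] != t["cname"] or time.time() > t["exp"]:
            raise ValueError("ticket not for this service, wrong client, or expired")
        return t["cname"]

def authenticator(session_key, cname):
    """Client proof of session-key possession: name + fresh timestamp under that key."""
    return seal(session_key, {"cname": cname, "ts": time.time()})

def run_flow(password_typed="correct horse battery", password_enrolled="correct horse battery",
             cname="alice", sname="host/files.example.test"):
    """Whole flow from the client's side; returns what the client and the service learned."""
    kdc = KDC("EXAMPLE.TEST")
    salt = (kdc.realm + cname).encode()              # string2key is salted with realm + principal
    kdc.keys[cname] = hashlib.pbkdf2_hmac("sha256", password_enrolled.encode(), salt, 4096)
    svc = Service(sname, secrets.token_bytes(32))
    kdc.keys[sname] = svc.key
    client_key = hashlib.pbkdf2_hmac("sha256", password_typed.encode(), salt, 4096)

    tgt, enc = kdc.as_exchange(cname)                # steps 1-2
    sk = bytes.fromhex(unseal(client_key, enc)["sk"])   # a wrong password fails right here
    try:                                             # the client cannot read its own TGT
        unseal(client_key, tgt)
        tgt_opaque = False
    except ValueError:
        tgt_opaque = True
    ticket, enc2 = kdc.tgs_exchange(tgt, authenticator(sk, cname), sname)   # steps 3-4
    ssk = bytes.fromhex(unseal(sk, enc2)["ssk"])
    who = svc.ap_exchange(ticket, authenticator(ssk, cname))                 # step 5
    return {"tgt_opaque_to_client": tgt_opaque, "service_saw": who}

def wrong_password_rejected():
    """A mistyped password cannot recover the TGS session key, so the flow stops at AS_REP."""
    try:
        run_flow(password_typed="wrong password")
        return False
    except ValueError:
        return True
```

Running `run_flow()` returns `{'tgt_opaque_to_client': True, 'service_saw': 'alice'}`; `wrong_password_rejected()` returns True. The point to carry into the exam is the key separation: the client's long-term key protects only the AS reply, the krbtgt key protects the TGT, the service's key protects the service ticket, and each authenticator is checked under a session key that only the legitimate parties hold.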
Weeks 7–9
Network Security: firewalls, IDS/IPS, VPNs, wireless security, network protocols
Tip: The OSI model with security controls at each layer is tested on SSCP: Layer 2 (802.1X port-based network access control, MAC filtering, WPA2/WPA3 for wireless), Layer 3 (IPsec, router ACLs), Layer 4 (stateful firewalls filtering on TCP/UDP ports and connection state), Layer 7 (application and web application firewalls, DLP, forward and reverse proxies). Know which security control operates at which OSI layer.
Weeks 10–13
Risk Identification, Incident Response, Cryptography, Systems and Application Security
Tip: Cryptographic protocols on SSCP: TLS 1.3 for transport security (HTTPS and other TCP applications; SSL and TLS 1.0/1.1 are deprecated), S/MIME for email, SSH for remote administration and tunnelling, OpenPGP/PGP for file and email encryption, IPsec for network-layer VPNs. Know which protocol is appropriate for which use case: SSCP questions describe a communication channel and ask which protocol should secure it.
SSCP requires a minimum of one year of cumulative paid work experience in one or more of the 7 domains. Candidates without this experience can pass the exam and become an Associate of (ISC)², then earn the full certification once they have gained the experience.
Risk management terminology tested on SSCP: asset (what has value), threat (what could harm it), vulnerability (the weakness a threat exploits), risk (likelihood × impact of the threat exploiting the vulnerability), control (the countermeasure that reduces likelihood or impact). Know the risk treatment options: accept (tolerate the risk, with documented sign-off), avoid (eliminate the activity), mitigate (reduce likelihood or impact with controls), transfer (insurance, outsourcing; this shifts the financial consequence, not accountability). What remains after treatment is residual risk.
Virtualisation and cloud security basics appear on SSCP: know the VM escape attack (code in a guest breaks out of the virtual machine's isolation to reach the hypervisor or host, and from there other guests), container security (containers share the host kernel and are separated by namespaces and cgroups, not full VM isolation, so a kernel vulnerability can affect every container on the host), and the shared responsibility model at the IaaS, PaaS, and SaaS levels (the customer's share of the stack shrinks from IaaS to SaaS, but the customer always owns its data, identities and access configuration).
Forensics vocabulary on SSCP: chain of custody (a documented, unbroken record of who handled evidence, when and why, backed by hashes taken at acquisition), order of volatility (collect the most volatile evidence first: CPU registers and cache → RAM, running processes and network connections → swap and temporary files → disk → remote logs and archival media, as laid out in RFC 3227), write blocker (hardware or software between the analyst's system and the source drive that permits reads but blocks writes, so imaging does not alter the original). Know these concepts and when each applies.
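Chain of custody and acquisition hashing, as an added example that is not from the guide: a Python evidence record whose custody log is hash-chained, so a changed image byte or an edited log entry is caught at verification. The case identifiers, custodian names and the "disk image" bytes are constructed for the demo.

```python
# Chain of custody with a hash-chained evidence log. Added example, not from the page.
# Case/item identifiers, custodian names and the "disk image" bytes are constructed.
import hashlib, json, time

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

class EvidenceItem:
    """One exhibit: the image bytes, its acquisition hash, and a tamper-evident custody log.
    Each log entry carries the hash of the previous entry, so an edited or deleted
    handoff breaks the chain; each entry also records the image hash at that moment."""

    def __init__(self, item_id, acquired_by, image, ts=None):
        self.item_id, self.image, self.log = item_id, image, []
        self.acquisition_hash = sha256_hex(image)   # taken once, behind a write blocker in practice
        self._append("acquired", acquired_by, acquired_by, ts)

    def _append(self, action, from_person, to_person, ts=None):
        prev = self.log[-1]["entry_hash"] if self.log else self.acquisition_hash
        entry = {"seq": len(self.log), "ts": ts or time.time(), "action": action,
                 "from": from_person, "to": to_person,
                 "evidence_hash": sha256_hex(self.image), "prev": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.log.append(entry)

    def transfer(self, from_person, to_person, ts=None):
        """Record a handoff; only the current custodian can hand the exhibit on."""
        if self.log[-1]["to"] != from_person:
            raise ValueError(f"{from_person} is not the current custodian")
        self._append("transfer", from_person, to_person, ts)

    def verify(self):
        """Check the image against its acquisition hash and walk the hash chain."""
        image_intact = sha256_hex(self.image) == self.acquisition_hash
        prev, log_intact = self.acquisition_hash, True
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                log_intact = False
                break
            prev = e["entry_hash"]
        return {"image_intact": image_intact, "log_intact": log_intact,
                "custodian": self.log[-1]["to"], "handoffs": len(self.log) - 1}

def demo():
    """Clean custody, then two things that must be caught: a modified image and an edited log."""
    image = b"constructed sample image, not real evidence\x00" * 32
    item = EvidenceItem("CASE-0001-HDD01", "analyst.a", image)
    item.transfer("analyst.a", "evidence.locker")
    item.transfer("evidence.locker", "analyst.b")
    clean = item.verify()

    item.image = image[:8] + b"X" + image[9:]      # one byte written to the image (no write blocker)
    bad_image = item.verify()

    item.image = image                              # restore it, then rewrite the last handoff's recipient
    item.log[-1]["to"] = "contractor.c"
    bad_log = item.verify()
    return clean, bad_image, bad_log

def wrong_custodian_rejected():
    """Someone who never received the exhibit cannot log a transfer of it."""
    item = EvidenceItem("CASE-0001-USB02", "analyst.a", b"constructed")
    try:
        item.transfer("analyst.b", "analyst.c")
        return False
    except ValueError:
        return True
```

`demo()` returns three verification reports: the clean chain (image and log intact, custodian analyst.b after two handoffs), the modified image (image check fails, log still intact) and the edited log (image intact, chain broken). In real casework the hash is computed on the image produced behind a write blocker and the custody log is kept apart from the analyst's workstation, so that neither party can quietly fix up both.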
SSCP certification is valid for 3 years. Renewal requires 60 CPE credits over the cycle (ISC2 suggests 20 per year) and an annual maintenance fee. The (ISC)² member portal tracks CPEs and offers free webinars that qualify.