Closer Look #2: Systems Security Certified Practitioner
The requirements language for the SSCP is more focused and exact than that for the Security+. The SSCP Candidate Information Bulletin (to obtain it, visitors to the (ISC)² SSCP page must register, then request e-mail delivery of a download link) states that “applicants must have a minimum of one year of direct full-time security work experience in one or more of the seven domains of the (ISC)² SSCP CBK,” where CBK stands for “Common Body of Knowledge,” the (ISC)² name for the collection of topical domains that this credential addresses. The document then goes on to explain in great detail that such experience includes work on a technical or college degree, “work requiring habitual memory of a body of knowledge shared with others doing similar work,” various types of managerial or supervisory roles, related teaching or training activities, and so on.
Examination of the seven elements of the SSCP CBK (listed by name in Table 1) is also revealing. In addition to a laundry list of key areas of knowledge for each topic, each domain is defined and described in enough detail to be understandable and to establish a connection with fundamental security principles, processes, and practices. In general, the SSCP shares with Security+ an emphasis on practice over theory (though it does include more theoretical material than does Security+). Both are interested in matters of best practice, implementation, upkeep, and management of security rather than in a deep dive into underlying causes and unwanted effects, or in the overarching role of understanding, defining, enforcing, and maintaining security policy that figures so heavily in most senior information security certifications.
One important area that SSCP covers and that Security+ largely overlooks (there’s at least rough parity for all of the other areas covered in each of these two exams) is what’s often called BCP/DRP in information technology circles. BCP stands for “business continuity planning,” and DRP stands for “disaster recovery planning”; the two disciplines are interrelated and are understood to cover training, testing and dry runs, regular audits, and actual implementation of such plans as well as the planning activities themselves. This part of the exam covers the whole process, from managing risk and performing security assessments to handling incidents and understanding what distinguishes BCP from DRP. This is valuable and important material for anybody who wants to pursue information security as an IT professional.