(ISC)² CBK Objectives
The 5 official learning areas of Domain 6. Click an objective for detail.
Design and validate assessment, test and audit strategies
Select approaches, frameworks and standards (RMF, CSF, ISO 27000, SOC). Distinguish formal/informal, internal/external/third-party, and the independence a credible audit requires.
Key points
- Assessment vs audit vs testing
- SOC 1/2/3, Type I/II, TSC
- Internal vs external (external first)
Conduct security control testing
Vulnerability assessment, ethical penetration testing (RoE, box testing, red/blue/purple), log reviews, synthetic vs RUM, code review (SAST/DAST), misuse/negative testing, coverage, interface, BAS, compliance checks.
Key points
- SAST (code at rest) vs DAST (running app)
- Black/gray/white box
- Synthetic (scripts) vs RUM (passive)
Collect security process data
Account management, management review, KPI vs KRI, backup verification, SETA, BC/DR tests (desk check, walk-through, tabletop, simulation, parallel, full cutover).
Key points
- KPI (past) vs KRI (future)
- Verify backups via test restore
- 6 levels of BC/DR tests
Analyze test output and generate report
Remediation, PDCA and Six Sigma, exception handling within risk tolerance, ethical disclosure (full/responsible/non-disclosure), mandatory reporting, whistleblowing.
Key points
- PDCA = Plan-Do-Check-Act
- Exceptions: temporary, documented
- Responsible disclosure (Project Zero 90 d)
Conduct or facilitate security audits
Internal, external and third-party audits; chartering, scoping, testing, reporting, remediating (POA&M); SOC audit preparation; audit types; managed services and supply chain.
Key points
- Internal: familiarity vs independence
- External: independent, often mandatory
- POA&M tracks remediation
Key concepts
Assessment vs audit vs testing
Assessment = broad control evaluation, scope set by management. Audit = formal review vs a standard, requires independence. Testing = compare actual vs expected behaviour, a reusable block or standalone monitoring.
Anatomy of a finding
Five elements: Condition (observation), Criteria (standard), Cause (why), Effect (impact), Recommendation (action). Compiled into a report to the chartering body.
SOC reports
SOC 1 = financial reporting (ICFR). SOC 2 = security controls (TSC), confidential. SOC 3 = public summary. SOC for Cybersecurity = cyber programme. Type I = design (point in time); Type II = effectiveness (period).
Vulnerability assessment
Automated scanners finding known vulnerabilities, authenticated (creds, inside view) or unauthenticated (attacker view). A vuln is not an exploit; manage false positives.
Ethical penetration testing
Simulates a threat actor under RoE. 5 phases: Chartering, Discovery, Scanning, Exploitation, Reporting. Box: black/gray/white. Teams: red/blue/purple. Without a signed contract, criminal risk.
Code review: SAST vs DAST
SAST = static analysis of code at rest (white box). DAST = dynamic analysis of the running app (black box). IAST combines. Fuzzing (mutation/generation) is a DAST case.
Synthetic transactions vs RUM
Synthetic = automated scripts (active), 24/7 even with no traffic; web/DB/TCP/SLA. RUM = passive monitoring capturing every real-user transaction (EUM). They complement each other.
Software test types
Levels: unit, integration, system, acceptance (UAT). Cross-cutting: regression, positive, negative, misuse case, interface, white/black box. Coverage = 100% by convention.
KPI vs KRI
Metric = measurement; indicator = metric + context. KPI looks at the past (goals met?). KRI looks at the future (emerging risk, proactive).
BC/DR tests
Increasing order: desk check, walk-through, tabletop, simulation, parallel, full cutover. Parallel keeps prod up; full cutover affects it. Fire evacuation = walk-through.
Remediation and PDCA
Remediation = project (priority, milestones, tracking, POA&M). Continual improvement via PDCA (Plan-Do-Check-Act) and Six Sigma (DMAIC). No test fixes: it identifies.
Ethical disclosure
Full (immediate), responsible (vendor grace period, Project Zero 90 d), nondisclosure (NDA/investigation/GDPR). Mandatory reporting (legal) and whistleblowing (ethical) in addition.
Internal/external/third-party audits
Internal: familiarity (benefit) vs independence (risk). External: independent, often mandatory. Third-party: SOC 2/CSA STAR; the data controller stays liable for a processor's breach.
Frameworks & standards
| Framework | Role |
|---|---|
| NIST RMF (SP 800-37) | Risk management framework, US federal audit reference. |
| NIST SP 800-53A | Assessment procedures for security and privacy controls. |
| NIST CSF | Voluntary, risk-driven maturity model. |
| ISO/IEC 27000 | ISMS audit framework, strong outside the US. |
| SOC / SSAE 18 | Control attestation reports (1/2/3, cyber). |
| ISAE 3402 / 3000 | International counterparts of the SSAE. |
| PCI DSS | Payment card data security (annual audit). |
| MITRE ATT&CK | Adversary tactics/techniques base for emulation. |
| ISO 22301 / 27031 | Business continuity and IS continuity. |
| ISO 28000 | Supply chain security management. |
Acronyms
| Acronym | Meaning |
|---|---|
| SAST | Static Application Security Testing (code at rest) |
| DAST | Dynamic Application Security Testing (running app) |
| IAST | Interactive Application Security Testing (hybrid) |
| BAS | Breach and Attack Simulation |
| RUM | Real-User Monitoring (passive) |
| EUM | End-User experience Monitoring |
| CVSS | Common Vulnerability Scoring System (severity 0-10) |
| EPSS | Exploit Prediction Scoring System (probability) |
| CVE / NVD | Common Vulnerabilities and Exposures / National Vulnerability Database |
| RoE | Rules of Engagement (pentest scope) |
| SOC | Service Organization Control (1/2/3, cyber) |
| TSC | Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) |
| SSAE / ISAE | Statement on Standards for Attestation Engagements / International Standard on Assurance Engagements |
| ICFR | Internal Control over Financial Reporting (SOC 1) |
| POA&M | Plan of Action and Milestones |
| PDCA | Plan-Do-Check-Act (Deming wheel) |
| KPI / KRI | Key Performance / Key Risk Indicator |
| SETA | Security Education, Training and Awareness |
| BC / DR | Business Continuity / Disaster Recovery |
| VEP | Vulnerabilities Equities Process |
Mnemonics
S for Static (code stopped); D for Dynamic (running app). SAST = white box, DAST = black box.
1 = finance (ICFR), 2 = security (TSC, confidential), 3 = public. Type I = design, Type II = effectiveness.
The 5 SOC 2 TSC: Confidentiality, Integrity (processing), Availability, Non-repudiation/Security, + Privacy.
Black = blind, Gray = partial, White = transparent (mimics insider, doesn't test NAT).
Chartering, Discovery, Scanning, Exploitation, Reporting. CDSER.
KPI = past (goals met?). KRI = future (emerging risk, proactive).
Least to most disruptive: desk check, walk-through, tabletop, simulation, parallel, full cutover.
Plan, Do, Check, Act. No 'Calculate' (trap). Six Sigma = DMAIC.
Formulas
CVSS : 0 None | 0.1-3.9 Low | 4.0-6.9 Medium | 7.0-8.9 High | 9.0-10 Critical
Technical severity. EPSS complements with exploitation probability.
Coverage = (elements testes / total) ; coverage implique 100 % par convention
Statement < branch < condition < path in demand; proportionate to risk.
Exam pitfalls
SOC 1 vs SOC 2
SOC 1 = financial (ICFR); SOC 2 = security (TSC). SOC 1 covers neither DR nor privacy. Trap: tying SOC 2 to finance.
Type I vs Type II
Type I = design at a point in time (due care). Type II = effectiveness over a period (due diligence). For a third party, require a Type II.
SAST vs DAST
SAST = code at rest (white box); DAST = running app (black box). Fuzzing is a DAST case.
Fire evacuation = walk-through
In BC/DR, a fire evacuation is a walk-through (step-by-step review), not a simulation or a tabletop.
KPI vs KRI
KRIs monitor emerging risk (future); KPIs measure goal achievement (past). Don't swap them.
Synthetic = test by scripts
A web test relying on scripts (not live) is a synthetic transaction. RUM is passive and observes real users.
No test fixes
A test identifies a problem; it does not fix it. Remediation always follows. A vuln is not an exploit.
Real-world cases
Coalfire vs Iowa: a physical pentest without disseminated RoE
Pentesters arrested at the Dallas County courthouse because RoE were not communicated to the county, despite a state-level contract. Lesson: disseminate RoE to all authorities, plan contingencies, stop and present authorisation on alarm.
WannaCry: unpatched systems and DR
The ransomware exploits EternalBlue on unpatched systems. Highlights continuous pentesting, a DR covering functionality (not just data), international BC collaboration and continuous awareness. Typical DR weakness: single point of failure.
10-second recap
10-second recap
- Assessment (broad), audit (formal/independent), testing (execution).
- SOC 1 finance, SOC 2 security (confidential), SOC 3 public; Type I design, Type II effectiveness.
- Vuln assessment identifies; pentest exploits (RoE, 5 phases, box, red/blue/purple).
- SAST = code at rest; DAST = running app; synthetic = scripts, RUM = passive.
- KPI = past, KRI = future; verify backups via test restore.
- BC/DR tests: desk check -> full cutover; evacuation = walk-through.
- PDCA (Plan-Do-Check-Act); temporary exceptions; responsible disclosure (90 d).
- Internal audit (familiarity vs independence), external (mandatory), third-party (SOC 2/CSA STAR); POA&M.
Domain quiz
Three levels available. Pick one based on the time you have.
🔒 Sign-up required for quizzes
Exam-style quizzes are members-only (free). Sign in with a magic link or a passkey to practise and save your scores.