Domaine 6 · 12% Exam weight

Security Assessment and Testing

Domain 6 verifies that controls work: assessment/test/audit strategies, control testing (vulnerability assessment, penetration testing, SAST/DAST, synthetic vs RUM), process data collection (KPI/KRI, backups, SETA, BC/DR), analysis, reporting, ethical disclosure and conducting audits (internal, external, third-party, SOC). Exam weight: 12%.

(ISC)² CBK Objectives

The 5 official learning areas of Domain 6. Click an objective for detail.

Objective 6.1

Design and validate assessment, test and audit strategies

Select approaches, frameworks and standards (RMF, CSF, ISO 27000, SOC). Distinguish formal/informal, internal/external/third-party, and the independence a credible audit requires.

Key points

  • Assessment vs audit vs testing
  • SOC 1/2/3, Type I/II, TSC
  • Internal vs external (external first)
Objective 6.2

Conduct security control testing

Vulnerability assessment, ethical penetration testing (RoE, box testing, red/blue/purple), log reviews, synthetic vs RUM, code review (SAST/DAST), misuse/negative testing, coverage, interface, BAS, compliance checks.

Key points

  • SAST (code at rest) vs DAST (running app)
  • Black/gray/white box
  • Synthetic (scripts) vs RUM (passive)
Objective 6.3

Collect security process data

Account management, management review, KPI vs KRI, backup verification, SETA, BC/DR tests (desk check, walk-through, tabletop, simulation, parallel, full cutover).

Key points

  • KPI (past) vs KRI (future)
  • Verify backups via test restore
  • 6 levels of BC/DR tests
Objective 6.4

Analyze test output and generate report

Remediation, PDCA and Six Sigma, exception handling within risk tolerance, ethical disclosure (full/responsible/non-disclosure), mandatory reporting, whistleblowing.

Key points

  • PDCA = Plan-Do-Check-Act
  • Exceptions: temporary, documented
  • Responsible disclosure (Project Zero 90 d)
Objective 6.5

Conduct or facilitate security audits

Internal, external and third-party audits; chartering, scoping, testing, reporting, remediating (POA&M); SOC audit preparation; audit types; managed services and supply chain.

Key points

  • Internal: familiarity vs independence
  • External: independent, often mandatory
  • POA&M tracks remediation

Key concepts

Assessment vs audit vs testing

Assessment = broad control evaluation, scope set by management. Audit = formal review vs a standard, requires independence. Testing = compare actual vs expected behaviour, a reusable block or standalone monitoring.

Anatomy of a finding

Five elements: Condition (observation), Criteria (standard), Cause (why), Effect (impact), Recommendation (action). Compiled into a report to the chartering body.

SOC reports

SOC 1 = financial reporting (ICFR). SOC 2 = security controls (TSC), confidential. SOC 3 = public summary. SOC for Cybersecurity = cyber programme. Type I = design (point in time); Type II = effectiveness (period).

Vulnerability assessment

Automated scanners finding known vulnerabilities, authenticated (creds, inside view) or unauthenticated (attacker view). A vuln is not an exploit; manage false positives.

Ethical penetration testing

Simulates a threat actor under RoE. 5 phases: Chartering, Discovery, Scanning, Exploitation, Reporting. Box: black/gray/white. Teams: red/blue/purple. Without a signed contract, criminal risk.

Code review: SAST vs DAST

SAST = static analysis of code at rest (white box). DAST = dynamic analysis of the running app (black box). IAST combines. Fuzzing (mutation/generation) is a DAST case.

Synthetic transactions vs RUM

Synthetic = automated scripts (active), 24/7 even with no traffic; web/DB/TCP/SLA. RUM = passive monitoring capturing every real-user transaction (EUM). They complement each other.

Software test types

Levels: unit, integration, system, acceptance (UAT). Cross-cutting: regression, positive, negative, misuse case, interface, white/black box. Coverage = 100% by convention.

KPI vs KRI

Metric = measurement; indicator = metric + context. KPI looks at the past (goals met?). KRI looks at the future (emerging risk, proactive).

BC/DR tests

Increasing order: desk check, walk-through, tabletop, simulation, parallel, full cutover. Parallel keeps prod up; full cutover affects it. Fire evacuation = walk-through.

Remediation and PDCA

Remediation = project (priority, milestones, tracking, POA&M). Continual improvement via PDCA (Plan-Do-Check-Act) and Six Sigma (DMAIC). No test fixes: it identifies.

Ethical disclosure

Full (immediate), responsible (vendor grace period, Project Zero 90 d), nondisclosure (NDA/investigation/GDPR). Mandatory reporting (legal) and whistleblowing (ethical) in addition.

Internal/external/third-party audits

Internal: familiarity (benefit) vs independence (risk). External: independent, often mandatory. Third-party: SOC 2/CSA STAR; the data controller stays liable for a processor's breach.

Frameworks & standards

FrameworkRole
NIST RMF (SP 800-37) Risk management framework, US federal audit reference.
NIST SP 800-53A Assessment procedures for security and privacy controls.
NIST CSF Voluntary, risk-driven maturity model.
ISO/IEC 27000 ISMS audit framework, strong outside the US.
SOC / SSAE 18 Control attestation reports (1/2/3, cyber).
ISAE 3402 / 3000 International counterparts of the SSAE.
PCI DSS Payment card data security (annual audit).
MITRE ATT&CK Adversary tactics/techniques base for emulation.
ISO 22301 / 27031 Business continuity and IS continuity.
ISO 28000 Supply chain security management.

Acronyms

AcronymMeaning
SAST Static Application Security Testing (code at rest)
DAST Dynamic Application Security Testing (running app)
IAST Interactive Application Security Testing (hybrid)
BAS Breach and Attack Simulation
RUM Real-User Monitoring (passive)
EUM End-User experience Monitoring
CVSS Common Vulnerability Scoring System (severity 0-10)
EPSS Exploit Prediction Scoring System (probability)
CVE / NVD Common Vulnerabilities and Exposures / National Vulnerability Database
RoE Rules of Engagement (pentest scope)
SOC Service Organization Control (1/2/3, cyber)
TSC Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy)
SSAE / ISAE Statement on Standards for Attestation Engagements / International Standard on Assurance Engagements
ICFR Internal Control over Financial Reporting (SOC 1)
POA&M Plan of Action and Milestones
PDCA Plan-Do-Check-Act (Deming wheel)
KPI / KRI Key Performance / Key Risk Indicator
SETA Security Education, Training and Awareness
BC / DR Business Continuity / Disaster Recovery
VEP Vulnerabilities Equities Process

Mnemonics

Memo · SAST vs DAST

S for Static (code stopped); D for Dynamic (running app). SAST = white box, DAST = black box.

Memo · SOC 1/2/3

1 = finance (ICFR), 2 = security (TSC, confidential), 3 = public. Type I = design, Type II = effectiveness.

Memo · CIANA+P

The 5 SOC 2 TSC: Confidentiality, Integrity (processing), Availability, Non-repudiation/Security, + Privacy.

Memo · Box testing

Black = blind, Gray = partial, White = transparent (mimics insider, doesn't test NAT).

Memo · Pentest 5 phases

Chartering, Discovery, Scanning, Exploitation, Reporting. CDSER.

Memo · KPI vs KRI

KPI = past (goals met?). KRI = future (emerging risk, proactive).

Memo · Tests BC/DR

Least to most disruptive: desk check, walk-through, tabletop, simulation, parallel, full cutover.

Memo · PDCA

Plan, Do, Check, Act. No 'Calculate' (trap). Six Sigma = DMAIC.

Formulas

Remember

CVSS : 0 None | 0.1-3.9 Low | 4.0-6.9 Medium | 7.0-8.9 High | 9.0-10 Critical

Technical severity. EPSS complements with exploitation probability.

Remember

Coverage = (elements testes / total) ; coverage implique 100 % par convention

Statement < branch < condition < path in demand; proportionate to risk.

Exam pitfalls

Pitfall

SOC 1 vs SOC 2

SOC 1 = financial (ICFR); SOC 2 = security (TSC). SOC 1 covers neither DR nor privacy. Trap: tying SOC 2 to finance.

Pitfall

Type I vs Type II

Type I = design at a point in time (due care). Type II = effectiveness over a period (due diligence). For a third party, require a Type II.

Pitfall

SAST vs DAST

SAST = code at rest (white box); DAST = running app (black box). Fuzzing is a DAST case.

Pitfall

Fire evacuation = walk-through

In BC/DR, a fire evacuation is a walk-through (step-by-step review), not a simulation or a tabletop.

Pitfall

KPI vs KRI

KRIs monitor emerging risk (future); KPIs measure goal achievement (past). Don't swap them.

Pitfall

Synthetic = test by scripts

A web test relying on scripts (not live) is a synthetic transaction. RUM is passive and observes real users.

Pitfall

No test fixes

A test identifies a problem; it does not fix it. Remediation always follows. A vuln is not an exploit.

Real-world cases

Case · Case study

Coalfire vs Iowa: a physical pentest without disseminated RoE

Pentesters arrested at the Dallas County courthouse because RoE were not communicated to the county, despite a state-level contract. Lesson: disseminate RoE to all authorities, plan contingencies, stop and present authorisation on alarm.

Case · Case study

WannaCry: unpatched systems and DR

The ransomware exploits EternalBlue on unpatched systems. Highlights continuous pentesting, a DR covering functionality (not just data), international BC collaboration and continuous awareness. Typical DR weakness: single point of failure.

10-second recap

10-second recap

  • Assessment (broad), audit (formal/independent), testing (execution).
  • SOC 1 finance, SOC 2 security (confidential), SOC 3 public; Type I design, Type II effectiveness.
  • Vuln assessment identifies; pentest exploits (RoE, 5 phases, box, red/blue/purple).
  • SAST = code at rest; DAST = running app; synthetic = scripts, RUM = passive.
  • KPI = past, KRI = future; verify backups via test restore.
  • BC/DR tests: desk check -> full cutover; evacuation = walk-through.
  • PDCA (Plan-Do-Check-Act); temporary exceptions; responsible disclosure (90 d).
  • Internal audit (familiarity vs independence), external (mandatory), third-party (SOC 2/CSA STAR); POA&M.

Domain quiz

Three levels available. Pick one based on the time you have.

🔒 Sign-up required for quizzes

Exam-style quizzes are members-only (free). Sign in with a magic link or a passkey to practise and save your scores.