1.1 Implement and maintain authentication methods

• Single/multifactor authentication
• Single sign-on
• Device authentication
• Federated access

1.2 Support internetwork trust architectures

• Trust relationships (e.g., 1-way, 2-way, transitive)
• Extranet
• Third-party connections

1.3 Participate in the identity management lifecycle

• Authorization
• Proofing
• Provisioning/de-provisioning
• Maintenance
• Entitlement
• Identity and Access Management (IAM) systems

1.4 Implement access controls

• Mandatory
• Non-discretionary
• Discretionary
• Role-based
• Attribute-based
• Subject-based
• Object-based

2.1 Comply with codes of ethics

• (ISC)² Code of Ethics
• Organizational code of ethics

2.2 Understand security concepts
2.3 Document, implement and maintain functional security controls

• Deterrent controls
• Preventative controls
• Detective controls
• Corrective controls
• Compensating controls

2.4 Participate in asset management

• Lifecycle (hardware, software, and data)
• Hardware inventory
• Software inventory and licensing
• Data storage

2.5 Implement security controls and assess compliance

• Technical controls (e.g., session timeout, password aging)
• Physical controls (e.g., mantrap, cameras, locks)
• Administrative controls (e.g., security policies and standards, procedures, baselines)
• Periodic audit and review

2.6 Participate in change management

• Execute change management process
• Identify security impact
• Testing /implementing patches, fixes, and updates (e.g., operating system, applications, SDLC)

2.7 Participate in security awareness and training
2.8 Participate in physical security operations (e.g., data center assessment, badging)

3.1 Understand the risk management process

• Risk visibility and reporting (e.g., risk register, sharing threat intelligence, Common Vulnerability Scoring System (CVSS))
• Risk management concepts (e.g., impact assessments, threat modelling, Business Impact Analysis (BIA))
• Risk management frameworks (e.g., ISO, NIST)
• Risk treatment (e.g., accept, transfer, mitigate, avoid, recast)

3.2 Perform security assessment activities

• Participate in security testing
• Interpretation and reporting of scanning and testing results
• Remediation validation
• Audit finding remediation

3.3 Operate and maintain monitoring systems (e.g., continuous monitoring)

• Events of interest (e.g., anomalies, intrusions, unauthorized changes, compliance monitoring)
• Logging
• Source systems
• Legal and regulatory concerns (e.g., jurisdiction, limitations, privacy)

3.4 Analyze monitoring results

• Security baselines and anomalies
• Visualizations, metrics, and trends (e.g., dashboards, timelines)
• Event data analysis
• Document and communicate findings (e.g., escalation)

4.1 Support incident lifecycle

• Preparation
• Detection, analysis, and escalation
• Containment
• Eradication
• Recovery
• Lessons learned/implementation of new countermeasure

4.2 Understand and support forensic investigations

• Legal and ethical principles
• Evidence handling (e.g., first responder, triage, chain of custody, preservation of scene)

4.3 Understand and support Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) activities

• Emergency response plans and procedures (e.g., information system contingency plan)
• Interim or alternate processing strategies
• Restoration planning
• Backup and redundancy implementation
• Testing and drills

5.1 Understand fundamental concepts of cryptography
5.2 Understand reasons and requirements for cryptography

• Confidentiality
• Integrity and authenticity
• Data sensitivity (e.g., PII, intellectual property, PHI)
• Regulatory

5.3 Understand and support secure protocols

• Services and protocols (e.g., IPSec, TLS, S/MIME, DKIM)
• Common use cases
• Limitations and vulnerabilities

5.4 Understand Public Key Infrastructure (PKI) systems

• Fundamental key management concepts (e.g., key rotation, key composition, key creation, exchange, revocation, escrow)
• Web of Trust (WOT) (e.g., PGP, GPG)

6.1 Understand and apply fundamental concepts of networking
6.2 Understand network attacks and countermeasures (e.g., DDoS, man-in-the-middle, DNS poisoning)
6.3 Manage network access controls

• Network access control and monitoring (e.g., remediation, quarantine, admission)
• Network access control standards and protocols (e.g., IEEE 802.1X, Radius, TACACS)
• Remote access operation and configuration (e.g., thin client, SSL VPN, IPSec VPN, telework)

6.4 Manage network security

• Logical and physical placement of network devices (e.g., inline, passive)
• Segmentation (e.g., physical/logical, data/control plane, VLAN, ACLs)
• Secure device management

6.5 Operate and configure network-based security devices

• Firewalls and proxies (e.g., filtering methods)
• Network intrusion detection/prevention systems
• Routers and switches
• Traffic-shaping devices (e.g., WAN optimization, load balancing)

6.6 Operate and configure wireless technologies (e.g., Bluetooth, NFC, WiFi)

• Transmission security
• Wireless security devices (e.g., WIPS, WIDS)

7.1 Identify and analyze malicious code and activity

• Malware (e.g., rootkits, spyware, scareware, ransomware, Trojans, virus, worms, trapdoors, backdoors, and remote access Trojans)
• Malicious code countermeasures (e.g., scanners, anti-malware, code signing, sandboxing)
• Malicious activity (e.g., insider threat, data theft, DDoS, botnet)
• Malicious activity countermeasures (e.g., user awareness, system hardening, patching, sandboxing, isolation)

7.2 Implement and operate endpoint device security
7.3 Operate and configure cloud security
7.4 Operate and secure virtual environments

1.1 Understand and apply concepts of confidentiality, integrity and availability
1.2 Evaluate and apply security governance principles

• Alignment of security function to business strategy, goals, mission, andobjectives
• Organizational processes (e.g., acquisitions, divestitures, governance committees)
• Organizational roles and responsibilities
• Security control frameworks
• Due care/due diligence

1.3 Determine compliance requirements

• Contractual, legal, industry standards, and regulatory requirements
• Privacy requirements

1.4 Understand legal and regulatory issues that pertain to information security in a global context

• Cybercrimes and data breaches
• Licensing and intellectual property requirements
• Import/export controls
• Trans-border data flow
• Privacy

1.5 Understand, adhere to, and promote professional ethics

• (ISC)² Code of Professional Ethics
• Organizational code of ethics

1.6 Develop, document, and implement security policy, standards, procedures, and guidelines
1.7 Identify, analyze, and prioritize Business Continuity (BC) requirements

• Develop and document scope and plan
• Business Impact Analysis (BIA)

1.8 Contribute to and enforce personnel security policies and procedures

• Candidate screening and hiring
• Employment agreements and policies
• Onboarding and termination processes
• Vendor, consultant, and contractor agreements and controls
• Compliance policy requirements
• Privacy policy requirements

1.9 Understand and apply risk management concepts

• Identify threats and vulnerabilities
• Risk assessment/analysis
• Risk response
• Countermeasure selection and implementation
• Applicable types of controls (e.g., preventive, detective, corrective)
• Security Control Assessment (SCA)
• Monitoring and measurement
• Asset valuation
• Reporting
• Continuous improvement
• Risk frameworks

1.10 Understand and apply threat modeling concepts and methodologies

• Threat modeling methodologies
• Threat modeling concepts

1.11 Apply risk-based management concepts to the supply chain

• Risks associated with hardware, software, and services
• Third-party assessment and monitoring
• Minimum security requirements
• Service-level requirements

1.12 Establish and maintain a security awareness, education, and training program

• Methods and techniques to present awareness and training
• Periodic content reviews
• Program effectiveness evaluation

2.1 Identify and classify information and assets

• Data classification
• Asset Classification

2.2 Determine and maintain information and asset ownership
2.3 Protect privacy

• Data owners
• Data processers
• Data remanence
• Collection limitation

2.4 Ensure appropriate asset retention
2.5 Determine data security controls

• Understand data states
• Scoping and tailoring
• Standards selection
• Data protection methods

2.6 Establish information and asset handling requirements

Domain 3: Security Architecture and Engineering

3.1 Implement and manage engineering processes using secure design principles
3.2 Understand the fundamental concepts of security models
3.3 Select controls based upon systems security requirements
3.4 Understand security capabilities of information systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

• Client-based systems
• Server-based systems
• Database systems
• Cryptographic systems
• Industrial Control Systems (ICS)
• Cloud-based systems
• Distributed systems
• Internet of Things (IoT)

3.6 Assess and mitigate vulnerabilities in web-based systems
3.7 Assess and mitigate vulnerabilities in mobile systems
3.8 Assess and mitigate vulnerabilities in embedded devices
3.9 Apply cryptography

• Cryptographic life cycle (e.g., key management, algorithm selection)
• Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves)
• Public Key Infrastructure (PKI)
• Key management practices
• Digital signatures
• Non-repudiation
• Integrity (e.g., hashing)
• Understand methods of cryptanalytic attacks
• Digital Rights Management (DRM)

3.10 Apply security principles to site and facility design
3.11 Implement site and facility security controls

• Wiring closets/intermediate distribution facilities
• Server rooms/data centers
• Media storage facilities
• Evidence storage
• Restricted and work area security
• Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
• Environmental issues

• Fire prevention, detection, and suppression

3.1 Implement and manage engineering processes using secure design principles
3.2 Understand the fundamental concepts of security models
3.3 Select controls based upon systems security requirements
3.4 Understand security capabilities of information systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

• Client-based systems
• Server-based systems
• Database systems
• Cryptographic systems
• Industrial Control Systems (ICS)
• Cloud-based systems
• Distributed systems
• Internet of Things (IoT)

3.6 Assess and mitigate vulnerabilities in web-based systems
3.7 Assess and mitigate vulnerabilities in mobile systems
3.8 Assess and mitigate vulnerabilities in embedded devices
3.9 Apply cryptography

• Cryptographic life cycle (e.g., key management, algorithm selection)
• Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves)
• Public Key Infrastructure (PKI)
• Key management practices
• Digital signatures
• Non-repudiation
• Integrity (e.g., hashing)
• Understand methods of cryptanalytic attacks
• Digital Rights Management (DRM)

3.10 Apply security principles to site and facility design
3.11 Implement site and facility security controls

• Wiring closets/intermediate distribution facilities
• Server rooms/data centers
• Media storage facilities
• Evidence storage
• Restricted and work area security
• Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
• Environmental issues
• Fire prevention, detection, and suppression

4.1 Implement secure design principles in network architectures

• Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
• Internet Protocol (IP) networking
• Implications of multilayer protocols
• Converged protocols
• Software-defined networks
• Wireless networks

4.2 Secure network components

• Operation of hardware
• Transmission media
• Network Access Control (NAC) devices
• Endpoint security
• Content-distribution networks

4.3 Implement secure communication channels according to design

• Voice
• Multimedia collaboration
• Remote access
• Data communications
• Virtualized networks

5.1 Control physical and logical access to assets

• Information
• Systems
• Devices
• Facilities

5.2 Manage identification and authentication of people, devices, and services

• Identity management implementation
• Single/multi-factor authentication
• Accountability
• Session management
• Registration and proofing of identity
• Federated Identity Management (FIM)
• Credential management systems

5.3 Integrate identity as a third-party service

• On-premise
• Cloud
• Federated

5.4 Implement and manage authorization mechanisms

• Role Based Access Control (RBAC)
• Rule-based access control
• Mandatory Access Control (MAC)
• Discretionary Access Control (DAC)
• Attribute Based Access Control (ABAC)

5.5 Manage the identity and access provisioning lifecycle

• User access review
• System account access review
• Provisioning and DE provisioning

6.1 Design and validate assessment, test, and audit strategies

• Internal
• External
• Third-party

6.2 Conduct security control testing

• Vulnerability assessment
• Penetration testing
• Log reviews
• Synthetic transactions
• Code review and testing
• Misuse case testing
• Test coverage analysis
• Interface testing

6.3 Collect security process data (e.g., technical and administrative)

• Account management
• Management review and approval
• Key performance and risk indicators
• Backup verification data
• Training and awareness
• Disaster Recovery (DR) and Business Continuity (BC)

6.4 Analyze test output and generate report
6.5 Conduct or facilitate security audits

• Internal
• External
• Third-party

7.1 Understand and support investigations

• Evidence collection and handling
• Reporting and documentation
• Investigative techniques
• Digital forensics tools, tactics, and procedures

7.2 Understand requirements for investigation types

• Administrative
• Criminal
• Civil
• Regulatory
• Industry standards

7.3 Conduct logging and monitoring activities

• Intrusion detection and prevention
• Security Information and Event Management (SIEM)
• Continuous monitoring
• Egress monitoring

7.4 Securely provisioning resources

• Asset inventory
• Asset management
• Configuration management

7.5 Understand and apply foundational security operations concepts

• Need-to-know/least privileges
• Separation of duties and responsibilities
• Privileged account management

7.6 Apply resource protection techniques

• Media management
• Hardware and software asset management

7.7 Conduct incident management

• Detection
• Response
• Mitigation
• Reporting
• Recovery
• Remediation
• Lessons learned

7.8 Operate and maintain detective and preventative measures

• Firewalls
• Sandboxing
• Intrusion detection and prevention systems
• Whitelisting/blacklisting
• Third-party provided security services

7.9 Implement and support patch and vulnerability management
7.10 Understand and participate in change management processes
7.11 Implement recovery strategies

• Backup storage strategies
• Recovery site strategies
• Multiple processing sites
• System resilience, high availability, Quality of Service (QoS), and fault tolerance

7.12 Implement Disaster Recovery (DR) processes

• Response
• Personnel
• Communications
• Assessment
• Restoration
• Training and awareness

7.13 Test Disaster Recovery Plans (DRP)

• Read-through/tabletop
• Walkthrough
• Simulation
• Parallel
• Full interruption

7.14 Participate in Business Continuity (BC) planning and exercises
7.15 Implement and manage physical security

• Perimeter security controls
• Internal security controls

7.16 Address personnel safety and security concerns

• Travel
• Security training and awareness
• Emergency management
• Duress

8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)

• Development methodologies
• Maturity models
• Change management
• Integrated product team
• Operation and maintenance

8.2 Identify and apply security controls in development environments

• Security of the software environments
• Configuration management as an aspect of secure coding
• Security of code repositories

8.3 Assess the effectiveness of software security

• Auditing and logging of changes
• Risk analysis and mitigation

8.4 Assess security impact of acquired software
8.5 Define and apply secure coding guidelines and standards

• Security weaknesses and vulnerabilities at the source-code level
• Security of application programming interfaces
• Secure coding practices

1.1 Understand Cloud Computing Concepts

• Cloud Computing Definitions
• Cloud Computing Roles (e.g., cloud service customer, cloud service provider, cloud service partner, cloud service broker)
• Key Cloud Computing Characteristics (e.g., on-demand self-service, broad network access, multi-tenancy, rapid elasticity and scalability, resource pooling, measured service)
• Building Block Technologies (e.g., virtualization, storage, networking, databases, orchestration)

1.2 Describe Cloud Reference Architecture

• Cloud Computing Activities
• Cloud Service Capabilities (e.g., application capability types, platform capability types, infrastructure capability types)
• Cloud Service Categories (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
• Cloud Deployment Models (e.g., public, private, hybrid, community)
• Cloud Shared Considerations (e.g., interoperability, portability, reversibility, availability, security, privacy, resiliency, performance, governance, maintenance and versioning, service levels and Service Level Agreements (SL A), auditability, regulatory)
• Impact of Related Technologies (e.g., machine learning, artificial intelligence,

1.3 Understand Security Concepts Relevant to Cloud Computing

• Cryptography and Key Management
• Access Control
• Data and Media Sanitization (e.g., overwriting, cryptographic erase)
• Network Security (e.g., network security groups)
• Virtualization Security (e.g., hypervisor security, container security)
• Common Threats

1.4 Understand Design Principles of Secure Cloud Computing

• Cloud Secure Data Lifecycle
• Cloud based Disaster Recovery (DR) and Business Continuity (B C) planning
• Cost Benefit Analysis
• Functional Security Requirements (e.g., portability, interoperability, vendor lock-in)
• Security Considerations for Different Cloud Categories (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))

1.5 Evaluate Cloud Service Providers

• Verification Against Criteria(e.g., International Organization for Standardization/ International Electro technical Commission (ISO/IEC) 27017, Payment Card Industry Data Security Standard (PCI DSS))
• System/subsystem Product Certifications (e.g., Common Criteria (CC), Federal Information Processing Standard (FIPS) 140-2)

2.1 Describe Cloud Data Concepts

• Cloud Data Life Cycle Phases
• Data Dispersion

2.2 Design and Implement Cloud Data Storage Architectures

• Storage Types (e.g. long term, ephemeral, raw-disk)
• Threats to Storage Types

2.3 Design and Apply Data Security Technologies and Strategies

Encryption and Key Management

• Hashing
• Masking
• Tokenization
• Data Loss Prevention (DLP)
• Data Obfuscation
• Data De-identification (e.g., anonymization)

2.4 Implement Data Discovery

• Structured Data
• Unstructured Data

2.5 Implement Data Classification

• Mapping
• Labeling
• Sensitive data (e.g., Protected Health Information (PHI), Personally Identifiable Information (PII), card holder data)

2.6 Design and Implement Information Rights Management (IRM)

• Objectives (e.g., data rights, provisioning, access models)
• Appropriate Tools (e.g., issuing and revocation of certificates)

2.7 Plan and Implement Data Retention, Deletion and Archiving Policies

• Data Retention Policies
• Data Deletion Procedures and Mechanisms
• Data Archiving Procedures and Mechanisms
• Legal Hold

2.8 Design and Implement Auditability, Traceability and Accountability of Data Events

• Definition of Event Sources and Requirement of Identity Attribution
• Logging, Storage and Analysis of Data Events
• Chain of Custody and Non-repudiation

3.1 Comprehend Cloud Infrastructure Components

• Physical Environment
• Network and Communications
• Compute Virtualization
• Storage
• Management Plane

3.2 Design a Secure Data Center

• Logical Design (e.g., tenant partitioning, access control)
• Physical Design (e.g. location, buy or build)
• Environmental Design (e.g., Heating, Ventilation and Air Conditioning (HVAC), multi-vendor pathway connectivity

3.3 Analyze Risks Associated with Cloud Infrastructure

• Risk Assessment and Analysis
• Cloud Vulnerabilities, Threats and Attacks Virtualization Risks
• Counter-measure Strategies

3.4 Design and Plan Security Controls

• Physical and Environmental Protection (e.g., on premise)
• System and Communication Protection
• Virtualization Systems Protection
• Identification, Authentication and Authorization in Cloud Infrastructure
• Audit Mechanisms (e.g., log collection, packet capture)

3.5 Plan Disaster Recovery (DR) and Business Continuity (BC) Risks Related to the Cloud Environment

• Business Requirements (e.g., Recovery Time Objective (RTO), Recovery Point Objective (RPO), Recovery Service Level (RSL)) Business Continuity/Disaster Recovery Strategy
• Creation, Implementation and Testing of Plan

4.1 Advocate Training and Awareness for Application Security

• Cloud Development Basics
• Common Pitfalls
• Common Cloud Vulnerabilities

4.2 Describe the Secure Software Development Life Cycle (SDLC) Process

• Business Requirements
• Phases and Methodologies

4.3 Apply the Secure Software Development Life Cycle (SDLC)

Avoid Common Vulnerabilities during Development

• Cloud-specific Risks
• Quality Assurance Threat Modeling
• Software Configuration Management and Versioning

4.4 Apply Cloud Software Assurance and Validation

• Functional Testing
• Security Testing Methodologies

4.5 Use Verified Secure Software

• Approved Application Programming Interfaces (API)
• Supply-chain Management
• Third Party Software Management
• Validated Open Source Software

4.6 Comprehend the Specifics of Cloud Application Architecture

• Supplemental Security components (e.g., Web Application Firewall (WAF), Database Activity Monitoring (DAM), Extensible Markup Language (XML) firewalls, Application Programming Interface (API) gateway)
• Cryptography
• Sandboxing
• Application Virtualization and Orchestration

4.7 Design Appropriate Identity and Access Management (IAM) Solutions

• Federated Identity
• Identity Providers
• Single Sign-On (SSO)
• Multi-factor Authentication

• Cloud Access Security Broker (CASB)

5.1 Implement and Build Physical and Logical Infrastructure for Cloud Environment

• Hardware Specific Security Configuration Requirements (e.g., Basic Input Output System (BIOS), settings for virtualization and Trusted Platform Module (TPM), storage controllers, network controllers)
• Installation and Configuration of Virtualization Management Tools
• Virtual Hardware Specific Security Configuration Requirements (e.g., network, storage, memory, Central Processing Unit (CPU))
• Installation of Guest Operating System (OS) Virtualization Toolsets

5.2 Operate Physical and Logical Infrastructure for Cloud Environment

• Configure Access Control for Local and Remote Access (e.g., Secure Keyboard Video Mouse (KVM), console-based access mechanisms, Remote Desk top Protocol (RDP))
• Secure Network Configuration (e.g., Virtual Local Area Networks (VLAN), Transport Layer Security (TLS), Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Virtual Private Network (VPN))
• Operating System (OS) Hardening through the Application of Baselines (e.g., Windows, Linux, VMware)
• Availability of Stand-Alone Hosts
• Availability of Clustered Hosts (e.g., Distributed Resource Scheduling (DRS), Dynamic Optimization (DO), storage clusters, maintenance mode, High Availability)
• Availability of Guest Operating System (OS)

5.3 Manage Physical and Logical Infrastructure for Cloud Environment

• Access Controls for Remote Access (e.g., Remote Desktop Proto col (RDP), Secure Terminal Access, Secure Shell (SSH))
• Operating System (OS) Baseline Compliance Monitoring and Remediation
• Patch Management
• Performance and Capacity Monitoring (e.g., network, compute, storage, response time)
• Hardware Monitoring (e.g., Disk, Central Processing Unit (CPU), fan speed, temperature)
• Configuration of Host and Guest Operating System (OS) Backup and Restore Functions
• Network Security Controls (e.g., firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), honeypots, vulnerability assessments, and network security groups)
• Management Plane (e.g., scheduling, orchestration, maintenance)

5.4 Implement Operational Controls and Standards (e.g., Information Technology

Infrastructure Library (ITIL), International Organization for Standardization/ International Electro technical Commission (ISO/IEC) 20000-1)

Change Management

• Continuity Management
• Information Security Management
• Continual Service Improvement Management
• Incident Management
• Problem Management

Release Management

• Deployment Management
• Configuration Management
• Service level Management
• Availability Management
• Capacity Managemen

5.5 Support Digital Forensics

• Forensic Data Collection Methodologies
• Evidence Management
• Collect, Acquire and Preserve Digital Evidence

5.6 Manage Communication with Relevant Parties

Vendors

• Customers
• Partners

Regulators

• Other Stakeholders

5.7 Manage Security Operations

• Security Operations Center (SOC)
• Monitoring of Security Controls (e.g., firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), honeypots, vulnerability assessments, network security groups)
• Log Capture and Analysis (e.g., Security Information and Event Management (SIEM), log management)
• Incident Management

6.1 Articulate Legal Requirements and Unique Risks within the Cloud Environment Conflicting International Legislation

• Evaluation of Legal Risks Specific to Cloud Computing
• Legal Framework and Guidelines eDiscovery (e.g., International Organization for Standardization/ International Electro technical Commission (ISO/IEC) 27050, Cloud Security Alliance (CSA) Guidance)
• Forensics Requirements

6.2 Understand Privacy Issues

• Difference between Contractual and Regulated Private Data (e. g., Protected Health Information (PHI), Personally Identifiable Information (PII))
• Country-Specific Legislation Related to Private Data (e.g., Protected Health Information (PHI), Personally Identifiable Information (PII))
• Jurisdictional Differences in Data Privacy
• Standard Privacy Requirements (e.g., International Organization for Standardization /International Electrotechnical Commission (ISO/IEC) 27018, Generally Accepted Privacy Principles (GAPP), General Data Protection Regulation (GDPR))

6.3 Understand Audit Process, Methodologies, and Required Adaptations for a Cloud Environment

• Internal and External Audit Controls
• Impact of Audit Requirements
• Identify Assurance Challenges of Virtualization and Cloud
• Types of Audit Reports (e.g., Statement on Standards for Attestation Engagements (SSAE), Service Organization Control (SOC), International Standard on Assurance Engagements (ISAE))
• Restrictions of Audit Scope Statements (e.g., Statement on Standards for Attestation Engagements (SSAE), International Standard on Assurance Engagements (ISAE))

Gap Analysis

• Audit Planning
• Internal Information Security Management System (ISMS)
• Internal Information Security Controls System
• Policies (e.g., organizational, functional, cloud computing)
• Identification and Involvement of Relevant Stakeholders
• Specialized Compliance Requirements for Highly-Regulated Industries (e.g., North American Electric Reliability Corporation/ Critical Infra structure Protection (NERC/CIP), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI))
• Impact of Distributed Information Technology (IT) Model (e.g. , diverse geographical locations and crossing over legal jurisdictions)

6.4 Understand Implications of Cloud to Enterprise Risk Management Assess Providers Risk Management Programs (e.g., controls, methodologies, policies)

• Difference between Data Owner/Controller vs. Data Custodian/Processor (e.g., risk profile, risk appetite, responsibility)
• Regulatory Transparency Requirements (e.g., breach notification, Sarbanes-Oxley (SOX), General Data Protection Regulation Risk Treatment (i.e., avoid, modify, share, retain)
• Different Risk Frameworks
• Metrics for Risk Management
• Assessment of Risk Environment (e.g., service, vendor, infrastructure)

6.5 Understand Outsourcing and Cloud Contract Design

Business Requirements (e.g., Service Level Agreement (SLA), M aster Service Agreement (MSA), Statement of Work (SOW))

• Vendor Management
• Contract Management (e.g., right to audit, metrics, definitions, termination, litigation, assurance, compliance, access to cloud/data, cyber risk insurance)
• Supply-Chain Management (e.g., International Organization for Standardization/ International Electrotechnical Commission (ISO/IEC) 27036)