CPP Exam Domains and Knowledge Statements

DOMAIN I: SECURITY PRINCIPLES AND PRACTICES (21%)

Task 1: Plan, develop, implement, and manage the organization's security program to protect the organization's assets

1. Principles of planning, organization, and control
2. Security theory, techniques, and processes
3. Security industry standards
4. Continuous assessment and improvement processes
5. Cross-functional organizational collaboration

Task 2: Develop, manage, or conduct the security risk assessment process

1. Quantitative and qualitative risk assessments
2. Vulnerability, threat, and impact assessments
3. Potential security threats (e.g., all hazards, criminal activity)

Task 3: Evaluate methods to improve the security program on a continuous basis through the use of auditing, review, and assessment

1. Cost-benefit analysis methods
2. Risk management strategies (e.g., avoid, assume/accept, transfer, spread)
3. Risk mitigation techniques (e.g., technology, personnel, process, facility design)
4. Data collection and trend analysis techniques

Task 4: Develop and manage external relations programs with public sector law enforcement or other external organizations to achieve security objectives

1. Roles and responsibilities of external organization and agencies
2. Methods for creating effective working relationships
3. Techniques and protocols of liaison
4. Local and national Public/Private Partnerships

Task 5: Develop, implement, and manage employee security awareness programs to achieve organizational goals and objectives

1. Training methodologies
2. Communication strategies, techniques, and methods
3. Awareness program objectives and program metrics
4. ​Elements of a security awareness program (e.g., roles and responsibilities, physical risk, communication risk, privacy)​

DOMAIN II: BUSINESS PRINCIPLES AND PRACTICES (13%)

Task 1: Develop and manage budgets and financial controls to achieve fiscal responsibility

1. Principles of management accounting, control, and audits
2. Business finance principles and financial reporting
3. Return on Investment (ROI) analysis
4. The lifecycle for budget planning purposes

Task 2: Develop, implement, and manage policies, procedures, plans, and directives to achieve organizational objectives

1. Principles and techniques of policy/procedures development
2. Communication strategies, methods, and techniques
3. Training strategies, methods, and techniques
4. Cross-functional collaboration
5. Relevant laws and regulations

Task 3: Develop procedures/ techniques to measure and improve organizational productivity

1. Techniques for quantifying productivity/metrics/key performance indicators (KPI)
2. Data analysis techniques and cost-benefit analysis
3. Improvement techniques (e.g., pilot programs, education and training)

Task 4: Develop, implement, and manage security staffing processes and personnel development programs in order to achieve organizational objectives

1. Interview techniques for staffing
2. Candidate selection and evaluation techniques
3. Job analysis processes
4. Pre-employment background screening 
5. Principles of performance evaluations, 360 reviews, and coaching
6. Interpersonal and feedback techniques
7. Training strategies, methodologies, and resources
8. Retention strategies and methodologies 
9. Talent management and succession planning

Task 5: Monitor and ensure a sound ethical climate in accordance with regulatory requirements and the organization's directives and standards to support and promote proper business practices

1. Good governance standards
2. Guidelines for individual and corporate behavior
3. Generally accepted ethical principles
4. Confidential information protection techniques and methods
5. Legal and regulatory compliance

Task 6: Provide advice and assistance to management and others in developing performance requirements and contractual terms for security vendors/suppliers

1. Key concepts in the preparation of requests for proposals and bid reviews/evaluations
2. Service Level Agreements (SLA) definition, measurement and reporting 
3. Contract law, indemnification, and liability insurance principles 
4. Monitoring processes to ensure that organizational needs and contractual requirements are being met​

​DOMAIN III: INVESTIGATIONS (10%)

Task 1: Identify, develop, implement, and manage investigative functions

1. Principles and techniques of policy and procedure development
2. Organizational objectives and cross-functional collaboration
3. Types of investigations (e.g., incident, misconduct, compliance) 
4. Internal and external resources to support investigative functions
5. Report preparation for internal purposes and legal proceedings 
6. Laws pertaining to developing and managing investigative programs

Task 2: Manage or conduct the collection and preservation of evidence to support investigation actions

1. Evidence collection techniques
2. Protection/preservation of crime scene
3. Requirements of chain of custody
4. Methods for preservation of evidence 
5. Laws pertaining to the collection and preservation of evidence

Task 3: Manage or conduct surveillance processes

1. Surveillance techniques
2. Technology/equipment and personnel to conduct surveillance
3. Laws pertaining to managing surveillance processes

Task 4: Manage and conduct investigations requiring specialized tools, techniques, and resources

Techniques, tools and resources related to:

1. Financial and fraud related crime
2. Intellectual property and industrial espionage crime
3. Arson and property crime
4. Cybercrimes

Task 5: Manage or conduct investigative interviews

1. Methods and techniques of eliciting information
2. Techniques for detecting deception
3. The nature of non-verbal communication and cultural considerations
4. Rights of interviewees 
5. Required components of written statements
6. Laws pertaining to managing investigative interviews

Task 6: Provide coordination, assistance, and evidence such as documentation and testimony to support legal counsel in actual or potential criminal and/or civil proceedings

1. Statutes, regulations and case law governing or affecting the security industry and the protection of people, property and information
2. Criminal law and procedures 
3. Civil law and procedures 
4. Employment law (e.g., wrongful termination, discrimination and harassment)

DOMAIN IV: PERSONNEL SECURITY (12%)

Task 1: Develop, implement, and manage background investigations for hiring, promotion, or retention of individuals

1. Background investigations and personnel screening techniques
2. Quality and types of information sources
3. Screening policies and guidelines 
4. Laws and regulations pertaining to personnel screening

Task 2: Develop, implement, manage, and evaluate policies, procedures, programs and methods to protect individuals in the workplace against human threats (e.g., harassment, violence)

1. Protection techniques and methods
2. Threat assessment 
3. Prevention, intervention and response tactics
4. Educational and awareness program design and implementation
5. Travel security program
6. Laws, government, and labor regulations
7. Organizational efforts to reduce employee substance abuse ​

Task 3: Develop, implement, and manage executive protection programs

1. Executive protection techniques and methods
2. Risk analysis
3. Liaison and resource management techniques
4. Selection, costs, and effectiveness of proprietary and contract executive protection personnel

​DOMAIN V: PHYSICAL SECURITY (25%)

Task 1: Conduct facility surveys to determine the current status of physical security

1. Security protection equipment and personnel
2. Survey techniques 
3. Building plans, drawings, and schematics
4. Risk assessment techniques
5. Gap analysis

Task 2: Select, implement, and manage physical security strategies to mitigate security risks

1. Fundamentals of security system design
2. Countermeasures 
3. Budgetary projection development process
4. Bid package development and evaluation process
5. Vendor qualification and selection process
6. Final acceptance and testing procedures
7. Project management techniques
8. Cost-benefit analysis techniques
9. Labor-technology relationship

Task 3: Assess the effectiveness of physical security measures by testing and monitoring

1. Protection personnel, technology, and processes
2. Audit and testing techniques
3. Preventive and corrective maintenance for systems ​

DOMAIN VI: INFORMATION SECURITY (9%)

Task 1: Conduct surveys of information asset facilities, processes, systems, and services to evaluate current status of information security program

1. Elements of an information security program, including physical security, procedural security, information systems security, employee awareness, and information destruction and recovery capabilities
2. Survey techniques 
3. Quantitative and qualitative risk assessments 
4. Risk mitigation strategies (e.g., technology, personnel, process, facility design) 
5. Cost-benefit analysis methods 
6. Protection technology, equipment and procedures
7. Information security threats 
8. Building and system plans, drawings, and schematics

Task 2: Develop and implement policies and procedures to ensure information is evaluated and protected against all forms of unauthorized/ inadvertent access, use, disclosure, modification, destruction or denial

1. Principles of management
2. Information security theory and terminology
3. Information security industry standards (e.g., ISO, PII, PCI) 
4. Relevant laws and regulations regarding records management, retention, legal holds and destruction practices 
5. Practices to protect proprietary information and intellectual property 
6. Protection measures, equipment, and techniques; including information security processes, systems for physical access, data control, management, and information destruction​

Task 3: Develop and manage a program of integrated security controls and safeguards to ensure information asset protection including confidentiality, integrity, and availability

1. Elements of information asset protection including confidentiality, integrity, and availability, authentication, accountability, and audit ability of sensitive information and associated information technology resources, assets and investigations
2. Information security theory and systems methodology
3. Multi-factor authentication techniques 
4. Threats and vulnerabilities assessment and mitigation
5. Ethical hacking and penetration testing techniques and practices 
6. Encryption and data masking techniques 
7. Systems integration techniques
8. Cost-benefit analysis methodology
9. Project management techniques
10. Budget development process
11. Vendor evaluation and selection process
12. Final acceptance and testing procedures, information systems, assessment, and security program documentation
13. Protection technology, investigations, and procedures
14. Training and awareness methodologies and procedures​

​​DOMAIN VII: CRISIS MANAGEMENT (10%)

Task 1: Assess and prioritize threats to mitigate potential consequences of incidents

1. Threats by type, likelihood of occurrence, and consequences
2. "All hazards" approach to assessing threats 
3. Cost-benefit analysis
4. Mitigation strategies
5. Risk management and business impact analysis methodology
6. Business Continuity standards (e.g., ISO 22301)

Task 2: Prepare and plan how the organization will respond to incidents

1. Resource management techniques
2. Emergency planning technique
3. Triage and damage assessment techniques 
4. Communication techniques and notification protocols
5. Training and exercise techniques
6. Emergency operations center (EOC) concepts and design
7. Primary roles and duties in an incident command structure

Task 3: Respond to and manage an incident

1. Resource management techniques
2. EOC management principles and practices
3. Incident management systems and protocols

Task 4: Recover from incidents by managing the recovery and resumption of operations

1. Resource management techniques
2. Short and long-term recovery strategies
3. Recovery assistance resources
4. Mitigation opportunities in the recovery process​