Domain 1: Security Principles and Practices (22%)
1: Plan, develop, implement, and manage the organization’s security program to protect the organization’s assets. Knowledge of:

• Principles of planning, organization, and control
• Security theory, techniques, and processes (e.g., artificial intelligence, IoT)
• Security industry standards (e.g., ASIS/ISO)
• Continuous assessment and improvement processes
• Cross-functional organizational collaboration
• Enterprise Security Risk Management (ESRM)

2: Develop, manage, or conduct the security risk assessment process. Knowledge of:

• Quantitative and qualitative risk assessments
• Vulnerability, threat, and impact assessments
• Potential security threats (e.g., “all hazards,” criminal activity, terrorism, consequential)

3: Evaluate methods to improve the security program on a continuous basis through the use of auditing, review, and assessment. Knowledge of:

• Cost-benefit analysis methods
• Risk management strategies (e.g., avoid, assume/accept, transfer, spread)
• Risk mitigation techniques (e.g., technology, personnel, process, facility design)
• Data collection and trend analysis techniques

4: Develop and manage professional relationships with external organizations to achieve security objectives. Knowledge of:

• Roles and responsibilities of external organization and agencies
• Methods for creating effective working relationships
• Techniques and protocols of liaison
• Local and national public/private partnerships

5: Develop, implement, and manage workforce security awareness programs to achieve organizational goals and objectives. Knowledge of:

• Training methodologies
• Communication strategies, techniques, and methods
• Awareness program objectives and program metrics
• Elements of a security awareness program (e.g., roles and responsibilities, physical risk, communication risk, privacy)

Domain 2: Business Principles and Practices (15%)
1: Develop and manage budgets and financial controls to achieve fiscal responsibility. Knowledge of:

• Principles of management accounting, control, audits, and fiduciary responsibility
• Business finance principles and financial reporting
• Return on Investment (ROI) analysis
• The lifecycle for budget planning purposes

2: Develop, implement, and manage policies, procedures, plans, and directives to achieve organizational objectives. Knowledge of:

• Principles and techniques of policy/procedures development
• Communication strategies, methods, and techniques
• Training strategies, methods, and techniques
• Cross-functional collaboration
• Relevant laws and regulations

3: Develop procedures/techniques to measure and improve organizational productivity. Knowledge of:

• Techniques for quantifying productivity/metrics/key performance indicators (KPI)
• Data analysis techniques and cost-benefit analysis
• Improvement techniques (e.g., pilot/beta testing programs, education, training)

4: Develop, implement, and manage security staffing processes and personnel development programs in order to achieve organizational objectives. Knowledge of:

• Interview techniques for staffing
• Candidate selection and evaluation techniques
• Job analysis processes
• Pre-employment background screening
• Principles of performance evaluations, 360 reviews, and coaching/mentoring
• Interpersonal and feedback techniques
• Training strategies, methodologies, and resources
• Retention strategies and methodologies
• Talent management and succession planning

5: Monitor and ensure an acceptable ethical climate in accordance with regulatory requirements and organizational culture. Knowledge of:

• Governance standards
• Guidelines for individual and corporate behavior
• Generally accepted ethical principles
• Confidential information protection techniques and methods
• Legal and regulatory compliance

6: Develop performance requirements and contractual terms for security vendors/suppliers. Knowledge of:

• Key concepts in the preparation of requests for proposals and bid reviews/evaluations
• Service Level Agreement (SLA) terms, metrics, and reporting
• Contract law, indemnification, and liability insurance principles
• Monitoring processes to ensure that organizational needs and contractual requirements are being met

Domain 3: Investigations (9%)

1: Identify, develop, implement, and manage investigative operations. Knowledge of:

• Principles and techniques of policy and procedure development
• Organizational objectives and cross-functional collaboration
• Types of investigations (e.g., incident, misconduct, compliance, due diligence)
• Internal and external resources to support investigative functions
• Report preparation for internal/external purposes and legal proceedings
• Laws pertaining to developing and managing investigative programs

2:Manage or conduct the collection, preservation, and disposition of evidence to support investigative actions. Knowledge of:

• Protection/preservation of crime scene
• Evidence collection techniques
• Requirements of chain of custody
• Methods for preservation/disposition of evidence
• Laws pertaining to the collection, preservation, and disposition of evidence

3:Manage or conduct surveillance processes. Knowledge of:

• Surveillance and counter-surveillance techniques
• Technology/equipment and personnel to conduct surveillance (e.g., Unmanned Aircraft Systems (UAS), robotics)
• Laws pertaining to managing surveillance processes

4:Manage and conduct investigations requiring specialized tools, techniques, and resources. Knowledge of:

• Financial and fraud related crimes
• Intellectual property and espionage crimes
• Crimes against property (e.g., arson, vandalism, theft, sabotage)
• Cybercrimes (e.g., distributed denial of service (DDoS), phishing, ransomware)
• Crimes against persons (e.g., workplace violence, human trafficking, harassment)

5:Manage or conduct investigative interviews. Knowledge of:

• Interview and interrogation techniques
• Techniques for detecting deception
• Non-verbal communication and cultural considerations
• Rights of interviewees
• Required components of written statements
• Legal considerations pertaining to managing investigative interviews

6:Provide support to legal counsel in actual or potential criminal or civil proceedings. Knowledge of:

• Statutes, regulations, and case law governing or affecting the security industry and the protection of people, property, and information
• Criminal law and procedures
• Civil law and procedures
• Employment law (e.g., confidential information, wrongful termination, discrimination, harassment)

Domain 4: Personnel Security (11%)

1:Develop, implement, and manage background investigation processes for hiring, promotion, and retention of individuals. Knowledge of:

• Background investigations and personnel screening techniques
• Quality and types of information sources (e.g., open source, social media, government databases, credit reports)
• Screening policies and guidelines
• Laws and regulations pertaining to personnel screening

2:Develop, implement, manage, and evaluate policies and procedures to protect individuals in the workplace against human threats (e.g., harassment, violence, active assailant). Knowledge of:

• Protection techniques and methods
• Threat assessment
• Prevention, intervention, and response tactics
• Educational and awareness program design and implementation
• Travel security (e.g., flight planning, global threats, consulate services, route selection, contingency planning)
• Industry/labor regulations and applicable laws
• Organizational efforts to reduce employee substance abuse

3:Develop, implement, and manage executive protection programs. Knowledge of:

• Executive protection techniques and methods
• Threat analysis
• Liaison and resource management techniques
• Selection, costs, and effectiveness of proprietary and contract executive protection personnel

Domain 5: Physical Security (16%)

1:Conduct facility surveys to determine the current status of physical security. Knowledge of:

• Security protection equipment and personnel (e.g., Unmanned Aircraft Systems (UAS), robotics)
• Survey techniques (e.g., document review, checklist, onsite visit, stakeholder interviews)
• Building plans, drawings, and schematics
• Risk assessment techniques
• Gap analysis

2:Select, implement, and manage physical security strategies to mitigate security risks. Knowledge of:

• Fundamentals of security system design
• Countermeasures (e.g., policies, technology, procedures)
• Budgetary projection development process (e.g., technology, hardware, labor)
• Bid package development and evaluation process
• Vendor qualification and selection process
• Testing procedures and final acceptance (e.g., commissioning, factory acceptance test)
• Project management techniques
• Cost-benefit analysis techniques
• Labor-technology relationship

3: Assess the effectiveness of physical security measures by testing and monitoring. Knowledge of:

• Protection personnel, hardware, technology, and processes
• Audit and testing techniques (e.g., operation testing)
• Predictive, preventive, and corrective maintenance

Domain 6: Information Security (14%)

1:Conduct surveys to evaluate the current status of information security programs. Knowledge of:

• Survey techniques
• Quantitative and qualitative risk assessments
• Risk mitigation strategies (e.g., technology, personnel, process, facility design)
• Cost-benefit analysis methods
• Protection technology, security threats equipment, and procedures (e.g., interoperability)
• Information security threats
• Integration of facility and system plans, drawings, and schematics

2:Develop policies and procedures to ensure information is evaluated and protected against vulnerabilities and threats. Knowledge of:

• Principles of information security management
• Information security theory and terminology
• Information security industry standards (e.g., ISO, PII, PCI)
• Laws and regulations regarding records management including collection, retention, legal holds, and disposition practices (e.g., General Data Protection Regulation (GDPR), biometric information)
• Practices to protect proprietary information and intellectual property
• Information protection measures including security processes, physical access systems, and data management

3:Implement and manage an integrated information security program. Knowledge of:

• Information security including confidentiality, integrity, and availability
• Information security systems methodology
• Authentication techniques (e.g., multi-factor, biometrics)
• Continuous evaluation and improvement programs
• Ethical hacking and penetration testing techniques and practices
• Encryption and data masking techniques (e.g., cryptography)
• Systems integration techniques (e.g., interoperability, licensing, networking)
• Cost-benefit analysis methodology
• Project management techniques
• Budget review process (e.g., system development lifecycle)
• Vendor evaluation and selection process
• Final acceptance and testing procedures
• Protection technology and forensic investigations
• Training and awareness programs to mitigate threats and vulnerabilities (e.g., phishing, social engineering, ransomware, insider threats)

Domain 7: Crisis Management (13%)

1:Assess and prioritize threats to mitigate potential consequences of incidents. Knowledge of:

• Threats by type, likelihood of occurrence, and consequences
• “All hazards” approach to assessing threats (e.g., natural disaster, chemical, biological, radiological, nuclear, explosives (CBRNE))
• Cost-benefit analysis
• Mitigation strategies
• Risk management and business impact analysis methodology
• Business continuity standards (e.g., ASIS ORM.1, ISO 22301)

1:Prepare and plan how the organization responds to incidents. Knowledge of:

• Resource management techniques (e.g., mutual aid agreements, MOUs)
• Emergency planning techniques
• Triage and damage assessment techniques
• Communication techniques and notification protocols (e.g., interoperability, common operating terms, emergency notification system)
• Training and exercise techniques (e.g., tabletop and full-scale exercises)
• Emergency operations center (EOC) concepts and design
• Primary roles and duties in an Incident Command Structure (ICS) (e.g., information dissemination, liaison, Public Information Officer (PIO))

1:Respond to and manage an incident. Knowledge of:

• Resource allocation
• Emergency Operations Centre (EOC) management principles and practices
• Incident management systems and protocols

1:Manage incident recovery and resumption of operations. Knowledge of:

• Resource management
• Short- and long-term recovery strategies