Every three years or so the folks at CompTIA update the exam objectives for each of their certification programs. The exam objectives list out the topics covered on each of the certification exams. In November 2023 CompTIA introduced the updated Security+ SY0-701 exam. I am a Security+ Instructor and was offered the opportunity to view the new objectives and lead instructor training sessions on the new exam for the CompTIA Instructor’s Network. These are my views of the changes between the old SY0-601 and the SY0-701 exams.
What’s the Timeline?
A couple of important points before I look at the objectives. Certification exams based on the previous exam objectives (SY0-601) will be offered until the end of July 2024. That’s months between the new release and the end of the SY0-601 testing. That gives testing candidates a good amount of time to achieve Security+ certification. This July 2024 date allows schools where Security+ training is offered to continue using materials developed for the SY0-601 exam objectives.
As of November 2023 a Security+ exam based on the SY0-701 objectives is also available. One way of reducing the cost of taking the exam is by purchasing a voucher. Test takers should note that some vouchers are exam version specific. If you received or purchased a voucher to pay for an exam, make sure that the voucher is for the correct version of the exam.
Big Changes?
While the new SY0-701 exam objectives were announced in November 2023, it takes time for course materials and study resources (books) to become available. Don’t throw away your SY0-601 materials. While it may look like big changes were made, only about 20% of the exam objectives have changed. All of the domain titles changed but the topics and content didn’t. The majority of the material is the same. I had an opportunity to confirm this with the CompTIA Security+ Program Manager.
Who needs Security+ certification?
CompTIA updates their certification exam objectives to keep pace with changes in job responsibilities. The Security+ certification is a foundational cybersecurity program targeted at people who are information workers. Job titles, roles and requirements change over time and the exam objectives are updated to reflect those changes. The update is to make sure that people working with information have current knowledge of information security processes and best practices. People who have achieved Security+ certification have demonstrated that they understand and can play an active role in securing information and defending an organization’s data. CompTIA recently published an article detailing the high-level changes.
What Changed?
Looking at the titles of the five domains in the SY0-601 and the SY0-701 exam objectives, it looks like there are major changes. The changes in the domain titles reflect a change in the targeting of the Security+ exam. In the past Security+ was entry-level cybersecurity training targeted at people who were going to go on to work in network security and security analyst roles in an Information Technology (IT) department. That targeting has changed because today anyone working in or with IT needs to have some understanding of what modern cyber threats are and what organizations do to respond to those threats. In short, many more people need to have the knowledge covered in the Security+ certification.
General Security Concepts
In the new SY0-701 exam objectives the first domain, General Security Concepts, represents basic concepts that anyone working in information security needs to know. These are high-level concepts such as the importance of Confidentiality, Integrity and Availability. This domain includes an overview of different types of security controls and basic cryptographic techniques. The topics covered are important not only for Security+ but also for follow-on CompTIA cybersecurity certifications such as CompTIA CySA+ and CASP+. These same concepts are covered by other cybersecurity certification programs such as ISC2 CISSP and ISACA CISM.
Threats, Vulnerabilities and Mitigations
This second SY0-701 domain title is important in that it changes the focus from attacks to vulnerabilities. Remember that vulnerabilities are weaknesses in a system. Cybersecurity professionals care about weaknesses and need to know how those weaknesses might be exploited. Once an exploit exists, a means of taking advantage of a vulnerability is available and the threat posed by that vulnerability increases. Mitigations are actions that can be undertaken to avoid possible exploitation and mitigate or reduce threats.
Implementation
The objectives that covered network architecture, design and implementation in the old 601 exam focused on the features of security solutions deployed in networks: firewalls, access control solutions, and intrusion detection and prevention systems. That’s replaced in SY0-701 with security architecture. It’s a great change in that in the new objectives the focus is on how security solutions are used to mitigate threats rather than where they are deployed and how they are configured. Architecture helps us understand how deployed tools and solutions are used to implement and improve security. This new topic provides guidance about what to look for in a secure network’s design.
Security Operations
Domain 4 in the 601 objectives was operations and incident response. In the new 701 objectives that domain is security operations. The change here is important. People who hold the Security+ certification need to know how they can contribute to information security programs. The details of how information security programs are organized and operate are more important to those taking the CySA+ (Cybersecurity Analyst) exam.
Security Program Management & Oversight
In the 601 objectives, domain 5 covered governance, risk, and compliance. Those are topics that are often defined by senior leaders. In 701 this domain is titled security program management and oversight. Like domain 4, this domain is focused on how everyone who works with information plays a role in security.
How Domains are Weighted?
While there are 5 domains in the exam objectives, the amount each domain contributes to the exam score isn’t equal. At first glance the changes seem dramatic, especially since the General Security Concepts domain is just 12% and the Security Operations domain is 28% of the exam. While these domains seem nowhere near equal in weighting, the difference isn’t so extreme considering the number of topics in each domain.
Topics tell those preparing for the exam what type of questions to expect on the exam and what the exam questions may look like. General Security Concepts has just 4 topics, or types of questions that may be asked on the exam. Security Operations has more than double that with 9 topics. Looking at the total shows that there are 28 topics on the new exam.
What did change on the Security+ exam?
These are the topics that I feel changed or were added to the new version of the Security+ exam.
- More emphasis on Change Control.
- Coverage of modern, in-use cryptography.
- Less emphasis on network devices but increased emphasis on Secure Networks.
- Understanding the differences between Single Sign On and Zero Trust.
- Less emphasis on Wireless.
I’ll be publishing more information about these new and modified topics in the near future.
What didn’t change.
Just looking at the exam objectives this new exam seems like a massive change. What hasn’t changed about the exam?
- Number of questions on the exam: 90
- Types of questions: Multiple Choice & Performance Based Questions
- Time allotted to complete the exam: 90 minutes
- Pass score: 750
- Cost of the exam: $392 USD
Introducing the CompTIA Security+ SY0-701 Exam
CompTIA Security+ is the foundational cybersecurity certification that CompTIA offers. CompTIA has created certification ‘stacks’. Once an individual has achieved Security+ and CompTIA CySA+ (cybersecurity analyst) certifications, that person has achieved CompTIA Security Analytics Professional (CSAP) certification.
CompTIA continues to ensure that their certification programs are relevant in the workplace. Many employers require or list as desirable Security+ certification. The SY0-701 version of the Security+ certification continues to be recognized as a qualification for US DoD 8570-1 Baseline Certification for IAT Level II & IAM Level I.