Security Principles and Practices
22%of exam
Business Principles and Practices
15%of exam
Investigations
9%of exam
Personnel Security
11%of exam
Physical Security
16%of exam
Information Security
14%of exam
Crisis Management
13%of exam
Quick Facts
- Exam
- ASIS CPP
- Credential
- Certified Protection Professional
- Items
- 225 (200 scored + 25 pretest)
- Time
- 4 hours
- Pass
- 650 scaled score
- Domains
- 7 weighted domains
- Fee
- $580 member / $910 nonmember
- Provider
- Prometric (CBT or remote)
- Validity
- 3 years, 60 CPE credits
- Retake
- 60-day wait, 3 max
ALE Formula
Annualized Loss Expectancy equals SLE times ARO
Quantitative vs Qualitative Risk
Quantitative
- Uses dollar-based loss figures
- Needs reliable historical loss data
- Produces ALE, SLE, ARO numbers
- Best for budget comparison
Qualitative
- Uses severity and likelihood ratings
- Works with limited available data
- Faster risk prioritization tool
- Less precise for budgeting
Numeric precision versus rapid ranking
Risk Treatment Selection
- Reliable loss data available→Run quantitative analysis(ALE equals SLE times ARO)
- Data limited or urgent→Run qualitative analysis(Severity and likelihood ratings)
- Risk is avoidable entirely→Choose risk avoidance(Stop the risky activity)
- Risk low, cost high→Choose risk acceptance(Owner formally retains risk)
- Financial exposure is primary→Choose risk transfer(Insurance or contractual indemnification)
- Need to reduce impact→Choose risk mitigation(Technology, personnel, process, design)
Risk Formulas
- ALE formula
- SLE multiplied by ARO
- SLE
- Dollar loss per single event
- ARO
- Expected event occurrences per year
- Quantitative risk assessment
- Uses dollar-based loss figures
- Qualitative risk assessment
- Uses severity and likelihood ratings
Risk Treatment Options
Avoid, accept, transfer, or mitigate the risk
ASIS and ISO Standards
- ANSI/ASIS RA.1-2015
- Risk assessment PDCA-based model
- ANSI/ASIS PSC.1
- Private security company operations standard
- ANSI/ASIS SPC.1-2009
- Organizational resilience management standard
- ISO 31000
- International risk management guidelines
- PDCA cycle
- Plan Do Check Act
Finance and ROI
- ROI formula
- Net gain divided by cost
- Payback period
- Time to recoup investment cost
- CapEx
- Multi-year capital asset spending
- OpEx
- Recurring day-to-day operating expense
- Management accounting
- Internal decisions, not external reporting
Staffing and Vendors
- 360-degree feedback
- Supervisor, peer, and self input
- Coaching
- Day-to-day current performance focus
- Mentoring
- Long-term career development relationship
- SLA
- Vendor performance terms and metrics
- RFP
- Formal request for vendor bids
PEACE Interview Model
Planning, Engage, Account, Closure, Evaluation
Interview vs Interrogation
Interview
- Non-accusatory, fact-gathering conversation
- Used before guilt is known
- Follows the PEACE model
- Produces more legally durable information
Interrogation
- Accusatory, seeks admission or confession
- Used once evidence points clearly
- Requires Miranda if custodial
- Higher false-confession risk overall
Fact-finding versus confession-seeking approach
Interview Path Decision
- Subject's role still unclear→Conduct investigative interview(Non-accusatory, follows PEACE model)
- Evidence points to subject→Conduct interrogation instead(Accusatory, seeks admission or confession)
- Subject is in custody→Give Miranda warning first(Government custodial interrogation only)
- Unionized private-sector employee→Honor Weingarten rights request(Union representative may attend)
Investigation Process
- Investigative interview
- Non-accusatory, fact-gathering conversation
- Interrogation
- Accusatory process seeking an admission
- PEACE model
- Non-coercive, five-stage interview framework
- Miranda rights
- Custodial government interrogation only
- Weingarten rights
- Union representation request right
Evidence and Surveillance
- Chain of custody
- Unbroken documented evidence transfer record
- Spoliation
- Destroying evidence after litigation hold
- FAA Part 107
- Governs commercial drone surveillance use
- Crime scene protection
- Secure before documenting or collecting
Proprietary vs Contract EP Teams
Proprietary
- In-house, institutional knowledge retained
- Direct control over training
- Higher loyalty, higher fixed cost
- Slower to scale up
Contract
- Outsourced, flexible surge capacity
- Lower fixed staffing cost
- Less institutional knowledge retained
- Quality depends on vendor
In-house control versus outsourced flexibility
Background Screening
- FCRA
- Governs third-party background check reports
- Pre-adverse-action notice
- Report copy plus rights summary
- Ban-the-box laws
- Restrict when criminal history asked
- Screening sources
- Open source, databases, credit reports
Personnel Protection
- Threat assessment
- Evaluates workplace violence risk level
- Advance work
- Survey venue and route first
- EP threat analysis
- Protectee-specific, continuously updated assessment
- Proprietary EP team
- In-house, institutional knowledge retained
- Contract EP team
- Outsourced, flexible surge capacity
CPTED Four Principles
Surveillance, Access control, Territorial reinforcement, Maintenance
Fail-Safe vs Fail-Secure Locks
Fail-Safe
- Unlocks automatically on power loss
- Required on most egress doors
- Prioritizes life safety first
- Lower physical security posture
Fail-Secure
- Stays locked during power loss
- Prioritizes asset protection first
- Needs a separate egress plan
- Higher physical security posture
Life safety versus asset protection
Physical Control Selection
- Need visual incident verification→Deploy CCTV surveillance(Detects; does not delay)
- Vehicle-borne threat expected→Install crash-rated bollards(Match K/M rating to speed)
- Door is a life-safety egress→Specify a fail-safe lock(Unlocks automatically on power loss)
- Entry needs anti-tailgating control→Install mantrap with credential(Admits one verified person)
CPTED and Perimeter
- CPTED
- Four environmental design deterrence principles
- Natural surveillance
- Visibility discourages hidden criminal activity
- Natural access control
- Design guides legitimate entry points
- Territorial reinforcement
- Signals ownership and site boundaries
- Maintenance principle
- Broken-windows theory deters further disorder
- K12/M50 rating
- Stops 15,000-lb truck at 50mph
Access Control Metrics
- FAR
- Wrongly accepts unauthorized person's credential
- FRR
- Wrongly rejects an authorized person
- CER
- Point where FAR equals FRR
- Fail-safe lock
- Unlocks on power loss
- Fail-secure lock
- Stays locked during power loss
- Mantrap
- Admits one verified person only
ISO 27001 vs PCI DSS
ISO 27001
- Covers all organizational information assets
- Applies to any organization type
- Certified through independent audit
- Broad information security management scope
PCI DSS
- Covers cardholder data environment only
- Mandatory for card processors
- Requires MFA on CDE access
- Narrow, payment-specific compliance scope
General ISMS versus payment-card mandate
InfoSec Standards
- ISO/IEC 27001:2022
- Information security management system standard
- PCI DSS v4.0.1
- Cardholder data environment security standard
- PII protection principles
- Minimization, purpose limit, access, encryption
- GDPR breach notice
- 72 hours to notify authority
- GDPR max fine
- 20 million euros or 4%
InfoSec Controls
- CIA triad
- Confidentiality, integrity, and availability
- MFA
- Requires multiple authentication factor types
- Encryption
- Protects data at rest, transit
- Least privilege
- Minimum access necessary for role
- Penetration testing
- Simulated attack finds security gaps
ICS Command Staff
PIO, Safety, and Liaison Officers report to IC
RTO vs RPO
RTO
- Maximum acceptable downtime duration
- Measured as time to restore
- Drives recovery team staffing
- Compared directly against MTD/MAO
RPO
- Maximum acceptable data loss
- Measured as time since backup
- Drives backup frequency decisions
- Independent of restore time
Downtime tolerance versus data-loss tolerance
BCP Recovery Feasibility Check
- BIA not yet done→Run Business Impact Analysis(Sets RTO, RPO, MTD targets)
- RTO at or below MTD→Recovery plan is viable(Meets outer harm limit)
- RTO exceeds the MTD→Redesign the recovery plan(Risk of irreversible harm)
- Backup frequency still undefined→Set the RPO target(Drives backup interval decisions)
BCP and DR Metrics
- RTO
- Maximum acceptable downtime for process
- RPO
- Maximum acceptable data loss window
- MTD/MAO
- Absolute outer limit before harm
- Business Impact Analysis
- Sets RTO, RPO, MTD targets
- ASIS ORM.1 (2017)
- Organizational resilience and continuity standard
- ISO 22301:2019
- Business continuity management systems standard
- NFPA 1600 (2019)
- Emergency management and continuity standard
ICS Roles and Phases
- Incident Commander
- Overall authority over incident objectives
- Public Information Officer
- Releases information to media, public
- Safety Officer
- Can halt unsafe field operations
- Liaison Officer
- Point of contact for agencies
- ICS span of control
- Ratio 1-to-3 to 1-to-7
- Mitigation phase
- Reduces long-term risk before events
- Recovery phase
- Restores normal operations after incident
Common Traps
FAR vs FRR
FAR wrongly accepts intruder ≠ FRR wrongly rejects authorized user
Interview vs Interrogation
Interview gathers facts, non-accusatory ≠ Interrogation seeks admission, accusatory
RTO vs RPO
RTO limits downtime duration ≠ RPO limits data-loss window
Fail-Safe vs Fail-Secure
Fail-safe unlocks, protects life ≠ Fail-secure locks, protects assets
ALE vs SLE
SLE is one-event dollar loss ≠ ALE is SLE times ARO
ISO 27001 vs PCI DSS
27001 covers all info assets ≠ PCI DSS covers cardholder data only
Proprietary vs Contract Staffing
Proprietary keeps institutional knowledge in-house ≠ Contract offers staffing surge flexibility
Last Minute
- 1.225 items: 200 scored, 25 pretest
- 2.4-hour exam via Prometric CBT
- 3.Passing score is 650 scaled
- 4.Weights: 22-15-9-11-16-14-13 percent
- 5.Eligibility: 7-6-5 years by degree
- 6.APP credential cuts experience one year
- 7.Retake: 60-day wait, 3 max
- 8.Certification lasts 3 years, 60 CPE
- 9.Fee: $580 members, $910 nonmembers
- 10.ALE equals SLE times ARO
- 11.RTO must not exceed MTD
- 12.CPTED has four design principles
- 13.FAR and FRR cross at CER
- 14.PEACE model replaces confrontational interrogation
- 15.GDPR breach notice: 72 hours
- 16.PCI DSS v4.0.1 fully mandatory now
Explore More ASIS International Certifications
Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.
More From This Family
Videos and articles for deeper review.
