Security awareness

CompTIA Security+ Certification: History of the Exam

July 13, 2017 by Greg Belding


Since its beginning in 2002, the Security+ certification offered by CompTIA has been considered one of the leading vendor-neutral certifications for professionals working in Information Security. For the past 16 years, the Security+ certification has validated the baseline skills that are needed to perform core security functions essential for a career in Information Security. Security+ is considered to be the senior exam in their 3 part foundation certification series which consists of A+, Network+, and Security+.

CompTIA Security+ is a vendor-neutral Information Security certification that demonstrates competency in:

  • Network security
  • Compliance and operational security
  • Threats and vulnerabilities
  • Application, data, and host security
  • Access control and identity management
  • Cryptography

While there are no mandatory pre-requisites for candidates considering Security+, CompTIA does offer candidates some recommendations. First, candidates should have at least two years of IT administration experience with a specific focus on security. Second, the candidate should have day-to-day technical Information Security experience. This is in part because of the real IT scenarios that candidates face on the exam. Third, CompTIA recommend that candidates at least acquire their CompTIA A+ certification before Security+. CompTIA considers Security+ to be the senior certification in their 3-part foundation certification series which consists of A+, Network+, and Security+.

Gaining this certification makes a candidate more desirable to top private technology companies such as Lockheed Martin, Trendmicro, Hitachi Information Systems, as well as the public sector with the U.S. State Department, and U.S. government contractors such as Northrop Grumman, General Dynamics, and EDS.


Around the turn of the new millennium there was a need for an entry to intermediate level certification for professionals pursuing a career in Information Security. Specifically, there was not a good springboard to intermediate level security certifications for those individuals that were interested in seriously pursuing a career in Information Security. CompTIA launched the Security+ certification in 2002 to address this need.

The guiding vision of Security+ is to test what is generally assumed to be the knowledge and skill held by an Information Security professional with two years of full-time Information Security work experience.   Besides bringing a significant boost to the certification holder’s competitiveness in job searches for Information Security professions, those in other fields can gain great benefit from Security+.   Professionals working in healthcare (which is governed by HIPAA laws and regulations), education, and finance can apply Security+ to the heightened Information Security standards in those fields.

Much like Information Security itself, Security+ is continuously evolving and it must to keep up with the constantly changing security landscape. The first Security+ exam version was SY0-101 and was used until 2008 when the revised exam version SY0-201 premiered. This new version of the Security+ exam included a new focus on Systems Security, Network Infrastructure, Organizational Security, Methods for Access Control, Audits, and Cryptography. SY0-201 was available for exam takers until the end of 2011. In May of 2011, CompTIA released the second major revision of Security +, SY0-301.

Security+ exam version SY0-301 was launched with some significant changes to the exam material that it covered. These changes included some new concepts such as cloud computing, threat administration, and mitigation as well as other recent developments in the field of Information Security. Security+ exam version SY0-301 expired at the end of 2014.

Not to rest on it’s laurels as a premier entry to intermediate level Information Security certification, Security+ evolved still. As of January 5, 2013, to more accurately judge and measure a candidate’s skills and knowledge competency, the Security+ exam began to include a performance-based exam portion that require the candidate to perform tasks or solve problems within a simulated Information Technology environment followed by corresponding questions. These questions start with phrases such as “Given a scenario…”.

In May of 2014, CompTIA released Security+ exam version SY0-401. This new version of Security+ shifted focus yet again, this time with an emphasis on Access Control and Identity Management. This version of the Security+ certification exam will expire as of July 2018.

The latest of the Security+ certification exams is SY0-501 and was released in October of 2017. The exam content from SY0-401 to SY0-501 has changed by about 25%. These changes included an increased emphasis on cyber-attacks, risk management, and best practices. The reason for the increased cyber-attack coverage is due to the increase in Distributed Denial of Service attacks (DDoS), ransomware, phishing, and email attacks. In the last few years these attacks have become more varied, sophisticated, and successful making it more important than ever for Information Security professionals to effectively identify and neutralize these attacks.


The current version of Security+ also includes expanded coverage of newer technologies which include:

  • Cloud security/support
  • Expansion of Virtualization and related security
  • Mobile device security including specific issues with mobile device manufacturers such as Samsung and LG
  • Secure cart technology and payment systems security
  • Monitoring tools and the analysis of their respective metrics
  • Sideloaded applications and related management, verification and validation of the applications


CompTIA’s Security + Certification is a broad based springboard to intermediate level Information Security Certification. This certification’s exam was born in an Information Security landscape that lacked a concise validation of the skills and knowledge of an Information Security professional having worked with day-to-day technical Information Security experience for two years. Security+ has effectively evolved with the changing Information Security field and will continue to launch careers of Information Security professionals going forward into the future.


Posted: July 13, 2017
Articles Author
Greg Belding
View Profile

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.

Notice: Undefined index: visitor_id12882 in /www/resourcesinfosecinstitute_601/public/wp-content/plugins/infosec-user-info/infosec-user-info.php on line 117