CIS-SIR Exam Preparation

Certified Implementation Specialist - Security Incident Response

Exam Details

  • Questions: 60
  • Duration: 90 min
  • Passing Score: 70%
  • Exam Fee: $315

Exam Blueprint

ServiceNow Official Exam Blueprint
Domain: Weight

Automation and Standard Processes: 30%
  • Automate Security Incident Response overview, security incident process automation using playbooks and runbooks, and User Reported Phishing

Security Incident Response Overview and Data Visualization: 15%
  • Introducing Security Incident Response, data visualization, and Security Incident Response components

Security Incident Response Management: 15%
  • Security Incident Response Workspace, standard automated assignment options, escalation paths, security tags, and process definitions

Security Incident Creation and Threat Intelligence: 14%
  • Creating security incidents, major security incident management, understanding threat intelligence, and MITRE ATT&CK Framework

Security Incident and Threat Intelligence Integrations: 14%
  • ServiceNow Store and Share, managing pre-built integrations, creating custom integrations, and Threat Intelligence Service Center

Risk Calculations and Post Incident Response: 12%
  • Security incident calculator groups and risk scores, post incident reviews, and Event Management

Study Plan

Focus on high-weight topics first for maximum impact. Topics are ordered by exam weight.

1. Automation and Standard Processes

30% weight

Configure playbooks, automated responses, and standard operating procedures to accelerate incident response.

Key Concepts to Master:

  • Security playbooks
  • Automated enrichment
  • Response automation
  • Orchestration actions
  • Flow Designer for SIR
  • +3 more

2. Security Incident Response Overview and Data Visualization

15% weight

Understand the Security Incident Response application architecture, data visualization capabilities, and how SIR fits within Security Operations.

Key Concepts to Master:

  • Security Incident Response architecture
  • Security incident lifecycle
  • Security Operations suite overview
  • Data visualization and dashboards
  • Observables and indicators
  • +3 more

3. Security Incident Response Management

15% weight

Master the tools and processes for managing security incidents through investigation, containment, and resolution.

Key Concepts to Master:

  • Incident response phases
  • Investigation workflows
  • Containment actions
  • Task management
  • Analyst collaboration
  • +3 more

4. Security Incident Creation and Threat Intelligence

14% weight

Learn how security incidents are created, classified, and enriched with threat intelligence data.

Key Concepts to Master:

  • Manual incident creation
  • Automated incident creation
  • Threat intelligence feeds
  • STIX/TAXII integration
  • Observable extraction
  • +3 more

5. Security Incident and Threat Intelligence Integrations

14% weight

Configure integrations with SIEM, SOAR, and threat intelligence platforms to enhance security incident response capabilities.

Key Concepts to Master:

  • SIEM integration (Splunk, QRadar, etc.)
  • Endpoint detection integration
  • Threat intelligence platform integration
  • Email security integration
  • Network security integration
  • +3 more

6. Risk Calculations and Post Incident Response

12% weight

Understand how security risks are calculated, reported, and how post-incident activities improve future response.

Key Concepts to Master:

  • Risk scoring methodology
  • Severity and impact calculation
  • Business impact analysis
  • Post-incident review process
  • Lessons learned documentation
  • +3 more

Required Courses

Official Now Learning courses that cover the exam content.

Course information coming soon. Visit the official exam page for the latest requirements.

Official Documentation

ServiceNow docs pages that map to the exam domains.

Documentation links coming soon. Visit docs.servicenow.com for the official documentation.

Prerequisites

  • ServiceNow CSA certification
  • Security Operations experience
  • Understanding of security incident response
