CISSP Cheat Sheet (Updated for Latest Exam)

You’ve made an intelligent choice to aim for CISSP as your next certification, but the sheer volume of CISSP study materials and study guides can be overwhelming. Moreover, the CISSP exam is long, and you need a brief outline to help you remember how the exam concepts tie together.

The good news is, you’ve come to the right place: this CISSP cheat sheet is the brief outline you need. We’ve drawn a roadmap of top ideas to help you navigate this challenging certification. It highlights the foundational concepts on which the others build.

We hope this CISSP exam cheat sheet helps you prepare well for this examination wherever you are in your cyber security career. Download this cheat sheet here and let’s get started.

What is the CISSP Certification?

Certified Information Systems Security Professional (CISSP) is a highly sought-after information security certification developed by (ISC)2, an abbreviation for the nonprofit “International Information System Security Certification Consortium.”

To become CISSP-certified, you need to:

  1. Pass the CISSP examination to become an Associate;
  2. Submit the required documentation showing you have cumulative paid full-time work experience of five years, or four years plus proof of having gained a four-year tertiary degree or (ISC)2-approved credential; and
  3. Get endorsed by a member of (ISC)2.

Find the details on CISSP work experience requirements here.

CISSP Certification Pathway: Earning CISSP

The following diagram illustrates the eight domains of the CISSP Common Body of Knowledge (CBK). 

Here is an overview of the two CISSP exam formats available:

| Exam format | Dynamic: Computerized Adaptive Testing (CAT) | Linear: fixed-form |
|---|---|---|
| Language(s) available | English | French, German, Brazilian Portuguese, Spanish (Modern), Japanese, Simplified Chinese, Korean |
| Length (hours) | 3–4 | 6 |
| Number of questions | 125–175 | 250 |
| Can I change answers to earlier questions? | No | Yes |

The passing mark is 700 out of 1000, and you can only take the examination on a computer via Pearson VUE. The exam consists of multiple-choice (four options, one correct answer) and scenario-based questions. As CISSP is a long examination, candidates may take breaks but won’t get compensation in the form of extra exam time.

Remember to pick up (ISC)2’s CISSP Ultimate Guide and Exam Action Plan.

Domains

We’ve broken down the concepts and terms of the CBKs below. You may find the latest updates on the exam here. Remember to check out our Security+ cheat sheet, as both syllabi have overlapping concepts.

Security and Risk Management

This domain is the basis for all other domains, covering fundamental risk mitigation, legal and regulatory issues, professional ethics, and security concepts in an organizational context.

| Concept | Elaboration |
|---|---|
| CIA | Confidentiality, Integrity, Availability |
| DAD | Disclosure, Alteration, Destruction |
| IAAA | Identification and Authentication, Authorization and Accountability |
| Least privilege | Minimum necessary access |
| Need to know | Just enough data to do your job |
| Non-repudiation | One cannot deny having done something |
| PCI-DSS | Payment Card Industry Data Security Standard |
| OCTAVE | Operationally Critical Threat, Asset, and Vulnerability Evaluation |
| FRAP | Facilitated Risk Analysis Process |
| COBIT | Control Objectives for Information and Related Technology |
| COSO | Committee of Sponsoring Organizations |
| ITIL | Information Technology Infrastructure Library |
| ISMS | Information security management system |
| ISO | International Organization for Standardization |
| IEC | International Electrotechnical Commission |
| ISO/IEC 27000 series | International standards, developed by ISO and IEC, on how to develop and maintain an ISMS |
| Defense in depth / layered defense / onion defense | Multiple overlapping security controls to protect assets |
| Liability | Who is held accountable; C-level executives (senior leadership/management) are ultimately liable |
| Due care | Implementing security practices and patches. Memory aid: Do Correct |
| Due diligence | Checking for vulnerabilities. Memory aid: Do Detect |
| Negligence | The opposite of due care; failing to exercise due care may make you liable |
| GDPR | General Data Protection Regulation |
| Court-admissible evidence | Relevant; complete; sufficient/believable; reliable/accurate |
| HIPAA | Health Insurance Portability and Accountability Act |
| ECPA | Electronic Communications Privacy Act |
| USA PATRIOT Act | 2001 legislation expanding law enforcement electronic monitoring |
| CFAA | Computer Fraud and Abuse Act (Title 18, Section 1030), used to prosecute computer crimes |
| GLBA | Gramm-Leach-Bliley Act |
| SOX | Sarbanes-Oxley Act (2002) |
| Red team, blue team, purple team, etc. | See "Pentesting Team Colors Decoded" below |

Check out our articles on cyber security rules and regulations here.

Pentesting Team Colors Decoded

What do terms like “red team” and “blue team” mean in penetration testing?

The primary colors red, blue, and yellow refer to the attackers, defenders, and builders of a system respectively. The secondary colors are combinations of these roles; for example, purple team members have dual attack/defense roles. The white team supervises the exercise.

Asset Security

This domain covers the key concepts for handling and protecting data and information.

| Concept | Elaboration |
|---|---|
| Data at rest | On computer storage |
| Data in use/processing | In RAM, being accessed |
| Data in transit/motion | Traveling along cables or broadcast wirelessly |
| DRM | Digital Rights Management |
| CASB | Cloud Access Security Broker |
| DLP | Data Loss Prevention |
| Soft destruction | Data is destroyed while the storage hardware is preserved |
| Full physical destruction | The storage hardware itself is destroyed |

Security Architecture and Engineering

Here we focus on the most important methods to protect our assets. 

Secure architecture and design

A well-designed computer system/network can deter many attacks.

| Concept | Elaboration |
|---|---|
| Zachman framework | Columns: What/data, How/function, Where/network, Who/people, When/time, Why/motivation. Rows: Planner, Owner, Designer, Builder, Implementer, Worker |
| TOGAF | The Open Group Architecture Framework |
| DoDAF | Department of Defense Architecture Framework |
| MODAF | Ministry of Defence Architecture Framework |
| SABSA | Sherwood Applied Business Security Architecture |
| The Red Book | Trusted Network Interpretation (TNI); part of the Rainbow Series |
| The Orange Book | Trusted Computer System Evaluation Criteria (TCSEC); part of the Rainbow Series |
| Type 1 hypervisor | Bare-metal (native): runs directly on the hardware |
| Type 2 hypervisor | Hosted: runs as an application on top of an operating system |
| IaaS | Infrastructure as a Service |
| PaaS | Platform as a Service |
| SaaS | Software as a Service |

Cryptography

“A cryptographic system should be secure even if everything about the system, except the key, is public knowledge.”—Auguste Kerckhoffs, cryptographer

| Concept | Elaboration |
|---|---|
| Symmetric cipher | Stream: RC4. Block: DES, Blowfish, 3DES. Considerations: key length, block size, number of rounds |
| Asymmetric cipher | Examples: Diffie-Hellman key exchange, RSA, elliptic-curve cryptography |
| Hashing | One-way, deterministic transformation of input data into a fixed-length digest |
| Salting | Random characters added to a string (e.g., a password) before hashing, so identical inputs produce different hashes |
| Steganography | Hiding data inside other data |
| Quantum | Cryptography that relies on quantum-mechanical properties |
| Post-quantum | Cryptography designed to resist cryptanalysis by a quantum computer |
| Brute-force attack | Trying every character combination. Variant: password spraying (trying the same password across many different accounts) |
| Dictionary attack | Trying lists of probable passwords |
| Rainbow tables | Using precomputed tables of password hashes |
| Key stretching | Technique that strengthens weak passwords by making each hash computation deliberately slow (e.g., many rounds of hashing) |
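To make the hashing, salting, key stretching and rainbow-table rows concrete, here is an added example (ours, not StationX's or (ISC)2's) in Python using only the standard library. The wordlist and password values are constructed for the demonstration; PBKDF2-HMAC-SHA256 stands in for whatever password-hashing function a real system would use. It contrasts an unsalted single-round hash, which a precomputed table recovers instantly, with a per-password random salt plus a high iteration count.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed list of common passwords, standing in for an attacker's wordlist
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2024"]

ROUNDS = 200_000  # PBKDF2 iterations: the key-stretching work factor


def unsalted_hash(password: str) -> str:
    """Plain single-round SHA-256 with no salt. Identical passwords always
    produce identical digests, so one precomputed table (a rainbow table or a
    hashed wordlist) can be reused against every user in a stolen database."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = ROUNDS) -> Tuple[bytes, bytes]:
    """Salted, stretched password hash using PBKDF2-HMAC-SHA256 from the
    standard library. A fresh 16-byte random salt per password defeats
    precomputed tables; the round count makes every guess cost `rounds`
    HMAC evaluations, which is what key stretching means in practice."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes,
                    rounds: int = ROUNDS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, rounds)
    return hmac.compare_digest(digest, expected)


def lookup_unsalted(target_digest: str) -> Optional[str]:
    """Precomputed-table lookup against the unsalted scheme: the table is built
    once and answers any number of leaked digests without further work."""
    table = {unsalted_hash(p): p for p in WORDLIST}
    return table.get(target_digest)


def salted_hashes_differ(password: str) -> bool:
    """The same password hashed twice gives two different digests because each
    call draws its own salt, so a shared precomputed table is useless."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    leaked = unsalted_hash("letmein")
    print("unsalted digest recovered from table:", lookup_unsalted(leaked))
    salt, digest = hash_password("letmein")
    print("salted+stretched, correct password:", verify_password("letmein", salt, digest))
    print("salted+stretched, wrong password:", verify_password("password", salt, digest))
    print("two salted hashes of one password differ:", salted_hashes_differ("letmein"))
```

The stored record for a user is the pair (salt, digest); the salt is not secret, it only has to be unique. Raising `ROUNDS` slows the defender's login check linearly but slows every attacker guess by the same factor, which is the whole point of key stretching.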

Physical security

A given physical security measure can fall into one or more categories below.

| Control type | Elaboration |
|---|---|
| Preventative | Stops attacks before they happen, e.g., tall fences, locked doors, bollards |
| Detective | Detects attacks in progress or after the fact, e.g., CCTV, alarms |
| Deterrent | Discourages attackers from attempting an attack, e.g., fences, security guards, dogs, lights, warning signs |
| Compensating | Makes up for the weakness or absence of another control, e.g., locks, alarms, sensors, shock absorbers in a data center |
| Administrative | Compliance, policies, procedures, staff training, etc. |

Communication and Network Security

Here, we cover network and communications concepts that warrant review and how to protect such channels.

| Concept | Elaboration |
|---|---|
| Simplex | One-way communication |
| Half-duplex | Send or receive, one direction at a time |
| Full-duplex | Send and receive simultaneously |
| Baseband | One channel; sends one signal at a time. Example: Ethernet |
| Broadband | Multiple channels; sends/receives many signals at a time |
| OSI model | Open Systems Interconnection: 1. Physical, 2. Data Link, 3. Network, 4. Transport, 5. Session, 6. Presentation, 7. Application. Memory aid: Please Do Not Throw Sausage Pizza Away |
| ARP | Address Resolution Protocol |
| NAT | Network Address Translation |
| PAT | Port Address Translation |
| DHCP | Dynamic Host Configuration Protocol |
| PANA | Protocol for Carrying Authentication for Network Access |
| SLIP | Serial Line Internet Protocol |
| DMZ | Demilitarized zone (screened subnet), from outside in: external network, external router, perimeter network, internal router, internal network |

Well-Known Ports: Unencrypted vs Encrypted

Learn more about ports and protocols with our Common Ports Cheat Sheet here.

Identity and Access Management (IAM)

Logical and physical controls, identity-related services, and access control attacks comprise this domain.

| Concept | Elaboration |
|---|---|
| 2FA | Two-factor authentication |
| FRR | False rejection rate (legitimate users wrongly rejected) |
| FAR | False acceptance rate (impostors wrongly accepted) |
| CER/EER | Crossover error rate/equal error rate: the point at which FAR equals FRR |
| IDaaS | Identity as a Service |
| Kerberos | Ticket-based authentication protocol |
| SESAME | Secure European System for Applications in a Multi-vendor Environment |
| RADIUS | Remote Authentication Dial-In User Service |
| TACACS | Terminal Access Controller Access Control System |
| XTACACS | TACACS with separate authentication, authorization, and auditing processes |
| TACACS+ | XTACACS plus 2FA |
| Diameter | Like RADIUS and TACACS+, with more flexibility |
| PAP | Password Authentication Protocol |
| CHAP | Challenge-Handshake Authentication Protocol |

Identity and Access Provisioning Lifecycle
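The FRR, FAR and CER rows are easiest to understand on numbers. The following Python block is an added example (ours, not from StationX) that sweeps the decision threshold of a hypothetical biometric matcher over constructed genuine and impostor match scores, computes FAR and FRR at each threshold, and locates the crossover. The score lists and the 0–100 scale are assumptions made up for the illustration.

```python
from typing import List, Tuple

# Constructed similarity scores (0-100) from a hypothetical biometric matcher.
# Genuine: enrolled users presenting their own trait. Impostor: other people
# presenting theirs. A higher score means a closer match to the enrolled template.
GENUINE_SCORES = [62, 70, 75, 78, 81, 85, 88, 90, 93, 96]
IMPOSTOR_SCORES = [20, 30, 38, 45, 52, 58, 64, 71, 77, 83]


def far(threshold: int, impostor: List[int] = IMPOSTOR_SCORES) -> float:
    """False acceptance rate: share of impostor attempts scoring at or above
    the threshold (they are wrongly let in)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: int, genuine: List[int] = GENUINE_SCORES) -> float:
    """False rejection rate: share of genuine attempts scoring below the
    threshold (legitimate users wrongly turned away)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover_error_rate(genuine: List[int] = GENUINE_SCORES,
                         impostor: List[int] = IMPOSTOR_SCORES) -> Tuple[int, float]:
    """Sweep every threshold and return (threshold, CER) at the point where FAR
    and FRR are closest. At the crossover the two rates are equal and the CER
    is that common value; a lower CER means a more accurate system."""
    best_threshold, best_gap = 0, float("inf")
    for t in range(0, 101):
        gap = abs(far(t, impostor) - frr(t, genuine))
        if gap < best_gap:
            best_threshold, best_gap = t, gap
    cer = (far(best_threshold, impostor) + frr(best_threshold, genuine)) / 2
    return best_threshold, cer


if __name__ == "__main__":
    # Raising the threshold trades FAR for FRR: stricter matching rejects more
    # impostors but also more legitimate users.
    print("threshold  FAR   FRR")
    for t in range(50, 100, 5):
        print(f"{t:>9}  {far(t):.2f}  {frr(t):.2f}")
    t, cer = crossover_error_rate()
    print(f"crossover at threshold {t}: CER = {cer:.2f}")
```

On the constructed data the sweep finds the crossover at threshold 72 with a CER of 0.2. An operator who cares more about keeping impostors out sets the threshold above the crossover and accepts a higher FRR; one who cares more about user convenience sets it below and accepts a higher FAR.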

Security Assessment and Testing

Penetration testing (pentesting) falls under this domain, which is much broader: it also covers technical stress tests and the reporting of vulnerabilities to non-technical members of the organization.

| Concept | Elaboration |
|---|---|
| Static testing | Examines code without running it |
| Dynamic testing | Tests code during execution |
| Fuzzing (fuzz testing) | Feeding random or malformed input to a program and watching for crashes or other unexpected behavior |
| Penetration testing (pentesting) | Actively exploiting vulnerabilities |
| Black/gray/white box | Zero-/partial-/extensive-knowledge pentesting |
| SOC | Service Organization Controls: 1, 2, and 3 |

Security Operations

This domain covers the operational side of information security: management, prevention, recovery, and digital forensics.

| Concept | Elaboration |
|---|---|
| BCP | Business continuity plan |
| BIA | Business impact analysis |
| COOP | Continuity of operations |
| DRP | Disaster recovery plan |
| MTBF | Mean time between failures |
| MTTF | Mean time to failure |
| MTTR | Mean time to repair |
| RTO | Recovery time objective |
| RPO | Recovery point objective |
| SIEM | Security information and event management |
| NDA | Non-disclosure agreement |
| PAM | Privileged account/access management |
| UEBA | User and entity behavior analytics |
| Database shadowing | Exact real-time copies of databases/files kept at another location |
| Electronic vaulting (e-vaulting) | Remote backups made at set intervals or when files change |
| Remote journaling | Sends transaction log files, not the files themselves, to a remote location |
| Ways to minimize insider threats | Least privilege; need to know; separation of duties; job rotation; mandatory vacations |
| Digital forensics | Process: identification, preservation, collection, examination, analysis, presentation in court, court decision. Principles: real evidence; evidence integrity; chain of custody (to prove the integrity of the data): who handled it, when they handled it, what they did with it, where they handled it |
| Disk-based forensic data | Allocated space; unallocated space; slack space; bad blocks/clusters/sectors |

* This step is for real-world job settings only. It’s outside the CISSP exam syllabus, but in practice, the more thoroughly an organization equips its team for security incidents, the better it handles problems and the faster it recovers from them.
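Evidence integrity and chain of custody, as listed in the digital forensics row, are usually enforced with a hash taken at collection and re-checked at every handoff. The Python block below is an added example (ours, not StationX's) showing one way to keep such a record: each custody entry captures who, when, what and where, together with the SHA-256 of the evidence as received, and any entry whose hash differs from the reference is flagged. The evidence bytes, analyst names and locations are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class CustodyEntry:
    """One link in the chain of custody: the four questions from the cheat
    sheet plus the evidence hash observed at that handoff."""
    who: str
    when: str      # ISO 8601 UTC timestamp
    what: str      # action taken with the item
    where: str     # location where it was handled
    sha256: str


@dataclass
class EvidenceRecord:
    item_id: str
    reference_sha256: str  # hash taken at collection; every later hash must match
    chain: List[CustodyEntry] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def collect(item_id: str, data: bytes, who: str, where: str,
            when: Optional[str] = None) -> EvidenceRecord:
    """Preservation/collection step: hash the evidence once and open the chain."""
    h = sha256_hex(data)
    record = EvidenceRecord(item_id, h)
    record.chain.append(CustodyEntry(who, when or _now(), "collected and hashed", where, h))
    return record


def handoff(record: EvidenceRecord, data: bytes, who: str, what: str, where: str,
            when: Optional[str] = None) -> bool:
    """Log a custody event and re-hash the evidence as received. Returns True if
    the item is unchanged since collection, False if it has been altered."""
    h = sha256_hex(data)
    record.chain.append(CustodyEntry(who, when or _now(), what, where, h))
    return h == record.reference_sha256


def integrity_intact(record: EvidenceRecord) -> bool:
    """Evidence integrity holds only if every recorded hash equals the reference."""
    return all(e.sha256 == record.reference_sha256 for e in record.chain)


def first_break(record: EvidenceRecord) -> Optional[CustodyEntry]:
    """Return the first custody entry at which the hash diverged, if any,
    which tells the examiner where in the chain to look."""
    for entry in record.chain:
        if entry.sha256 != record.reference_sha256:
            return entry
    return None


if __name__ == "__main__":
    # Constructed stand-in for a disk image; not real evidence.
    image = b"constructed sample evidence bytes\x00\x01\x02"
    rec = collect("EV-001", image, "Analyst A", "Lab 1")
    print("handoff to B, unchanged:", handoff(rec, image, "Analyst B", "examined", "Lab 2"))
    print("handoff to C, altered:  ", handoff(rec, image + b"x", "Analyst C", "analyzed", "Lab 3"))
    print("integrity intact:", integrity_intact(rec))
    broken = first_break(rec)
    print("chain broken at:", broken.who if broken else None)
```

In practice the reference hash is also written to the evidence form at collection and signed, so the record itself cannot be quietly rewritten; the example only shows the per-handoff verification logic.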

Software Development Security

Building security controls into software applications is a new best practice in cyber security, and a CISSP needs to know how to secure software during its development.

| Concept | Elaboration |
|---|---|
| SDS | Software-Defined Security |
| EULA | End-User License Agreement |
| SDLC | Software development life cycle: planning, defining, designing, building, testing, deployment |
| CI/CD | Continuous Integration/Continuous Delivery (or Deployment, or Development) |
| DevOps | Cooperation between development, operations, and quality assurance |
| DevSecOps | DevOps plus security |
| Software development methodologies | Waterfall; Sashimi; Agile; Scrum; Extreme Programming (XP); Spiral; Rapid Application Development (RAD); Prototyping |
| ORB | Object Request Broker |
| CORBA | Common Object Request Broker Architecture |
| ACID model | Atomicity, Consistency, Isolation, and Durability |
| OWASP | Open Web Application Security Project; identifies top vulnerabilities |
| CSRF/XSRF | Cross-Site Request Forgery |
| XSS | Cross-Site Scripting |
| TOC/TOU | Time-of-check/time-of-use |
| SOAR | Security Orchestration, Automation, and Response |
| Expert system | Computer system that emulates humanlike decision-making ability |
| ANN | Artificial Neural Networks |
| GP | Genetic Programming |

Conclusion

We hope this CISSP exam cheat sheet provides a bird’s-eye view of the CISSP syllabus, accelerates your cyber security journey, and helps you realize your career ambitions. 

Find our CISSP course offerings here and check out our other articles on CISSP. We wish you all the best in your CISSP exam and beyond.

About the author: Cassandra Lee

Cassandra is a writer, artist, musician, and technologist who makes connections across disciplines: cyber security, writing/journalism, art/design, music, mathematics, technology, education, psychology, and more. She's been a vocal advocate for girls and women in STEM since the 2010s, having written for Huffington Post, International Mathematical Olympiad 2016, and Ada Lovelace Day, and she's honored to join StationX. You can find Cassandra on LinkedIn and Linktree.

  • Hillary Kahoza says:

    Good work Lee