The Certified Information Systems Security Professional (CISSP) is one of the most respected cyber security certifications. It's gained worldwide recognition because of the breadth of material on which test takers are quizzed.
If you plan on passing this four-hour exam, you'll have to familiarize yourself with the eight CISSP domains. Each domain is designed to test a different area of cyber security expertise.
To prepare you for the exam, we'll help you understand each of these domains, how they're weighted, and other critical details about this renowned exam.
We'll also give you a couple of questions that will test your knowledge of each domain to gauge your readiness.
If you're ready, let's start.
- About the CISSP Exam and CISSP Certification
- Domain 1: Security and Risk Management
- Domain 2: Asset Security
- Domain 3: Security Architecture and Engineering
- Domain 4: Communication and Network Security
- Domain 5: Identity and Access Management (IAM)
- Domain 6: Security Assessment and Testing
- Domain 7: Security Operations
- Domain 8: Software Development Security
- Conclusion
- Frequently Asked Questions
About the CISSP Exam and CISSP Certification
CISSP is an advanced cyber security certification that tests your knowledge of technical and managerial expertise. The exam will also ascertain your ability to design, engineer, and manage an organization's overall security posture.
Anyone can take this exam, but to become CISSP certified, you'll need at least five years of work experience in two or more of the domain areas listed below.
A four-year diploma or credential from ISC2's approved list will satisfy one year of the required experience, and you also need a recommendation from a CISSP holder in good standing.
This means the exam is aimed at more senior cyber security professionals or those looking to move into a managerial position.

The standard domains of knowledge youβll be tested on are as follows:

Here are some other details to know when it comes to taking the test:

| Detail | Value |
| --- | --- |
| Length | 4 hours |
| Number of questions | 125-175 |
| Question types | Multiple choice and advanced innovative items |
| Passing grade | 700/1000 |
The number of questions asked is determined by the Computerized Adaptive Testing (CAT) scoring system. As you take the exam, the test adapts to your mastery of the material.
If you're doing well, the exam will ask more challenging questions that count for more points. If you answer them correctly, you'll be asked fewer questions overall. This is why the number of questions asked varies.
CISSP Domains List
There are eight CISSP domains, each testing a different aspect of cyber security and cyber security management.
Be sure to study each domain before taking the exam.
| Domain | Weight |
| --- | --- |
| Security and Risk Management | 15% |
| Asset Security | 10% |
| Security Architecture and Engineering | 13% |
| Communication and Network Security | 13% |
| Identity and Access Management (IAM) | 13% |
| Security Assessment and Testing | 12% |
| Security Operations | 13% |
| Software Development Security | 11% |
CISSP Syllabus
We encourage you to download the official CISSP Certification Exam Outline to get a more detailed understanding of the subdomains you'll be tested on.
Domain 1: Security and Risk Management
The first domain tests your understanding of a variety of frameworks, fundamental security concepts, compliance requirements, and other cyber security practices you must take into account when creating a comprehensive cyber security plan.
Be prepared to receive questions on how to develop, document, and implement security policies, standards, and procedures; how to implement a business continuity plan; and how to ensure that the people you hire and the vendors you work with won't put your company at risk.
Here are some key terms to remember:
- CIA Triad: Confidentiality, Integrity, and Availability
- BIA: Business Impact Analysis
- SCRM: Supply Chain Risk Management
- RMF: Risk Management Framework
- GDPR: The General Data Protection Regulation
Example questions from this domain: (answer key follows)


Answers:
- Risk management plays a vital role in the overall security program. Managing risk is daunting because there are so many risks to contend with.
- Accepting product risk assessment results performed by the developing organization as the security baseline is not a sound practice simply because the risk assessment isn't independent and doesn't validate the actual security posture of the acquired product. Third-party validation should be used whenever possible.
Domain 2: Asset Security
When tested on Asset Security, you'll be asked to identify and classify information and assets, demonstrate proper asset handling, provision resources, manage data lifecycles, use adequate data security controls, and prove your understanding of compliance requirements.
You'll most likely come across some of these terms on the exam:
- EOL: End-of-life
- EOS: End of Support
- DRM: Data Rights Management
- DLP: Data Loss Prevention
- CASB: Cloud Access Security Broker
Example questions from this domain: (answer key follows)


Answers:
- A repeater simply re-amplifies the signal of a connection and cannot perform decision-based functionality regarding access restrictions. However, real examples of firewalls can come in many different forms, including a single device or a combination of devices. Routers, proxy servers, and TCP Wrapper (a firewall program to protect Unix systems) could be accurately characterized as firewalls if they have rules configured to monitor traffic.
- Public data is the least secure classification in any organization. It can be compared to the military's "unclassified" level. Because the financial results of public companies are open to anyone, this type of data doesn't need security controls as strict as those for more sensitive information.
Domain 3: Security Architecture and Engineering
Building an airtight cyber security architecture is a task for senior cyber security employees.
The CISSP will test your ability to develop a defensive plan that uses secure design principles to shore up your digital assets.
Be sure to brush up on the following secure design principles before taking the exam:
- Threat modeling
- Least privilege
- Secure default
- Fail securely
- Defense in depth
- Zero trust
- Privacy by design
- Trust but verify
You'll also be asked to use crucial concepts from security models like Biba, Star Model, and Bell-LaPadula, as well as controls, to design a digital security architecture.
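To make the two most frequently examined models concrete, here is an added example (it is not code from the original article) of a tiny reference monitor that enforces the Bell-LaPadula confidentiality rules and the Biba strict-integrity rules on the same request. The level lattice, the subjects and the objects are constructed for illustration.

```python
"""Added example, not from the original article: a tiny reference monitor that
enforces the Bell-LaPadula confidentiality rules (no read up, no write down)
and the Biba strict-integrity rules (no read down, no write up) side by side.
The level lattice, subjects and objects below are constructed for illustration."""
from dataclasses import dataclass

# Constructed linear lattice. A higher index means more sensitive (Bell-LaPadula)
# or more trustworthy (Biba); one ordering is reused for both models to keep the
# example short.
LEVELS = ["public", "internal", "confidential", "secret"]


def rank(level: str) -> int:
    """Position of a label in the lattice; unknown labels raise rather than default."""
    return LEVELS.index(level)


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str   # Bell-LaPadula: confidentiality clearance
    integrity: str   # Biba: integrity level


@dataclass(frozen=True)
class Object:
    name: str
    classification: str  # Bell-LaPadula: sensitivity label
    integrity: str       # Biba: integrity label


def blp_allows(subject: Subject, obj: Object, action: str) -> bool:
    """Bell-LaPadula: simple security property (read only at or below your
    clearance) and *-property (write only at or above your clearance)."""
    if action == "read":
        return rank(subject.clearance) >= rank(obj.classification)
    if action == "write":
        return rank(subject.clearance) <= rank(obj.classification)
    return False  # fail securely: unknown actions are denied


def biba_allows(subject: Subject, obj: Object, action: str) -> bool:
    """Biba strict integrity: simple integrity (read only from at or above your
    integrity level) and *-integrity (write only to at or below it)."""
    if action == "read":
        return rank(subject.integrity) <= rank(obj.integrity)
    if action == "write":
        return rank(subject.integrity) >= rank(obj.integrity)
    return False


def decide(subject: Subject, obj: Object, action: str) -> dict:
    """Evaluate both models and grant only when neither denies."""
    verdict = {"blp": blp_allows(subject, obj, action),
               "biba": biba_allows(subject, obj, action)}
    verdict["granted"] = verdict["blp"] and verdict["biba"]
    return verdict


# Constructed sample principals and objects.
ANALYST = Subject("analyst", clearance="secret", integrity="internal")
INTERN = Subject("intern", clearance="public", integrity="public")
REPORT = Object("incident-report", classification="confidential", integrity="confidential")
WIKI = Object("public-wiki", classification="public", integrity="public")

if __name__ == "__main__":
    for subj, obj, act in [(ANALYST, REPORT, "read"), (ANALYST, REPORT, "write"),
                           (INTERN, REPORT, "write"), (ANALYST, WIKI, "write")]:
        print(subj.name, act, obj.name, decide(subj, obj, act))
```

Running it shows why the exam pairs the two models: Bell-LaPadula happily lets the low-clearance intern write up into the confidential report (a "blind write" leaks nothing), but Biba rejects it because low-integrity input would contaminate a high-integrity object; conversely the analyst may read the report under both models yet may not write to the public wiki, because that would be a write down.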
The CISSP exam places real weight on assessing and mitigating common security vulnerabilities.
For this reason, you'll need to understand the vulnerabilities of widespread security architectures, including but not limited to server-based systems, ICS, cryptographic systems, IoT, embedded systems, edge computing systems, and more.
One of the best security practices involves using encryption to protect data. You'll also have to understand the ins and outs of cryptographic solutions and cryptanalytic attacks, such as brute force and side-channel attacks.
Other key terms you'll need to remember include:
- SoD: Separation of Duties
- TPM: Trusted Platform Module
- IS: Information Systems
- IoT: Internet of Things
- ICS: Industrial Control Systems
- MITM: Man-in-the-Middle
Example questions from this domain: (answer key follows)


Answers:
- The Harrison-Ruzzo-Ullman model outlines how access rights can be changed and how subjects and objects should be created and deleted. This newer model provides more granularity and direction for vendors to meet the goals outlined in the earlier models.
- Configuration management is a process for controlling the changes that occur while a system or application is being developed. This control happens throughout the lifetime of the system or application, so any changes to it in production also fall under configuration management. Configuration management doesn't ensure that changes take place but controls the changes to ensure they're carried out properly.
Domain 4: Communication and Network Security
This domain will test your grasp of secure design principles as they relate to network architectures.
Of course, you'll have to know the basics of the OSI and TCP/IP models, but you'll also be asked to apply secure networking practices to cellular, wireless, and content distribution networks.
Identifying networking hardware and implementing secure communication channels should be relatively easy for you if you have a networking background.
When studying, be sure to review these key terms:
- OSI: Open System Interconnection
- FCoE: Fibre Channel over Ethernet
- SDN: Software-Defined Networks
- VXLAN: Virtual eXtensible Local Area Network
- CDN: Content Distribution Networks
Example questions from this domain: (answer key follows)


Answers:
- Several countermeasures should be put in place to reduce this threat:
  • Disable unnecessary ports and services.
  • Block access at the perimeter network using firewalls, routers, and proxy servers.
  • Use an IDS to identify this type of activity.
  • Use TCP wrappers on vulnerable services that have to be available.
  • Remove as many banners as possible within operating systems and applications.
  • Upgrade or update to more secure operating systems, applications, and protocols.
- A whitelist is a set of known-good resources such as IP addresses, domain names, or applications allowed on your network.
Domain 5: Identity and Access Management (IAM)
Determining who has the right to access specific data is crucial in maintaining digital security.
If you're a senior cyber security employee, such as a CISO or senior cyber security engineer, you have to understand how to implement identity and access management efficiently.
However, providing access to the right employees while keeping bad actors out involves more than using logical access capabilities.
You'll also have to familiarize yourself with physical access controls and efficiently manage and authorize people, devices, and services.
Review the contexts for the use of each of the following authorization mechanisms:
- Role-based access control
- Rule-based access control
- Mandatory access control
- Discretionary access control
- Attribute-based access control
- Risk-based access control
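The contexts in which these mechanisms apply are easiest to see when one request is pushed through several of them at once. The following is an added example, not code from the original article: a small policy decision point that evaluates role-based, rule-based and attribute-based checks on the same request and grants only if every check passes. The roles, attributes, rules and sample requests are all constructed.

```python
"""Added example, not from the original article: one policy decision point that
runs the same access request through three of the mechanisms listed above
(role-based, rule-based and attribute-based) and grants only if every check
passes. Roles, attributes, rules and the sample requests are constructed."""

# Constructed RBAC mapping: role -> set of (resource, action) permissions.
ROLE_PERMISSIONS = {
    "analyst": {("alerts", "read"), ("alerts", "annotate")},
    "admin": {("alerts", "read"), ("alerts", "annotate"),
              ("alerts", "delete"), ("users", "manage")},
}

# Constructed set of actions the rule-based control treats as privileged.
PRIVILEGED_ACTIONS = {"delete", "manage"}


def rbac_allows(request: dict) -> bool:
    """Role-based: the permission must be granted to at least one of the subject's roles."""
    granted = set()
    for role in request["subject"]["roles"]:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return (request["resource"], request["action"]) in granted


def rule_based_allows(request: dict) -> bool:
    """Rule-based: a fixed rule applied to everyone regardless of identity.
    Here: privileged actions are only accepted from the corporate network."""
    if request["action"] in PRIVILEGED_ACTIONS:
        return request["environment"]["network"] == "corporate"
    return True


def abac_allows(request: dict) -> bool:
    """Attribute-based: compare subject, object and environment attributes."""
    subject, obj, env = request["subject"], request["object"], request["environment"]
    if subject["tenant"] != obj["tenant"]:                          # tenant isolation
        return False
    if request["action"] in PRIVILEGED_ACTIONS and not env["mfa"]:  # step-up auth
        return False
    return True


def authorize(request: dict) -> dict:
    """Deny by default: every mechanism must grant for the request to pass."""
    checks = {
        "rbac": rbac_allows(request),
        "rule": rule_based_allows(request),
        "abac": abac_allows(request),
    }
    return {**checks, "granted": all(checks.values())}


def make_request(roles, tenant, resource, action, network, mfa, obj_tenant=None):
    """Build a constructed request document (hypothetical shape, not a standard)."""
    return {
        "subject": {"roles": list(roles), "tenant": tenant},
        "object": {"tenant": obj_tenant or tenant},
        "resource": resource,
        "action": action,
        "environment": {"network": network, "mfa": mfa},
    }


# Constructed sample requests.
SAMPLE_REQUESTS = {
    "analyst_reads": make_request(["analyst"], "acme", "alerts", "read", "home", False),
    "analyst_deletes": make_request(["analyst"], "acme", "alerts", "delete", "corporate", True),
    "admin_deletes_from_home": make_request(["admin"], "acme", "alerts", "delete", "home", True),
    "admin_deletes_no_mfa": make_request(["admin"], "acme", "alerts", "delete", "corporate", False),
    "admin_cross_tenant": make_request(["admin"], "acme", "alerts", "read", "corporate", True,
                                       obj_tenant="globex"),
    "admin_deletes_ok": make_request(["admin"], "acme", "alerts", "delete", "corporate", True),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:26} {authorize(req)}")
```

Each sample request fails exactly one check, which is the point: role membership alone says nothing about where the request came from (rule-based), and neither role nor rule can express "same tenant as the object" or "this session completed MFA" (attribute-based). Mandatory and discretionary access control are not shown here; they differ in who sets the policy (the system versus the resource owner) rather than in how a single decision is computed.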
Some key terms to review before the exam include:
- OIDC: OpenID Connect
- OAuth: Open Authorization
- SAML: Security Assertion Markup Language
- RADIUS: Remote Authentication Dial-In User Service
- TACACS+: Terminal Access Controller Access-Control System Plus
Example questions from this domain: (answer key follows)


Domain 6: Security Assessment and Testing
This domain evaluates your understanding of the best ways to assess and test your security.
You'll be tested on which security control testing capability to use and when. Some testing tools and strategies you'll want to familiarize yourself with include:
- Vulnerability testing
- Penetration testing
- Log reviews
- Code review and testing
- Misuse case testing
- Interface testing
- Breach attack simulations
Also, be aware of how you might collect security process data, analyze test output, generate reports, and conduct internal, external, and third-party audits.
Review these terms before taking the CISSP exam:
- DR: Disaster Recovery
- BC: Business Continuity
- AST: Application Security Testing
- Misuse Case Testing: Testing how an application might be misused to find vulnerabilities
- BAS: Breach and Attack Simulations
Example questions from this domain: (answer key follows)


Answers:
- Penetration testing reports typically identify vulnerabilities and their severity, the method used to exploit them, and information on how to remediate those same vulnerabilities.
- The product is not actually used in a production environment until the life cycle reaches the operations and maintenance phase. The testing phase leads to this next level, but certain tasks must be completed before the product can be used. Testing, certifying, and integration tasks must all be completed first to ensure the product functions properly and coexists successfully with other network devices and software.
Domain 7: Security Operations
As a senior cyber security professional, you must understand how logging and monitoring work, how to apply foundational security operations concepts, how to conduct incident management, how to implement detective and preventative security measures, how to implement recovery strategies, and much more.
You must also understand the best ways to shore up physical security and protect the physical safety of your employees.
Some keywords and acronyms to remember are:
- DRP: Disaster Recovery Plans
- QoS: Quality of Service
- IDS: Intrusion Detection Systems
- IPS: Intrusion Prevention Systems
- SLAs: Service Level Agreements
- UEBA: User and Entity Behavior Analytics
Example questions from this domain: (answer key follows)


Answers:
- In a simulation test, all employees who participate in operational and support functions, or their representatives, come together to practice executing the disaster recovery plan based on a specific scenario. The scenario tests the reaction of each operational and support representative. The simulation test continues up to the point of relocation to an offsite facility and shipment of replacement equipment, which is where it stops.
- Telephone service may not be available after a disaster. Alternatives, such as cell phones or ham radios, should be in place for communication purposes.
Domain 8: Software Development Security
You'll be quizzed on your grasp of the entire software development life cycle, including the Agile, Waterfall, DevOps, and DevSecOps development methodologies.
You'll surely also answer questions regarding the best ways to apply security controls to software development ecosystems.
Even if you've used the best controls, you won't know whether there's a vulnerability until you audit and log changes, perform risk analysis, and can be confident that you've applied secure coding guidelines.
But it's not all about the software you produce. Acquired software can also pose a threat to digital security. Your understanding of how to assess purchased software will also be tested.
Some keywords and phrases to remember are:
- COTS: Commercial-off-the-shelf
- SaaS: Software as a Service
- IaaS: Infrastructure as a Service
- PaaS: Platform as a Service
- SOAR: Security Orchestration, Automation, and Response
- SAMM: Software Assurance Maturity Model
Example questions from this domain: (answer key follows)


Answers:
- The product is not used in a production environment until the life cycle reaches the operations and maintenance phase. The testing phase leads to this next level, but specific tasks must be completed before the product can be used. Testing, certifying, and integration tasks must all be completed first to ensure the product functions properly and coexists successfully with other network devices and software.
- Static analysis is a debugging technique that examines the code without executing the program and is therefore carried out before the program is compiled. The term static analysis is generally reserved for automated tools that assist programmers and developers, whereas manual inspection by humans is generally referred to as code review.
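The distinction the answer draws, examining code without executing it, is easy to demonstrate. The following is an added example, not code from the original article: a small static analyser built on Python's standard-library ast module that walks a source file's syntax tree and flags calls a code reviewer would want to look at. The watch-list of calls and the sample source it scans are constructed; the sample is only parsed, never run.

```python
"""Added example, not from the original article: a small static analyser that
walks a Python file's syntax tree with the standard-library ast module and flags
calls that commonly need review, without ever executing the analysed code. The
watch-list and the sample source are constructed for illustration."""
import ast

# Constructed watch-list: dotted call name -> why a reviewer should look at it.
RISKY_CALLS = {
    "eval": "evaluates arbitrary expressions",
    "exec": "executes arbitrary code",
    "os.system": "shell command built from strings",
    "pickle.loads": "deserialises untrusted data",
}


def qualified_name(node: ast.AST):
    """Dotted name of a call target, e.g. 'os.system'; None if not a plain name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class RiskyCallFinder(ast.NodeVisitor):
    """Collects (line, call, reason) findings while visiting Call nodes."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node: ast.Call):
        name = qualified_name(node.func)
        if name in RISKY_CALLS:
            self.findings.append((node.lineno, name, RISKY_CALLS[name]))
        # subprocess.* is only shell-interpreted when shell=True is passed explicitly.
        if name and name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, name, "shell=True hands the command to a shell"))
        self.generic_visit(node)  # keep descending into the call's arguments


def analyze(source: str) -> list:
    """Parse (never run) the source and return findings sorted by line."""
    finder = RiskyCallFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


# Constructed sample: the text below is parsed only; nothing in it executes.
SAMPLE_SOURCE = """\
import os, subprocess

def run(cmd, expr):
    os.system("echo " + cmd)
    subprocess.run(cmd, shell=True)
    subprocess.run(["ls", cmd])
    return eval(expr)
"""

if __name__ == "__main__":
    for line, call, reason in analyze(SAMPLE_SOURCE):
        print(f"line {line}: {call}: {reason}")
```

Note what the tool does and does not do: it reports the two shell-building calls and the eval on lines 4, 5 and 7, stays silent on the list-form subprocess call on line 6, and cannot tell whether cmd is actually attacker-controlled. Deciding that requires either a human code review or a data-flow analysis, which is exactly the division of labour the answer describes.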
Conclusion
As the most globally recognized cyber security certification, the CISSP exam will test you on a wealth of technical and managerial cyber security-related information. It'll test your ability to design, engineer, test, and manage an organization's security posture.
The best way to prepare yourself is by joining the StationX Accelerator Program. It's here that you'll have access to over 1,000 courses, tests, and labs to help prepare you for the CISSP. You'll also receive unlimited mentorship, access to mastermind groups, support in our forums, and much more.
To get started studying for the CISSP, consider enrolling in the following courses:
Frequently Asked Questions