8 CISSP Domains Explained to Ace Exam in 2024

CISSP Domains

The Certified Information Systems Security Professional (CISSP) is one of the most respected cyber security certifications. It is recognized worldwide because of the breadth of material test takers are examined on. 

If you plan on passing this four-hour exam, you’ll have to familiarize yourself with the eight CISSP domains. Each domain is designed to test a different area of cyber security expertise.

To prepare you for the exam, we’ll help you understand each of these domains, how they’re weighted, and other critical details about this renowned exam. 

We’ll also give you a couple of questions that will test your knowledge of each domain to gauge your readiness. 

If you’re ready, let’s start. 

About the CISSP Exam and CISSP Certification

CISSP is an advanced cyber security certification that tests both technical and managerial expertise. The exam also assesses your ability to design, engineer, and manage an organization's overall security posture. 

Anyone can take this exam, but to become CISSP certified, you’ll need at least five years of work experience in two or more of the domain areas listed below. 

A four-year college degree (or regional equivalent) or an additional credential from ISC2's approved list will satisfy one year of the required experience. You must also be endorsed by an ISC2-certified professional in good standing. 

This means the exam is aimed at more senior cyber security professionals or those looking to move into a managerial position. 

The eight standard domains of knowledge you'll be tested on are listed, together with their weights, in the CISSP Domains List section below.

Here are some other details to know when it comes to taking the test:

Length: 4 hours
Number of questions: 125-175
Question types: Multiple choice and advanced innovative items
Passing grade: 700/1000

The number of questions asked is determined by the Computerized Adaptive Testing (CAT) format. As you take the exam, the test adapts to your demonstrated mastery of the material. 

If you're doing well, the exam serves more challenging questions, which carry more weight in its estimate of your ability. If you keep answering them correctly, the exam can reach a confident pass decision sooner and stop, so you'll be asked fewer questions. This is why the number of questions varies from candidate to candidate. 

CISSP Domains List

There are eight CISSP domains, each testing a different aspect of cyber security and cyber security management. 

Be sure to study each domain before taking the exam. 

Domain: Weight
Security and Risk Management: 15%
Asset Security: 10%
Security Architecture and Engineering: 13%
Communication and Network Security: 13%
Identity and Access Management (IAM): 13%
Security Assessment and Testing: 12%
Security Operations: 13%
Software Development Security: 11%

CISSP Syllabus

We encourage you to download the official CISSP Certification Exam Outline to get a more detailed understanding of the subdomains you’ll be tested on.

Domain 1: Security and Risk Management

The first domain tests your understanding of a variety of frameworks, fundamental security concepts, compliance requirements, and the other cyber security practices you must take into account when creating a comprehensive cyber security plan. 

Be prepared to receive questions regarding how to develop, document, and implement security policies, standards, and procedures, implement a business continuity plan, and ensure that the people you hire and vendors you work with won’t put your company at risk. 

Here are some key terms to remember:

  • CIA Triad: Confidentiality, Integrity, and Availability
  • BIA: Business Impact Analysis
  • SCRM: Supply Chain Risk Management
  • RMF: Risk Management Framework
  • GDPR: The General Data Protection Regulation

Example questions from this domain: (answer key follows)

Answers:

  1. Risk management plays a vital role in the overall security program. Managing risk is daunting because there are so many risks to contend with.
  2. Accepting product risk assessment results performed by the developing organization as the security baseline is not a sound practice simply because the risk assessment isn’t independent and doesn’t validate the actual security posture of the acquired product. Third-party validation should be used whenever possible.

Domain 2: Asset Security

When tested on Asset Security, you’ll be asked to identify and classify information and assets, demonstrate proper asset handling, provision resources, manage data lifecycles, use adequate data security controls, and prove your understanding of compliance requirements. 

You’ll most likely come across some of these terms on the exam:

  • EOL: End-of-life
  • EOS: End of Support
  • DRM: Digital Rights Management
  • DLP: Data Loss Prevention
  • CASB: Cloud Access Security Broker

Example questions from this domain: (answer key follows)

Answers:

  1. A repeater simply re-amplifies the signal of a connection and cannot perform decision-based functionality regarding access restrictions. Firewalls, however, can take many forms, including a single device or a combination of devices. Routers, proxy servers, and TCP Wrapper (a firewall program that protects Unix services) could be accurately characterized as firewalls if they have rules configured to filter traffic.
  2. Public data is the lowest sensitivity classification in any organization. It can be compared to the military's "unclassified" level. Because the financial results of public companies are open to anyone, this type of data doesn't need security controls as strict as those for more sensitive information.

Domain 3: Security Architecture and Engineering

Building an airtight cyber security architecture is a task for senior cyber security employees. 

The CISSP will test your ability to develop a defensive plan that uses secure design principles to shore up your digital assets. 

Be sure to brush up on the following secure design principles before taking the exam:

  • Threat modeling
  • Least privilege
  • Secure defaults
  • Fail securely
  • Defense in depth
  • Zero trust
  • Privacy by design 
  • Trust but verify

You'll also be asked to apply crucial concepts from security models such as Biba, Bell-LaPadula, and the star (*) property that defines each model's write rule, along with the controls needed to design a digital security architecture. 
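The models above are easiest to remember as rules a reference monitor checks on every access. The following is an added example, not code from the original article: a minimal reference monitor that applies the Bell-LaPadula confidentiality rules (no read up, no write down) and the Biba integrity rules (no read down, no write up) to the same request, and denies anything it cannot classify, which is what "fail securely" means in practice. The label names and the two lattices are assumptions chosen for the illustration.

```python
# Added example (not from the original article): a minimal reference monitor
# enforcing Bell-LaPadula (confidentiality) and Biba (integrity) together.
from dataclasses import dataclass

# Ordered lattices (assumed for the example); a higher index means more
# sensitive (Bell-LaPadula) or more trusted (Biba).
CONFIDENTIALITY = ["public", "internal", "confidential", "secret"]
INTEGRITY = ["untrusted", "user", "system"]


@dataclass(frozen=True)
class Label:
    confidentiality: str
    integrity: str


def _rank(levels, name):
    # Unknown level names raise ValueError, which mediate() turns into a deny.
    return levels.index(name)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    s = _rank(CONFIDENTIALITY, subject.confidentiality)
    o = _rank(CONFIDENTIALITY, obj.confidentiality)
    if op == "read":   # simple security property: no read up
        return s >= o
    if op == "write":  # *-property: no write down
        return s <= o
    return False


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    s = _rank(INTEGRITY, subject.integrity)
    o = _rank(INTEGRITY, obj.integrity)
    if op == "read":   # simple integrity axiom: no read down
        return s <= o
    if op == "write":  # * integrity axiom: no write up
        return s >= o
    return False


def mediate(subject: Label, obj: Label, op: str) -> str:
    """Return 'allow' only if both models permit the access; anything else,
    including an unknown operation or label, is 'deny' (fail securely)."""
    try:
        ok = blp_allows(subject, obj, op) and biba_allows(subject, obj, op)
    except ValueError:
        return "deny"
    return "allow" if ok else "deny"


if __name__ == "__main__":
    analyst = Label("confidential", "user")
    print(mediate(analyst, Label("secret", "user"), "read"))           # deny: read up
    print(mediate(analyst, Label("internal", "user"), "write"))        # deny: write down
    print(mediate(analyst, Label("confidential", "system"), "read"))   # allow
    print(mediate(analyst, Label("confidential", "system"), "write"))  # deny: Biba no write up
    print(mediate(analyst, Label("top-secret", "user"), "read"))       # deny: unknown label
```

Note that Bell-LaPadula alone would let the analyst write to a "secret" object (a blind write-up is allowed by the *-property); it is Biba's rule that stops the same subject from writing into a higher-integrity object. Running both is how a real system ends up with the combined behaviour the exam questions describe.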

The CISSP exam places real weight on assessing and mitigating common security vulnerabilities. 

For this reason, you'll need to understand the vulnerabilities of widespread security architectures, including but not limited to server-based systems, ICS, cryptographic systems, IoT, embedded systems, edge computing systems, and more. 

One of the most important security practices is using encryption to protect data. You'll also have to understand the ins and outs of cryptographic solutions and cryptanalytic attacks, such as brute force and side-channel attacks. 
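Side-channel attacks are worth seeing concretely, because the weakness is rarely in the algorithm and usually in the code around it. The following is an added example, not code from the original article: a naive early-exit comparison of a secret (a MAC tag, a session token, a password hash) examines more bytes the longer the attacker's guess matches, so response time leaks the secret one byte at a time; the constant-time version examines every byte regardless. The byte values and the message are constructed for the example; `verify_tag` shows the shape a real check should take, using the standard library's `hmac.compare_digest`.

```python
# Added example (not from the original article): timing side channel in a
# naive secret comparison, and the constant-time comparison that closes it.
import hmac
import secrets


def naive_equal(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Early-exit comparison. Returns (equal, bytes_examined).
    The work done grows with the length of the correctly guessed prefix, so an
    attacker who can measure response time can recover the secret byte by byte."""
    if len(expected) != len(provided):
        return False, 0
    examined = 0
    for a, b in zip(expected, provided):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_equal(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Examines every byte whatever the position of the first mismatch.
    This is what hmac.compare_digest does; it is written out here to show why."""
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    for a, b in zip(expected, provided):
        diff |= a ^ b          # accumulate differences, never branch on them
    return diff == 0, len(expected)


def make_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, "sha256").digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Production-shaped check: recompute the MAC and compare with the
    constant-time primitive rather than with '=='."""
    return hmac.compare_digest(make_tag(key, message), tag)


if __name__ == "__main__":
    secret = bytes.fromhex("deadbeefcafef00d")      # constructed secret
    guess = bytes.fromhex("deadbe00cafef00d")       # shares a 3-byte prefix
    print(naive_equal(secret, guess))               # (False, 4): stopped at byte 4
    print(constant_time_equal(secret, guess))       # (False, 8): all bytes examined
    key = secrets.token_bytes(32)
    msg = b"transfer 100"
    print(verify_tag(key, msg, make_tag(key, msg)))  # True
    print(verify_tag(key, msg, bytes(32)))           # False
```

The bytes-examined counter stands in for wall-clock time so the leak is visible without noisy measurements. In a real service the difference is a few nanoseconds per byte, but it is measurable over a network with enough samples, which is why MAC and token checks should always go through `hmac.compare_digest` or its equivalent.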

Other key terms you’ll need to remember include: 

  • SoD: Separation of Duties
  • TPM: Trusted Platform Module
  • IS: Information Systems
  • IoT: Internet of Things
  • ICS: Industrial Control Systems
  • MITM: Man-in-the-Middle

Example questions from this domain: (answer key follows)

Answers:

  1. The Harrison-Ruzzo-Ullman model outlines how access rights can be changed and how subjects and objects should be created and deleted. This newer model provides more granularity and direction for vendors to meet the goals outlined in the earlier models.
  2. Configuration management is a process for controlling the changes that occur while a system or application is being developed. This control happens throughout the lifetime of the system or application, so any changes to it in production also fall under configuration management. Configuration management doesn’t ensure that changes take place but controls the changes to ensure they’re carried out properly.

Domain 4: Communication and Network Security

This domain will test your grasp of secure design principles as they relate to network architectures. 

Of course, you'll have to know the basics of the OSI and TCP/IP models, but you'll also be asked to apply secure networking practices to cellular, wireless, and content distribution networks. 

Identifying networking hardware and implementing secure communication channels should be relatively easy for you if you have a networking background. 

When studying, be sure to review these key terms:

  • OSI: Open Systems Interconnection
  • FCoE: Fibre Channel over Ethernet
  • SDN: Software-Defined Networking
  • VXLAN: Virtual eXtensible Local Area Network
  • CDN: Content Distribution Network

Example questions from this domain: (answer key follows)

Answers:

  1. Several countermeasures should be put in place to reduce this threat:
    • Disable unnecessary ports and services.
    • Block access at the perimeter network using firewalls, routers, and proxy servers.
    • Use an IDS to identify this type of activity.
    • Use TCP wrappers on vulnerable services that have to be available.
    • Remove as many banners as possible within operating systems and applications.
    • Upgrade or update to more secure operating systems, applications, and protocols.
  2. A whitelist (the current exam outline uses the term allow list) is a set of known-good resources, such as IP addresses, domain names, or applications, that are permitted on your network; anything not on the list is denied by default.

Domain 5: Identity and Access Management (IAM)

Determining who has the right to access specific data is crucial in maintaining digital security. 

If you’re a senior cyber security employee, such as a CISO or senior cyber security engineer, you have to understand how to implement identity and access management efficiently. 

However, providing access to the right employees while keeping bad actors out involves more than using logical access capabilities. 

You’ll also have to familiarize yourself with physical access controls and efficiently manage and authorize people, devices, and services. 

Review the contexts for the use of each of the following authorization mechanisms:

  • Role-based access control
  • Rule-based access control
  • Mandatory access control
  • Discretionary access control
  • Attribute-based access control
  • Risk-based access control
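The difference between the role-based and attribute-based mechanisms is easiest to see when the same request goes through both. The following is an added example, not code from the original article: a role-based check that stops at "does one of the subject's roles carry this permission?", beside an attribute-based policy that also looks at the subject's department, the device, the time of day, and a separation-of-duties rule. The roles, resources, and policy conditions are assumptions made up for the illustration.

```python
# Added example (not from the original article): RBAC and ABAC decisions on the
# same "approve invoice" request. Roles, attributes and policy are constructed.
from dataclasses import dataclass, field

# --- RBAC: permissions attach to roles; users are assigned roles ---------------
ROLE_PERMISSIONS = {
    "clerk":   {("invoice", "read")},
    "manager": {("invoice", "read"), ("invoice", "approve")},
    "auditor": {("invoice", "read"), ("ledger", "read")},
}


def rbac_decide(roles: set[str], resource: str, action: str) -> bool:
    """Allow if any of the subject's roles carries the (resource, action) permission."""
    return any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)


# --- ABAC: a policy over subject, resource and environment attributes ------------
@dataclass
class Request:
    subject: dict = field(default_factory=dict)
    resource: dict = field(default_factory=dict)
    env: dict = field(default_factory=dict)
    action: str = ""


def abac_decide(req: Request) -> bool:
    """Assumed policy: approving an invoice requires a manager in the invoice's
    department, on a managed device, during business hours, and nobody may
    approve an invoice they created themselves (separation of duties)."""
    s, r, e = req.subject, req.resource, req.env
    if req.action == "read":
        return s.get("department") == r.get("department") or "auditor" in s.get("roles", ())
    if req.action == "approve":
        return (
            "manager" in s.get("roles", ())
            and s.get("department") == r.get("department")
            and e.get("device_managed") is True
            and 8 <= e.get("hour", -1) < 18
            and s.get("id") != r.get("created_by")
        )
    return False  # unknown action: default deny


if __name__ == "__main__":
    roles = {"manager"}
    print(rbac_decide(roles, "invoice", "approve"))  # True: RBAC stops at the role
    req = Request(
        subject={"id": "u42", "roles": roles, "department": "finance"},
        resource={"type": "invoice", "department": "finance", "created_by": "u42"},
        env={"device_managed": True, "hour": 10},
        action="approve",
    )
    print(abac_decide(req))           # False: the manager created this invoice
    req.resource["created_by"] = "u7"
    print(abac_decide(req))           # True
    req.env["hour"] = 23
    print(abac_decide(req))           # False: outside business hours
```

RBAC is simple to administer and audit, which is why it is the default in most enterprise systems; ABAC is what you reach for when the decision depends on context the role cannot carry (device posture, time, who created the record). Risk-based access control is an ABAC policy whose environment attributes come from a risk score rather than fixed values.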

Some key terms to review before the exam include:

  • OIDC: OpenID Connect 
  • OAuth: Open Authorization
  • SAML: Security Assertion Markup Language
  • RADIUS: Remote Authentication Dial-In User Service
  • TACACS+: Terminal Access Controller Access-Control System Plus

Example questions from this domain: (answer key follows)

Answers:

  1. RADIUS is the only open protocol listed. An open protocol is one whose specification is published (RADIUS is defined in RFC 2865), so any vendor can implement it and interoperate with others. The other protocols listed were developed by Cisco as proprietary protocols. Note that TACACS+ has since been documented publicly in RFC 8907, so treat the "proprietary" distinction as historical when you see it in older study material.
  2. The Service Provisioning Markup Language (SPML) allows for the automation of user management (account creation, amendments, revocation) and access entitlement configuration related to electronically published services across multiple provisioning systems. This supports the exchange of provisioning data between applications, which could reside in one organization or many.

Domain 6: Security Assessment and Testing

This domain evaluates your understanding of the best ways to assess and test your security. 

You'll be tested on which security control testing capability to use and when; the terms listed below cover several of the testing tools and strategies you should be familiar with. 

Also, be aware of how you might collect security process data, analyze test output, generate reports, and conduct internal, external, and third-party audits. 

Review these terms before taking the CISSP exam:

  • DR: Disaster Recovery
  • BC: Business Continuity
  • AST: Application Security Testing
  • Misuse Case Testing: Testing how an application might be misused to find vulnerabilities
  • BAS: Breach and Attack Simulations

Example questions from this domain: (answer key follows)

Answers:

  1. Penetration testing reports typically identify vulnerabilities and their severity, the method used to exploit them, and information on how to remediate those same vulnerabilities.
  2. The product is not actually used in a production environment until the life cycle reaches the operations and maintenance phase. The testing phase leads to this next level, but certain tasks must be completed before the product can be used. Testing, certifying, and integration tasks must all be completed first to ensure the product functions properly and coexists successfully with other network devices and software.

Domain 7: Security Operations

As a senior cyber security professional, you must understand how logging and monitoring work, how to apply foundational security operations concepts, how to conduct incident management, how to implement detective and preventative security measures, how to implement recovery strategies, and much more. 
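Logging and monitoring questions in this domain come down to turning raw events into a detection with a threshold and a time window. The following is an added example, not code from the original article: a detector that slides a two-minute window over SSH authentication log lines and raises one alert per source that reaches five failures, then marks the alert if a successful login from that source follows, which is the pattern a brute-force or password spray that eventually lands leaves behind. The log lines are constructed in a syslog-like layout for the example, and the threshold and window are assumed values.

```python
# Added example (not from the original article): windowed brute-force detection
# over constructed SSH auth log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample: five failures then a success from one source, one
# ordinary failed-then-successful login from another.
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[811]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2
2024-05-01T09:00:03 sshd[811]: Failed password for root from 203.0.113.9 port 51001 ssh2
2024-05-01T09:00:04 sshd[811]: Failed password for root from 203.0.113.9 port 51002 ssh2
2024-05-01T09:00:06 sshd[811]: Failed password for deploy from 203.0.113.9 port 51003 ssh2
2024-05-01T09:00:07 sshd[811]: Failed password for deploy from 203.0.113.9 port 51004 ssh2
2024-05-01T09:00:09 sshd[811]: Accepted password for deploy from 203.0.113.9 port 51005 ssh2
2024-05-01T09:10:00 sshd[812]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-05-01T09:10:30 sshd[812]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
"""


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> list[dict]:
    """Return one alert per source that reaches `threshold` failures inside `window`.
    A later success from an alerted source is recorded, since 'failed N times then
    got in' should raise the alert's priority rather than clear it."""
    failures: dict[str, deque] = defaultdict(deque)  # src -> timestamps of recent failures
    alerts: dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an authentication event we care about
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        q = failures[src]
        if m["result"] == "Failed":
            q.append(ts)
            while q and ts - q[0] > window:  # expire failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"src": src, "failures": len(q), "first": q[0],
                               "succeeded_after": False}
        elif src in alerts:
            alerts[src]["succeeded_after"] = True
            alerts[src]["user"] = m["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two design points carry over to any SIEM rule: expire events that fall outside the window so a slow trickle of failures over a day does not accumulate into a false alert, and alert once per source rather than on every subsequent failure, or the analyst queue fills with duplicates of the same incident.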

You must also understand the best ways to shore up physical security and protect the physical safety of your employees. 

Some keywords and acronyms to remember are:

  • DRP: Disaster Recovery Plans
  • QoS: Quality of Service
  • IDS: Intrusion Detection Systems
  • IPS: Intrusion Prevention Systems
  • SLAs: Service Level Agreements
  • UEBA: User and Entity Behavior Analytics

Example questions from this domain: (answer key follows)

Answers:

  1. In a simulation test, all employees who participate in operational and support functions—or their representatives—come together to practice executing the disaster recovery plan based on a specific scenario. The scenario tests the reaction of each operational and support representative. The simulation test continues up to the point of relocation to an offsite facility and shipment of replacement equipment, which is where it stops.
  2. Telephone service may not be available after a disaster. Alternatives, such as cell phones or ham radios, should be in place for communication purposes.

Domain 8: Software Development Security

You’ll be quizzed on your grasp of the entire software development cycle, including the Agile, Waterfall, DevOps, and DevSecOps development methodologies. 

You’ll surely also answer questions regarding the best ways to apply security controls to software development ecosystems. 

Even if you’ve used the best controls, you won’t know if there’s a vulnerability until you audit and log changes, provide risk analysis, and feel confident that you’ve applied secure coding guidelines. 

But it’s not all about the software you produce. Acquired software can also pose a threat to digital security. Your understanding of how to assess purchased software will also be tested. 

Some keywords and phrases to remember are:

  • COTS: Commercial-off-the-shelf
  • SaaS: Software as a Service
  • IaaS: Infrastructure as a Service
  • PaaS: Platform as a Service
  • SOAR: Security Orchestration, Automation, and Response 
  • SAMM: Software Assurance Maturity Model

Example questions from this domain: (answer key follows)

Answers:

  1. The product is not used in a production environment until the life cycle reaches the operations and maintenance phase. The testing phase leads to this next level, but specific tasks must be completed before the product can be used. Testing, certifying, and integration tasks must all be completed first to ensure the product functions properly and coexists successfully with other network devices and software.
  2. Static analysis examines code without executing it, so it can be run on source code (or on a compiled binary) before the program is ever deployed. The term static analysis is generally reserved for automated tools that assist programmers and developers, whereas manual inspection by humans is generally referred to as code review.
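To make the distinction concrete, the following is an added example, not code from the original article: a toy static analyser built on Python's `ast` module. It never executes the code it inspects; it parses the source into a syntax tree, walks every call expression, and reports the ones that are common sources of injection and command-execution bugs. The rule table and the sample program under test are constructed for the example, and a real tool would carry far more rules and data-flow tracking.

```python
# Added example (not from the original article): a toy static analyser that
# flags dangerous calls in Python source without running it.
import ast

# Constructed rule table: dotted call name -> why it is flagged.
DANGEROUS_CALLS = {
    "eval": "arbitrary code execution from a string",
    "exec": "arbitrary code execution from a string",
    "os.system": "shell command built from a string",
    "pickle.loads": "deserialisation of untrusted data",
    "yaml.load": "unsafe YAML loader unless Loader=SafeLoader is passed",
}


def _qualified_name(node: ast.AST) -> str:
    """Turn the call target of `os.system(...)` into the dotted name 'os.system'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualified_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def analyse(source: str, filename: str = "<input>") -> list[dict]:
    """Parse `source` and return findings sorted by line; nothing is executed."""
    findings = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node.func)
        if name in DANGEROUS_CALLS:
            findings.append({"line": node.lineno, "call": name, "why": DANGEROUS_CALLS[name]})
        # subprocess.* with shell=True is the same class of risk as os.system.
        if name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            findings.append({"line": node.lineno, "call": name,
                             "why": "shell=True with a string command"})
    return sorted(findings, key=lambda f: f["line"])


# Constructed program under test (never executed by the analyser).
SAMPLE_SOURCE = '''\
import os, subprocess, pickle

def run(user_input):
    os.system("ls " + user_input)                 # line 4: flagged
    subprocess.run(user_input, shell=True)        # line 5: flagged
    subprocess.run(["ls", user_input])            # safe: argv list, no shell
    return pickle.loads(user_input)               # line 7: flagged
'''

if __name__ == "__main__":
    for f in analyse(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{f['line']}: {f['call']}: {f['why']}")
```

Notice what the tool cannot tell you: it flags `os.system` on line 4 whether or not `user_input` is attacker-controlled, and it would miss the same call reached through an alias such as `run = os.system`. Those gaps are exactly why static analysis is paired with code review and with dynamic testing rather than relied on alone.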

Conclusion

As the most globally recognized cyber security certification, the CISSP exam will test you on a wealth of technical and managerial cyber security-related information. It’ll test your ability to design, engineer, test, and manage an organization's security posture. 

The best way to prepare yourself is by joining the StationX Accelerator Program. It’s here that you’ll have access to the over 1,000 courses, tests, and labs to help prepare you for CISSP. You’ll also receive unlimited mentorship, access to mastermind groups, find support in our forums, and much more. 

To get started studying for the CISSP, consider enrolling in the following courses:

Spencer Abel

Spencer is part cyber security professional and part content writer. He specializes in helping those attempting to pivot into the vast and always-changing world of cyber security by making complex topics fun and palatable. Connect with him over at LinkedIn to stay up-to-date with his latest content.
