CISSP domains overview: Your complete preparation guide
Whether you're looking to advance your cybersecurity career or validate your expertise in information security, the Certified Information Systems Security Professional (CISSP) certification might be your next strategic move. As the most globally recognized certification in information security, CISSP validates your ability to design, engineer and manage the overall security posture of an organization.
The certification's broad scope ensures its relevance across all disciplines in information security. Successful CISSP candidates demonstrate technical and managerial competence, with experience spanning at least two of the eight domains the certification covers.
As of March 2024, over 165,000 CISSP-certified members worldwide have proven their expertise through this rigorous examination process. This article explores the CISSP domains in depth across the following areas:
- Understanding CISSP domains
- Deep dive into CISSP topics and domains
- Domain 1: Security and Risk Management
- Domain 2: Asset Security
- Domain 3: Security Architecture and Engineering
- Domain 4: Communication and Network Security
- Domain 5: Identity and Access Management
- Domain 6: Security Assessment and Testing
- Domain 7: Security Operations
- Domain 8: Software Development Security
- CISSP impact on cybersecurity careers
- Preparing for the CISSP exam
- CISSP takeaways
- CISSP FAQ
For additional information on the CISSP, get our free ebook of CISSP exam tips and tricks or watch our webinar, “Don't fail your CISSP exam! Proven tips to pass on your first try.”
Earn your CISSP, guaranteed!
Understanding the CISSP domains
The CISSP certification tests your knowledge across eight distinct domains, each representing crucial areas of information security expertise. These domains form a comprehensive Common Body of Knowledge (CBK) that ensures security leaders understand current regulations, practices, and technologies.
Domain structure and weights
As of April 15, 2024, the CISSP exam domains have been refreshed with updated weights to reflect the evolving cybersecurity landscape:
- Security and Risk Management (16%)
- Forms the foundation of information security strategy
- Covers governance, compliance and business continuity
- Increased emphasis reflects the growing importance of risk management
- Asset Security (10%)
- Focuses on protecting digital and physical assets
- Addresses data security throughout its lifecycle
- Includes classification, ownership, and retention policies
- Security Architecture and Engineering (13%)
- Encompasses design principles and security models
- Covers cryptography and physical security
- Addresses emerging technologies and architectural frameworks
- Communication and Network Security (13%)
- Covers secure network architecture and components
- Addresses cloud computing and virtual environments
- Includes wireless and mobile security considerations
- Identity and Access Management (13%)
- Manages identification and authentication strategies
- Covers physical and logical access controls
- Includes federation and third-party services
- Security Assessment and Testing (12%)
- Focuses on security control testing and validation
- Covers internal and external assessment strategies
- Includes security process data collection and analysis
- Security Operations (13%)
- Addresses day-to-day security operations
- Covers incident management and disaster recovery
- Includes investigation and preventative measures
- Software Development Security (10%)
- Covers secure development methodologies
- Addresses security controls in development environments
- Includes assessment of acquired software security
How the domains work together
While each domain represents a distinct area of expertise, they're designed to work together as an integrated framework for comprehensive security management. For example:
- Risk management strategies from Domain 1 inform the asset protection approaches in Domain 2
- Identity management controls from Domain 5 support the secure operations covered in Domain 7
- Security architecture principles from Domain 3 guide the network security implementations in Domain 4
Recent changes and updates
The 2024 CISSP domain refresh includes several significant updates:
- Domain 1 (Security and Risk Management) has increased from 15% to 16%, reflecting the growing importance of risk management in cybersecurity
- Domain 8 (Software Development Security) has decreased from 11% to 10%
- All other domains maintain their previous weights but include updated content reflecting current technologies and practices
Deep dive into CISSP topics and domains
Success in the CISSP exam requires more than memorizing facts — it demands a thorough understanding of how security concepts apply in real-world scenarios. This section explores each domain in detail, examining key concepts, recent updates, and practical applications. For each domain, you'll learn what the exam tests, why it matters for security professionals, and how to approach the material effectively. For more information, check out the CISSP exam outline.
Domain 1: Security and Risk Management (16%)
The first domain of the CISSP certification, Security and Risk Management, forms the foundation of information security within organizations. Recently expanded to 16% of the exam content, this domain emphasizes the crucial role of risk management in modern cybersecurity strategy. It covers everything from professional ethics to business continuity planning, ensuring that security professionals can effectively protect their organizations while meeting regulatory requirements.
Here is a breakdown of this domain's subtopics:
- 1.1 Understand, adhere to, and promote professional ethics
- ISC2 Code of Professional Ethics
- Organizational code of ethics
- 1.2 Understand and apply security concepts
- Confidentiality, integrity, availability, authenticity, and nonrepudiation
- 1.3 Evaluate and apply security governance principles
- Alignment of security function to business strategy, goals, mission, and objectives
- Organizational processes
- Security control frameworks
- Due care/due diligence
- 1.4 Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context
- Cybercrimes and data breaches
- Licensing and intellectual property requirements
- Import/export controls
- Privacy regulations and compliance
- 1.5 Understand requirements for investigation types
- 1.6 Develop, document, and implement security policy, standards, procedures, and guidelines
- 1.7 Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements
- Business impact analysis (BIA)
- External dependencies
- 1.8 Contribute to and enforce personnel security policies and procedures
- Candidate screening and hiring
- Employment agreements and policy-driven requirements
- Onboarding, transfers, and termination processes
- Vendor, consultant, and contractor agreements and controls
- 1.9 Understand and apply risk management concepts
- Threat and vulnerability identification
- Risk analysis, assessment, and scope
- Risk response and treatment
- Applicable types of controls
- Control assessments
- Continuous monitoring and measurement
- Reporting
- Continuous improvement
- Risk frameworks
- 1.10 Understand and apply threat modeling concepts and methodologies
- 1.11 Apply supply chain risk management (SCRM) concepts
- Risks associated with the acquisition of products and services from suppliers and providers
- Risk mitigations
- 1.12 Establish and maintain a security awareness, education, and training program
- Methods and techniques to increase awareness and training
- Periodic content reviews to include emerging technologies and trends
- Program effectiveness evaluation
Risk is fundamental to every aspect of information security. The following sections explore each of these topics in detail, providing the context and practical knowledge you'll need to understand these concepts for both the exam and real-world application.
Goals of a security model
To effectively implement security governance principles (subdomain 1.3) and develop security policies (subdomain 1.6), organizations must understand how security models operate across different timeframes and organizational levels:
- Operational goals (daily):
- Focus on productivity and task-oriented activities
- Ensure smooth company functionality
- Include activities like:
- Patching computers as needed
- Supporting users
- Updating antivirus signatures
- Maintaining network operations
- Tactical goals (mid-term):
- Moving computers into domains
- Installing firewalls
- Segregating networks through DMZ creation
- Integrating workstations and resources into one domain for central control
- Other mid-term implementation projects
- Strategic goals (long-term):
- Moving branches from dedicated lines to frame relay
- Implementing IPSec VPNs for remote users
- Integrating wireless technology with comprehensive security controls
- Long-term infrastructure and security evolution
This approach to strategy is called the "planning horizon." Organizations typically can't implement all changes simultaneously; some changes depend on others. For example, an organization wanting to implement its own certificate authority (CA) and PKI enterprise-wide needs first to establish proper domain structure and centralized control.
Security fundamentals: CIA Triad
The CIA triad is central to understanding and applying security concepts (subdomain 1.2). It provides the framework for evaluating security governance principles (subdomain 1.3) and developing effective security policies (subdomain 1.6). This foundational model guides how organizations protect their assets and implement controls.
1. Confidentiality: Prevent unauthorized disclosure
Key areas for maintaining confidentiality:
- Social engineering: Training, awareness, separation of duties, policy enforcement, vulnerability assessments
- Media reuse: Proper sanitization strategies
- Eavesdropping: Encryption and access controls
2. Integrity: Detect modification of information
Key areas for maintaining integrity:
- Implementing integrity-protecting cryptographic algorithms
- Preventing intentional or malicious modification through:
- Message digests
- Message Authentication Codes (MAC)
- Digital signatures
3. Availability: Provide timely access
Key focus for maintaining availability:
- Preventing single points of failure
- Implementing comprehensive fault tolerance for:
- Data
- Hard drives
- Servers
- Network links
Best practices supporting CIA
- Separation of duties: Prevents individual overreach and provides focus. Security administrators should never be network administrators. This preventative control helps prevent collusion.
- Mandatory vacations: Forces operators to temporarily relinquish system control, acting as a detective control.
- Job rotation: Similar to mandatory vacations but adds cross-training benefits.
- Least privilege: Users receive only required access for their jobs.
- Need to know: Beyond clearance, users must demonstrate the necessity for classified data access.
- Dual control: Multiple users are required for task completion.
Risk management lifecycle
Risk management involves identifying, examining, measuring, mitigating, and transferring risk to reduce probability and impact. The lifecycle includes:
- Risk assessment
- System characterization
- Threat identification
- Vulnerability identification
- Control analysis
- Likelihood determination
- Impact analysis
- Risk determination
- Control recommendations
- Results documentation
- Risk analysis
- Qualitative: Subjective "high," "medium," "low" classifications
- Quantitative: Objective, numbers-driven analysis essential for business decisions
- Key formulas:
- Single Loss Expectancy (SLE) = Asset Value × Exposure Factor
- Annual Loss Expectancy (ALE) = SLE × Annual Rate of Occurrence
- Risk Value = Probability × Impact
- Risk mitigation
- Reduce
- Transfer
- Accept
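The quantitative formulas above, worked through in Python as an added example (not part of the original article). The asset values, safeguard costs and the risk-appetite threshold are constructed, and the safeguard cost/benefit rule (ALE before, minus ALE after, minus the annual cost of the safeguard) extends the page's formulas to the reduce/transfer/accept decision:

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One entry of a risk register (all values constructed for the example)."""
    name: str
    asset_value: float       # AV: value of the asset, in currency units
    exposure_factor: float   # EF: fraction of AV lost in a single incident (0.0 .. 1.0)
    aro: float               # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value × Exposure Factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE × Annual Rate of Occurrence."""
        return self.sle() * self.aro


@dataclass
class Safeguard:
    """A proposed control and the residual EF / ARO expected once it is in place."""
    name: str
    annual_cost: float       # annualized cost of the safeguard (purchase, operation, staff)
    residual_ef: float       # exposure factor after the control is applied
    residual_aro: float      # rate of occurrence after the control is applied


def residual_ale(risk: Risk, sg: Safeguard) -> float:
    """ALE after the safeguard is applied: same asset value, reduced EF and/or ARO."""
    return risk.asset_value * sg.residual_ef * sg.residual_aro


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Net annual value of the safeguard (assumed cost/benefit rule, not from the page):
    ALE(before) - ALE(after) - annual cost. Positive means the control pays for itself."""
    return risk.ale() - residual_ale(risk, sg) - sg.annual_cost


def recommend(risk: Risk, sg: Safeguard, risk_appetite: float) -> str:
    """Map the numbers onto the treatment options listed above.
    risk_appetite is an assumed organizational threshold (the ALE the business tolerates);
    the decision rule is a deliberate simplification for illustration."""
    if risk.ale() <= risk_appetite:
        return "accept"          # already below appetite: no spend required
    if safeguard_value(risk, sg) > 0:
        return "reduce"          # the control is cost-justified
    return "transfer"            # e.g. insure or outsource the risk instead


if __name__ == "__main__":
    appetite = 10_000.0  # constructed threshold
    db = Risk("customer database", asset_value=200_000, exposure_factor=0.25, aro=0.5)
    db_control = Safeguard("offline backups + MFA", annual_cost=8_000,
                           residual_ef=0.25, residual_aro=0.1)
    print(db.name, "SLE", db.sle(), "ALE", db.ale())            # SLE 50000, ALE 25000
    print("safeguard value", safeguard_value(db, db_control))     # 12000
    print("treatment:", recommend(db, db_control, appetite))      # reduce
```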
Security management approach
Most security problems stem from poor security management. Two primary approaches exist:
- Top-down approach (Recommended)
- Directed and supported by top management
- Provides necessary resources and support
- Ensures program success through leadership commitment
- Bottom-up approach (Problematic)
- IT department drives security initiatives
- Often lacks funding and support
- Usually struggles due to insufficient resources
Domain 2: Asset Security (10%)
Asset security, which makes up 10% of the CISSP exam content, protects an organization's most valuable resources - its information and assets. This domain ensures security professionals understand how to identify, classify, and protect assets throughout their entire lifecycle, from creation through destruction. Whether dealing with sensitive data, physical equipment, or intellectual property, the principles covered in this domain help organizations maintain their assets' confidentiality, integrity, and availability while meeting compliance requirements.
Here is a breakdown of this domain's subtopics:
- 2.1 Identify and classify information and assets
- Data classification
- Asset Classification
- 2.2 Establish information and asset handling requirements
- 2.3 Provision information and assets securely
- Information and asset ownership
- Asset inventory
- Asset management
- 2.4 Manage data lifecycle
- Data roles
- Data collection
- Data location
- Data maintenance
- Data retention
- Data remanence
- Data destruction
- 2.5 Ensure appropriate asset retention (e.g., End of Life (EOL), End of Support)
- 2.6 Determine data security controls and compliance requirements
- Data states
- Scoping and tailoring
- Standards selection
- Data protection methods
Asset security includes concepts, structures, principles, and standards to monitor and secure anything important to the organization, including partners, employees, facilities, equipment, and information. The following sections thoroughly explore these topics, demonstrating how they work together to protect organizational assets.
Information classification
Understanding classification levels is fundamental to identifying and classifying information assets (subdomain 2.1) and establishing proper handling requirements (subdomain 2.2). The classification tag follows an asset throughout its lifecycle, ensuring appropriate protection at each stage.
Organizations choose classification levels based on their operational scope:
- Commercial business classifications:
- Public data: Information viewable by the general public; disclosure causes no damage
- Sensitive information: Requires extraordinary precautions for confidentiality and integrity
- Private data: Personal information like credit card data; unauthorized disclosure can be disastrous
- Confidential information: Used only within the organization; unauthorized disclosure has serious consequences
- Government classifications:
- Unclassified information: Non-sensitive information
- Secret information: Disclosure could adversely affect national security
- Top secret information: Disclosure could cause massive damage to national security
Data ownership
Successful data lifecycle management (subdomain 2.4) requires clear roles and responsibilities for various entities involved in data protection:
- The data owner is a manager who ensures data protection and determines the classification level.
- The system owner is responsible for the operation of the computer system that stores the data, including its hardware and software configuration and supporting services such as related cloud services.
- The data custodian is responsible for protecting data through maintenance activities: backing it up and archiving it, preventing loss or corruption, and recovering it when needed.
- The security administrator is responsible for ensuring the overall security of the entire infrastructure. These professionals perform tasks that lead to the discovery of vulnerabilities, monitor network traffic and configure tools to protect the network.
- Supervisors are responsible for overseeing the activities of all the entities above and all support personnel.
- Users must comply with rules, mandatory policies, standards and procedures. Users are granted access to data according to their roles and their need to know.
Retention policies
Implementing appropriate asset retention (subdomain 2.5) requires balancing business needs with risk management. Organizations must preserve sensitive data for required periods while ensuring it's not kept longer than necessary.
Three fundamental questions guide retention policy development:
- How to retain data
- Must maintain accessibility when needed
- Consider taxonomy (classification scheme)
- Functional categories (HR, product development)
- Organizational categories (executive, union employee)
- Combined approaches
- Implement normalization for searchability
- Standardize formats for diverse data types
- How long to retain data
- Common approaches balance between
- Keep everything approach (outdated)
- Keep nothing approach (impractical)
- Guidelines for retention duration:
- Tax records: 7 years
- Employment records: 7 years after termination
- Contract documents: 7 years after expiration
- Corporate documents: Permanent
- Customer master files: Permanent
- What data to retain
- Business management information
- Third-party dealings documentation
- Partnership records
- Compliance documentation
Privacy protection
Protecting privacy is essential when provisioning information assets securely (subdomain 2.3) and determining security controls (subdomain 2.6). Data owners play a crucial role in deciding who can access specific data.
Data remnants remain even after data has been deleted, and they can seriously threaten privacy. A delete operation typically only marks the storage as available for other data without erasing the original content. Four approaches are used to counter data remanence:
- Overwriting: Replace original data with patterns of zeros and ones
- Degaussing: Remove magnetic field patterns
- Encryption: Protect data with cryptographic keys
- Shredding: Physical destruction of media
Data security controls
Security control selection (subdomain 2.6) requires consideration of data states and appropriate protection methods:
- Scoping and tailoring
- Scoping determines applicable standards
- Tailoring customizes standards for organization
- Protection methods
- Drive encryption for data at rest
- Secure protocols for data in transit
- Application controls for data in use
Handling requirements
Proper handling requirements (subdomain 2.2) encompass:
- Marking
- Enable easy recognition of data value
- Ensure appropriate protection levels
- Support availability, confidentiality, and integrity
- Handling
- Maintain protection levels during transport
- Apply security measures based on classification
- Storing
- Implement controls based on sensitivity
- Use encryption and backup options
- Destroying
- Eliminate data when no longer needed
- Ensure no data remanence remains
Domain 3: Security Architecture and Engineering (13%)
Security architecture and engineering forms the technical foundation for building secure systems and infrastructure. At 13% of the CISSP exam content, this domain ensures security professionals can effectively design, implement, and manage security controls while understanding core concepts like cryptography and physical security. This domain covers the technical building blocks needed to create resilient security architectures, from memory protection to secure facility design.
Here is a breakdown of this domain's subtopics:
- 3.1 Research, implement and manage engineering processes using secure design principles
- Threat modeling
- Least privilege
- Defense in depth
- Secure defaults
- Fail securely
- Segregation of Duties (SoD)
- Keep it simple and small
- Zero trust or trust but verify
- Privacy by design
- Shared responsibility
- Secure access service edge
- 3.2 Understand the fundamental concepts of security models
- 3.3 Select controls based upon systems security requirements
- 3.4 Understand the security capabilities of Information Systems (IS)
- 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
- Client-based systems
- Server-based systems
- Database systems
- Cryptographic systems
- Industrial Control Systems (ICS)
- Cloud-based systems
- Distributed systems
- Internet of Things (IoT)
- Microservices
- Containerization
- Serverless
- Embedded systems
- High-Performance Computing systems
- Edge computing systems
- Virtualized systems
- 3.6 Select and determine cryptographic solutions
- Cryptographic life cycle
- Cryptographic methods
- Public key infrastructure
- Key management practices
- Digital signatures and certificates
- 3.7 Understand methods of cryptanalytic attacks
- Brute force
- Ciphertext only
- Known plaintext
- Frequency analysis
- Chosen ciphertext
- Implementation attacks
- Side-channel
- Fault injection
- Timing
- Man-in-the-Middle (MITM)
- Pass the hash
- Kerberos exploitation
- Ransomware
- 3.8 Apply security principles to site and facility design
- 3.9 Design site and facility security controls
- Wiring closets/intermediate distribution facilities
- Server rooms/data centers
- Media storage facilities
- Evidence storage
- Restricted and work area security
- Utilities and heating, ventilation, and air conditioning (HVAC)
- Environmental issues
- Fire prevention, detection, and suppression
- Power
- 3.10 Manage the information system lifecycle
- Stakeholders' needs and requirements
- Requirements analysis
- Architectural design
- Development/implementation
- Integration
- Verification and validation
- Transition/deployment
- Operations and maintenance/sustainment
- Retirement/disposal
The following sections explore each of these concepts in detail, examining how security architecture and engineering principles work together to create secure, resilient systems. Let's begin with the system development lifecycle.
NIST system development lifecycle
The System Development Life Cycle (SDLC) directly supports implementing secure engineering processes (subdomain 3.1) by addressing security at every stage of system development. This methodology ensures security integration from the initial concept through retirement.
The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) first addressed this topic with the publication of NIST SP 800-64, Security Considerations in the System Development Life Cycle; its second revision was retired in 2019.
Currently, professionals can refer to NIST SP 800-160 Vol 1, which addresses "the engineering-driven actions necessary to develop more defensible and survivable systems" in a landscape in which the frequency, intensity and adverse consequences of sophisticated cyberattacks on the systems are on the rise.
Domain 3 represents the exam portion for those who will implement architectural information security requirements in information systems to minimize or eliminate security vulnerabilities introduced in the development lifecycle. Several security models are covered.
Security models
Security models (subdomain 3.2) provide theoretical frameworks for implementing security policies. Key models include:
- Bell-LaPadula Model
- Focuses on confidentiality
- Uses security levels and categories
- Implements "no read up, no write down"
- Biba Model
- Focuses on integrity
- Prevents modification by lower integrity subjects
- Implements "no write up, no read down"
- Star Model (Clark-Wilson)
- Focuses on data integrity
- Uses well-formed transactions
- Enforces separation of duties
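The Bell-LaPadula and Biba rules above, encoded as an added Python example (not from the CISSP outline or any vendor's code). Labels carry a level and a set of categories, and a label "dominates" another when its level is at least as high and it holds a superset of the categories; the level names, category names and sample labels are constructed for illustration:

```python
from dataclasses import dataclass

# Constructed level ordering for the example lattice (assumed, not from the page).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of categories (compartments)."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: self >= other iff its level is at least as high
        and it carries every category the other label carries."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read : simple security property, "no read up"   -> subject must dominate object
    write: *-property,               "no write down" -> object must dominate subject"""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): the dual of BLP, read over an integrity lattice.
    read : simple integrity axiom, "no read down" -> object must dominate subject
    write: *-integrity axiom,      "no write up"  -> subject must dominate object"""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


def check_requests(model, requests):
    """Run (subject_label, object_label, op) triples through one model and
    return the decisions as 'allow' / 'deny' strings, in order."""
    return ["allow" if model(s, o, op) else "deny" for s, o, op in requests]


if __name__ == "__main__":
    # Constructed subject and objects.
    analyst = Label("secret", frozenset({"crypto"}))
    memo = Label("confidential")                        # below the analyst
    plan = Label("top_secret", frozenset({"crypto"}))   # above the analyst
    other = Label("secret", frozenset({"nuclear"}))     # same level, different compartment
    reqs = [(analyst, memo, "read"), (analyst, plan, "read"), (analyst, other, "read"),
            (analyst, memo, "write"), (analyst, plan, "write")]
    print("BLP :", check_requests(blp_allows, reqs))    # allow deny deny deny allow
    print("Biba:", check_requests(biba_allows, reqs))   # deny allow deny allow deny
```

The same five requests flip between the two models because BLP protects against leaking secrets downward while Biba protects trusted data from being polluted by less trusted sources.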
Enterprise security architecture framework
Understanding and implementing security architecture frameworks (subdomain 3.3) is crucial for organizations highly dependent on information systems. A well-designed security architecture provides:
- Effective security controls
- Business operation support
- Risk mitigation strategies
- Compliance adherence
Information system security capabilities
Understanding security capabilities (subdomain 3.4) includes:
- Memory protection
- Address space isolation
- Process separation
- Memory encryption
- Hardware security
- Trusted Platform Modules
- Secure boot processes
- Hardware encryption
- System hardening
- Service minimization
- Configuration management
- Security baseline establishment
Vulnerability assessment
Assessing vulnerabilities (subdomain 3.5) involves examining:
- Architecture components
- Client systems
- Server infrastructure
- Network design
- Cloud services
- IoT devices
- Virtualization platforms
- Common vulnerabilities
- Configuration errors
- Design flaws
- Implementation weaknesses
- Process gaps
- Integration issues
Cryptographic solutions
Selection of cryptographic solutions (subdomain 3.6) requires understanding:
- Cryptographic lifecycle
- Key generation and distribution
- Algorithm selection
- Implementation
- Retirement
- Methods and approaches
- Symmetric encryption
- Asymmetric encryption
- Hash functions
- Digital signatures
- Key management
Physical security
Physical security design (subdomains 3.8 and 3.9) encompasses:
- Facility design
- Perimeter security
- Access control points
- Environmental controls
- Power management
- Security controls
- Barriers and fencing
- Lighting
- Alarm systems
- Video surveillance
- Guard force operations
Domain 4: Communication and Network Security (13%)
Communication and network security serves as the backbone of modern information systems, representing 13% of the CISSP exam content. This domain focuses on securing data as it moves through networks, addressing everything from basic network architecture to complex cloud implementations. Security professionals must understand the technical aspects of network protocols and how to design and implement secure network architectures that protect increasingly distributed systems.
Here is a breakdown of this domain's subtopics:
- 4.1 Apply secure design principles in network architectures
- OSI and TCP/IP models
- IP version 4 and 6
- Secure protocols
- Implications of multilayer protocols
- Converged protocols
- Transport architecture
- Performance metrics
- Traffic flows
- Physical segmentation
- Logical segmentation
- Micro-segmentation
- Edge networks
- Wireless networks
- Cellular/mobile networks
- Content distribution networks (CDN)
- Software defined networks (SDN)
- Virtual Private Cloud (VPC)
- Monitoring and management
- 4.2 Secure network components
- Operation of infrastructure
- Transmission media
- Network Access Control (NAC) systems
- Endpoint security
- 4.3 Implement secure communication channels according to design
- Voice, video, and collaboration
- Remote access
- Data communications
- Third-party connectivity
The sections below examine the practical implementation of these concepts, exploring how different security components work together to create robust network defenses. We'll explore architecture models, protocol security, and the evolution of network segmentation approaches.
Network architecture fundamentals
The OSI and TCP/IP models provide essential frameworks for understanding network communication, but their practical implementation requires careful security considerations at each layer. Network architects must understand how vulnerabilities at one layer can impact others, creating potential cascading security failures if not properly managed.
The transport layer serves as a crucial security boundary, managing both session establishment and data flow. Modern networks have evolved beyond simple packet handling to implement advanced transport architectures that balance security with performance requirements. Cut-through switching enables faster packet processing by examining only the destination address while maintaining security through access control lists and traffic monitoring. This architecture particularly benefits high-frequency trading and real-time applications where latency is critical.
Store-and-forward architecture takes a more conservative approach, providing additional security by fully receiving and checking packets before forwarding them. This makes it ideal for environments requiring deep packet inspection or strong security controls, though at the cost of slightly increased latency. Many organizations implement both architectures in different parts of their network, optimizing for security or performance based on specific requirements.
Segmentation strategies
Modern network segmentation combines physical, logical, and micro-segmentation techniques to create robust defense-in-depth. Key approaches include:
- Physical separation:
- Out-of-band management networks with dedicated hardware
- Air-gapped networks for critical systems
- Physically isolated backup infrastructure
- Separate cabling for sensitive control systems
- Logical controls:
- VLAN segmentation with strict access controls
- Virtual routing and forwarding (VRF) instances
- Network access control (NAC) implementation
- Software-defined network boundaries
- Zero Trust implementation:
- Identity-based access controls
- Microsegmentation around individual workloads
- Continuous monitoring and verification
- Dynamic security policy enforcement
Secure communication protocols
Modern networks must support diverse communication types while maintaining security. Voice and video traffic present unique challenges due to their real-time nature and sensitivity to latency. Organizations implement specialized controls, including:
- Real-time communications security:
- Session Border Controllers for VoIP security
- Media encryption using SRTP
- QoS mechanisms for voice/video priority
- Call authentication and monitoring
- Remote access technologies:
- Software-defined perimeters
- Zero trust network access platforms
- Multi-factor authentication integration
- Endpoint security verification
Edge and cloud networking
The rapid growth of edge computing and cloud services has fundamentally changed how organizations approach network architecture. Content delivery networks now extend beyond simple caching to become integral parts of security infrastructure. These distributed systems help organizations maintain consistent security controls across diverse geographic locations while optimizing performance for end users.
Edge networks provide local processing and security enforcement points closer to users and devices, reducing latency while ensuring appropriate controls are applied based on local requirements. This distributed architecture helps organizations comply with regional privacy regulations while maintaining high performance for time-sensitive applications.
Modern CDNs integrate advanced security services directly into their infrastructure. Web application firewalls distributed across edge locations protect against application-layer attacks while maintaining performance through distributed processing. Machine learning systems analyze traffic patterns across the entire network to identify and block emerging threats. The massive scale of CDN infrastructure also provides natural protection against DDoS attacks, absorbing malicious traffic while maintaining service availability for legitimate users.
Domain 5: Identity and Access Management (13%)
Identity and access management (IAM) represents a cornerstone of enterprise security, comprising 13% of the CISSP exam content. This domain focuses on the crucial task of ensuring the right individuals have appropriate access to resources while preventing unauthorized access. As organizations increasingly adopt cloud services and support remote work, IAM has become more complex, requiring security professionals to understand everything from basic authentication principles to advanced federated identity solutions.
Here is a breakdown of this domain's subtopics:
- 5.1 Control physical and logical access to assets
- Information
- Systems
- Devices
- Facilities
- Applications
- Services
- 5.2 Design identification and authentication strategy
- Groups and Roles
- Authentication, Authorization and Accounting (AAA)
- Registration, proofing, and establishment of identity
- Federated Identity Management (FIM)
- Credential management systems (e.g., Password vault)
- Single sign-on (SSO)
- Just-In-Time
- 5.3 Federated identity with a third-party service
- On-premises
- Cloud
- Hybrid
- 5.4 Implement and manage authorization mechanisms
- Role-based access control (RBAC)
- Rule-based access control
- Mandatory access control (MAC)
- Discretionary access control (DAC)
- Attribute-based access control (ABAC)
- Risk-based access control
- Access policy enforcement
- 5.5 Manage the identity and access provisioning lifecycle
- Account access review
- Provisioning and deprovisioning
- Service accounts management
- Role definition and transition
- Privilege escalation
- 5.6 Implement authentication systems
The following sections explore these IAM concepts in depth, examining how they work together to create comprehensive identity and access management solutions.
Access Control Process
The access control process consists of three steps:
- Identification
- Authentication
- Authorization
Identification
Physical World: Physical access control deals with issues of identity and restricts admission to certain individuals. This covers cases where an individual makes a claim about his or her identity but doesn't present any proof. Imagine a situation where you want to enter a secure office building for an appointment, but during the identification step of the process, you just walk up to the security desk and say, "Hi, I'm Sam."
Computer World: When we log in to a system, we identify ourselves using a username, one most likely composed of some combination of the letters from our names.
Authentication
Physical World: During the authentication step, proof comes into play as the individual proves his or her identity to the satisfaction of the access-control system. Consider the same case when entering the secure building: the guard would likely want to see Sam's driver's license to confirm whether this is Sam or not.
Computer World: In the authentication phase, the user is commonly asked to enter a password.
Authorization
Physical World: In the same example above, the security guard might check a list of that day's appointments to see if it includes Sam's name. This authorizes Sam to enter the premises.
Computer World: In the electronic world, authorization often takes the form of access-control lists that itemize the specific file-system permissions granted to an individual user or group of users.
All access-control systems provide the means to accomplish these three steps. For the CISSP exam, keep the distinction between identification (the claim of identity) and authentication (the proof of that claim) straight; questions often hinge on it, and the two are easy to confuse.
Note: The above-mentioned steps only depict simple examples of access control steps. In the real world, there is a layered approach to these three steps, which we will discuss in greater detail.
Now let's dive into it and see how organizations implement the above-mentioned steps of access control.
Identification
As we have seen earlier, identification is one of the basic requirements of any access-control system. Users must have a way to identify themselves uniquely to a system that ensures they will not be confused with any other user of the system. The following are some common identification mechanisms often used in an organization and covered by the CISSP exam.
Usernames
An identifier, chosen by or assigned to a person, that names that person's account on a computer, network or online service.
Access cards
A card carrying a chip or magnetic stripe with encoded data that is read when the card is inserted into, swiped through or held near a reader. Access cards are used to enter restricted or secure areas and to log on to systems.
Biometrics
Biometric identification is increasing in popularity as users turn away from the inconvenience of identifying and authenticating themselves via a keyboard. Biometrics provide a means of identifying someone based on one or more physical characteristics of that person. They often serve as both identification and authentication mechanisms. Some types of biometric authentication techniques used are:
- Fingerprint scanners
- Iris and retina scanners
- Voiceprint identification
- Facial recognition
Registration and identity-proofing
Every user of an identity and access-management solution must be issued initial credentials when their account is created in the system.
- Registration gathers information about the user and creates the corresponding account (entity) in the system
- Identity proofing verifies that the person presenting themselves for registration is who they claim to be
Authentication
Once the person is identified to a system, the person must prove that claim of identity. That's where authentication comes into the picture.
Authentication Factors
There are three classic authentication factors:
- Something you know: a secret such as a password or PIN that the user remembers and enters during authentication
- Something you are: biometrics, which measure a physical characteristic such as iris pattern, voiceprint, fingerprint or facial geometry
- Something you have: requires physical possession of a device, such as a phone or a hardware authentication token (for example an RSA SecurID token)
The accuracy of biometric authentication in particular is measured by the errors it produces:
- False acceptance rate (FAR): the proportion of attempts in which the system accepts an impostor and grants access that should have been denied
- False rejection rate (FRR): the proportion of attempts in which an authorized individual is incorrectly denied access
Neither rate is meaningful on its own. An administrator could tune the system to admit no one, giving a perfect FAR of zero but an FRR of 100 percent; tuning it to admit everyone gives a perfect FRR and an unacceptable FAR.
The balanced measure used to compare biometric systems is the crossover error rate.
- Crossover error rate (CER), also called the equal error rate: the error rate at the sensitivity setting where the FAR and FRR are equal. A lower CER indicates a more accurate system.
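To make the FAR, FRR and CER relationship concrete, here is an added worked example (not part of the CISSP CBK or this guide's source material) that sweeps a decision threshold over constructed biometric match scores and finds the crossover point. The score lists are invented for illustration; the functions are generic.

```python
"""Sweep a biometric decision threshold and locate the crossover error rate.

Added illustration, not part of the CISSP CBK. The match scores are
constructed (higher score = stronger claimed match); a real system produces
them from fingerprint or face comparisons, but the arithmetic is identical.
"""
from typing import List, Tuple

# Constructed sample scores: attempts where the claimant IS the enrolled user
# (genuine) and attempts by someone else (impostor). The overlap is deliberate,
# since no biometric separates the two populations perfectly.
GENUINE = [0.62, 0.71, 0.75, 0.78, 0.80, 0.83, 0.85, 0.88, 0.90, 0.93]
IMPOSTOR = [0.20, 0.31, 0.35, 0.42, 0.48, 0.55, 0.60, 0.66, 0.72, 0.79]


def far(threshold: float, impostor_scores: List[float]) -> float:
    """False acceptance rate: share of impostor attempts scoring >= threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(threshold: float, genuine_scores: List[float]) -> float:
    """False rejection rate: share of genuine attempts scoring < threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def crossover_error_rate(genuine: List[float], impostor: List[float],
                         steps: int = 1000) -> Tuple[float, float]:
    """Sweep thresholds 0..1 and return (threshold, error rate) at the point
    where FAR and FRR are closest to equal. Lower CER = more accurate system."""
    best_gap, best_t, best_rate = None, 0.0, 1.0
    for i in range(steps + 1):
        t = i / steps
        a, r = far(t, impostor), frr(t, genuine)
        gap = abs(a - r)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_rate = gap, t, (a + r) / 2
    return best_t, best_rate


if __name__ == "__main__":
    # The two degenerate tunings described in the text.
    print("admit nobody  :", far(1.01, IMPOSTOR), frr(1.01, GENUINE))  # FAR 0, FRR 1
    print("admit everyone:", far(0.0, IMPOSTOR), frr(0.0, GENUINE))    # FAR 1, FRR 0
    t, cer = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"CER {cer:.2f} at threshold {t:.3f}")
```

Raising the threshold trades false acceptances for false rejections; the sweep shows that with these scores the two rates meet at 20 percent, which is the number you would compare across vendors, while the operating threshold you actually deploy depends on whether admitting an impostor or rejecting an employee is the costlier error.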
Multi-Factor Authentication
Multi-factor authentication strengthens the authentication system by combining factors of different types. For example, when a system requires both a password (something you know) and a smart card (something you have), an attacker who steals the password still lacks the smart card, and vice versa. The protection comes from mixing factor types; two passwords are still single-factor.
The most common approach organizations take is to combine something you know, such as a password or PIN, with something you have, such as a physical (hardware) or software token.
The codes these tokens generate are one-time passwords, produced by one of two standardized algorithms:
- HMAC-based one-time password (HOTP, RFC 4226) combines a shared secret with an incrementing counter to generate the code shown on the token
- Time-based one-time password (TOTP, RFC 6238) combines the shared secret with the current time, so the code changes every interval (typically 30 seconds) and is valid only until the token generates the next one. The token and the authentication server must keep their clocks synchronized
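The two algorithms are short enough to implement directly. The following added example (written for this guide, not taken from the CISSP CBK or any token vendor) computes HOTP and TOTP with the Python standard library and checks them against the test vectors published in RFC 4226 and RFC 6238. The verification helpers, the clock-drift window and the look-ahead size are this example's own choices.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library.

Added example, not part of the CISSP CBK. RFC_SECRET and the expected codes
in the comments are the RFCs' published SHA-1 test vectors, so the output
can be checked by hand.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 SHA-1 test secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1(secret, counter) followed by RFC 4226 dynamic truncation."""
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP whose counter is the number of 'step' seconds elapsed."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server side. Accept the current interval plus/minus 'window' intervals
    so small clock drift does not lock users out; compare in constant time."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


def verify_hotp(secret: bytes, code: str, last_counter: int,
                look_ahead: int = 5, digits: int = 6) -> Optional[int]:
    """Server side. Try only counters AFTER the last accepted one (the token
    may have been pressed a few times without logging in). Return the counter
    to store on success; an already-used counter can never match again."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))                     # 755224 (RFC 4226)
    print(totp(RFC_SECRET, 59, digits=8))          # 94287082 (RFC 6238)
    print("now:", totp(RFC_SECRET, int(time.time())))
```

Two details matter in practice: the server must store and advance the HOTP counter (otherwise a captured code replays), and the TOTP window should stay small, because every extra interval you accept multiplies the number of valid codes an attacker can guess at any moment.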
Password Authentication Protocols
Many access-control systems rely on password-based mechanisms to implement something-you-know security, and one of the most common applications is securing VPNs and other remote-access technologies. Two protocols appear on the exam:
- PAP (Password Authentication Protocol) sends the username and password across the link in cleartext, so anyone who can observe the traffic obtains the credential
- CHAP (Challenge Handshake Authentication Protocol) has the server send a random challenge and the client reply with a hash of that challenge combined with the shared secret, so the secret itself never crosses the wire and a captured response cannot be replayed against a fresh challenge
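To show what that difference means on the wire, here is an added example (not part of the CISSP CBK) that plays both ends of a PAP request and a CHAP challenge-response exchange. The username and shared secret are constructed, and the ChapAuthenticator class is this example's own minimal server, not an implementation of any real network access server.

```python
"""PAP versus CHAP on the wire.

Added illustration, not part of the CISSP CBK. Both peers hold the same
shared secret. PAP transmits it verbatim; CHAP (RFC 1994) transmits only
MD5(identifier || secret || challenge), so an eavesdropper sees a hash tied
to a one-time challenge, and a replayed response fails against the next one.
The username and secret are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict

SHARED_SECRET = b"correct horse battery staple"  # constructed


def pap_request(username: str, password: bytes) -> bytes:
    """PAP Authenticate-Request: the password travels in cleartext."""
    return username.encode() + b"\x00" + password


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side. Issues a fresh random challenge per attempt and forgets it
    once answered, so a captured response cannot be replayed."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: Dict[int, bytes] = {}  # identifier -> outstanding challenge

    def challenge(self, ident: int) -> bytes:
        chal = os.urandom(16)
        self._pending[ident] = chal
        return chal

    def verify(self, ident: int, response: bytes) -> bool:
        chal = self._pending.pop(ident, None)  # one-shot: consumed on first use
        if chal is None:
            return False
        expected = chap_response(ident, self._secret, chal)
        return hmac.compare_digest(expected, response)


def run_exchange() -> Dict[str, bool]:
    """Play both sides and report what an eavesdropper and a replayer achieve."""
    server = ChapAuthenticator(SHARED_SECRET)

    # 1. Legitimate CHAP round trip: challenge out, hashed response back.
    chal = server.challenge(1)
    resp = chap_response(1, SHARED_SECRET, chal)
    legit_ok = server.verify(1, resp)

    # 2. Attacker who captured resp replays it against a new challenge.
    server.challenge(2)
    replay_ok = server.verify(2, resp)

    # 3. Attacker replays resp to the identifier it was originally sent for.
    same_ident_replay_ok = server.verify(1, resp)

    pap_bytes = pap_request("sam", SHARED_SECRET)
    return {
        "chap_legit_succeeds": legit_ok,
        "chap_replay_succeeds": replay_ok,
        "chap_same_ident_replay_succeeds": same_ident_replay_ok,
        "pap_leaks_secret": SHARED_SECRET in pap_bytes,
        "chap_leaks_secret": SHARED_SECRET in resp,
    }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name:35s} {value}")
```

CHAP is on the exam for the challenge-response idea, not as a modern design: the server must hold the cleartext secret, and an eavesdropper with one challenge and response pair can brute-force a weak secret offline because MD5 is fast. Current remote-access deployments rely on EAP methods inside TLS rather than bare CHAP.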
Federated Identity Management System
This leverages the fact that a single individual may have accounts across a wide variety of systems. When organizations agree to federate their identity management systems, they share some of this information across the organizations. This reduces the number of individual identities a user must have and eases the burden on the user and the organization. The most common example of a federated identity management system is when you log into websites using your Google account, Facebook Connect, or Twitter account.
Single Sign-On (SSO)
In an SSO approach, users log into the first SSO-enabled system they encounter. That login session then persists across other systems until it reaches its expiration time. SSO basically shares authenticated sessions across systems. Many organizations create SSO solutions within their organizations to help users avoid the burden of repeatedly authenticating.
Trust relationships across different authentication domains are described in terms of their direction and their transitivity.
Security Assertion Markup Language (SAML)
SAML enables browser-based SSO across a variety of web systems. There are three actors in a SAML exchange:
- Principal: the end user who wants to use web-based services
- Identity provider (IdP): the organization that authenticates the principal and issues an assertion vouching for that identity
- Service provider (SP): the web-based service the end user wishes to access, which trusts the identity provider's assertion
Trust direction can be either one-way or two-way:
- If a one-way trust exists from domain1 to domain2, domain1 will trust authenticated sessions from domain2 but domain2 will not trust sessions from domain1
- If the trust relationship is two-way, both domains trust each other
Trust transitivity can be either transitive or nontransitive:
- In a transitive trust, trust relationships extend across domains. If domain1 has a transitive trust with domain2 and domain2 has a transitive trust with domain3, domain1 and domain3 trust each other without the administrator explicitly creating that trust
- In a nontransitive trust, the relationship is not inferred. Domain1 will not trust domain3 unless the administrator creates that trust explicitly
Organizations commonly need a centralized approach to network and application authentication, authorization and accounting. Protocols such as RADIUS and TACACS+ provide these services.
Remote Authentication Dial-In User Service (RADIUS)
RADIUS centralizes AAA for network access devices such as VPN concentrators, wireless controllers and, historically, modem pools. A single RADIUS server provides one point of administration for password and account management and consolidates accounting records in a central location. RADIUS runs over UDP (port 1812 for authentication, 1813 for accounting) and obfuscates only the user's password attribute, leaving the rest of the packet in cleartext.
Terminal Access Controller Access Control System Plus (TACACS+)
An alternative to RADIUS that performs a similar function. TACACS+ was developed by Cisco and, although long treated as a proprietary standard, is now documented in RFC 8907. It differs from RADIUS in three ways:
- It uses TCP (port 49) rather than UDP
- It encrypts the entire packet body rather than just the password
- It separates authentication, authorization and accounting into distinct functions, which allows per-command authorization on network devices
The Kerberos Access-Control System
Kerberos is a ticket-based authentication protocol widely used to implement authentication and authorization. A user authenticates once to a centralized Key Distribution Center (KDC), receives a ticket-granting ticket, and then uses service tickets obtained with it to access distributed systems that support Kerberos, without sending the password to each one. Kerberos uses TCP and UDP port 88.
The Lightweight Directory Access Protocol (LDAP)
LDAP is an important protocol for access control. It allows services on a network to share information about users and their authorizations in a standardized, open format. Active Directory uses LDAP in combination with Kerberos: Kerberos handles authentication, while LDAP provides the means to query information stored in the directory service. LDAP uses port 389 (cleartext, or upgraded to TLS with StartTLS) and port 636 for LDAP over TLS (LDAPS).
Identity and Access Management as a Service (IDaaS)
This is an area where enterprises gain significant benefits from third-party providers, which allow organizations to move some or all of their identity and access management infrastructure to the cloud. This reduces the need for costly and hard-to-find identity and access management specialists, although the organization remains accountable for how identities are governed.
Certificate-Based Authentication
Digital certificates have several authentication use cases: authenticating SSH sessions, backing smart-card logon, and restricting network access to specific devices (for example with 802.1X). When a certificate is used for authentication, you create one much like the certificate used to secure a website. The certificate provides a trusted copy of your public key to third parties; you retain the corresponding private key and use it to prove that you own the public key in the certificate.
Accountability means that every action taken on a system can be traced back to an individual user without ambiguity. It is achieved through two fundamental requirements:
- Identification: Each user of the system must be identified by a unique identifier, such as a username
- Authentication: Every account on the system must be protected by strong authentication that prevents unauthorized users from gaining access
Managing Credentials
The management of user accounts is a key responsibility for information security professionals. This includes designing strong processes that implement:
- Principle of least privilege: users should have only the minimum set of permissions necessary for their job function
- Separation of duties: sensitive functions should require action by two separate users
- Job rotation and mandatory vacation: regularly moving people between jobs limits the opportunity for fraud and increases the chance that it is discovered. Mandatory vacation enforces periods when an employee has no access to systems; the enforced absence gives fraudulent activity an opportunity to come to light
- Managing the account lifecycle: security professionals are also responsible for the account and credential lifecycle, which includes:
- Administering the process of granting new users access to systems
- Modifying roles when a user changes jobs
- Reviewing requests when a user's job requires new access
- Reviewing access on a regular basis and correcting any discrepancies found
- Removing the access of terminated users
- Maintaining user account policies
- Maintaining password policies
- Managing roles
Authorization
Authorization is the final step in the access control process. Once an individual successfully authenticates in a system, authorization determines the individual's privileges to access resources and information. There are many different authorization approaches; some of them are covered on the CISSP exam.
Mandatory Access-Control Systems (MAC)
In mandatory access control, the operating system, not the resource owner, confines the permissions granted to users and processes. MAC is implemented with labels: users (subjects) and resources (objects) carry security labels, and the operating system makes access decisions by comparing those labels against a system-wide policy that users cannot override. The best-known example of an operating system implementing MAC is Security-Enhanced Linux (SELinux).
Discretionary Access Control
Discretionary access control is the most common form of access control because it gives organizations flexibility: unlike MAC, it lets resource owners grant access to other users at their discretion. The owners of files, computers and other resources configure permissions as they see fit, typically by creating access-control lists. An access-control list is a table of principals (users or groups) and the permissions each is granted on a resource.
The Implicit Deny Principle
This principle, also known as default deny, says that anything not explicitly allowed should be denied. If a system has no explicit rule covering a request, it should refuse it. Firewalls are the classic example: a rule set ends with a deny-all rule, so traffic that matches no permit rule is dropped.
Role-Based Access Control Systems
Role-based access control systems simplify some of the work of managing authorizations. Instead of trying to manage all of the permissions assigned to each individual user, administrators create job-based roles and then assign permissions to those roles.
This is a little more work up front, but it makes life much easier down the road. When a user arrives, the administrator doesn't need to figure out all of the explicit permissions that user requires.
Time-of-Day Restrictions
Restricts users from accessing the system based on the time and day.
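The models above are easier to compare when their decisions sit side by side. The following added example (not from the CISSP CBK or any product) implements a small policy decision point that applies a time-of-day restriction, then a DAC access-control list, then RBAC role grants, and falls through to implicit deny. All users, roles, resources and working hours are constructed.

```python
"""A small policy decision point combining the authorization models above.

Added example, not part of the CISSP CBK or any product. It evaluates, in
order, a time-of-day restriction, a DAC access-control list, and a
role-based permission map, and denies anything none of them grants
(implicit deny). Users, roles, resources and working hours are constructed.
"""
from datetime import datetime, time
from typing import Dict, Set, Tuple

# DAC: each resource owner maintains an ACL of principal -> permissions.
ACLS: Dict[str, Dict[str, Set[str]]] = {
    "/finance/ledger.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "/hr/salaries.csv": {"carol": {"read", "write"}},
}

# RBAC: permissions are attached to job roles, and users are assigned roles.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "payroll-admin": {"/hr/salaries.csv:read", "/hr/salaries.csv:write"},
    "auditor": {"/finance/ledger.xlsx:read", "/hr/salaries.csv:read"},
}
USER_ROLES: Dict[str, Set[str]] = {"carol": {"payroll-admin"}, "dave": {"auditor"}}

# Time-of-day: resources listed here may only be touched during working hours.
WORK_HOURS = (time(8, 0), time(18, 0))
TIME_RESTRICTED = {"/hr/salaries.csv"}


def dac_allows(user: str, resource: str, perm: str) -> bool:
    """An explicit ACL entry is required; a missing entry means no access."""
    return perm in ACLS.get(resource, {}).get(user, set())


def rbac_allows(user: str, resource: str, perm: str) -> bool:
    """Grant if any of the user's roles carries the needed permission."""
    needed = f"{resource}:{perm}"
    return any(needed in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def within_hours(resource: str, when: datetime) -> bool:
    if resource not in TIME_RESTRICTED:
        return True
    start, end = WORK_HOURS
    return start <= when.time() < end


def authorize(user: str, resource: str, perm: str, when: datetime) -> Tuple[bool, str]:
    """Return (decision, reason). Order matters: a time restriction denies
    before any grant is considered, and the final fall-through is a deny."""
    if not within_hours(resource, when):
        return False, "outside permitted hours"
    if dac_allows(user, resource, perm):
        return True, "ACL entry"
    if rbac_allows(user, resource, perm):
        return True, "role grant"
    return False, "implicit deny"


def authorize_at(user: str, resource: str, perm: str, iso_timestamp: str) -> Tuple[bool, str]:
    """Same decision for callers holding an ISO-8601 timestamp string."""
    return authorize(user, resource, perm, datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    for req in [("alice", "/finance/ledger.xlsx", "write", "2024-05-06T10:00:00"),
                ("dave", "/hr/salaries.csv", "read", "2024-05-06T22:00:00"),
                ("erin", "/finance/ledger.xlsx", "read", "2024-05-06T10:00:00")]:
        print(req, "->", authorize_at(*req))
```

Note that the reason string is returned alongside the decision: logging why access was granted or refused is what makes the accountability requirement described earlier possible, and it is the first thing an access review asks for.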
Access Control Attacks
Access control attacks are techniques typically used to bypass or circumvent access-control methods in order to steal data or user credentials.
Password Attacks
Some of the password-related attacks covered under the CISSP exam are:
- Dictionary attacks
- Rainbow table attacks
- Hybrid attacks
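To see how these three attacks differ and what defeats them, here is an added example (not part of the CISSP CBK) that runs a dictionary attack with hybrid mutations against a constructed credential store, first through a precomputed hash-to-password table standing in for a rainbow table, then against per-user salted hashes. The wordlist, passwords and salts are invented; unsalted SHA-256 stands in for any fast unsalted hash.

```python
"""Dictionary, hybrid and precomputed-table attacks against stored hashes.

Added illustration, not part of the CISSP CBK. The wordlist, the 'leaked'
credential stores and the salts are constructed. Unsalted SHA-256 stands in
for any fast unsalted hash: one precomputed table (the idea behind a rainbow
table) cracks every user who picked a listed password, while per-user salts
make that table worthless and force fresh work for every account.
"""
import hashlib
from typing import Dict, Iterable, Tuple

WORDLIST = ["password", "summer", "welcome", "letmein", "dragon"]  # constructed
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hybrid_candidates(words: Iterable[str]) -> Iterable[str]:
    """Hybrid attack: dictionary words plus the mutations people really apply."""
    for w in words:
        yield w                      # plain dictionary attack
        yield w.capitalize()
        yield w.translate(LEET)      # leetspeak substitution
        for suffix in ("1", "123", "!", "2024"):
            yield w + suffix
            yield w.capitalize() + suffix


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """hash -> plaintext, computed once and reusable against any unsalted store."""
    return {sha256_hex(c.encode()): c for c in hybrid_candidates(words)}


def crack_unsalted(store: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """One dictionary lookup per user; identical passwords fall together."""
    return {user: table[h] for user, h in store.items() if h in table}


def crack_salted(store: Dict[str, Tuple[bytes, str]],
                 words: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """With per-user salts every candidate must be rehashed for every user.
    Returns (cracked accounts, number of hash computations spent)."""
    words = list(words)
    found, work = {}, 0
    for user, (salt, h) in store.items():
        for cand in hybrid_candidates(words):
            work += 1
            if sha256_hex(salt + cand.encode()) == h:
                found[user] = cand
                break
    return found, work


# Constructed credential stores. dave chose a password outside the wordlist.
PASSWORDS = {"alice": "Summer2024", "bob": "p@$$w0rd",
             "carol": "Summer2024", "dave": "T7#kq!Lp9z"}
UNSALTED_STORE = {u: sha256_hex(p.encode()) for u, p in PASSWORDS.items()}
SALTS = {"alice": b"\x01" * 8, "bob": b"\x02" * 8, "carol": b"\x03" * 8, "dave": b"\x04" * 8}
SALTED_STORE = {u: (SALTS[u], sha256_hex(SALTS[u] + p.encode())) for u, p in PASSWORDS.items()}


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("table size:", len(table))
    print("unsalted cracked:", crack_unsalted(UNSALTED_STORE, table))
    found, work = crack_salted(SALTED_STORE, WORDLIST)
    print("salted cracked:", found, "after", work, "hashes")
```

The salted run still cracks the weak passwords, because the salt only stops precomputation and password sharing, not guessing. The remaining defenses are a slow, memory-hard hash (bcrypt, scrypt or Argon2) so each guess costs the attacker real time, and a password policy that keeps "Summer2024" out of the store in the first place.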
Social Engineering Attacks
Social engineering uses psychological tricks to manipulate people into carrying out an action or divulging sensitive information that undermines the organization's security. Some of the social engineering attacks covered under the CISSP exam are:
- Spearphishing
- Whaling
- Pharming
- Vishing
- Spam by email and by instant messaging (SPIM)
- Identity spoofing
Watering Hole Attack
A watering hole attack is a client-side attack in which the attacker identifies and compromises a website that the targeted audience is likely to visit. The attacker plants a client-side exploit that compromises visitors' browsers and delivers a malware payload; when a target visits the site, the malicious program is downloaded onto the visitor's computer and bypasses access controls from inside the victim's environment. Watering-hole attacks are especially dangerous because they arrive through websites the victims already trust.
Domain 6: Security Assessment and Testing (12%)
Would you spot a burglar casing your house? The same challenge faces organizations protecting their digital assets. Security assessment and testing, worth 12% of the CISSP exam, teaches security professionals how to uncover vulnerabilities before attackers do. From penetration testing to code review, this domain builds the skills needed to evaluate security controls, test pre-release applications, and audit security processes.
Here is a breakdown of this domain's subtopics:
- 6.1 Design and validate assessment, test, and audit strategies
- Internal
- External
- Third-party
- Location
- 6.2 Conduct security control testing
- Vulnerability assessment
- Penetration testing
- Log reviews
- Synthetic transactions/benchmarks
- Code review and testing
- Misuse case testing
- Coverage analysis
- Interface testing
- Breach attack simulations
- Compliance checks
- 6.3 Collect security process data (e.g., technical and administrative)
- Account management
- Management review and approval
- Key performance and risk indicators
- Backup verification data
- Training and awareness
- Disaster recovery (DR) and Business Continuity (BC)
- 6.4 Analyze test output and generate report
- Remediation
- Exception handling
- Ethical disclosure
- 6.5 Conduct or facilitate security audit
- Internal
- External
- Third-party
- Location
Let's examine how these elements work together to create strong security testing programs. You'll learn practical approaches to finding weaknesses and measuring security effectiveness in ways that matter to both technical teams and business leaders.
Assessment strategy creation
Smart security testing starts with strategy. Think of subdomain 6.1 as your game plan for finding vulnerabilities. Running random security scans might catch some issues, but a well-planned assessment strategy catches problems early and saves money.
Internal security teams often miss issues because they're too close to the systems. That's why mixing internal expertise with external perspectives works best. Your own team knows the systems inside out, but external testers bring fresh eyes and new attack techniques. Third-party assessors add another layer, bringing specialized tools and industry-wide experience to your testing program.
Location matters, too. Testing your headquarters network won't tell you much about branch office security. Each site needs its own assessment plan. Cloud systems need special attention - you can't test them the same way you test on-premises systems.
Security testing methods
When putting subdomain 6.2 into practice, you'll need different testing approaches:
- Vulnerability testing:
- Automated scanning to find known weaknesses
- Manual testing for business logic flaws
- Configuration reviews against security baselines
- Network mapping and service enumeration
- Web application security scanning
- Penetration testing types:
- Black box testing with no inside knowledge
- White box testing with full system access
- Purple team exercises combining attack and defense
- Red team campaigns simulating real threats
- Social engineering assessments
- Code analysis:
- Static testing before deployment
- Dynamic testing of running applications
- Interactive testing during development
- Dependencies and third-party library checks
- Secure coding standard verification
Security process measurement
Measuring security processes (subdomain 6.3) takes more than just counting vulnerabilities. Strong security teams track:
- Control effectiveness:
- Time to detect security issues
- Speed of patch deployment
- Failed login attempt patterns
- Data access anomalies
- Security tool coverage gaps
- Training impact:
- Phishing test success rates
- Security awareness scores
- Incident response times
- Policy compliance levels
- Security tool adoption rates
Security audit execution
Security audits, covered in subdomain 6.5, reveal whether your security program actually works. A good audit tells you if people follow the rules you've set up. Better still, it shows you where those rules need to change.
Your internal audit team plays a crucial role here. They spot issues others miss because they know your business processes. But they might hesitate to challenge powerful departments or long-standing practices. External auditors don't have these political concerns. They'll call out problems your internal team might skip.
Location-based audits matter, too. Maybe your main office runs a tight security ship, but what about that small branch office? Or that cloud service provider? Each location needs its own audit approach. The controls that work at headquarters might not fit a small remote office or a cloud environment.
Domain 7: Security Operations (13%)
Picture yourself as a security guard watching dozens of monitors. You've got cameras on every door, but you also need to watch for fires, check ID badges, and keep the building running smoothly. Security operations works just like this — you're watching everything at once. At 13% of the CISSP exam, this domain shows you how to run the day-to-day security tasks that keep organizations safe, from monitoring logs to handling incidents.
Here is a breakdown of this domain's subtopics:
- 7.1 Understand and comply with investigations
- Evidence collection and handling
- Reporting and documentation
- Investigative techniques
- Digital forensics tools, tactics, and procedures
- Artifacts
- 7.2 Conduct logging and monitoring activities
- Media management
- Media protection techniques
- Data at rest/data in transit
- Intrusion detection and prevention (IDPS)
- Security information and event management (SIEM)
- Continuous monitoring and tuning
- Egress monitoring
- Log management
- Threat intelligence
- User and entity behavior analytics (UEBA)
- 7.3 Perform configuration management (CM)
- 7.4 Apply foundational security operations concepts
- Need-to-know/least privilege
- Segregation of Duties (SoD) and responsibilities
- Privileged account management
- Job rotation
- Service-level agreements (SLA)
- 7.5 Apply resource protection
- 7.6 Conduct incident management
- Detection
- Response
- Mitigation
- Reporting
- Recovery
- Remediation
- Lessons learned
- 7.7 Operate and maintain detection and preventative measures
- Firewalls
- Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
- Whitelisting/blacklisting
- Third-party-provided security services
- Sandboxing
- Honeypots/honeynets
- Anti-malware
- Machine learning and artificial intelligence (AI) based tools
- 7.8 Implement and support patch and vulnerability management
- 7.9 Understand and participate in change management processes
- 7.10 Implement recovery strategies
- Backup storage strategies
- Recovery site strategies
- Multiple processing sites
- System resilience, high availability (HA), Quality of Service (QoS), and fault tolerance
- 7.11 Implement disaster recovery (DR) processes
- Response
- Personnel
- Communications
- Assessment
- Restoration
- Training and awareness
- Lessons learned
- 7.12 Test disaster recovery plans (DRP)
- Read-through/tabletop
- Walkthrough
- Simulation
- Parallel
- Full interruption
- Communications
- 7.13 Participate in Business Continuity (BC) planning and exercises
- 7.14 Implement and manage physical security
- Perimeter security controls
- Internal security controls
- 7.15 Address personnel safety and security concerns
- Travel
- Security training and awareness
- Emergency management
- Duress
These critical operational activities form the backbone of any security program. Let's examine how they work in practice and what makes them successful.
Security monitoring and response
Think of security monitoring as your organization's nervous system. Your SIEM (Security Information and Event Management) acts like a central brain, processing signals from throughout your network. Supporting subdomains 7.1 and 7.2, this monitoring helps you catch issues fast.
Raw logs tell only part of the story. Smart security teams correlate events across systems. A failed login might mean nothing or signal the start of an attack when paired with unusual network traffic. User behavior analytics spots patterns humans might miss. Maybe Karen in accounting always works 9 to 5, so why is her account active at 3 AM?
Security operations centers run 24/7 because attackers don't sleep. Your monitoring tools must catch everything from routine policy violations to sophisticated attacks. When they spot something wrong, your incident response plan kicks in. Speed matters. Every minute an attack goes undetected means more potential damage.
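The correlation the text describes, as an added example (not from the CISSP CBK or any SIEM product): it parses constructed authentication log lines, flags a burst of failed logins followed by a success from the same source, and flags a successful login outside a user's baseline hours. The log format, hosts, users, addresses and baselines are invented for illustration.

```python
"""Event correlation over constructed authentication logs.

Added example, not part of the CISSP CBK or any SIEM. Implements the two
signals described in the text: a failed-login burst that ends in a success
(credential stuffing or brute force that worked) and a successful login
outside the user's normal hours (the 3 AM account activity).
Log format, users, hosts, addresses and baselines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: five failures then a success for jdoe, an off-hours
# login for karen, and a single benign typo for bob.
SAMPLE_LOGS = """\
2024-05-06T03:02:11 fs01 auth: OK user=karen src=10.0.5.23
2024-05-06T09:15:01 vpn01 auth: FAIL user=jdoe src=203.0.113.7
2024-05-06T09:15:03 vpn01 auth: FAIL user=jdoe src=203.0.113.7
2024-05-06T09:15:05 vpn01 auth: FAIL user=jdoe src=203.0.113.7
2024-05-06T09:15:08 vpn01 auth: FAIL user=jdoe src=203.0.113.7
2024-05-06T09:15:10 vpn01 auth: FAIL user=jdoe src=203.0.113.7
2024-05-06T09:15:14 vpn01 auth: OK user=jdoe src=203.0.113.7
2024-05-06T10:30:00 fs01 auth: OK user=karen src=10.0.5.23
2024-05-06T11:00:00 vpn01 auth: FAIL user=bob src=198.51.100.9
2024-05-06T11:00:30 vpn01 auth: OK user=bob src=198.51.100.9
"""

# Per-user baseline working hours (start inclusive, end exclusive), constructed.
BASELINE_HOURS: Dict[str, Tuple[int, int]] = {"karen": (9, 17), "jdoe": (8, 18), "bob": (9, 17)}


def parse(text: str) -> List[dict]:
    """Turn raw lines into event dicts; lines that do not match are skipped
    (a production pipeline would count those, since gaps hide attacks)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def brute_force_then_success(events: List[dict], threshold: int = 5,
                             window: timedelta = timedelta(seconds=60)) -> List[tuple]:
    """Alert on (user, src) where >= threshold FAILs inside 'window' precede an OK."""
    alerts = []
    recent_fails: Dict[tuple, List[datetime]] = defaultdict(list)
    for e in events:  # assumes events arrive in time order
        key = (e["user"], e["src"])
        fails = [t for t in recent_fails[key] if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            fails.append(e["ts"])
        elif len(fails) >= threshold:
            alerts.append((e["user"], e["src"], e["ts"]))
            fails = []  # reset so one burst raises one alert
        recent_fails[key] = fails
    return alerts


def off_hours_logins(events: List[dict], baseline: Dict[str, Tuple[int, int]]) -> List[tuple]:
    """Alert on successful logins outside the user's baseline hours."""
    alerts = []
    for e in events:
        if e["result"] != "OK" or e["user"] not in baseline:
            continue
        start, end = baseline[e["user"]]
        if not (start <= e["ts"].hour < end):
            alerts.append((e["user"], e["ts"]))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print("brute force:", brute_force_then_success(evs))
    print("off hours  :", off_hours_logins(evs, BASELINE_HOURS))
```

Neither rule is an incident on its own: bob's single typo is filtered by the threshold, and karen may simply be travelling. The value comes from correlating the two, and from adding context the log line lacks (is 203.0.113.7 a known corporate egress, does karen have a travel notice), which is exactly the enrichment a SIEM or UEBA layer is for.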
Change and configuration control
Security breaks when systems change without proper controls. Supporting subdomains 7.3 and 7.9, strong change management keeps systems secure through updates and modifications.
Start with known-good configurations - your security baseline. Document every setting that affects security, from password rules to firewall configs. When something needs changing, follow a clear process. Test changes before they go live. Keep records of what changed and why.
Patch management deserves special attention. Missing patches leave holes attackers love to exploit. But patching too fast can break systems. Find the right balance between speed and stability. Test patches thoroughly, but don't wait too long to deploy them.
Incident handling and recovery
You can't prevent every attack but can control how you respond. Smart incident management (subdomain 7.6) follows a clear process:
- Response steps:
- Detection through monitoring and alerts
- Triage to assess incident severity
- Containment stopping damage spread
- Investigation finding root causes
- Eradication removing threats
- Recovery restoring operations
- Lessons learned preventing repeats
- Documentation needs:
- Incident timeline and details
- Actions taken and results
- Evidence collected
- Communication logs
- Resolution steps
Detective and preventive controls
Putting subdomain 7.7 into action requires layers of security controls:
- Network protection:
- Next-generation firewalls that understand application traffic
- Intrusion prevention systems catching known attack patterns
- Web application firewalls blocking OWASP Top 10 attacks
- Network segmentation limiting damage from breaches
- Endpoint security:
- Anti-malware catching known threats
- Host-based IPS blocking suspicious behavior
- Application whitelisting preventing unauthorized programs
- Disk encryption protecting stolen devices
- Deception technology:
- Honeypots attracting and studying attackers
- Honeytokens revealing data theft attempts
- Honeynets mapping attack techniques
- Decoy systems distracting attackers
Domain 8: Software Development Security (10%)
What happens when security becomes an afterthought in software development? Just ask companies who've faced massive data breaches from simple coding flaws. At 10% of the CISSP exam, software development security teaches you to build security into applications from the start. This domain shows you how to create software that stands up to real-world attacks, from secure coding practices to testing methodologies.
Here is a breakdown of this domain's subtopics:
- 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
- Development methodologies
- Maturity models
- Operation and maintenance
- Change management
- Integrated Product Team
- 8.2 Identify and apply security controls in software development ecosystems
- Programming languages
- Libraries
- Tool sets
- Integrated Development Environment
- Runtime
- Continuous Integration and Continuous Delivery (CI/CD)
- Software configuration management (CM)
- Code repositories
- Application security testing
- 8.3 Assess the effectiveness of software security
- Auditing and logging of changes
- Risk analysis and mitigation
- 8.4 Assess the security impact of acquired software
- Commercial-off-the-shelf (COTS)
- Open source
- Third-party
- Managed services
- Cloud services
- 8.5 Define and apply secure coding guidelines and standards
- Security weaknesses and vulnerabilities at the source-code level
- Security of application programming interfaces (API)
- Secure coding practices
- Software-defined security
Let's explore how these elements combine to create secure applications that resist attack while meeting business needs.
Development lifecycle security
Writing secure code starts long before anyone types the first line. Supporting subdomain 8.1, the secure SDLC builds security into every step of development. Different teams choose different approaches. Waterfall projects plan everything upfront. Agile teams work in short sprints. DevOps pushes for constant delivery. Each style needs its own security controls.
Maturity models help you measure how well you're doing. The Software Assurance Maturity Model (SAMM) shows you where your security practices stand. Maybe your code reviews work great, but your security training needs work. These models point out weak spots before they cause problems.
Change management keeps things from breaking when code updates roll out. Good change control means testing security impacts before pushing updates live. Bad change control means hoping nothing breaks - and dealing with the cleanup when it does.
Security testing approaches
Building on subdomain 8.2, modern development needs multiple testing layers:
- Automated testing:
- Static analysis finding code flaws
- Dynamic testing of running applications
- Software composition analysis checking libraries
- Fuzz testing with random inputs
- Container security scanning
- Manual reviews:
- Architecture analysis for design flaws
- Threat modeling identifying risks
- Code reviews catching subtle bugs
- Penetration testing to confirm which weaknesses are actually exploitable
- Security requirement verification
- Tool integration:
- Security plugins for development tools
- Automated build testing
- Deployment security checks
- Runtime application self-protection (RASP)
- Container security monitoring
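The fuzz-testing item above is the one most people have read about but never run. The following is an added example written for this article, not code from the page or from any fuzzing tool: a minimal harness that throws seeded random byte strings at a small type-length-value parser, treats a clean ValueError as the parser doing its job, and records everything else as a crash together with the input that caused it. The parser, its deliberate bug, the hardened version and the seed are all constructed for the demo.

```python
import random

# Added example for this article: a minimal fuzz harness. The TLV parser,
# its bug and the random seed are constructed for the demo; nothing here
# comes from the page or from any real fuzzing tool.


def parse_tlv(data):
    """Parse type-length-value records: 1 byte type, 1 byte length, then
    `length` bytes of value. Deliberately trusts the input layout so the
    fuzzer has something to find."""
    records = []
    i = 0
    while i < len(data):
        tag = data[i]
        length = data[i + 1]  # BUG: a trailing tag with no length byte raises IndexError
        records.append((tag, bytes(data[i + 2:i + 2 + length])))  # silently truncates short values
        i += 2 + length
    return records


def parse_tlv_safe(data):
    """Same format with every read bounds-checked. Malformed input is
    rejected with ValueError, which is a result, not a crash."""
    records = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated record header at offset %d" % i)
        tag, length = data[i], data[i + 1]
        end = i + 2 + length
        if end > len(data):
            raise ValueError("record at offset %d claims %d value bytes, only %d remain"
                             % (i, length, len(data) - i - 2))
        records.append((tag, bytes(data[i + 2:end])))
        i = end
    return records


def fuzz(target, iterations=2000, seed=1234, max_len=16):
    """Feed `iterations` random byte strings to `target`. A ValueError is the
    parser rejecting bad input; anything else is an unhandled failure,
    recorded with the input that triggered it so the run is reproducible."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        sample = bytes(rng.randrange(256) for _ in range(rng.randint(0, max_len)))
        try:
            target(sample)
        except ValueError:
            continue
        except Exception as exc:  # a fuzzer wants every other failure, so catch broadly
            crashes.append((sample, type(exc).__name__))
    return crashes


def crash_summary(crashes):
    """Group crashes by exception type and keep the shortest reproducer of each."""
    shortest = {}
    for sample, name in crashes:
        if name not in shortest or len(sample) < len(shortest[name]):
            shortest[name] = sample
    return shortest


if __name__ == "__main__":
    found = fuzz(parse_tlv)
    print("naive parser: %d crashes" % len(found), crash_summary(found))
    print("hardened parser: %d crashes" % len(fuzz(parse_tlv_safe)))
```

The fixed seed is what makes a crash reproducible the next morning; a real fuzzer (AFL, libFuzzer, Atheris) adds coverage feedback so it spends its time on inputs that reach new code, but the loop is the same. Note that the naive parser's silent truncation never shows up as a crash: fuzzing finds what throws, and a code review or a property check is still needed for what quietly returns the wrong answer.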
Third-party software assessment
Most applications use someone else's code. Subdomain 8.4 teaches you to handle this reality. Commercial software comes with vendor promises about security, but rarely with source code you can inspect. Open source lets you check the code yourself - if you have the time and expertise, which is why most teams lean on software composition analysis to do the first pass. Third-party and managed services need careful vetting, because you inherit their security posture without controlling it.
Each type brings different risks. Commercial vendors might go out of business, leaving you stuck with unpatched code. Open-source projects might lack security expertise or simply be abandoned. Cloud services could change their security model without warning. Smart teams plan for these possibilities with escrow clauses, exit plans and an inventory of every dependency they run.
Supply chain attacks target these relationships. An attacker who compromises a trusted vendor, a package repository or a build server can slip malicious code into your systems, and it arrives with all the trust you extend to the legitimate product. Defense requires checking everything: where code comes from (provenance), how it's delivered (signed, version-pinned and hash-verified) and what it does on your systems (review, least privilege and monitoring once it runs).
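The "how it's delivered" check is the one you can automate most cheaply. Below is an added example written for this article, not code from the page or from any package manager: a reviewed artifact's digest is recorded once in a lockfile, and every later install is refused unless the name is pinned, the version matches and the bytes hash to the recorded value. The lockfile format, the SupplyChainError type, the package names and the artifact bytes are constructed for the demo; the idea is the same one behind pip's --require-hashes and Go's go.sum.

```python
import hashlib
import hmac

# Added example for this article: pin-and-verify for third-party artifacts.
# The lockfile format, the SupplyChainError type, the package names and the
# sample artifacts are constructed for the demo; they are not from the page
# or from any real package manager.


class SupplyChainError(Exception):
    """Raised when an artifact is unpinned, the wrong version, or altered."""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def lock_artifact(lockfile, name, version, data):
    """Record the digest of an artifact at review time. This is the only
    moment a human looks at the bytes; every later install compares to it."""
    lockfile[name] = {"version": version, "sha256": sha256_hex(data)}
    return lockfile


def verify_artifact(lockfile, name, version, data):
    """Check an artifact offered at install time against the lockfile.
    Order matters: identity (is it pinned at all?), then version (did
    someone offer a 'newer' build from another index?), then content."""
    entry = lockfile.get(name)
    if entry is None:
        raise SupplyChainError("%s: not in lockfile; unpinned dependencies are refused" % name)
    if entry["version"] != version:
        raise SupplyChainError("%s: version %s offered but %s is pinned"
                               % (name, version, entry["version"]))
    # compare_digest avoids timing differences; cheap insurance on hex strings
    if not hmac.compare_digest(entry["sha256"], sha256_hex(data)):
        raise SupplyChainError("%s %s: digest mismatch, artifact altered or replaced"
                               % (name, version))
    return True


def safe_to_install(lockfile, name, version, data):
    """Boolean wrapper for callers that only want a go/no-go decision."""
    try:
        return verify_artifact(lockfile, name, version, data)
    except SupplyChainError:
        return False


# Constructed artifacts: the bytes a reviewer approved, and a copy with one
# line appended after review (the shape of a tampered mirror or a rebuilt package).
REVIEWED = b"def add(a, b):\n    return a + b\n"
TAMPERED = REVIEWED + b"# one more line nobody reviewed\n"

if __name__ == "__main__":
    lock = lock_artifact({}, "tinymath", "1.0.0", REVIEWED)
    print(safe_to_install(lock, "tinymath", "1.0.0", REVIEWED))  # True
    print(safe_to_install(lock, "tinymath", "1.0.0", TAMPERED))  # False: bytes changed
    print(safe_to_install(lock, "tinymath", "1.0.1", REVIEWED))  # False: version not pinned
    print(safe_to_install(lock, "leftpad", "0.1", b""))          # False: never reviewed
```

A hash pin only proves the artifact is the one somebody reviewed; it says nothing about whether that review was any good, and it does nothing against a malicious change that was already present at pin time. Signature verification against the publisher's key and a build that reproduces from source close those gaps, but the refuse-on-mismatch discipline shown here is the floor.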
Secure coding fundamentals
You can't bolt security onto finished code. Subdomain 8.5 shows you how to write secure code from the start. Begin with clear coding standards - rules everyone follows. Ban dangerous functions (the unbounded string copies in C are the classic case). Require input validation against an allowlist of what good input looks like, not a denylist of past attacks. Set rules for error handling so a failure neither leaks a stack trace to the user nor leaves the operation half-done.
APIs need special attention. They're doors into your application - doors attackers love to probe. Good API security means authenticating every caller, validating every input, and authorizing each request against what that specific user may do with that specific object, not just checking that a token is present. One careless API endpoint can expose your whole system.
Memory handling trips up many developers: buffer overflows still plague C and C++ code. Injection flaws hit managed languages just as hard: SQL injection strikes database applications that build queries from strings, and cross-site scripting hits web interfaces that echo input without encoding it. Each language brings its own security pitfalls. Secure coding practices help developers avoid these common traps.
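The SQL injection and cross-site scripting cases above are easiest to see side by side. The following is an added example written for this article, not code from the page: the same user lookup written once with string concatenation and once with a parameterised query, plus the allowlist validation and HTML output encoding that subdomain 8.5 calls for. The SQLite table, its two rows and the attack strings are constructed for the demo.

```python
import html
import re
import sqlite3

# Added example for this article: the same lookup written the injectable way
# and the parameterised way, plus allowlist validation and output encoding.
# The users table, its rows and the payloads are constructed for the demo;
# nothing here comes from the page.


def make_db():
    """In-memory SQLite database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, username):
    """String-built query: the username becomes part of the SQL grammar,
    so a quote in the input rewrites the WHERE clause."""
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the driver passes the value separately from the
    statement, so it can only ever be compared, never parsed as SQL."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


# Allowlist: what a username may look like. Anything else is rejected at the
# boundary before it reaches the database or the page.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def valid_username(username):
    return bool(USERNAME_RE.match(username))


def render_greeting(username):
    """Output encoding for an HTML text context. This stops reflected XSS
    even when validation upstream is missing or bypassed."""
    return "<p>Hello, %s</p>" % html.escape(username)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(lookup_vulnerable(db, payload))  # both rows: the injection rewrote the WHERE clause
    print(lookup_safe(db, payload))        # []: the payload was compared as a literal string
    print(valid_username(payload), valid_username("alice"))
    print(render_greeting("<script>alert(1)</script>"))
```

Validation and parameterisation are not alternatives: the allowlist rejects the payload early and keeps garbage out of logs and downstream systems, while the parameterised query is what actually makes injection impossible even for fields (free-text comments, for example) that no allowlist can describe. The same applies to output: encode for the context you write into, and do it at the point of output rather than trusting that every input path was validated.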
The impact of CISSP on cybersecurity careers
The CISSP credential opens doors. Organizations seek CISSP holders for senior security roles because the certification proves both technical knowledge and management skills. Chief Information Security Officers (CISOs) often list CISSP as a required credential, and many security architects and managers find the certification accelerates their career growth.
Common roles for CISSP holders include:
- Security Manager/Director
- Security Architect
- Security Analyst (Senior Level)
- IT Director
- Security Consultant
- Security Systems Engineer
- CISO/CSO
For an idea of what CISSP holders earn, download our free cybersecurity salary guide. The certification particularly helps when moving into management positions, as it demonstrates the broad knowledge needed to oversee security programs.
Beyond salary, CISSP brings professional recognition. Your peers know you've mastered complex security concepts. Your organization trusts your security decisions. Vendors and partners respect your expertise. This professional capital helps you drive security improvements and build support for critical projects.
Preparing for the CISSP exam
Success on the CISSP exam requires a structured approach. Your study plan should cover:
- Study resources:
- Official ISC2 CISSP CBK Guide (essential reading)
- Infosec's free CISSP exam tips ebook and webinar (instructor with 95% pass rate!)
- Infosec's CISSP training hub
- Infosec's CISSP Boot Camp
- Practice exams and question banks
- Study groups and discussion forums
- Time management:
- Set a realistic exam date based on your experience
- Study 2-3 hours daily for 3-6 months
- Focus extra time on unfamiliar domains
- Take full practice exams under test conditions
- Key study strategies:
- Start with a practice test to identify weak areas
- Master core concepts before memorizing details
- Draw mind maps connecting related topics
- Explain concepts to others to test understanding
- Review real-world applications of each domain
- Common pitfalls to avoid:
- Studying only technical details
- Skipping practice questions
- Reading without active engagement
- Cramming before the exam
- Neglecting unfamiliar domains
CISSP domains: Key takeaways
The CISSP certification tests your ability to think like a senior security professional. Success requires:
- Understanding how risk management drives security decisions
- Knowing when to apply technical controls versus administrative ones
- Recognizing security's role in supporting business goals
- Balancing security with operational needs
- Thinking beyond individual controls to complete security programs
Remember that the CISSP exam tests your ability to select the BEST answer, not just a technically correct one. Questions often present realistic scenarios where you'll need to consider business impact, cost and practicality alongside security requirements.
Want more guidance for your CISSP journey? Download our CISSP exam tips ebook for proven study strategies and exam insights. For a broader view of how CISSP fits into your career path, check out Cybersecurity certifications and skills: A roadmap for mid-career professionals.
Quick summary: FAQs
What experience do I need for the CISSP?
Five years of cumulative paid work experience in two or more of the eight CISSP domains. A four-year college degree (or regional equivalent) or an ISC2-approved credential satisfies one year of that requirement; only one such waiver applies.
How long is the exam?
Three hours maximum, with 100-150 questions using computerized adaptive testing (CAT).
What's the passing score?
700 out of 1000 points. The CAT format means your score depends on question difficulty and your answer patterns.
How do I maintain my certification?
Earn 120 Continuing Professional Education (CPE) credits every 3 years and pay an annual maintenance fee.
Can I take the exam without experience?
Yes. If you pass the exam without the required experience, you become an Associate of ISC2 and have six years to earn the five years of experience needed for full certification.
Which domain should I study first?
Start with Security and Risk Management. It provides foundations for other domains and carries the highest exam weight, at 16%.