The ISC2 CISSP is the most globally recognized certification in information security. It validates your deep technical and managerial knowledge to design, engineer, and manage the overall security posture of an organization. This course covers all eight domains of the April 2024 exam outline so you build mastery across the full Common Body of Knowledge. You need a minimum of five years of cumulative, full-time experience in two or more of the eight domains, though passing the exam first makes you an Associate of ISC2 with six years to earn it.

Domain  Title                                   Weight
1       Security and Risk Management            16%
2       Asset Security                          10%
3       Security Architecture and Engineering   13%
4       Communication and Network Security      13%
5       Identity and Access Management (IAM)    13%
6       Security Assessment and Testing         12%
7       Security Operations                     13%
8       Software Development Security           10%

Exam details: The CISSP uses Computerized Adaptive Testing (CAT) with 100 to 150 questions over 3 hours. You need 700 out of 1000 points to pass. The exam is available in Chinese, English, German, Japanese, and Spanish.

Domain 1: Security and Risk Management (16%)

  • Understand and promote professional ethics, including the ISC2 Code of Professional Ethics and organizational ethics
  • Apply security concepts, including confidentiality, integrity, availability, authenticity, and non-repudiation (the 5 Pillars of Information Security)
  • Evaluate and apply security governance principles and align the security function to business strategy
  • Understand legal, regulatory, and compliance issues, including investigation types (administrative, criminal, civil, regulatory, industry standards)
  • Develop and implement security policy, standards, procedures, and guidelines
  • Identify and implement Business Continuity (BC) requirements, including business impact analysis (BIA)
  • Apply risk management concepts, including threat and vulnerability identification, risk analysis, risk response, and risk frameworks (ISO, NIST, COBIT, SABSA, PCI)
  • Apply supply chain risk management (SCRM) concepts, including product tampering, counterfeits, silicon root of trust, and software bill of materials
  • Establish a security awareness, education, and training program

Domain 2: Asset Security (10%)

  • Identify and classify information and assets, including data and asset classification
  • Establish information and asset handling requirements
  • Provision information and assets securely and manage the data lifecycle
  • Manage data roles, including owners, controllers, custodians, processors, and users
  • Address data remanence and destruction, plus data collection, location, maintenance, and retention
  • Ensure appropriate asset retention, including End of Life (EOL) and End of Support
  • Determine data security controls, including data states (in use, in transit, at rest), scoping, and tailoring
  • Apply data protection methods, including DRM, DLP, and CASB

Domain 3: Security Architecture and Engineering (13%)

  • Apply secure design principles, including threat modeling, least privilege, defense in depth, secure defaults, fail securely, zero trust, and privacy by design
  • Understand security models, including Biba, Bell-LaPadula, and the Star Model
  • Understand security capabilities of information systems, including memory protection, TPM, and encryption/decryption
  • Select and determine cryptographic solutions, including the cryptographic lifecycle, symmetric, asymmetric, elliptic curve, and quantum methods, and PKI
  • Understand cryptanalytic attacks, including brute force, ciphertext only, known plaintext, side-channel, fault injection, timing, MITM, pass the hash, and ransomware
  • Apply security principles to site and facility design, including wiring closets, server rooms, media storage, and fire prevention
  • Manage the information system lifecycle from requirements analysis through retirement and disposal

Domain 4: Communication and Network Security (13%)

  • Apply secure design principles in network architectures, including OSI and TCP/IP models, IPv4/IPv6, and secure protocols (IPSec, SSH, SSL/TLS)
  • Implement segmentation, including physical, logical (VLANs, VPNs), and micro-segmentation with zero trust
  • Secure wireless and cellular networks, including Bluetooth, Wi-Fi, Zigbee, satellite, and 4G/5G
  • Understand modern network concepts, including SDN, VPC, CDN, and performance metrics (bandwidth, latency, jitter, throughput)
  • Secure network components, including NAC systems, endpoint security, and transmission media
  • Implement secure communication channels, including voice, video, collaboration, remote access, and data communications

Domain 5: Identity and Access Management (IAM) (13%)

  • Control physical and logical access to assets, including information, systems, devices, and facilities
  • Design an identification and authentication strategy for people, devices, and services, including MFA and passwordless authentication
  • Implement federated identity with a third-party service, including SSO and Federated Identity Management (FIM)
  • Implement and manage authorization mechanisms, including RBAC, rule-based access control, MAC, DAC, ABAC, and risk-based access control
  • Manage the identity and access provisioning lifecycle, including provisioning, deprovisioning, role transitions, and privilege escalation
  • Implement authentication systems across on-premises, cloud, and hybrid environments

Domain 6: Security Assessment and Testing (12%)

  • Design and validate assessment, test, and audit strategies
  • Conduct security control testing, including vulnerability assessment, penetration testing (red, blue, purple team), log reviews, and code review
  • Apply synthetic transactions, misuse case testing, interface testing, and breach attack simulations
  • Collect security process data, including account management, KPIs and KRIs, backup verification, and training
  • Analyze test output and generate reports, including remediation, exception handling, and ethical disclosure
  • Conduct or facilitate security audits, including internal, external, and third-party audits

Domain 7: Security Operations (13%)

  • Understand and comply with investigations, including evidence collection and handling, digital forensics, and artifacts
  • Conduct logging and monitoring activities, including SIEM, continuous monitoring, egress monitoring, threat intelligence, and UEBA
  • Perform configuration management, including provisioning, baselining, and automation
  • Apply foundational operations concepts, including need-to-know, least privilege, Segregation of Duties, privileged account management, and job rotation
  • Conduct incident management, including detection, response, mitigation, reporting, recovery, and lessons learned
  • Operate detection and preventative measures, including firewalls, IDS/IPS, sandboxing, honeypots, anti-malware, and AI-based tools
  • Implement recovery strategies and disaster recovery (DR), including backup strategies, recovery sites, and high availability
  • Participate in Business Continuity (BC) planning, including read-through, tabletop, walkthrough, simulation, parallel, and full interruption testing
  • Implement physical security and address personnel safety, including insider threat awareness

Domain 8: Software Development Security (10%)

  • Integrate security in the Software Development Life Cycle (SDLC), including Agile, Waterfall, DevOps, DevSecOps, and the Scaled Agile Framework
  • Apply maturity models, including the Capability Maturity Model (CMM) and Software Assurance Maturity Model (SAMM)
  • Identify and apply security controls in development ecosystems, including programming languages, libraries, CI/CD, code repositories, and configuration management
  • Assess the effectiveness of software security through SAST, DAST, software composition analysis, and IAST
  • Assess the security impact of acquired software, including COTS, open source, third-party, and managed/cloud services
  • Define and apply secure coding guidelines and standards, including API security and secure coding practices

Work through all eight domains, then test your knowledge before exam day. The CISSP rewards breadth, so understand each domain at a managerial level rather than memorizing technical detail alone. For more certification courses and hands-on playbooks, visit Courses and Playbooks.