Becoming a Certified Information Systems Security Professional (CISSP) is an excellent way to level up your cybersecurity career, but earning this prestigious certification requires rigorous preparation.
A crucial initial step is understanding the CISSP exam objectives, encompassing the 8 domains of the CISSP Common Body of Knowledge (CBK). Delving deeply into these domains requires significant time and effort. If you're uncertain about committing to the exam, it might seem impractical to invest so much upfront.
But don’t fret. We’re here to help. This article will explain each of the ISC2 CISSP domains, helping you understand the coverage of the certification and determine whether you're ready to pursue it. We will also discuss the CISSP exam outline so you know what to expect in the examination.
Let’s get started!
What is the ISC2 CISSP CBK?
The CBK forms the foundation for the CISSP certification and is created and maintained by the International Information System Security Certification Consortium (ISC2). This peer-developed compendium represents the expansive body of knowledge every CISSP aspirant must master.
Acting as a collection of global best practices in information security, the CBK ensures that those certified have a consistent and profound understanding of the ever-changing world of cybersecurity. This knowledge is organized into eight distinct information security domains, each offering insights into specific areas of the industry.
Think of it as the CISSP certification syllabus. The CBK provides a comprehensive overview of what is covered in the exam, as well as guidelines in information security, ensuring that certified individuals are well-equipped to address the diverse challenges in today's digital environment.
What are the CISSP domains?
To earn the CISSP certification, you must have a comprehensive understanding of all eight CISSP domains. Essentially, these domains act as the foundational pillars for any CISSP aspirant. Let's delve into their specifics.
The first domain, Security and Risk Management, makes up about 15% of the exam and dives deep into the fundamental aspects of cybersecurity. It focuses on understanding the core security concepts (confidentiality, integrity, availability, authenticity, and non-repudiation) and on honing the skills to identify, assess, treat, and monitor risk.
Additionally, this CISSP domain highlights the pivotal roles of governance and compliance. It illustrates their integration with security practices and stresses the importance of aligning organizations with existing regulations and standards.
As you journey through this domain, you'll gain insights into the strategic importance of security and risk management, preparing you for the multifaceted challenges of today's cybersecurity landscape. Here is what Domain 1 covers:
- Security governance principles
- Compliance requirements
- Professional ethics in information security
- Business continuity requirements
- Risk management concepts
- Threat modeling
- Security policies, standards, procedures, and guidelines
- Security education, training, and awareness
- Supply chain risk management
Covering 10% of the CISSP exam, the second domain, Asset Security, is fundamental to any cybersecurity strategy. At its core, this domain is about safeguarding the confidentiality, integrity, and availability of an organization's assets, whether digital files, databases, or physical infrastructure.
It provides in-depth insights into identifying, classifying, handling, and securing these assets, ensuring protection against unauthorized access, disclosure, changes, or destruction. It equips you with the tools and knowledge to meticulously protect the critical assets that form the backbone of modern enterprises.
Here’s a breakdown of Domain 2:
- Asset classification and ownership
- Privacy protection
- Ensuring appropriate asset retention
- Data security controls
- Data lifecycle
- Security principles associated with cloud-based and on-premises assets
- Security controls for databases
The third domain, Security Architecture and Engineering, covers 13% of the CISSP exam and focuses on building a strong foundation for organizational information security. Think of it as building a fortress for data: the walls, moats, and battlements are the technical solutions, protocols, and processes that keep threats at bay.
In this domain, candidates learn how to design, implement, and manage secure systems, with a focus on resistance, detection, and recovery from potential attacks. In addition to understanding various computing platforms and environments, this domain emphasizes the importance of cryptography, a fundamental tool in securing data both in transit and at rest.
Mastering these CISSP topics equips professionals to develop a robust cybersecurity infrastructure, bolstering defenses against the many digital threats out there. Here are other things you can expect from this domain:
- Secure design principles (such as least privilege, defense in depth, fail securely, separation of duties, and zero trust)
- Fundamental concepts of security models
- Security capabilities of information systems
- Vulnerabilities and countermeasures in client/server, web-based, mobile, cloud, virtualized, and embedded systems
- Cryptography: concepts, methodologies, practices, and common cryptanalytic attacks
- Site and facility design and physical security controls
- Secure protocols and design components
The fourth domain, Communication and Network Security, makes up 13% of the CISSP exam and focuses on the protection and design of an organization's networks and their communication processes. This domain highlights the importance of secure design, implementation, and control measures to guard against eavesdropping, man-in-the-middle attacks, and other network-based threats.
Given the interconnected nature of our world, expertise in Communication and Network Security is crucial. It ensures that professionals can create, oversee, and protect essential connections integral to our digital existence. Here’s what this domain covers:
- Secure network architecture concepts and design
- Secure network components
- Secure communication channels according to design
- Network attacks, vulnerabilities, and countermeasures
- Multilayer protocols and their associated security concerns
- Wireless network security
- Secure network configuration and management
The fifth domain, Identity and Access Management (IAM), makes up 13% of the overall CISSP exam and covers the tools and policies needed to identify, authenticate, and authorize individuals, devices, or groups to access system resources. It dives into how organizations maintain control over access to their systems and data, emphasizing the importance of limiting access to only those who genuinely need it, based on their roles and responsibilities.
Mastering IAM ensures that candidates know how to keep data in the right hands, reducing the risk of breaches and unauthorized access, which makes it a cornerstone of effective cybersecurity. Below are the topics covered in this domain:
- Physical and logical access to assets
- Identification and authentication of people and devices
- Identity management lifecycle
- Access control models (DAC, MAC, RBAC, rule-based, ABAC, and risk-based)
- Account management practices
- Federated identity management and single sign-on (SSO)
- Biometrics and smartcards as authentication factors
- Access control attacks and countermeasures
Accounting for 12% of the CISSP exam, the sixth domain, Security Assessment and Testing, delves into the methodologies and practices behind evaluating, testing, and assessing an organization's security posture. It emphasizes the importance of proactively identifying vulnerabilities, flaws, and weaknesses before adversaries can exploit them, ensuring systems are resilient against potential attacks.
By learning the principles of this domain, aspirants can equip themselves with a proactive approach to cybersecurity, continually refining defenses and ensuring systems remain robust in the face of emerging threats. The following topics are included in this domain:
- Design and validation of assessment, test, and audit strategies
- Security control testing
- Collection of security process data
- Internal and third-party audits
- Security testing tools and techniques
- Reporting and communication of test and assessment results
The seventh domain, Security Operations, constitutes 13% of the certification exam and dives into the day-to-day tasks and procedures that keep an organization's information assets safe. It emphasizes the need for incident response, disaster recovery, and continuous monitoring to ensure that systems remain secure and resilient against threats, both anticipated and unforeseen.
Candidates who master this domain can ensure the continuous protection of assets, swiftly respond to security events, and adapt defenses based on emerging threats and business needs. Here are the topics covered in this domain:
- Operational security procedures and responsibilities
- Incident response and management
- Disaster recovery (DR) and business continuity (BC) planning
- Data backup and recovery solutions
- Secure logging, monitoring, and audit activities
- Vulnerability management programs
- Physical security components
CISSP Domain 8, Software Development Security, comprises 11% of the CISSP exam and explores the practices and procedures required to keep software products free of exploitable vulnerabilities and flaws. It emphasizes the integration of security throughout the software development lifecycle, from initial design to deployment and maintenance.
With this domain under the candidate’s belt, they can ensure that the very tools and platforms organizations rely on are built with security in mind from the ground up, minimizing risks and maximizing operational integrity. Here are the topics covered in this domain:
- Security in the software development lifecycle (SDLC) and development methodologies
- Security controls in development environments (toolchains, code repositories, and CI/CD pipelines)
- Software security effectiveness assessment
- Security impact of acquired software (COTS, open source, and third-party components)
- Secure coding guidelines and standards
- Secure software deployment, operations, and maintenance
CISSP Overview: What to expect in the CISSP 2023 exam?
The CISSP exam is offered in two formats, depending on the language you choose: Computerized Adaptive Testing (CAT) and the linear exam. Candidates taking the exam in English follow the CAT format, while those opting for Chinese, German, Japanese, Korean, or Spanish follow the linear format.
Although the formats are different, they both follow the same CISSP domain list and examination weights. Here they are:
1. Security and Risk Management (15%)
2. Asset Security (10%)
3. Security Architecture and Engineering (13%)
4. Communication and Network Security (13%)
5. Identity and Access Management (IAM) (13%)
6. Security Assessment and Testing (12%)
7. Security Operations (13%)
8. Software Development Security (11%)
The major difference between the two formats is the length of the exam and the number of items tested. In the CAT format, candidates have 4 hours to answer 125 to 175 multiple-choice questions and advanced innovative items; the adaptive engine selects each subsequent item based on prior answers, so the exam may end once your ability estimate is established. Those taking the linear exam have 6 hours to answer 250 multiple-choice questions. Domain weights are revised with each exam outline update, so confirm the current outline on the ISC2 site before scheduling your exam.
Go deeper into the 8 domains of CISSP
Now that you’re familiar with the CISSP basics, you're equipped to make an informed decision about pursuing this certification. If you're ready to take the plunge, let Destination Certification be your guide.
We've crafted in-depth CISSP domain summaries that dive into each of the ISC2 domains, providing detailed insights into their technical aspects. If you're looking for a deeper exploration of the CISSP topics, our MasterClass is designed to align with your current knowledge and schedule.
In this CISSP online training, the topics discussed are tailored based on your existing familiarity with the CISSP domains, ensuring a comprehensive grasp of all subjects covered in the exam. On top of that, you get a personalized review guide that updates to pinpoint the concepts you still need to reinforce.
The best part? Our courses are led by seasoned CISSP experts with extensive experience in conducting CISSP classes and guiding numerous aspirants to secure their CISSP certification.
So, if you're set on becoming a CISSP, we're here to support you every step of the way.