The 8 CISSP domains explained

The CISSP® (Certified Information Systems Security Professional) qualification is one of the most respected certifications in the information security industry, demonstrating an advanced knowledge of cyber security.

It ranks alongside CCSP (Certified Cloud Security Professional) and CSSLP (Certified Secure Software Lifecycle Professional) as one of the most in-demand credentials when hiring C-level leaders in information security.

Here, we explain the structure of CISSP and its domains.

CISSP was launched in 1994 and its structure was last updated by (ISC)2 in 2015, moving from ten domains to eight. The domain weightings in the CISSP exam were changed in 2021, but from 15 April 2024 they will change again.

These regular updates made by (ISC)2 ensure that the exam remains aligned with real-world job role expectations.

What are the 8 CISSP domains?

CISSP domain                                    Current weighting          Revised weighting
                                                (effective 1 May 2021)     (effective 15 April 2024)
1. Security and Risk Management                 15%                        16%
2. Asset Security                               10%                        10%
3. Security Architecture and Engineering        13%                        13%
4. Communication and Network Security           13%                        13%
5. Identity and Access Management (IAM)         13%                        13%
6. Security Assessment and Testing              12%                        12%
7. Security Operations                          13%                        13%
8. Software Development Security                11%                        10%

Our CISSP exam preparation course covers these eight domains in depth.

Summary of the CISSP domains

1. Security and Risk Management

This domain comprises 15% of the CISSP exam (16% from 15 April 2024).

This is the largest domain in CISSP, providing a comprehensive overview of information systems management. It covers:

  • The confidentiality, integrity and availability of information (known as the CIA triad);
  • Security governance principles;
  • Compliance requirements;
  • Legal and regulatory issues relating to information security;
  • IT policies and procedures;
  • Risk-based management concepts; and
  • (ISC)2 Code of Ethics.

This domain highlights the complexities of classifying information and helps candidates appreciate how an organisation’s information security function interacts with other areas, such as compliance, operational risk and IT. It also includes fundamental concepts that carry through in every other domain.

2. Asset Security

Asset Security comprises 10% of the CISSP exam.

This domain addresses the physical requirements of information security. It covers:

  • The classification and ownership of information and assets;
  • Privacy;
  • Asset retention, including EoL (end-of-life) and EoS (end-of-support) processes;
  • Stages of the data lifecycle;
  • Data security controls; and
  • Handling requirements.

3. Security Architecture and Engineering

Security Architecture and Engineering comprises 13% of the CISSP exam.

This domain covers several important information security concepts, including:

  • Engineering processes using secure design principles;
  • Fundamental concepts of security models;
  • Security capabilities of information systems;
  • Assessing and mitigating vulnerabilities in systems;
  • Cryptography, including methods of cryptanalytic attacks and key management practices; and
  • Security principles as applied to designing sites and facilities.

For many candidates, this is one of the most challenging domains. The exam questions are scenario based, where candidates need to explain which option they believe is the most strategically correct.

Mastering this domain involves understanding how the principles can be applied in context, considering multiple stakeholders and not just fixing a problem.

4. Communication and Network Security

Communication and Network Security comprises 13% of the CISSP exam.

This domain covers the design and protection of an organisation’s networks. This includes:

  • Secure design principles for network architecture;
  • Secure network components;
  • Secure communication channels; and
  • OSI (Open System Interconnection) and TCP/IP (Transmission Control Protocol/Internet Protocol) models.

5. Identity and Access Management

Identity and Access Management comprises 13% of the CISSP exam.

This domain helps information security professionals understand how to control the way users can access data. It covers:

  • Physical and logical access to assets;
  • Identification and authentication;
  • Integrating identity as a service and third-party identity services;
  • Authorisation mechanisms; and
  • The identity and access provisioning lifecycle.

Identity and access management is considered the first line of defence for protecting information assets.

A number of prominent laws, regulations, standards and frameworks (such as the GDPR and the PCI DSS) implicitly require security controls (policies, procedures and technology) to be designed and implemented to reflect this.

SSO (single sign-on) protocols are also covered here.

6. Security Assessment and Testing

Security Assessment and Testing comprises 12% of the CISSP exam.

This domain focuses on the design, performance and analysis of security testing. It includes:

  • Designing and validating assessment and test strategies;
  • Security control testing;
  • Collecting security process data;
  • Test outputs; and
  • Internal and third-party security audits.

As cyber attacks and threats evolve, regular security audits, penetration tests and ethical hacking are increasingly important.

7. Security Operations

Security Operations comprises 13% of the CISSP exam.

This domain addresses how information security management principles are integrated into the day-to-day running of IT functions to support business objectives. It covers:

  • Understanding and supporting investigations;
  • Requirements for investigation types;
  • Logging and monitoring activities;
  • Securing the provision of resources;
  • Foundational security operations concepts;
  • Applying resource protection techniques;
  • Incident management;
  • Disaster recovery;
  • Managing physical security; and
  • Business continuity.

8. Software Development Security

Software Development Security comprises 11% of the CISSP exam (10% from 15 April 2024).

This domain helps professionals understand, apply and enforce software security principles in the development lifecycle. It covers:

  • Security in the software development lifecycle;
  • Security controls in software development ecosystems;
  • The effectiveness of software security; and
  • Secure coding guidelines and standards.

These principles can be applied when developing software for internal or commercial use, as well as part of due diligence processes when sourcing suppliers.

CISSP training and revision materials

The CISSP exam tests candidates’ knowledge of each of the eight domains.

The exam consists of 100–150 multiple-choice questions and lasts three hours. The pass grade is 70%.

When you are preparing for the exam, we recommend reading the course outline and the official CISSP study guide.

It may also be helpful to talk with a CISSP trainer or subject matter expert, whether informally or in regular one-on-one mentoring sessions.

It is well worth taking practice exams to get used to the sorts of questions you will be asked. Mock exams also help you get to grips with the lengthy examination time.

Earn your credentials

While you don’t have to become a technical expert in every area, the challenge at this level of professional certification is to think like a manager and consider how all the elements work together.

The difference between an engineering qualification and a management qualification like CISSP is the approach to problem solving that you adopt.

Technicians work with what’s directly within their remit. At management level, on the other hand, you need to interact with all areas of the organisation, lead change and prepare for multiple eventualities.

One of the main reasons CISSP is so highly respected and in demand by employers is the scope and quality of the curriculum.

The CISSP credential is earned, not won. It prepares you to take on increasing responsibility with greater ease and confidence.

CISSP training courses from IT Governance

Built and delivered by experts, our training courses will provide everything you need to develop your information security career and pass the CISSP exam first time.

This blog post was updated in January 2024 to reflect the new CISSP exam weighting.