The 8 CISSP domains explained

The CISSP® (Certified Information Systems Security Professional) qualification is one of the most respected certifications in the information security industry, demonstrating an advanced knowledge of cyber security.

We recently discussed the benefits of becoming a CISSP. Now, we turn our attention to the structure of the qualification itself and the domains within it.

(ISC)2, which developed and maintains the CISSP qualification, updated the structure of the certificate in 2015, moving from ten domains to eight.

We’ll begin by listing the eight domains, and then go on to explain each one in more detail.

What are the 8 CISSP domains?

CISSP is broken into 8 domains that cover the main aspects of information security. Anyone looking to become a CISSP must show their expertise in each of the domains in order to achieve certification.

  1. Security and Risk Management
  2. Asset Security
  3. Security Architecture and Engineering
  4. Communications and Network Security
  5. Identity and Access Management
  6. Security Assessment and Testing
  7. Security Operations
  8. Software Development Security

Our CISSP exam preparation course covers these eight domains in-depth.

1) Security and Risk Management

Security and Risk Management comprises about 15% of the CISSP exam.

This is the largest domain in CISSP, providing a comprehensive overview of the things you need to know about information systems management. It covers:

  • The confidentiality, integrity and availability of information;
  • Security governance principles;
  • Compliance requirements;
  • Legal and regulatory issues relating to information security;
  • IT policies and procedures; and
  • Risk-based management concepts.

2) Asset Security

Asset Security comprises about 10% of the CISSP exam.

This domain addresses the physical requirements of information security. It covers:

  • The classification and ownership of information and assets;
  • Privacy;
  • Retention periods;
  • Data security controls; and
  • Handling requirements.

3) Security Architecture and Engineering

Security Engineering comprises about 13% of the CISSP exam.

This domain covers several important information security concepts, including:

  • Engineering processes using secure design principles;
  • Fundamental concepts of security models;
  • Security capabilities of information systems;
  • Assessing and mitigating vulnerabilities in systems;
  • Cryptography; and
  • Designing and implementing physical security.

4) Communications and Network Security

Communications and Network Security comprises about 13% of the CISSP exam.

This domain covers the design and protection of an organisation’s networks. This includes:

  • Secure design principles for network architecture;
  • Secure network components; and
  • Secure communication channels.

5) Identity and Access Management

Identity and Access Management comprises about 14% of the CISSP exam.

This domain helps information security professionals understand how to control the way users can access data. It covers:

  • Physical and logical access to assets;
  • Identification and authentication;
  • Integrating identity as a service and third-party identity services;
  • Authorisation mechanisms; and
  • The identity and access provisioning lifecycle.

6) Security Assessment and Testing

Security Assessment and Testing comprises about 12% of the CISSP exam.

This domain focuses on the design, performance and analysis of security testing. It includes:

  • Designing and validating assessment and test strategies;
  • Security control testing;
  • Collecting security process data;
  • Test outputs; and
  • Internal and third-party security audits.

7) Security Operations

Security Operations comprises about 13% of the CISSP exam.

This domain addresses the way plans are put into action. It covers:

  • Understanding and supporting investigations;
  • Requirements for investigation types;
  • Logging and monitoring activities;
  • Securing the provision of resources;
  • Foundational security operations concepts;
  • Applying resource protection techniques;
  • Incident management;
  • Disaster recovery;
  • Managing physical security; and
  • Business continuity.

8) Software Development Security

Software Development Security comprises about 10% of the CISSP exam.

This domain helps professionals to understand, apply and enforce software security. It covers:

  • Security in the software development life cycle;
  • Security controls in development environments;
  • The effectiveness of software security; and
  • Secure coding guidelines and standards.

CISSP training and revision materials

Those who sit the CISSP CBK (Common Body of Knowledge) exam will be tested on each of the eight domains.

The exam consists of 100­­–150 multiple-choice questions and lasts three hours. The pass grade is 70%.

Anyone preparing for that exam should take the take to understand the challenges awaiting you. This might begin by reading the official CISSP study guide. You should also create a consistent study schedule to ensure that you set aside plenty of time to revise for the exam.

During this study period, you should also take practice exams to get used to the sorts of questions you will be asked and how to answer them. Mock exams also help you get to grips with the lengthy examination time.

Three hours is a long time to sit an exam, and some people will struggle to concentrate for the entire time. However, through practice, this will come to you naturally and you can find a system that suits you.

You can find all the guidance you need to pass the exam with IT Governance’s CISSP Blended Online Training Course.

This online course provides the practical and theoretical skills you need to pass the CISSP exam first time. It was developed by industry experts, who use their real-world experience to guide you through the content.

Unlike traditional training courses, blended learning combines instructor-led sessions, guided digital content and one-on-one mentoring, making it ideal for those who want to balance their learning with their work and home schedule.

Blended training is shown to increase engagement, facilitate collaboration and simplify assessment. Find out how IT Governance can help you take advantage of this approach to CISSP training.