From banks to retailers and universities to hospitals, protecting digital information is a top priority. One of the top seals of approval in the information security profession is the CISSP (Certified Information Systems Security Professional) designation. The CISSP exam, administered by the International Information Systems Security Certification Consortium or (ISC)², is recommended for security analysts, managers, auditors, architects and systems engineers, as well as IT directors and chief information security officers.
To earn the CISSP designation, you must have at least five years of paid full-time work experience in at least two of the eight domains of practice and knowledge covered on the CISSP exam. In some cases, four years of relevant experience is acceptable (e.g., if you hold at least a 4-year college degree or a regional equivalent).
The eight domains covered on the CISSP exam include:
1) Security and Risk Management
2) Asset Security
3) Security Engineering
4) Communications and Network Security
5) Identity and Access Management
6) Security Assessment and Testing
7) Security Operations
8) Software Development Security
Regardless of your work history, in order to take the CISSP exam, you’ll also need a clean criminal record. Notably, any background in criminal hacking, even if the incident took place in the past, may impact your eligibility.
On the CISSP exam, you’ll encounter 250 multiple choice and “advanced innovative” questions (e.g., simulation questions) from the eight aforementioned domains of knowledge. Notably, while each domain will be covered on the exam, unlike many certification exams, the weight of each section varies slightly from exam to exam.
The computer-based exam, which can be taken at a Pearson VUE testing center, is six hours long. The CISSP exam uses a scaled score which means all candidates who correctly answer enough questions to pass the exam are given a scaled score between 700 and 1,000. 700 is the minimum score required to pass. The following outline offers a snapshot of the key knowledge areas you can expect to encounter on the CISSP CBK 5th Edition exam.
Content Area 1: Security and Risk Management (e.g., Security, Risk, Compliance, Law, Regulations, and Business Continuity)
The first content area addresses a broad range of questions related to security and risk management. The questions in this section focus on ethics, compliance, and common security risks, as well as risk monitoring and risk management strategies. Specifically, test takers should be prepared to respond to questions that probe their readiness to:
• Understand and apply concepts of confidentiality, integrity and availability
• Security roles and responsibilities
• Understand legal and regulatory issues that pertain to information security in a global context (e.g., computer crimes, trans-border data flow and data breaches)
• Understand professional ethics (e.g., exercise (ISC)2 Code of Professional Ethics)
• Develop and implement documented security policy, standards, procedures, and guidelines
• Understand business continuity requirements
• Contribute to personnel security policies (e.g., employment candidate screenings or vendor controls).
• Understand and apply risk management concepts (e.g., identify threats and vulnerabilities, countermeasure selection, and reporting).
• Understand and apply threat modeling (e.g., identifying threats among adversaries, contractors, employees, and trusted partners, and determining and diagramming potential attacks).
• Integrate security risk considerations into acquisition strategy and practice
• Establish and manage information security education, training, and awareness (e.g., appropriate levels of awareness, training, and education required within an organization).
Content Area 2: Asset Security (e.g., Protecting Security of Assets)
The second content area focuses on asset security. CISSP candidates must be capable of evaluating how best to handle data and of developing policies and procedures to ensure data is secure. As such, questions in this section focus on the collection, handling and protection of information at all stages of the information lifecycle, classification of information and ownership issues. To ace this part of the CISSP exam, candidates must be able to demonstrate a capacity to:
• Classify information and supporting assets (e.g., sensitivity, criticality)
• Determine and maintain ownership (e.g., data owners, system owners,
• Protect privacy (e.g., data owners, data processers and data remanence)
• Ensure appropriate retention (e.g., media, hardware, personnel)
• Determine data security controls (e.g., data at rest, data in transit)
• Establish handling requirements (markings, labels, storage, destruction of sensitive information)
Content Area 3: Security Engineering (e.g., Engineering and Management of Security)
The third content area on the CISSP exam focuses on security engineering. Defined as the practice of building information systems and related architecture that can function even in the face of threats (e.g., hacking, natural disasters or system failures), security engineering is a key component of information security work. On this part of the CISSP exam, test takers must demonstrate a capacity to:
• Implement and manage engineering processes using secure design principles
• Understand the fundamental concepts of security models (e.g., Confidentiality,
Integrity, and Multi-level Models)
• Select controls and countermeasures based upon systems security evaluation models
• Understand security capabilities of information systems (e.g., memory protection, virtualization, trusted platform module, interfaces, fault tolerance)
• Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements (e.g., client based and server-based elements, database security, large-scale parallel data systems).
• Assess and mitigate vulnerabilities in web-based systems (e.g., XML, OWASP)
• Assess and mitigate vulnerabilities in mobile systems
• Assess and mitigate vulnerabilities in embedded devices and cyber-physical
systems (e.g., network-enabled devices, Internet of things (loT))
• Apply cryptography (e.g., cryptographic life cycle, cryptographic types and digital signatures).
• Design and implement physical security
• Utilities and HVAC considerations
• Water issues (e.g., leakage, flooding)
Content Area 4: Communication and Network Security (e.g., Designing and Protecting Network Security)
CISSP candidates are expected to demonstrate knowledge of network fundamentals (e.g., network topologies and IP addressing) and cryptography. They are also expected to hold the ability to securely operate and maintain network control devices, such as switches and routers. These topics are grouped under Content Area 4. Specifically, test takers should be prepared to exhibit the ability to:
• Apply secure design principles to network architecture (e.g., IP & non-IP
• Secure network components (e.g., physical devices and endpoint security).
• Design and establish secure communication channels (e.g., remote access).
• Prevent or mitigate network attacks
Content Area 5: Identity and Access Management (e.g., Controlling Access and Managing Identity)
An obvious way to lower security risks is to carefully manage who has access to sensitive data. Content Area 5 focuses on identity and access management issues. More specifically, this domain tests whether CISSP candidates are prepared to:
• Control physical and logical access to assets (e.g., systems and devices)
• Manage identification and authentication of people and devices
• Integrate identity as a service (e.g., cloud identity)
• Integrate third-party identity services (e.g., on-premise)
• Implement and manage authorization mechanisms
• Prevent or mitigate access control attacks
• Manage the identity and access provisioning lifecycle (e.g., provisioning,
Content Area 6: Security Assessment and Testing (e.g., Designing, Performing, and Analyzing Security Testing)
Understanding information assets is a key way to mitigate potential security breaches. For this reason, the sixth content area on the CISSP focuses on assessment and testing. Specifically, this domain tests whether or not candidates can:
• Design and validate assessment and test strategies
• Conduct security control testing (e.g., vulnerability assessment and log reviews)
• Collect security process data (e.g., management and operational controls)
• Analyze and report test outputs (e.g., automated, manual)
• Conduct or facilitate internal and third party audits
Content Area 7: Security Operations (e.g., Foundational Concepts, Investigations, Incident Management, and Disaster Recovery)
A major focus of the CISSP exam is security operations. This area deals with some of the most common areas of information security practice. In other words, for Content Area 7, test takers should be prepared to respond to questions about daily or routine rather than exceptional security operations. Among other areas of knowledge, test takers must be able to demonstrate the ability to:
• Understand and support investigations
• Understand requirements for investigation types (e.g. operational, criminal, civil and regulatory)
• Conduct logging and monitoring activities
• Secure the provisioning of resources (e.g., asset inventory and physical assets)
• Understand and apply foundational security operations concepts
• Employ resource protection techniques
• Conduct incident management (e.g., reporting and recovery)
• Operate and maintain preventative measures (e.g., firewalls)
• Implement and support patch and vulnerability management
• Participate in and understand change management processes (e.g.,
versioning, baselining, security impact analysis)
• Implement recovery strategies
• Implement disaster recovery processes (e.g., communications and restoration)
• Test disaster recovery plans
• Participate in business continuity planning and exercises
• Implement and manage physical security
• Participate in addressing personnel safety concerns (e.g., duress, travel,
Content Area 8: Software Development Security (e.g., Understanding, Applying, and Enforcing Software Security)
The final domain on the CISSP exam focuses on software development security. Test takers should be prepared to respond to questions that test their knowledge and ability to enforce security controls on any software operating in their organizational environment. Specifically, test takers should demonstrate a capacity to:
• Understand and apply security in the software development lifecycle (e.g.,
maturity models and change management)
• Enforce security controls in development environments (e.g., security of code repositories)
• Assess the effectiveness of software security (e.g., auditing and risk analysis)
• Assess security impact of acquired software
Need some practice before taking the CISSP? Download Pocket Prep’s CISSP Exam Prep App to study anywhere, anytime on your mobile device. We also highly recommend purchasing the Certified Information Systems Security Professional Official Study Guide, 7th Edition for additional reference.