
What we cover: Course orientation and external study resources for certification preparation.
Why it matters: Resource awareness supports consistent learning and reduces gaps in security knowledge.
Exam relevance: Not directly tested, but supports readiness through practice questions and supplemental review.
What we cover: Course logistics for downloading study guides and submitting an instructor review.
Why it matters: Effective study resource use supports consistent knowledge retention and self-assessment during preparation.
Exam relevance: No direct exam objectives are tested, but it affects readiness and performance on exam-style questions.
What we cover: Course notation cues that flag high-priority topics, partial lists, and keywords for memorization.
Why it matters: Clear signal interpretation improves accurate terminology recall and reduces misunderstanding of scope.
Exam relevance: Tested indirectly through precise term recognition and selecting correct definitions when distractors use incomplete lists.
What we cover: Identity and access management concepts across asset identity, authentication, authorization, and provisioning lifecycle controls.
Why it matters: Proper IAM control selection reduces unauthorized access by enforcing verified identities and least-privilege access.
Exam relevance: Tested through scenario-based access control decisions, identity service model distinctions, and attack mitigation selection.
What we cover: Access control concepts and the IAAA model across layered defense.
Why it matters: Correct identification and multifactor authentication enable controlled access and individual accountability.
Exam relevance: Tests distinguishing identification versus authentication and selecting valid multifactor factors versus single-factor combinations.
What we cover: Type 1 authentication as the knowledge factor using passwords and related password attack types.
Why it matters: Knowledge factors are easiest to compromise so controls must harden password storage and login behavior.
Exam relevance: Identify password attacks and choose mitigations like salting, key stretching, and lockout thresholds.
What we cover: Type 2 authentication as a possession factor including smart cards, tokens, and one-time passwords.
Why it matters: Possession factors strengthen identity assurance by requiring control of a trusted physical or logical authenticator.
Exam relevance: Tested as factor classification and MFA selection, including HOTP versus TOTP behavior and contact versus contactless card distinctions.
What we cover: Type 3 authentication as the inherence factor using biometric physiological or behavioral characteristics.
Why it matters: Biometric threshold tuning balances false acceptance and false rejection while addressing privacy and non-revocability risks.
Exam relevance: Identify FAR versus FRR and Type 1 versus Type 2 errors and select appropriate authentication and multifactor factors.
What we cover: Authorization decisions using access control models including DAC, MAC, RBAC, ABAC, and context versus content controls.
Why it matters: Correct model selection enforces confidentiality, integrity, and availability requirements through consistent permission assignment and policy constraints.
Exam relevance: Identify models from traits like owner discretion, labels and clearance, roles, attributes, and contextual conditions in scenario questions.
What we cover: Accountability auditing in IAAA links actions to a unique identity through audit logs.
Why it matters: It enables non-repudiation and reliable attribution by preventing shared credentials and protecting log integrity.
Exam relevance: Tested as choosing auditing controls and identifying why shared accounts and modifiable logs break accountability.
What we cover: Centralized versus decentralized access control architectures and their decision points for authorization.
Why it matters: Architecture choice drives consistency, administrative control, and resilience when connectivity or local security varies.
Exam relevance: Tested as selecting appropriate access control models and federated identity methods based on requirements and constraints.
What we cover: Policy Decision Point versus Policy Enforcement Point roles in access control and service account management as an account control category.
Why it matters: Centralized policy decisions with distributed enforcement and least privilege reduce inconsistent access and privileged account abuse.
Exam relevance: Tested as selecting PDP versus PEP placement and identifying service account hardening controls in access scenarios.
What we cover: Identity and access provisioning concepts including entity, identity, attributes, and federated identity versus single sign-on.
Why it matters: Clear identity modeling and lifecycle provisioning supports least privilege, accountability, and consistent access control enforcement.
Exam relevance: Tested as IAM terminology distinctions and selecting federation, SSO, SAML, or IDaaS in access control questions.
What we cover: Authentication protocols for access control with mutual authentication and AAA distinctions across Kerberos, SESAME, RADIUS, and Diameter.
Why it matters: Correct protocol selection determines secure credential exchange and centralized authentication control across networks and services.
Exam relevance: Tested as protocol identification by properties and ports, plus scenario-based selection between ticketing, PKI-based, and AAA methods.
What we cover: TACACS+ versus RADIUS encryption scope and PAP versus CHAP credential handling.
Why it matters: Authentication protocol choice determines credential exposure risk and AAA protection strength.
Exam relevance: Tested as protocol identification and secure selection plus Active Directory domain controller roles and trust directionality.
What we cover: Identity and access management concepts including classification, access control models, authentication, authorization, and accountability.
Why it matters: Correct IAM control selection limits access to authorized subjects and reduces unauthorized access paths.
Exam relevance: Tested through scenario-based selection of access control models, MFA factors, SSO/IDaaS use, and provisioning lifecycle decisions.
What we cover: Security assessment and testing strategies for validating technical, operational, and management controls.
Why it matters: Testing confirms controls work as intended and reveals gaps requiring remediation and clearer reporting.
Exam relevance: Assessed through scenario-based selection of intrusive versus non-intrusive testing and interpreting assessment outputs.
What we cover: Static testing, dynamic testing, fuzzing, penetration testing, and synthetic transaction monitoring as assessment methods.
Why it matters: Each method targets different assurance goals and control validation needs across the software lifecycle.
Exam relevance: Identify which testing approach fits a described objective and distinguish security testing from performance baselining.
What we cover: Security assessments as broad evaluations of control effectiveness across defined organizational scope.
Why it matters: Assessments validate administrative and technical controls and drive risk-based adjustments without undermining user compliance.
Exam relevance: Tested as selecting appropriate assessment types and differentiating audits, vulnerability scanning, vulnerability assessment, and penetration testing by purpose.
What we cover: Security audits and SOC report types, including internal versus external versus structured audits and SOC 1/2/3 distinctions.
Why it matters: Audit type selection validates control design and operating effectiveness against required standards and trust criteria.
Exam relevance: Tested through scenario-based identification of audit type and SOC report scope, audience, and point-in-time versus period coverage.
What we cover: Security audit logs as a detective control with centralized or hybrid collection and protected integrity.
Why it matters: Logging validates access control enforcement and preserves trustworthy evidence for monitoring and investigations.
Exam relevance: Tested through selecting appropriate logging architectures, retention and integrity protections, and prioritizing actionable alerts over noise.
What we cover: Audit strategy differences between on-premises and cloud using the shared responsibility model across service types.
Why it matters: Correctly assigning control ownership ensures appropriate security controls, monitoring scope, and compliance accountability for hosted data.
Exam relevance: Tested through scenario-based responsibility mapping for IaaS, PaaS, and SaaS plus third-party assurance reports and data sovereignty.
What we cover: Audit strategy adjustments for hybrid and cloud environments under shared responsibility and limited visibility.
Why it matters: Correct scoping and control validation maintains consistent security posture across integrated on-prem and cloud resources.
Exam relevance: Tested through scenario-based selection of audit focus, responsibility boundaries, and audit approach differences across deployment models.
What we cover: Vulnerability scanning tools as technical security assessment controls that identify known weaknesses in defined targets.
Why it matters: Proper scope and approvals prevent disruption while enabling accurate prioritization of real vulnerabilities.
Exam relevance: Tested through selecting appropriate scanning actions, interpreting severity ratings, and distinguishing vulnerability findings from risk.
What we cover: Penetration testing scope control and knowledge levels as an assessment activity.
Why it matters: Clear authorization boundaries enable safe, legal testing and accurate risk validation.
Exam relevance: Tested as selecting correct test type, distinguishing box models from hat types, and identifying required engagement documentation.
What we cover: Social engineering influence techniques used to bypass technical and administrative controls by manipulating users.
Why it matters: Recognizing manipulation cues supports correct control selection through awareness training and stricter access control enforcement.
Exam relevance: Tested as identifying attack vectors and selecting appropriate countermeasures based on authority, intimidation, consensus, scarcity, urgency, and familiarity.
What we cover: Penetration testing concepts covering war dialing, war driving, client-side versus server-side attacks, and ethical disclosure.
Why it matters: Accurate attack classification and ethical boundaries guide appropriate control selection and responsible vulnerability handling.
Exam relevance: Tested as terminology distinctions, attack-vector identification, and choosing correct ethical actions and authorization scope.
What we cover: Static versus dynamic software testing and white box versus black box testing within the SDLC.
Why it matters: Early, continuous testing aligns security requirements to design and reduces exploitable defects.
Exam relevance: Identify correct testing type and access level from prompts and distinguish vulnerability from risk using threat presence.
What we cover: Software testing types and their purpose across the release lifecycle.
Why it matters: Testing validates functionality and security while reducing defects introduced by changes.
Exam relevance: Assesses selecting the correct testing method and interpreting coverage and regression needs in scenario questions.
What we cover: Security assessment and testing methods and the threat-plus-vulnerability requirement for risk.
Why it matters: It guides control validation and prioritization by confirming which weaknesses are exploitable and relevant.
Exam relevance: Tested through choosing scans, penetration tests, audits, or code review and distinguishing risk from findings.
* Updated for the 2024 CISSP curriculum and exam. We do in-place updates, meaning any future exam updates you get for free*
Welcome, I am Thor Pedersen, here to help you pass your CISSP certification and advance your career.
Get your CISSP certification, the gold standard in IT Security, and unlock career opportunities with an average salary of over $147,000 in the US.
There are over 82,000 CISSP job openings, so now is the perfect time to get certified.
Join the over 760,000 enrollments from 209 countries who have taken my “Best Selling” and “Highest Rated” CISSP, CISM, and Certified in Cybersecurity (CC) courses here on Udemy.
I think my courses are fantastic but don't just take my word for it. Here's what some of my other students have to say about them:
Thor's videos played a major factor in my ability to pass I cannot recommend them enough! (Blair, ★★★★★).
I passed the CISSP with the ISC Book and Thor's lectures and practice questions. Enough said! (Warren, ★★★★★).
Thor the Legend Pedersen! His course material here, his training site which has other supplementary stuff and his facebook channel all helped me in passing my CISSP. (Kenny, ★★★★★).
This content helped me pass my CISSP first time! It was the main material I used for studying! Very helpful! (Duncan, ★★★★★).
This course assisted me in successfully passing the CISSP Exam! Highly recommend! (Patrick, ★★★★★).
Hi Thor, I used your test and videos and passed the exam at first attempt. (Shan, ★★★★★).
Join our community of successful students and reach your certification goals!
When you buy this course you get all this:
3.5 hours of CISSP videos: Covering the CISSP Domain 5 and 6 exam topics.
39-page PDF CISSP study guides: Detailed guides made from our lectures.
4 Detailed CISSP Mind Maps.
17-page PDF Quick Sheets: For your review sessions.
2-page PDF CISSP Mnemonics.
60 Domain 5-6 practice questions: Test your knowledge with 30 questions from each domain.
18 topic-specific questions: Reaffirm your knowledge after each major topic.
70 website links: Additional resources to deepen your understanding of Domain 5 and 6 topics.
Subtitles in multiple languages: English, Spanish (Latin America), Portuguese (Brazil), French, Arabic, Japanese, Chinese, and Hindi.
An automatic certificate of completion: Hang on your wall or use for CEUs/PDUs. (3 CEUs).
30-day money-back guarantee: No questions asked.
Lifetime Access to the course and all course updates.
Offline video viewing: Available on the Udemy mobile apps.
In Domain 5 we cover:
5.1 Control physical and logical access to assets
5.2 Design identification and authentication strategy (e.g., people, devices, and services)
5.3 Federated identity with a third-party service
5.4 Implement and manage authorization mechanisms
5.5 Manage the identity and access provisioning lifecycle
5.6 Implement authentication systems
In Domain 6 we cover:
6.1 Design and validate assessment, test, and audit strategies
6.2 Conduct security controls testing
6.3 Collect security process data (e.g., technical, and administrative)
6.4 Analyze test output and generate report
6.5 Conduct or facilitate security audits
We continue to update our courses to make sure you have the latest and most effective study materials:
2025: Added 4 CISSP Domain 5-6 Mind Maps. Updated quiz and practice questions.
2024: Updated for the 2024 curriculum. New videos on Policy Decision/Enforcement Points, and Service Account Management, Audit Strategies for Cloud and Hybrid Environments - Part 1 and Part 2. Added subtitles in Japanese and Portuguese (Brazil).
2023: 20+ updates with new content, clearer explanations, practice questions, and study guides. Added subtitles in Spanish (Latin America), French, Arabic, Chinese, and Hindi, and added topic quizzes with 18 questions.
2022: 10+ updates with new content, clearer explanations, practice questions, and study guides.
2021: Full course update for the 2021 curriculum.
2020: 10+ updates with new content, clearer explanations, practice questions, and study guides.
2019: 20+ updates with new content, clearer explanations, practice questions, and study guides.
2018: Full course update for the 2018 curriculum.
Start Your Certification Journey Today!
Join thousands of successful professionals who have transformed their careers with ThorTeaches. Let me guide you to CISSP certification success.
Enroll now and let's achieve your certification goals together!
Thor Pedersen