
Realistic expectations are the best. We want you to know what is, and what is not included in the course.
You have lifetime access to the content which includes:
36+ hours of video content
25 Applied cases
9 Quizzes
2 Practice exams with 245 questions each
All Quizzes and Practice exams have detailed explanations to support and explain the solutions
Guided overview of the course content and how to approach the course.
Congratulations, you are embarking on a journey to become part of the global (ISC)² community.
Not only are you taking a critical step in your own career, but you're also taking an active role in inspiring a safe and secure cyber world.
Earning the CISSP certification demonstrates your ability to design and manage nearly all aspects of an organizations cybersecurity strategy.
All information security professionals who are certified by (ISC)² recognize that such certification is a privilege that must be both earned and maintained. All (ISC)² members are required to commit to fully support the (ISC)2 Code of Ethics Canons.
This section addresses ethics, security concepts, structure, standards, and overall governance we use to establish the protection of information assets. The preliminary content will be a foundation for the whole course. We will be introducing concepts and principles that will be built upon throughout the course.
To pass the CISSP exam, it will be critical that you learn and understand all the content thoroughly.
After completing this section you should be able to:
Justify an organizational code of ethics.
Relate confidentiality, integrity, availability, non-repudiation, authenticity, privacy, and safety, to due care and due diligence.
Ensure organizational processes fulfill roles and responsibilities by means of business strategy, goals, mission, and objectives.
Explain the relationship of privacy protection to organizational information security risk management.
Explain how cybercrimes and data breaches apply to privacy.
Explain how licensing and Intellectual Property (IP) requirements apply to privacy.
Explain how import and export controls apply to privacy.
Explain how transborder data flow applies to privacy.
Explain the significance of basic secure design principles.
Module Overview and Objectives
After completing this module you should be able to:
Understand what a code of ethics is and (ISC)² ethics expectations.
Module Overview and Objectives
After completing this module you should be able to:
Justify an organizational code of ethics.
Module Overview and Objectives
After completing this module you should be able to:
Relate confidentiality, integrity, availability, non-repudiation, authenticity, privacy, and safety, to due care and due diligence.
Module Overview and Objectives
After completing this module you should be able to:
Ensure organizational processes fulfill roles and responsibilities by means of business strategy, goals, mission, and objectives.
Module Overview and Objectives
After completing this module you should be able to:
Describe contractual, legal, industry standards, and regulatory requirements.
Explain the relationship of privacy protection to organizational information security risk management.
Explain how cybercrimes and data breaches apply to privacy.
Explain how licensing and intellectual property (IP) requirements apply to privacy.
Explain how transborder data flow applies to privacy.
Module Overview and Objectives
After completing this module you should be able to:
Describe contractual, legal, industry standards, and regulatory requirements.
Explain the relationship of privacy protection to organizational information security risk management.
Explain how cybercrimes and data breaches apply to privacy.
Explain how licensing and intellectual property (IP) requirements apply to privacy.
Explain how transborder data flow applies to privacy.
Module Overview and Objectives
After completing this module you should be able to:
Explain the significance of basic secure design principles.
This provides a glossary of terms used in this module.
This section addresses the protection of valuable assets to an organization as these assets go through their life cycle.
It addresses the creation and or collection, identification and classification, protection, storage, usage, maintenance, disposition, retention and archiving, and defensible destruction of assets. To properly protect valuable assets such as information, an organization requires the careful and proper implementation of ownership and classification processes which can ensure that assets receive the level of protection based on their value to the organization.
After completing this section you should be able to:
Identify information assets.
Classify information assets.
Categorize information assets.
Explain the importance of treating information as an asset.
Manage information assets.
Differentiate the data roles.
Select data security standards to meet organizational compliance requirements.
Module Overview and Objectives
After completing this module you should be able to:
Identify information assets.
Classify information assets.
Categorize information assets.
Explain the importance of treating information as an asset.
Module Overview and Objectives
After completing this module you should be able to:
Differentiate the IT asset management lifecycle from the data security lifecycle.
Relate the data states of in use, in transit, and at rest to the data lifecycle.
Relate the different roles that people and organizations have with respect to data.
Module Overview and Objectives
After completing this module you should be able to:
Differentiate the IT asset management lifecycle from the data security lifecycle.
Relate the data states of in use, in transit, and at rest to the data lifecycle.
Relate the different roles that people and organizations have with respect to data.
Module Overview and Objectives
After completing this module you should be able to:
Describe the different security control types and categories.
Explain the use of data security standards and baselines to meet organizational compliance requirements.
This provides a glossary of terms used in this module.
IAM addresses the roles and access of anyone using a network and how those access privileges are granted or not. We will learn about maintaining confidentiality, integrity, and availability of assets and the resources that are critical to business survival and function.
Central to maintaining protection of business critical assets is the ability to name, associate, and apply suitable identity and access control methodologies and technologies that meet specific business needs.
After completing this section you should be able to:
Explain the identity lifecycle
Implement the identification, authentication, authorization and accounting (IAAA) process.
Compare and contrast access control models and mechanisms.
Identify design implications needed by the human component of information security.
Describe needs for physical and logical access to assets.
Explain the identity store.
Compare and contrast different identity management implementations.
Select appropriate authentication and authorization processes for an organization's environment.
Module Overview and Objectives
After completing this module you should be able to:
Explain the identity lifecycle.
Implement the identification, authentication, authorization and accounting (IAAA) process.
Module Overview and Objectives
After completing this module you should be able to:
Security Models
Compare and contrast access control models and mechanisms.
Module Overview and Objectives
After completing this module you should be able to:
Apply secure system design concepts, security models, and access control models to typical business and organizational processes.
Module Overview and Objectives
After completing this module you should be able to:
Describe needs for physical and logical access to assets.
Module Overview and Objectives
After completing this module you should be able to:
Describe needs for physical and logical access to assets.
Module Overview and Objectives
After completing this module you should be able to:
Explain the identity store.
Compare and contrast different identity management implementations.
Module Overview and Objectives
After completing this module you should be able to:
Explain the identity store.
Compare and contrast different identity management implementations.
Module Overview and Objectives
After completing this module you should be able to:
Select appropriate authentication and authorization processes for an organization's environment.
This provides a glossary of terms used in this module.
An information security professional should have a solid understanding of the principles of security architecture and engineering to design, implement, monitor, and secure a wide range of information systems.
These principles must encompass both the technical architectures, as well as the policies and practices, which implement the technical controls. With this knowledge, a security professional will be able to evaluate the security posture of a system relative to the risk of operation of that system.
After completing this section you should be able to:
Describe the major components of security engineering standards.
Explain major architectural models for information security.
Explain the security capabilities implemented in hardware and firmware.
Apply security principles to different information systems architectures and environments.
Determine the best application of cryptographic approaches to solving organizational information security needs.
Manage the use of certificates and digital signatures to meet organizational information security needs.
Discover the implications of the failure to use cryptographic techniques to protect the supply chain.
Apply different cryptographic management solutions to meet the organizational information security needs.
Verify cryptographic solutions are working and meeting the evolving threat of the real world.
Implement defences against common cryptographic attacks.
Develop a management checklist to determine the organization's cryptologic state of health and readiness.
Module Overview and Objectives
After completing this module you should be able to:
Explain the hardware foundations of security.
Apply security principles to different information systems architectures and environments.
Module Overview and Objectives
After completing this module you should be able to:
Explain the hardware foundations of security.
Apply security principles to different information systems architectures and environments.
Module Overview and Objectives
After completing this module you should be able to:
Determine the best application of cryptographic approaches to solving organizational information security needs.
Module Overview and Objectives
After completing this module you should be able to:
Manage the use of certificates and digital signatures to meet organizational information security needs.
Discover the implications of the failure to use cryptographic techniques to protect the supply chain.
Module Overview and Objectives
After completing this module you should be able to:
Apply different cryptographic management solutions to meet the organizational information security needs.
Verify cryptographic solutions are working and meeting the evolving threat of the real world.
Module Overview and Objectives
After completing this module you should be able to:
Implement defences against common cryptographic attacks.
Develop a management checklist to determine the organization’s cryptologic state of health and readiness.
This provides a glossary of terms used in this module.
Think of this topic as a two-edged sword.
One edge, is the explosive growth in networks, connectivity and communications that has paved the way for the unprecedented shift in business, personal and government services into electronic web-enabled forums. This growth in e-business, and e-commerce greatly expanded the threat surface that fraudsters, criminals, unscrupulous business competitors, nation states and non-nation state actors can use to take harmful actions against others around the world that cuts towards the defenders.
The other edge, which cuts toward the attackers, keeps those e-functions safe, secure and resilient while also keeping their use of telecommunications and network services secure.
We will explore ISOs Open Systems Interconnection seven layer model and the IETS Transmission Control Protocol over internet protocol or TCP over IP model are used by almost every laptop, smartphone, smart house, smart car and other such end-points to communicate with servers and applications in businesses and governments.
After completing this section you should be able to:
Describe the architectural characteristics, relevant technologies, protocols and security considerations of each of the layers in the OSI model.
Explain the application of secure design practices in developing network infrastructure.
Describe the evolution of methods to secure IP communications protocols.
Explain the security implications of bound (cable and fibre) and unbound (wireless) network environments.
Describe the evolution of, and security implications for, key network devices.
Evaluate and contrast the security issues with voice communications in traditional and VoIP infrastructures.
Describe and contrast the security considerations for key remote access technologies.
Explain the security implications of software-defined networking (SDN) and network virtualisation technologies.
Module Overview and Objectives
After completing this module you should be able to:
Understand the role of the ISO OSI 7-Layer and TCP/IP models in internetworking and data communications.
Recognize the fundamental role of encapsulation in packet-based communications such as those used in internetworking.
Define and understand the purpose of advanced persistent threat models and kill chains.
Module Overview and Objectives
After completing this module you should be able to:
Describe the architectural characteristics and relevant technologies associated with the Physical Layer in the OSI model.
Identify relevant threats and countermeasures associated with the Physical Layer in the OSI model.
Explain the security implications of bound (wired or fibre) and unbound (wireless) network environments.
Module Overview and Objectives
After completing this module you should be able to:
Describe the architectural characteristics, relevant technologies, protocols and security threats associated with the Data Link Layer in the OSI model.
Identify relevant threats and countermeasures associated with the Data Link Layer in the OSI model.
Module Overview and Objectives
After completing this module you should be able to:
Describe the architectural characteristics, relevant technologies, protocols and security threats associated with the Network Layer in the OSI model.
Identify relevant threats and countermeasures associated with the Network Layer in the OSI model.
Module Overview and Objectives
After completing this module you should be able to:
Describe the architectural characteristics, relevant technologies, protocols and security threats associated with the Transport Layer in the OSI model.
Identify relevant threats and countermeasures associated with the Transport Layer in the OSI model.
Module Overview and Objectives
After completing this module you should be able to:
Describe the architectural characteristics, relevant technologies, protocols and security threats associated with the Session Layer in the OSI model.
Identify relevant threats and countermeasures associated with the Session Layer in the OSI model.
Module Overview and Objectives
After completing this module you should be able to:
Describe the architectural characteristics, relevant technologies, protocols and security threats associated with the Presentation Layer in the OSI model.
Identify relevant threats and countermeasures associated with the Presentation Layer in the OSI model.
Module Overview and Objectives
After completing this module you should be able to:
Describe the architectural characteristics, relevant technologies, and protocols and security threats associated with the Application Layer in the OSI model.
Identify relevant threats and countermeasures associated with the Application Layer in the OSI model.
Module Overview and Objectives
After completing this module you should be able to:
Describe the evolution of methods to secure IP communications protocols.
Contrast the security considerations of network virtualisation with physical networks.
Describe key software-defined networking (SDN) concepts.
Explain the importance of SDN technology.
Module Overview and Objectives
After completing this module you should be able to:
Describe the architecture and design of computer hardware security.
Describe the evolution of, and security implications for, key network devices.
Module Overview and Objectives
After completing this module you should be able to:
Evaluate and contrast the security issues with voice communications in traditional and VoIP infrastructures.
Evaluate the evolution and security implications of remote computing tools.
Module Overview and Objectives
After completing this module you should be able to:
Evaluate and contrast the security issues with voice communications in traditional and VoIP infrastructures.
Evaluate the evolution and security implications of remote computing tools.
This provides a glossary of terms used in this module.
From a threat surface perspective, the greatest number of potentially exploitable opportunities for threats to cross any of the systems boundaries or perimeters, internal or external to the system, involve attempts to attack software components of the system.
Unauthorized devices may be part of an attack but almost always they are vehicles for bringing a software or data payload into contact with the software elements of the threat surface.
After completing this section you should be able to:
Recognize the many software elements that can put information systems security at risk.
Identify and illustrate major causes of security weaknesses in source code.
Identify major languages within context of language generations.
Describe and assess programming language generations and their security implications.
Identify security issues associated with open-source software.
Illustrate major causes of security weaknesses in database and data warehouse systems.
Identify security issues involving extensive database and data warehouse sharing across multiple organizations.
Explain applicability of OWASP framework to various web architectures.
Determine mitigation strategies to limit ransomware and “live-off-the-land” ransom attacks in various contexts.
Differentiate between major secure coding guidelines to support selection of organizational software development practices.
Identify and explain security implications of major development methodologies.
Explain how IPT affects software risk and development practices.
Identify emerging trends in security virtualisation (e.g., infrastructure as code, micro-boundaries, perimeter virtualisation, firewalls-as-a-service.
Describe security advantages of mature programming environments.
Differentiate between the maturity levels in the SEI CMM.
Identify primary secure coding bodies of practice, differentiating between standards and guidelines.
Contrast major application programming interface (API) methods and tools.
Evaluate risks associated with centralized code repositories.
Distinguish between software and systems lifecycle models.
Explain security implications of program execution (run-time/debug/compiled).
Describe the CI/CD process and identify security advantages.
Contrast legacy SCM approaches with automated configuration tools.
Describe the SOAR approach and identify security advantages.
Identify approaches to, and advocate for, appropriate security testing in systems development environments.
Identify security issues associated with managed services.
Identify methods and artifacts, which would support security assessment of third-party vendors.
Module Overview and Objectives
After completing this module you should be able to:
Recognize the many software elements that can put information systems security at risk.
Module Overview and Objectives
After completing this module you should be able to:
Identify and illustrate major causes of security weaknesses in source code.
Explain the evolution of programming languages and how this relates to security.
Understand security weaknesses and vulnerabilities at the source-code level.
Identify security issues associated with open source software.
Module Overview and Objectives
After completing this module you should be able to:
Illustrate major causes of security weaknesses in database and data warehouse systems.
Identify security issues involving extensive database and data warehouse sharing across multiple organizations.
Module Overview and Objectives
After completing this module you should be able to:
Explain the applicability of the OWASP framework to various web architectures.
Module Overview and Objectives
After completing this module you should be able to:
Determine mitigation strategies to limit ransomware and "live-off-the-land" ransom attacks in various contexts.
Module Overview and Objectives
After completing this module you should be able to:
Explain the value and use of secure coding standards, guidelines, frameworks, and architectural concepts.
Differentiate between major secure coding methodologies to support selection of organizational software development practices.
Describe security advantages of mature programming environments and toolsets.
Evaluate the risks and benefits of code repositories and libraries.
Understand the value of integrated development environments.
Differentiate between the maturity levels in the SEI CMM Identify primary secure coding bodies of practice. Explain the security implications of using the Capabilities Maturity Model as part of managing software development, deployment, and support.
Contrast major Application Programming Interface (API) methods and tools.
Module Overview and Objectives
After completing this module you should be able to:
Explain security implications of program execution environments.
Describe the CI/CD process and its security advantages.
Module Overview and Objectives
After completing this module you should be able to:
Contrast legacy software configuration management approaches with automated configuration tools.
Identify approaches for appropriate security testing in systems development environments.
Identify methods and artifacts which would support security assessment of third-party vendors, COTS and commodity systems, and orphaned systems elements.
Explain the software security assessment issues that arise during organizational mergers and acquisitions.
This provides a glossary of terms used in this module.
Security assessment determines whether the controls implemented to reduce risk have been implemented as designed, are operating as expected and are achieving the desired result.
This assurance can be the result of outside organizations evaluating the control environment or actions taken by the organization itself to evaluate the performance of the controls. Assessment and testing processes must be performed consistently and the results communicated properly so that the organization's management understands the risks they could potentially face.
Audit processes should assure external valuators how much or to what degree an organization's controls meet its compliance expectations. The results of audit assessment and testing activities will allow the organization to identify control gaps and inefficiencies.
This information will be the starting point for continual process improvement activities.
The security professional should be familiar with the strategies, techniques and processes by which organizational expectations for controls are set, evaluated, and improved.
After completing this section you should be able to:
Describe the purpose, process, and objectives of formal and informal security assessment and testing.
Apply professional and organizational ethics to security assessment and testing.
Explain internal, external, and third-party assessment and testing.
Explain management and governance issues related to planning and conducting security assessments.
Explain the role of assessment in data-driven security decision-making.
Module Overview and Objectives
After completing this module you should be able to:
Identify and select security assessment approaches, frameworks, and standards.
Explain internal, external, and third-party assessment and testing.
Describe the process of engaging with key stakeholders involved with security assessment activities.
Module Overview and Objectives
After completing this module you should be able to:
Explain the relationship between control objectives, controls and control assessment.
Identify security implications of various control testing methods.
Apply ethical practices to testing activities.
Select applicable artifacts to meet compliance requirements (test results, log files, and other information to meet compliance needs).
Module Overview and Objectives
After completing this module you should be able to:
Explain the need for data-driven security decision-making, which relies on organizational experiences and performance.
Describe the use of account data to support security decision-making.
Identify key activities associated with proper management of security practices.
Determine performance and risk indicators, and associated data stores, to support decision-making.
Describe the use of operational data to support decision-making.
Integrate organizational performance data with training and awareness activities.
Identify security process data needed to support disaster recovery (DR) and business continuity (BC) operations.
Module Overview and Objectives
After completing this module you should be able to:
Describe proper analysis and reporting of test and assessment results.
Describe organizational response to identified weaknesses.
Identify exception handling procedures within organizational risk tolerance.
Apply ethical practices to disclosure of test results.
This provides a glossary of terms used in this module.
This section addresses three fundamental questions:
What security tasks have been assigned to the operational real time elements both human and non human of the systems infrastructures and business processes the organization depends upon?
How do managers know moment by moment or throughout the days and weeks that those tasks are being executed effectively?
What immediate or urgent changes to the operational tempo technique or sensitivity to incident precursors and indicators do circumstances suggest are needed?
Incident detection and response is the heart of the information security operation set of processes and principles. Everything done in the name of security operations should revolve around this centre, provide support of its purpose, and enable the security operations team to quickly and accurately detect potential intrusions or other incidents and respond to them in a timely manner.
After completing this section you should be able to:
Show how to efficiently and effectively gather and assess security data.
Explain the security benefits of effective change management and change control.
Develop incident response policies and plans.
Link incident response to needs for security controls and their operational use.
Relate security controls to improving and achieving required availability of information assets and systems.
Understand the security and safety ramifications of various facilities, systems, and infrastructure characteristics.
Module Overview and Objectives
After completing this module you should be able to:
Assess what makes logging practices effective and efficient.
Describe the security implications of IDS/IPS.
Describe the operation of, and security implications associated with SIEM systems.
Explain the use of continuous, ingress, and egress monitoring.
Relate UEBA activities with advanced organizational authentication methods and apply UEBA analysis to security improvements.
Describe practical limitations of security monitoring.
Module Overview and Objectives
After completing this module you should be able to:
Assess what makes logging practices effective and efficient.
Describe the security implications of IDS/IPS.
Describe the operation of, and security implications associated with SIEM systems.
Explain the use of continuous, ingress, and egress monitoring.
Relate UEBA activities with advanced organizational authentication methods and apply UEBA analysis to security improvements.
Describe practical limitations of security monitoring.
Module Overview and Objectives
After completing this module you should be able to:
Relate organizational change management practices to information security.
Identify change management standards.
Explain security implications of system provisioning and baselining.
Justify the use of increased automation of change activities in terms of systems and information security.
Identify organizational enforcement approaches to support change management activities.
Module Overview and Objectives
After completing this module you should be able to:
Describe key differences and similarities regarding incident response compliance issues in various standards.
Relate incident detection and response to digital or cyber forensics as processes.
Evaluate the impact of organizational culture and compliance expectations on incident response.
Module Overview and Objectives
After completing this module you should be able to:
Apply incident response standard to incident response activities.
Explain the basic concepts of incident response.
Identify key activities which rely on incident response processes.
Module Overview and Objectives
After completing this module you should be able to:
Determine relative merits of security implications for operational controls.
Associate incident response activities with specific attack forms.
Explain the security implications of machine learning and artificial intelligence tools in security operations.
Assess the security value of third-party services.
Module Overview and Objectives
After completing this module you should be able to:
Describe established approaches to improving systems availability.
Module Overview and Objectives
After completing this module you should be able to:
Apply the lessons of CPTED to info systems security design and operation.
Module Overview and Objectives
After completing this module you should be able to:
Identify information security implications of various physical facilities, systems and infrastructure.
Module Overview and Objectives
After completing this module you should be able to:
Assess information security implications of personnel safety practices.
This provides a glossary of terms used in this module.
Throughout the last eight sections we have looked in depth and breadth that the many challenges facing the practising security professional and the organizations they work for and with. We have examined how the different needs for information security and assurance take different forms and demand different degrees of control, in order to strike a balance between cost, utility, availability, and risk.
This section will thread all of content covered along with three major themes positioned in the real-time.
Risk management, which governs the organization's actions to prepare for and respond to risk events.
Incident response, which also must contain the bad news that happens when risk events become reality
Equipping and empowering the organization's people. Who can and should be the strongest security investment it can make.
This is supported by a last look at some of the relevant standards and frameworks.
After completing this section you should be able to:
Explain how governance frameworks and processes relate to the operational use of information security controls.
Relate the process of conducting forensic investigations to information security operations.
Relate business continuity and disaster recovery preparedness to information security operations.
Explain how to use education, training, awareness, and engagement with all members of the organization as a way to strengthen and enforce information security processes.
Show how to operationalize information systems and IT supply chain risk management.
Module Overview and Objectives
After completing this module you should be able to:
Link governance as a process to the operational use of administrative security controls.
Compare and contrast the security operations characteristics of different types of governance and administrative controls.
Identify key elements of governance frameworks.
Module Overview and Objectives
After completing this module you should be able to:
Link various privacy, cybersecurity, and risk frameworks as compliance requirements to their role in operational processes.
Compare and contrast different frameworks from an operational security perspective.
Module Overview and Objectives
After completing this module you should be able to:
Describe forensic investigations.
Explain the requirements for compliance with forensic investigations.
Explain the chain of custody requirements.
Describe the legal, organizational, and compliance requirements of investigation activities.
Module Overview and Objectives
After completing this module you should be able to:
Explain the overall organizational business continuity practice.
Describe the importance of the business impact analysis (BIA) to the planning process.
Identify the key steps and resources necessary to support the BIA.
Describe training activities and place them within a progressively challenging training strategy.
It's important to keep in mind that the term disaster recovery has a much narrower scope than the normal English language meaning of the word disaster would suggest. Instead, disaster recovery refers to the activities necessary to restore IT and communications services to an organization, in the event of a disruption or outage.
That’s all it means.
Business continuity, by contrast, covers everything it takes to continue to perform vital business or organizational functions during and immediately after a disruption, whether that disruption is a temporary and localized power outage or a major natural disaster that affects an entire region.
Module Overview and Objectives
After completing this module you should be able to:
Advocate for security considerations in personnel practices.
Module Overview and Objectives
After completing this module you should be able to:
Apply basic risk management theory to information security risks.
Module Overview and Objectives
After completing this module you should be able to:
Apply risk management practices to an example business area.
Identify standards associated with supply chain risk management.
Describe service-level agreements to support contractual relationships.
Module Overview and Objectives
After completing this module you should be able to:
Demonstrate the readiness of the human component of organizational information security.
This provides a glossary of terms used in this module.
The CISSP (ISC)² Certification Preparation Course + Quizzes is ideal for experienced security practitioners, managers and executives interested in proving their knowledge across a wide array of security practices and principles.
This course uses detailed lectures, assignments, quizzes, and practice tests to teach and test the concepts learned in each module - and unlike some courses, there is no limitations on the time the course will be available to you - you will have Lifetime access to the course.
Be sure to review the free-access previews to set realistic course expectations.
NOTE: This is not an official (ISC)² Certification course but the content covered in this course covers all the required material to prepare the learner for the CISSP Exam.
Earning the CISSP proves you have what it takes to effectively design, implement and manage a best-in-class cybersecurity program. With a CISSP, you validate your expertise and become an (ISC)² member, unlocking a broad array of exclusive resources, educational tools, and peer-to-peer networking opportunities.
Prove your skills, advance your career, help earn the salary you want and gain the support of a community of cybersecurity leaders here to support you throughout your career.
Most of the persons holding the CISSP certification have the following backgrounds:
Chief Information Security Officer
Chief Information Officer
Director of Security
IT Director/Manager
Security Systems Engineer
Security Analyst
Security Manager
Security Auditor
Security Architect
Security Consultant
Network Architect
Project Manager
Depending on which exam format is chosen by the candidate, the CISSP exam is either three or four hours long; it is up to 250 multiple choice and advanced questions meant to assess your knowledge and understanding of the eight domains within the (ISC)² Common Body of Knowledge (CBK) and you will need to achieve a 70% to pass the certification exam.
The Certified Information Systems Security Professional (CISSP) is the most globally recognized certification in the information security market. CISSP validates an information security professional’s deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization.
The broad spectrum of topics included in the CISSP Common Body of Knowledge (CBK®) ensure its relevancy across all disciplines in the field of information security. Successful candidates are competent in the following eight domains.
CISSP CAT Examination Weights
Domains & Average Weight
Security and Risk Management (16%)
Asset Security (10%)
Security Architecture and Engineering (13%)
Communication and Network Security (13%)
Identity and Access Management (IAM) (13%)
Security Assessment and Testing (12%)
Security Operations (13%)
Software Development Security (10%)
Domains
Domain 1: Security and Risk Management
1.1 - Understand, adhere to, and promote professional ethics
ISC2 Code of Professional Ethics
Organizational code of ethics
1.2 - Understand and apply security concepts
Confidentiality, integrity, and availability, authenticity, and nonrepudiation (5 Pillars of Information Security)
1.3 - Evaluate and apply security governance principles
Alignment of the security function to business strategy, goals, mission, and objectives
Organizational processes (e.g., acquisitions, divestitures, governance committees)
Organizational roles and responsibilities
Security control frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA), Payment Card Industry (PCI), Federal Risk and Authorization Management Program (FedRAMP))
Due care/due diligence
1.4 - Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context
Cybercrimes and data breaches
Licensing and Intellectual Property requirements
Import/export controls
Transborder data flow
Issues related to privacy (e.g., General Data Protection Regulation (GDPR), California Consumer Privacy Act, Personal Information Protection Law, Protection of Personal Information Act)
Contractual, legal, industry standards, and regulatory requirements
1.5 - Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
1.6 - Develop, document, and implement security policy, standards, procedures, and guidelines
Alignment of the security function to business strategy, goals, mission, and objectives
Organizational processes (e.g., acquisitions, divestitures, governance committees)
Organizational roles and responsibilities
Security control frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA), Payment Card Industry (PCI), Federal Risk and Authorization Management Program (FedRAMP))
Due care/due diligence
1.7 - Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements
Business impact analysis (BIA)
External dependencies
1.8 - Contribute to and enforce personnel security policies and procedures
Candidate screening and hiring
Employment agreements and policy driven requirements
Onboarding, transfers, and termination processes
Vendor, consultant, and contractor agreements and controls
1.9 - Understand and apply risk management concepts
Threat and vulnerability identification
Risk analysis, assessment, and scope
Risk response and treatment (e.g., cybersecurity insurance)
Applicable types of controls (e.g., preventive, detection, corrective)
Control assessments (e.g., security and privacy)
Continuous monitoring and measurement
Reporting (e.g., internal, external)
Continuous improvement (e.g., risk maturity modeling)
Risk frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA), Payment Card Industry (PCI))
1.10 - Understand and apply threat modeling concepts and methodologies
1.11 - Apply Supply Chain Risk Management (SCRM) concepts
Risks associated with the acquisition of products and services from suppliers and providers (e.g., product tampering, counterfeits, implants)
Risk mitigations (e.g., third-party assessment and monitoring, minimum security requirements, service level requirements, silicon root of trust, physically unclonable function, software bill of materials)
1.12 - Establish and maintain a security awareness, education, and training program
Methods and techniques to increase awareness and training (e.g., social engineering, phishing, security champions, gamification)
Periodic content reviews to include emerging technologies and trends (e.g., cryptocurrency, artificial intelligence (AI), blockchain)
Program effectiveness evaluation
Domain 2: Asset Security
2.1 - Identify and classify information and assets
Data classification
Asset Classification
2.2 - Establish information and asset handling requirements
2.3 - Provision information and assets securely
Information and asset ownership
Asset inventory (e.g., tangible, intangible)
Asset management
2.4 - Manage data lifecycle
Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
Data collection
Data location
Data maintenance
Data retention
Data remanence
Data destruction
2.5 - Ensure appropriate asset retention (e.g., End of Life (EOL), End of Support)
2.6 - Determine data security controls and compliance requirements
Data states (e.g., in use, in transit, at rest)
Scoping and tailoring
Standards selection
Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB))
Domain 3: Security Architecture and Engineering
3.1 - Research, implement and manage engineering processes using secure design principles
Threat modeling
Least privilege
Defense in depth
Secure defaults
Fail securely
Segregation of Duties (SoD)
Keep it simple and small
Zero trust or trust but verify
Privacy by design
Shared responsibility
Secure access service edge
3.2 - Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
3.3 - Select controls based upon systems security requirements
3.4 - Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
3.5 - Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
Client-based systems
Server-based systems
Database systems
Cryptographic systems
Industrial Control Systems (ICS)
Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
Distributed systems
Internet of Things (IoT)
Microservices (e.g., application programming interface (API))
Containerization
Serverless
Embedded systems
High-Performance Computing systems
Edge computing systems
Virtualized systems
3.6 - Select and determine cryptographic solutions
Cryptographic life cycle (e.g., keys, algorithm selection)
Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum)
Public key infrastructure (PKI) (e.g., quantum key distribution
3.7 - Understand methods of cryptanalytic attacks
Brute force
Ciphertext only
Known plaintext
Frequency analysis
Chosen ciphertext
Implementation attacks
Side-channel
Fault injection
Timing
Man-in-the-Middle (MITM)
Pass the hash
Kerberos exploitation
Ransomware
3.8 - Apply security principles to site and facility design
3.9 - Design site and facility security controls
Wiring closets/intermediate distribution facilities
Server rooms/data centers
Media storage facilities
Evidence storage
Restricted and work area security
Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
Environmental issues (e.g., natural disasters, man-made)
Fire prevention, detection, and suppression
Power (e.g., redundant, backup)
3.10 - Manage the information system lifecycle
Stakeholders needs and requirements
Requirements analysis
Architectural design
Development /implementation
Integration
Verification and validation
Transition/deployment
Operations and maintenance/sustainment
Retirement/disposal
Domain 4: Communication and Network Security
4.1 - Apply secure design principles in network architectures
Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
Internet Protocol (IP) version 4 and 6 (IPv6) (e.g., unicast, broadcast, multicast, anycast)
Secure protocols (e.g., Internet Protocol Security (IPSec), Secure Shell (SSH), Secure Sockets Layer (SSL)/ Transport Layer Security (TLS))
Implications of multilayer protocols
Converged protocols (e.g., Internet Small Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP), InfiniBand over Ethernet, Compute Express Link)
Transport architecture (e.g., topology, data/control/management plane, cut-through/store-and-forward)
Performance metrics (e.g., bandwidth, latency, jitter, throughput, signal-to-noise ratio)
Traffic flows (e.g., north-south, east-west)
Physical segmentation (e.g., in-band, out-of-band, air-gapped)
Logical segmentation (e.g., virtual local area networks (VLANs), virtual private networks (VPNs), virtual routing and forwarding, virtual domain)
Micro-segmentation (e.g., network overlays/encapsulation; distributed firewalls, routers, intrusion detection system (IDS)/intrusion prevention system (IPS), zero trust)
Edge networks (e.g., ingress/egress, peering)
Wireless networks (e.g., Bluetooth, Wi-Fi, Zigbee, satellite)
Cellular/mobile networks (e.g., 4G, 5G)
Content distribution networks (CDN)
Software defined networks (SDN), (e.g., application programming interface (API), Software-Defined Wide- Area Network, network functions virtualization)
Virtual Private Cloud (VPC)
Monitoring and management (e.g., network observability, traffic flow/shaping, capacity management, fault detection and handling)
4.2 - Secure network components
Operation of infrastructure (e.g., redundant power, warranty, support)
Transmission media (e.g., physical security of media, signal propagation quality)
Network Access Control (NAC) systems (e.g., physical, and virtual solutions)
Endpoint security (e.g., host-based)
4.3 - Implement secure communication channels according to design
Voice, video, and collaboration (e.g., conferencing, Zoom rooms)
Remote access (e.g., network administrative functions)
Data communications (e.g., backhaul networks, satellite)
Third-party connectivity (e.g., telecom providers, hardware support)
Domain 5: Identity and Access Management (IAM)
5.1 - Control physical and logical access to assets
Information
Systems
Devices
Facilities
Applications
Services
5.2 - Design identification and authentication strategy (e.g., people, devices, and services)
Groups and Roles
Authentication, Authorization and Accounting (AAA) (e.g., multi-factor authentication (MFA), password-less authentication)
Session management
Registration, proofing, and establishment of identity
Federated Identity Management (FIM)
Credential management systems (e.g., Password vault)
Single sign-on (SSO)
Just-In-Time
5.3 - Federated identity with a third-party service
On-premise
Cloud
Hybrid
5.4 - Implement and manage authorization mechanisms
Role-based access control (RBAC)
Rule based access control
Mandatory access control (MAC)
Discretionary access control (DAC)
Attribute-based access control (ABAC)
Risk based access control
Access policy enforcement (e.g., policy decision point, policy enforcement point)
5.5 - Manage the identity and access provisioning lifecycle
Account access review (e.g., user, system, service)
Provisioning and deprovisioning (e.g., on /off boarding and transfers)
Role definition and transition (e.g., people assigned to new roles)
Privilege escalation (e.g., use of sudo, auditing its use)
Service accounts management
5.6 - Implement authentication systems
Domain 6: Security Assessment and Testing
6.1 - Design and validate assessment, test, and audit strategies
Internal (e.g., within organization control)
External (e.g., outside organization control)
Third-party (e.g., outside of enterprise control)
Location (e.g., on-premises, cloud, hybrid)
6.2 - Conduct security control testing
Vulnerability assessment
Penetration testing (e.g., red, blue, and/or purple team exercises)
Log reviews
Synthetic transactions/benchmarks
Code review and testing
Misuse case testing
Coverage analysis
Interface testing (e.g., user interface, network interface, application programming interface (API))
Breach attack simulations
Compliance checks
6.3 - Collect security process data (e.g., technical and administrative)
Account management
Management review and approval
Key performance and risk indicators
Backup verification data
Training and awareness
Disaster Recovery (DR) and Business Continuity (BC)
6.4 - Analyze test output and generate report
Remediation
Exception handling
Ethical disclosure
6.5 - Conduct or facilitate security audits
Internal (e.g., within organization control)
External (e.g., outside organization control)
Third-party (e.g., outside of enterprise control)
Location (e.g., on-premises, cloud, hybrid)
Domain 7: Security Operations
7.1 - Understand and comply with investigations
Evidence collection and handling
Reporting and documentation
Investigative techniques
Digital forensics tools, tactics, and procedures
Artifacts (e.g., data, computer, network, mobile device)
7.2 - Conduct logging and monitoring activities
Intrusion detection and prevention (IDPS)
Security Information and Event Management (SIEM)
Continuous monitoring and tuning
Egress monitoring
Log management
Threat intelligence (e.g., threat feeds, threat hunting)
User and Entity Behavior Analytics (UEBA)
7.3 - Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)
7.4 - Apply foundational security operations concepts
Need-to-know/least privilege
Separation of Duties (SoD) and responsibilities
Privileged account management
Job rotation
Service-level agreements (SLA)
7.5 - Apply resource protection
Media management
Media protection techniques
Data at rest/data in transit
7.6 - Conduct incident management
Detection
Response
Mitigation
Reporting
Recovery
Remediation
Lessons learned
7.7 - Operate and maintain detection and preventative measures
Firewalls (e.g., next generation, web application, network)
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
Whitelisting/blacklisting
Third-party provided security services
Sandboxing
Honeypots/honeynets
Anti-malware
Machine learning and Artificial Intelligence (AI) based tools
7.8 - Implement and support patch and vulnerability management
7.9 - Understand and participate in change management processes
7.10 - Implement recovery strategies
Backup storage strategies (e.g., cloud storage, onsite, offsite)
Recovery site strategies (e.g., cold vs. hot, resource capacity agreements)
Multiple processing sites
System resilience, high availability (HA), Quality of Service (QoS), and fault tolerance
7.11 - Implement Disaster Recovery (DR) processes
Response
Personnel
Communications (e.g., methods)
Assessment
Restoration
Training and awareness
Lessons learned
7.12 - Test Disaster Recovery Plans (DRP)
Read-through/tabletop
Walkthrough
Simulation
Parallel
Full interruption
Communications (e.g., stakeholders, test status, regulators)
7.13 - Participate in Business Continuity (BC) planning and exercises
7.14 - Implement and manage physical security
Perimeter security controls
Internal security controls
7.15 - Address personnel safety and security concerns
Travel
Security training and awareness (e.g., insider threat, social media impacts, two-factor authentication (2FA) fatigue)
Emergency management
Duress
Domain 8: Software Development Security
8.1 - Understand and integrate security in the Software Development Life Cycle (SDLC)
Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps, Scaled Agile Framework)
Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))
Operation and maintenance
Change management
Integrated Product Team
8.2 - Identify and apply security controls in software development ecosystems
Programming languages
Libraries
Tool sets
Integrated Development Environment
Runtime
Continuous Integration and Continuous Delivery (CI/CD)
Software configuration management (CM)
Code repositories
Application security testing (e.g., static application security testing (SAST), dynamic application security testing (DAST), software composition analysis, Interactive Application Security Test (IAST))
8.3 - Assess the effectiveness of software security
Auditing and logging of changes
Risk analysis and mitigation
8.4 - Assess security impact of acquired software
Commercial-off-the-shelf (COTS)
Open source
Third-party
Managed services (e.g., enterprise applications)
Cloud services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
8.5 - Define and apply secure coding guidelines and standards
Security weaknesses and vulnerabilities at the source-code level
Security of application programming interfaces (API)
Secure coding practices
Software-defined security