In this article
The CISSP CBK Domains: Info and Updates
According to the (ISC)² Global Information Security Workforce Survey (GISWS), the global workforce shortage will reach 1.5 million by 2020. In other words, there is a lack of qualified InfoSec professionals on the job market that is causing hiring and staffing difficulties for many organizations. As a result, there is now greater emphasis on forming professionals in the fields and on the certifications that can give IT practitioners a way to measure and prove their skills.
One of the most in-demand IT certification is CISSP®, for Certified Information Systems Security Professionals. An (ISC)² examination validates the candidates’ knowledge, can give them opportunities to advance their career and can provide them a path that would open up new possibilities for more demanding roles in a workplace that recognizes the specialized talents a CISSP credential holder has demonstrated. “CISSPs are information assurance professionals who define the architecture, design, management and controls that assure the security of business environments.” Employers of CISSP-certified professionals shall be confident in the knowledge that their skills are genuine and current.
(ISC)2 and CISSP
“Formed in 1989 [:], (ISC)2® is the largest not-for-profit membership body of certified information and software security professionals worldwide, with nearly 100,000 members in more than 135 countries.”
The (ISC)², or the International Information Systems Security Certiﬁcation Consortium, is the global, non-proﬁt organization that acts as the accreditation body of the CISSP exam; (ISC)² issues the CISSP credentials to qualified candidates via a certification process and administration of an exam that is geared towards verifying the knowledge and skills of IT security professionals across all industries. (ISC)² provides CISSP preparation material and insight, in addition to continued education in learning all there is in the field of information security.
(ISC)²’s CISSP was also the first credential in the field of information security to meet the ISO/IEC Standard 17024 (the accreditation was awarded in 2006). The ISO/IEC standard Conformity assessment – General requirements for bodies operating certification of persons – “provides a global benchmark for personnel certification programs to ensure that they operate in a consistent, comparable and reliable manner worldwide, thereby allowing individuals to have skills that translate across national lines.”
The exam is often updated to keep up with this ever-changing field and to ensure professionals are tested on the latest thematic and can demonstrate skills that are relevant to the current Information Assurance scenery. Many organizations, in fact, rely on this test to ensure the readiness of their IT security teams; for example, the CISSP cert is approved by the DoD for workforce conducting Information Assurance (IA) functions.
When you earn an (ISC)² certification, you also become a member. The benefits of (ISC)² Membership include access to a full spectrum of global resources, educational tools, and peer networking opportunities to meet and collaborate with other security professionals through a local (ISC)² Chapter, as well as participate online to free programs, briefings and webinars—e.g., the (ISC)² e-Symposium Seminar Series, the (ISC)² ThinkTANK webinars—and industry events like the (ISC)² one-day local events and the (ISC)² Security Congress.
Like with other IT certifications, the CISSP cert requires the holder to obtain continuing professional education credits or CPEs to keep the accreditations current after certification. Principally, the CPEs ensure the professional is continually exposed to current InfoSec-related material. CPE credits can also be awarded through participation to (ISC)² Security Congress and other associated events, such as the 7th Annual (ISC)² Security Congress on September 25-27, 2017 – to be held JW Marriott in Austin, TX.
There are many reasons to acquire this certification. To become a CISSP shows one’s commitment as an information security professional; second, a CISSP certification fulfills government and organization requirements; third, a great percent of cyber-jobs in the contracting industry require this certification, as noted Ryan Fahey, InfoSec Institute, and; lastly because CISSP is globally recognized. Many SMEs in this profession agree that the (ISC)² Certified Information Systems Security Professional (CISSP) is one of the ‘Top Security Certifications You Should Have.’
The (ISC)2® CISSP CBK
CISSP candidates are tested on their practical skills associated with the theoretical knowledge related to CBK (Critical/Complete Body of Knowledge) domains that focus on theory for designing and maintaining the security infrastructure within an organization to include the “understanding of new threats, technologies, regulations, standards, and practices,” as reported on the (ISC)² website.
The (ISC)² CISSP Common Body of Knowledge (CBK), aka the Critical/Complete Body of Knowledge, is an established common framework of information on security terms and principles, a compendium of cyber security topics. The CBK was finalized in 1992, but it was in 1988 that a coalition of several organizations met to establish a much needed Common Body of Knowledge (CBK) that was officially established in 1989. The first CISSPs were certified back in 1994.
CISSPs are SMEs with work involvement in two or more of the eight domains of the CISSP CBK and possess thorough knowledge, skills, and experience through training and learning. Those that hold the CISSP certification have demonstrated the necessary talents to perform the operational duties at enterprises while abiding by the high ethical standards set forth by the (ISC)²’s Code of Ethics that provides a clear measure of competence for the entire profession; this, assures uniformity across the industry so that everyone in the field is on the same page.
As mentioned, CISSP history is made of several updates and curriculum refreshes that ensure its correspondence with the skills necessary in the ever-evolving IT world. One of the latest updates was a thorough streamlining that brought the domains from 10 to 8 in 2015. Currently, (ISC)²’s CISSP Exam covers the following eight domains:
- Security and Risk Management – A domain about different aspects of risk. Weight in the exam: 16%.
This is a domain that covers general, basic concepts in information security, especially focusing on confidentiality, integrity, and availability (CIA). Testers, then, are evaluated on skills related to the implementation of security policies and procedure as well as on the perfecting of business continuity planning and recovery points as well as implementing solid user awareness programs. Great emphasis is placed on risk management especially in relation to the safe acquisition of new software, hardware, and services. Topics tested include:
- CIA – understanding the concept of confidentiality, integrity, and availability
- Compliance – including law and privacy requirements
- Security and risk managements – identify threats, countermeasures, monitoring and reporting
- Policies and procedures
- Asset Security –. A domain on Protecting Security of Assets. Weight in the exam: 10%.
This is an important domain as it deals with the issues related to the management of data and the concept of ownership of information. This includes knowledge of the different roles regarding data processing (owner, processor, etc.:) as well as privacy concerns and limitations of use. Topics tested include:
- Information and asset classification
- Ownership (e.g. data owners, system owners)
- Protect privacy
- Appropriate retention
- Data security controls – how to protect data at rest or in transit, cryptography, etc.
- Handling requirements (e.g. markings, labels, storage) – also includes destruction
- Security Engineering – see Security Architecture & Design Skillset. A domain on applying principles in IS architecture design. Weight in the exam: 12%.
This is a domain with a wide scope and covering several important concepts in information security. Candidates are tested on security engineering processes, models, and design principles. Vulnerabilities, database security, crypto systems, and clouds are also covered in this domain. Topics tested include:
- Engineering processes using secure design principles
- Security models fundamental concepts
- Security evaluation models
- Security capabilities of information systems
- Security architectures, designs, and solution elements vulnerabilities
- Web-based systems vulnerabilities
- Mobile systems vulnerabilities
- Embedded devices and cyber-physical systems vulnerabilities – includes IoT and devices in networks
- Cryptography – PKI, digital signatures, keys, digital rights and cryptanalytic
- Site and facility design secure principles
- Physical security – concerns with water flooding, fires, storage security and more strictly “physical” issues
- Communications and Network Security – see Communication and Network Security Skillset. A domain that focuses on Designing and Protecting Network Security. Weight in the exam: 12%.
An important domain, this section of the exam deals with network security and the ability to create secure communication channels. Testers will have to answer questions on different aspects of network architecture, communication protocols, segmentations, routing and wireless transmissions. Topics tested include:
- Secure network architecture design (e.g. IP & non-IP protocols, segmentation) – covers wireless technology, cryptography applied to communications, TCP/IP
- Secure network components – access control, transmission media, communication hardware
- Secure communication channels – VPN, VLAN, instant messaging, remote collaboration
- Network attacks
- Identity and Access Management – see Authorization. A domain to understand the different styles of controlling the way that users gain access to data. Weight in the exam: 13%.
This part of the test deals with attacks that exploit the human component to gain access to data and ways to identify those who have rights to access to servers and information. It covers the concept of sessions, multi-factor authentication, proofing, credentials, role-based or rule-based access control, MAC, and DAC. Topics tested include:
- Physical and logical assets control
- Identification and authentication of people and devices – identity management, registration, credentials, techniques for authentication including biometrics.
- Identity as a service (e.g. cloud identity)
- Third-party identity services (e.g. on premise)
- Access control attacks
- Identity and access provisioning lifecycle (e.g. provisioning review)
- Security Assessment and Testing – see Security Assessment and Testing of the CISSP CBK. A domain that concentrates on Designing, Performing, and Analyzing Security Testing. Weight in the exam: 11%.
This crucial domain covers all the tools and techniques used to assess the security of systems and find vulnerabilities, errors in coding or design, weaknesses and possible areas of concerns not corrected by policies and procedures. Vulnerability assessment and penetration testing would fall under this domain. Also, disaster recovery and business continuity plans, as well as awareness training for users, are also covered. Topics tested include:
- Assessment and test strategies
- Security process data (e.g. management and operational controls)
- Security control testing
- Test outputs (e.g. automated, manual)
- Security architectures vulnerabilities
- Security Operations – see Security Operations Fundamentals Skillset. A domain that highlights Foundational Concepts, Investigations, Incident Management, Disaster Recovery. Weight in the exam: 16%.
Another broad and very practical domain, it ranges from discussing digital forensic and investigations to intrusion prevention and detection tools, firewalls and sandboxing. Topics tested include:
- Investigations support and requirements – digital forensics, regulatory concerns
- Logging and monitoring activities – IDPS, event management, monitoring of systems
- Provisioning of resources
- Foundational security operations concepts – assign roles, monitor access privileges, information lifecycle
- Resource protection techniques
- Incident management – from incident to remediation to after-incident review
- Preventative measures – IDPS, sandboxing, honeypots, firewall, malware prevention
- Patch and vulnerability management
- Change management processes
- Recovery strategies – backup, multiple operation sites
- Disaster recovery processes and plans
- Business continuity planning and exercises
- Physical security
- Personnel safety concerns
- Software Development Security – see Software Development Security Fundamentals Skillset. A domain on Understanding, Applying and Enforcing Software Security. Weight in the exam: 10%.
The last domain deals with implementing security controls on software within the environment for which the security information system expert is responsible. Auditing, risk analysis and the identification of vulnerabilities in source codes are all covered in this section. Topics tested include:
- Security in the software development lifecycle
- Development environment security controls
- Software security effectiveness – auditing, risk analysis
- Acquired software security impact
The CISSP CBK exam tests one’s competence in these domains. To learn each domain will enable the tester to get a good grasp not only of the topics needed to pass the test but also of the knowledge required to excel in this career and perform related operational duties.
The (ISC)2 certification exams consist of a 250-multiple-choice question with a six-hour time limit; the passing grade is 700 out of 1000 points which equal a 70% passing score. Tests are held at Pearson VUE® Authorized Test Centers in a proctored environment. To take the exam, candidates need to register at www.pearsonvue.com/isc2. The approximate cost of the CISSP exam is $599 USD for Americas, Asia Pacific, Middle East and Africa regions. (See the latest Examination Pricing chart here.)
As mentioned in the (ISC)² checklist for certification, once a candidate has successfully passed the examination, they will have nine months from the date they sat for the exam to complete the endorsement process. This involves an endorser’s review of the applicants’ work. The tester needs to prove experience in two or more of the CISSP domains. In the end, the new member will receive a certificate and ID card via mail.
Recertification is required every three years (see Renewal Requirements), with ongoing requirements to maintain the credentials, which involves primarily earning 120 Continuing Professional Education (CPE) credits every three years with a minimum of 20 CPEs earned each year after certification. If the CPE requirements are not met, as noted (ISC)², CISSPs must retake the exam to maintain certification. The CISSPs must also pay an Annual Maintenance Fee (AMF) of US$85. In addition to the three-year cycle of certification, a US$35 is the reinstatement fee that has to be paid upon recertification.
Preparing for the Test
The Certified Information Systems Security Professional certification is an exam that focuses on the tester’s familiarity of every domain in the CBK- Critical/Complete Body of Knowledge in information security. To make sure all aspects of the test are covered, candidates can use learning material, which is widely available online. The official website list textbooks and provides practice exams. In addition, the community rated resources for CISSP CBK and Skillset.com CISSP practice questions are a good place to start.
Here are a few study books, an app, and webinar for the new CISSP CBK 2015:
“The Official (ISC)² Guide to the CISSP CBK, Fourth Edition provides a comprehensive study of the refreshed 8 domains.” (ISC)² refers to it as the encyclopedia of topics.
“(ISC)² Certified Information Systems Security Professional Official Study Guide, 7th Edition covers 100% of the CISSP Common Body of Knowledge (CBK):”
“CISSP Official (ISC)² Practice Tests provides you with 1300 unique practice questions, covering all CISSP exam domains.”
“CISSP for Dummies, 5th Edition provides you with a friendly and accessible framework for studying for this highly sought-after certification.” This is (ISC)² Approved.
Aside from these, “Shon Harris’ CISSP All-in-One Exam Guide [7th Edition] is definitely worth checking out,” reports SSI Logic on its CISSPExamPractice.com website. This book is completely revised and updated for the 2015 CISSP body of knowledge.
Be sure also to check out what other online resources are available too. Other ways to study for the exam include:
The Official (ISC)² CISSP App. “It includes flashcards, study questions and practice tests covering 100% of all exam objectives.” The app is based on the new Sybex CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide.
(ISC)²’s CBK Domain Preview – A webinar with a detailed overview of each domain of an (ISC)² credential.
Testers can contact (ISC)2 Official Training Providers and also the InfoSec Institute that offers training on Common Body of Knowledge (CBK). The Institute can ensure your preparation for the CISSP exam is complete through resources like CISSP Boot Camp course. This 7 Day CISSP Boot Camp Prep Course, is available in many locations in the US and Live Online. Students will have access to self-assessment exercises to know which of the CISSP domains they will need to spend more time reviewing, as well as take the CISSP practice exam to sharpen their knowledge and review the 8 CISSP Skillsets covering all domains.
The CISSP is one of the most sought-after certifications and can increase the marketability of computer specialists allowing them to have access, in most cases, to higher paying jobs. Preparing to take the (ISC)² Common Body of Knowledge test can also help InfoSec professionals fine-tune their skills and ensure they are knowledgeable in all important aspects of IT security.
Ehacking – ehacking.net. (2012). InfoSec Institute CISSP Course Review. Retrieved from http://www.ehacking.net/2012/07/infosec-institute-cissp-course-review.html
Ellzey, K. (2015). CISSP Domains: 2015 Update. Retrieved from http://resources.infosecinstitute.com/wp-content/uploads/The-CISSP-Domains-2015-Update.pdf
Hines, M. (2015, April 16). (ISC)2: Global Infosec Workforce Shortfall to Reach 1.5m by 2020. Retrieved from http://www.infosecurity-magazine.com/news/global-infosec-workforce-2020/
InfoSec Institute. (n.d.). CISSP. Retrieved from http://resources.infosecinstitute.com/category/certifications-training/cissp/
InfoSec Institute. (n.d.). COMMUNITY RATED RESOURCES FOR CISSP. Retrieved from http://certs.infosecinstitute.com/certification/CISSP
Intense School. (n.d.). CISSP Boot Camp. Real CISSP Training By Real CISSP Certification Experts! Retrieved from http://www.intenseschool.com/boot_camp/network_security/cissp
(ISC)² Inc. (n.d.). Celebrating its 25th anniversary, (ISC)2: Retrieved from https://learning.isc2.org/sites/learning.isc2.org/files/CISSP-WEB.pdf
(ISC)² Inc. (n.d.). CISSP Domains. Retrieved from https://www.isc2.org/cissp-domains/default.aspx
(ISC)² Inc. (n.d.). CISSP Information. Retrieved from https://www.isc2.org/uploadedfiles/credentials_and_certifcation/cissp/cissp-information.pdf
(ISC)² Inc. (n.d.). (ISC)² Overview. Retrieved from https://www.isc2.org/uploadedfiles/(isc)2_public_content/(isc)2-company-overview.pdf?utm_campaign=aboutisc2&utm_source=pearson&utm_medium=relatedlink&utm_content=sidenav
Skillset. (n.d.). Take our CISSP practice exam engine for a test drive! Retrieved from https://www.skillset.com/certifications/cissp
Recent Articles and Updates
- Adding a Section to PE Binary
- API Call Logging Part I
- Security Awareness Training for the European Union General Data Protection Regulation (EU GDPR)
- An Introduction to tmux
- USV CTF
- An Examination of the Caesar Methodology, Ciphers, Vectors, and Block Chaining
- Analysis of a spam bot
- Stapler Walkthrough
- Integrate WHONIX with Kali Linux to Achieve Anonymity
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Unprotected MongoDB Installations: child's play for hackers
- A Brief Summary of Encryption Method Used in Widespread Ransomware