CISSP domain 6: Security assessment and testing — What you need to know for the exam [Updated 2022]
An organization’s overall information system security strategy would be on poor footing without security assessments, testing and audits. They give an organization the ability to assess their security controls, test pre-release versions of applications, and audit their security processes. Properly implementing these measures requires the design, validation, security process data collection, and the ability to analyze test output and report the results to organization management.
Security assessment and testing is covered by the 6th domain of the CISSP certification exam, which makes up 12% of the CISSP exam material. This article will detail the subdomains of domain 6 and will explore other information that you will need to know for the CISSP certification exam.
Earn your CISSP, guaranteed!
CISSP domain 6: Security assessment and testing
Below are the subdomains and objectives of the 6th domain of the CISSP certification exam:
Design and validate assessment, test, and audit strategies
- Internal
- External
- Third-party
Conduct security control testing
- Vulnerability assessment
- Penetration testing
- Log reviews
- Synthetic transactions
- Code review and testing
- Misuse case testing
- Test coverage analysis
- Interface testing
- Breach attack simulations
- Compliance checks
Collect security process data (e.g., technical and administrative)
- Account management
- Management review and approval
- Key performance and risk indicators
- Backup verification data
- Training and awareness
- Disaster Recovery (DR) and Business Continuity (BC)
Analyze test output and generate reports
- Remediation
- Exception handling
- Ethical disclosure
Conduct or facilitate security audits
- Internal
- External
- Third-party
Now that you know what the objectives and subdomains are, let's explore them in more detail. The security assessment and testing information below will assist you as you get ready for the CISSP certification exam. Further information, such as a full listing of the domains and CISSP linear examination weights, can be found in the CISSP exam outline.
Earn your CISSP, guaranteed!
Auditing
Every organization is different and even the best audit strategies they use need to be updated as time goes on. As such, organizational audit strategies should fit the particular organization and should be tested and assessed on a regular basis to make sure they are up to date.
There are three types of audit strategies – Internal, External, and Third-party. Internal audits should be closely aligned to the organization, the external strategy needs to ensure procedures/compliance are being followed with regular checks and complement the internal strategy. The third-party strategy is an objective, neutral approach that reviews the overall strategy for auditing the organization’s environment, methods of testing, and can also ensure that both internal and external audits are following defined policies and procedures.
Test coverage analysis
You will need to explain the coverage testing types below:
- Black box
- White box
- Dynamic
- Static
- Manual
- Automated
- Structural
- Functional
- Negative
Security controls – new for the 2021 CISSP update
There is some security controls material that is new for the 2021 CISSP update. Breach attack simulations are where you simulate real-world attacks. It is simulated across your whole environment and typically are both automatic and always running. Red and Blue teams use tools that are constantly updated and provide remediation steps and documentation. This makes the breach attack as up to date as possible in terms of attack techniques and allows for a good learning experience.
Security control compliance checks are regularly performed to assess whether the organization is currently following their controls. This may be automated and use either in-house or third-party tools. Failed compliance checks normally end up in the organization investigating and remediating the issues it found.
Awareness vs. Training vs. Education
“Training and awareness” is part of the collect security process data subdomain, but you need to flush out just what these terms mean. Some use awareness, training, and education interchangeably but to do that would be doing your organization a disservice as they are all different levels of training.
Awareness
- Knowledge level: The “what” of an organization's policy or procedure
- Objective: knowledge retention
- Testing method: short quiz post training
Training
- The “how”
- Ability to complete a task
- Application-level problem solving
Education
- The “why”
- Understanding the big picture
- Design-level problem solving with architectural exercises
Analyze test output and generate report
This subdomain has been overhauled for the 2021 CISSP exam update. Those that analyze the security of organization apps and services need to know how to handle test results. Any results of concern need to be reported to management immediately so they can be aware of potential risks and alerts. The detail in reporting to management may be on a “need to know” basis. For the exam, you will need to explain remediation, exception handling and ethical disclosure.
Conduct or facilitate security audits
Security audits should be conducted/facilitated routinely according to what has been established by the organization. Internal audits should occur most frequently of all the audit strategies. External audits should be on an established schedule and should occur quarterly or for other business reasons. Third-party audits need to be on a schedule of its own and should be a check/balance for the other audit types or to provide a more in-depth, neutral audit.
Earn your CISSP, guaranteed!
Conclusion
Security assessment and testing bring a solid level of accountability to an organization’s information systems security. This material is covered by the 6th domain of the CISSP certification exam which accounts for 12% of the overall exam material weight. Use this article as you prepare to take the 2021 CISSP exam update.
For more on the CISSP certification, view our CISSP hub.
Sources
- Exam Pass Guarantee
- Live expert CISSP instruction
- CISSP exam voucher
In this Series
- CISSP domain 6: Security assessment and testing — What you need to know for the exam [Updated 2022]
- CISSP certification - The ultimate guide [updated 2021]
- The CISSP domains and CBK: An overview
- CISSP certification salary: A comprehensive 2024 salary guide
- Definition & types of access control models & methods (updated 2023)
- CISSP domain 4: Communications and network security — What you need to know for the exam [2022 update]
- CISSP domain 5: Identity and access management — What you need to know for the exam [Updated 2022]
- CISSP domain 7: Security operations — What you need to know for the exam [Updated 2022]
- CISSP domain 8 overview: Software development security — What you need to know for the exam [Updated 2022]
- CISSP and DoD 8570/8140: What you need to know [Updated 2022]
- Top 10 CISSP interview questions [Updated 2022]
- CISSP domain 1: Security and risk management — What you need to know for the exam
- The ISC2 code of ethics: A binding requirement for certification
- The CISSP experience waiver [updated 2022]
- Earning CPE credits to maintain the CISSP
- Renewal requirements for the CISSP [updated 2022]
- CISSP computerized adaptive testing (CAT): 25 of your questions answered
- CISSP job outlook [updated 2022]
- CISSP resources: Books, practice exams and other study tools [updated 2022]
- CISSP exam questions: 5 drag & drop and hotspot questions
- Risk management concepts and the CISSP (Part 2) [Updated 2022]
- What is the CISSP-ISSAP? Information Systems Security Architecture Professional [updated 2021]
- Average ISSEP Salary in 2021
- Average ISSMP Salary [updated 2021]
- CISSP domain 3: Security engineering CISSP - What you need to know for the exam [2022 update]
- Understanding the CISSP exam schedule: Duration, format, scheduling and scoring [updated 2021]
- What is the CISSP-ISSEP? Information Systems Security Engineering Professional [updated 2021]
- Information and asset classification in the CISSP exam
- CISSP domain 2: Asset security - What you need to know for the Exam [updated 2021]
- 8 tips for CISSP exam success [updated 2021]
- Risk management concepts and the CISSP (part 1) [updated 2021]
- Average ISSAP Salary in 2021
- What is the CISSP-ISSMP? Information Security System Management Professional [updated 2021]
- CISSP concentrations (ISSAP, ISSMP & ISSEP) [updated 2021]
- Due care vs. due diligence and the CISSP
- CISSP prep: Security policies, standards, procedures and guidelines
- Vulnerability and patch management in the CISSP exam
- Data security controls and the CISSP exam
- Logging and monitoring: What you need to know for the CISSP
- Data and system ownership in the CISSP exam
- CISSP Prep: Mitigating access control attacks
- CISSP Domain 5 Refresh: Identity and Access Management
- Identity Governance and Administration (IGA) in IT Infrastructure of Today
- CISSP CAT Exam Deep Dive: Study Tips from InfoSec Institute Alum Joe Wauson
- CISSP: Incident management
- CISSP: Business continuity planning and exercises
- CISSP: Perimeter defenses
- CISSP: Secure communication channels
- Environmental controls and the CISSP
- CISSP: Disaster recovery processes and plans
- Change management and the CISSP
