The CISSP CBK domains: Information and updates [updated 2021]

April 6, 2021 by Daniel Brecht

These days, organizations are actively seeking qualified infosec professionals to proactively address the lack of talent to fill critical roles. It is highly advantageous for those looking for a career to get a step ahead and consider one of the most in-demand IT certifications — the CISSP (Certified Information Systems Security Professional). Such a qualification can prove a wide range of competencies and allows employers to be confident in the knowledge that their employee’s skills are genuine and current.

(ISC)² and CISSP

The (ISC)² (International Information Systems Security Certification Consortium), issues the CISSP credentials to qualified candidates via a certification process and administration of an exam that is geared towards verifying the knowledge and skills of IT security professionals across all industries. (ISC)² provides CISSP preparation material and insight, in addition to continued education in learning all there is in the field of information security.

The CISSP critical/complete body of knowledge (CBK) domains, as seen in the certification exam outline, are often updated to keep up with this ever-changing field and to ensure professionals are tested on the latest topic areas relevant to the roles and responsibilities of today’s practicing information security professionals. Many organizations rely on this test to ensure the readiness of their IT security teams; for example, the CISSP cert is approved by the U.S. Department of Defense for workers conducting information assurance (IA) functions.

There are many reasons to acquire this certification. First, it shows one’s commitment to the field. Second, such a qualification often fulfills government and organization requirements. Third, because CISSP is globally recognized and is one of the most sought-after certifications in information security. It is listed as one of the top security certifications you should acquire. 


CISSP candidates are tested on their practical skills associated with the theoretical knowledge related to CBK domains that focus on theory for designing and maintaining the security infrastructure within an organization to include the “understanding of new threats, technologies, regulations, standards and practices,” as reported on the (ISC)² website.

The (ISC)² CISSP CBK is an established common framework of information on security terms and principles, a compendium of cybersecurity topics. The CBK was finalized in 1992 and the first CISSPs were certified in 1994.

CISSP history is made of several updates and curriculum refreshes that ensure its correspondence with the skills necessary in the ever-evolving IT world. Effective May 1, 2021, (ISC)²’s CISSP credential exam will have domains refreshed to encompass the following eight domains and related amendments.

1. Security and risk management

A domain about different aspects of risk. Weight in the exam: 15%.

The domain covers general, basic concepts in information security, especially focusing on confidentiality, integrity and availability (CIA). Testers are evaluated on skills related to the implementation of security policies and procedures, as well as on the perfecting of business continuity planning and recovery points as well as implementing solid user awareness programs. Great emphasis is placed on risk management especially with the safe acquisition of new software, hardware and services.

2. Asset security

A domain about securing assets. Weight in the exam: 10%.

The domain deals with the issues related to the management of data and the concept of ownership of information. This includes knowledge of the different roles regarding data processing (owner, processor and more) as well as privacy concerns and limitations of use.

3. Security architecture and engineering

A domain on applying principles in IS architecture design. Weight in the exam: 13%.

The domain with a wide scope and covering several important concepts in information security. Candidates are tested on security engineering processes, models and design principles. Vulnerabilities, database security, cryptosystems and clouds are also covered.

4. Communications and network security

A domain on designing and protecting network security. Weight in the exam: 13%.

The domain covers network security and the ability to create secure communication channels. Testers will have to answer questions on different aspects of network architecture, communication protocols, segmentation, routing and wireless transmissions.

5. Identity and access management

A domain to understand the different styles of controlling the way users gain access to data. Weight in the exam: 13%.

The domain sheds light on attacks exploiting the human component to gain access to data and ways to identify those who have rights to access servers and information. It covers the concept of sessions, multi-factor authentication, proofing, credentials, role-based or rule-based access control, MAC and DAC.

6. Security assessment and testing

A domain that concentrates on designing, performing and analyzing security testing. Weight in the exam: 12%.

The domain covers all the tools and techniques used to assess the security of systems and find vulnerabilities, errors in coding or design, weaknesses and possible areas of concerns not corrected by policies and procedures. Vulnerability assessment and penetration testing would fall under this domain. Disaster recovery, business continuity plans and awareness training for users are also covered.

7. Security operations

A domain highlighting foundational concepts, investigations, incident management and disaster recovery. Weight in the exam: 13%.

Another broad and very practical domain covering digital forensics, investigations, intrusion prevention and detection tools, firewalls and sandboxing.

8. Software development security

A domain on understanding, applying and enforcing software security. Weight in the exam: 11%.

The domain deals with implementing security controls on software within the environment for which the security information system expert is responsible. Auditing, risk analysis and the identification of vulnerabilities in source codes are all covered in this section.

The CISSP exam

The CISSP CBK tests one’s competence in the eight domains mentioned. Learning each domain will enable the tester to get a good grasp of the topics needed to pass the test and the knowledge required to excel in this career and perform related operational duties.

The (ISC)² CISSP exam uses computerized adaptive testing (CAT) for all English exams; all other languages are administered as linear, fixed-form exams. The passing grade is 700 out of 1,000 points, which equals a 70% passing score. Tests are held at (ISC)² authorized Pearson Professional Centers (PPC) and select Pearson VUE Testing Centers (PVTC) in a proctored environment. To take the exam, candidates need to register online. The approximate cost of the CISSP exam is $749 in the U.S.; $699 in the Asia Pacific, Middle East and Africa; 650 euros in Europe; and 560 pounds in the United Kingdom.

Preparing for the test

In addition to offering training directly, (ISC)² partners with official training providers around the world that have classroom instruction or self-study on the CISSP CBK domains. As preparation is key to passing the exam, finding the right course is paramount for a more effective path towards certification.

Benefits of CISSP certification

The CISSP is one of the most sought-after certifications and can increase the marketability of computer professionals, allowing them to have access, in most cases, to higher-paying jobs. Preparing to take the (ISC)² CBK test can help Infosec specialists fine-tune their skills and ensure they are knowledgeable in all important aspects of IT security.


Posted: April 6, 2021
Articles Author
Daniel Brecht
View Profile

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.

Leave a Reply

Your email address will not be published. Required fields are marked *