The CISSP domains: An overview [2021 update]

April 20, 2021 by Dan Virgillito

If you want to climb the IT career ladder, you should consider getting certified. One of the most popular and respected certifications is the Certified Information Systems Security Professionals (CISSP). Developed and maintained by the international non-profit organization (ISC)², CISSP validates a professional’s skills and experience in implementing and managing security architects for their organization. 

The CISSP exam has eight parts, known as domains. You will need to be proficient in each domain to get the certification. In this post, we will break down each of the eight domains, including how much weight they hold in the exam.

But first, let’s take a look at the upcoming CISSP exam changes.

New CISSP exam version effective May 1, 2021

An updated version of the CISSP certification exam will come into effect on May 1, 2021. The new version of CISSP will reflect the most pertinent issues around cybersecurity, along with the measures for mitigating those problems. 

The names and number of domains are the same as in the 2018 CISSP exam, but the domain weights have changed for two of the eight domains. Essentially, domain four now has one percent less weight while domain eight’s weight has increased by one percent. The weights of all other domains remain unchanged.

A brief overview of the eight CISSP domains

(ISC)² defines and organizes the CISSP domains based on its survey of the cybersecurity industry (previously known as the common body of knowledge (CBK) and its annual job task study (JTA). Here are the eight domains to be studied for the refreshed CISSP exam:

Domain 1: Security and risk management

This domain makes up 15% of the CISSP exam.

The security and risk management domain covers general concepts in information security. Candidates are evaluated on skills related to the implementation of user awareness programs as well as security procedures. Emphasis is also placed on risk management concerning the acquisition of new services, hardware and software (supply chain). CISSP 2021 will also test candidates’ knowledge of phishing and social engineering defense mechanisms and how they can use gamification to bolster their company’s cybersecurity.

Domain 2: Asset security

The asset security domain covers 10% of the CISSP exam.

This is an important domain as it deals with the issues related to the collection, storage, maintenance, retention and destruction of data. It also validates candidates’ knowledge of different roles regarding data handling (owner, controller and custodian) as well as data protection methods and data states. Other topics tested include resource provision, asset classification and data lifecycle management.

Domain 3: Security architecture and engineering

Covering several important concepts in information security, this domain has 13% weight in the CISSP exam.

The security architecture and engineering part covers important security engineering topics using plans, designs and principles. Candidates are tested on assessing and mitigating information system vulnerabilities, fundamental concepts of security models and security architectures in critical areas like access control. Cloud systems, cryptography, system infiltrations (ransomware, fault-injection and more) and virtualized systems are also covered in this domain.

Domain 4: Communication and network security

Communication and network security previously comprised 14% of the exam but now has 13% weight in the latest version of CISSP.

CISSP’s fourth domain tests candidates’ ability to secure communication channels and networks. Exam takers will have to answer questions on secure and converged protocols, wireless networks, cellular networks, hardware operation (warranty and redundant power) and third-party connectivity.  IP networking (IPSec, IPv4 and IPv6) are also included in this domain.

Domain 5: Identity and access management (IAM)

This domain accounts for roughly 13% of the CISSP exam.

This section of the exam covers the attacks that target the human gateway to gain access to data. Plus, candidates are tested on ways to identify users with rights to access the information and servers. Identify and access management covers the topics of applications, Single sign-on authentication, privilege escalation, Kerberos, rule-based or risk-based access control, proofing and establishment of identity.

Domain 6: Security assessment and testing

The security assessment and testing domain covers about 12% of the CISSP exam.

This domain deals with all the techniques and tools used to find system vulnerabilities, weaknesses and potential areas of concern not addressed by security procedures and policies. Attack simulations and ethical disclosure also fall under this domain. Additionally, candidates are tested on penetration testing and vulnerability assessment. The latest version of the CISSP exam also lists compliance checks as one of the topics tested. 

Domain 7: Security operations

The seventh CISSP domain has about 13% weight in the exam.

Another practical and very broad subset, security operations covers topics ranging from investigations and digital forensic to detection and intrusion prevention tools, sandboxing and firewalls. Topics tested include user and entity behavior analytics, threat intelligence (threat hunting and threat feeds) log management, artifacts (mobile, computer and network) and machine learning and AI-based tools.

Domain 8: Software development security

The software development security domain had 10% weight in the 2018 version of CISSP but now accounts for 11% of the latest exam.

As the name indicates, this domain deals with implementing software-based security protocols within environments for which the IT professional is responsible. Risk analysis, vulnerability identification and auditing of source codes are all covered in this subset. Also, candidates are tested on software-designed security, maturity models, development methodologies, open-source and third-party development security.

Go further with CISSP certification

The CISSP is one of the most recognized information security certifications and can increase your marketability, allowing you to access better-paying roles. To ensure all domains of the certification are covered, candidates can use the learning resources from the official (ISC)² website. The site offers an official CISSP study guide, self-paced learning course and practice tests to help candidates prepare for the exam. 

Education providers like Infosec also offer live CISSP boot camps, available in person or online, as well as at-your-own pace CISSP training.


Posted: April 20, 2021
Articles Author
Dan Virgillito
View Profile

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news. Visit his website or say hi on Twitter.

3 responses to “The CISSP domains: An overview [2021 update]”

  1. I am interested in training on the 10 domains. Please advise as to how to go about it.

    • kenneth says:

      Tshidi Khobane,
      Good morning. Depending upon your background in information security, you might want to consider some of the following reading material. The first book that you need to read is the Official (ISC)2 Guide to the CISSP CBK, Second Edition ((ISC)2 Press) by Harold F. Tipton (Hardcover – December 22, 2009). In addition to that there are several books entitled “Information Security Management Handbook” Sixth Edition, also by Harold F. Tipton. Make sure you start with Volume One which is ISBN-13: 9780849374951. Then time and money permitting you can continue reading the series by purchased Volume 2, 3, 4, 5, & 6. Reading this material will give you a solid understanding of Information Security and the 10 domains. I would also recommend that you speak with InfoSec Institute regarding attending the CISSP Boot Camp once you feel comfortable with the material and want to pursue certification as a CISSP. InfoSec Institute can be contacted by phone at 011-866-471-0059, by fax at 011-708-689-0181. If you have any other questions please feel free to post the questions here and we will get you an answer.
      Kind regards,
      J Kenneth Magee

  2. Adekemi says:

    If i want the syllabus of the coures do i av to pay to get one. if i don’t have to pay can you send me one copy please. Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *