The CISSP domains and CBK: An overview [2021 update]
If you want to climb the IT career ladder, you should consider getting certified. One of the most popular and respected certifications is the Certified Information Systems Security Professionals (CISSP). Developed and maintained by the international non-profit organization (ISC)², CISSP validates a professional’s skills and experience in implementing and managing security architects for their organization.
The CISSP exam has eight parts, known as domains. You will need to be proficient in each domain to get the certification. In this post, we will break down each of the eight domains, including how much weight they hold in the exam.
But first, let’s take a look at the upcoming CISSP exam changes.
New CISSP exam version effective May 1, 2021
An updated version of the CISSP certification exam went into effect on May 1, 2021. The new version of the CISSP common body of knowledge (CBK) reflects the most pertinent issues around cybersecurity, along with the measures for mitigating those problems.
The names and number of CISSP CBK domains are the same as in the 2018 CISSP exam, but the domain weights have changed for two of the eight domains. Essentially, domain four now has one percent less weight while domain eight’s weight has increased by one percent. The weights of all other domains remain unchanged. View the CISSP exam outline for even more detail about the (ISC)² CISSP CBK.
A brief overview of the eight CISSP domains
(ISC)² defines and organizes the CISSP domains based on its survey of the cybersecurity industry, often referred to as a job task study (JTA). The CISSP CBK domains are updated every three years to keep up ensure professionals are tested on the latest topic areas relevant to the roles and responsibilities of today’s practicing information security professionals.
Many organizations rely on this test to ensure the readiness of their IT security teams. For example, the CISSP cert is DoD 8570 approved by the U.S. Department of Defense for workers conducting information assurance (IA) functions. Because CISSP is globally recognized and is one of the most sought-after certifications in information security, it is listed as one of the top security certifications you should acquire.
Here are the eight domains to be studied for the refreshed CISSP exam:
Domain 1: Security and risk management
The security and risk management domain covers general concepts in information security. Candidates are evaluated on skills related to the implementation of user awareness programs as well as security procedures. Emphasis is also placed on risk management concerning the acquisition of new services, hardware and software (supply chain). CISSP 2021 will also test candidates’ knowledge of phishing and social engineering defense mechanisms and how they can use gamification to bolster their company’s cybersecurity.
This domain makes up 15% of the CISSP exam and includes the following exam objectives:
- 1.1 Understand, adhere to and promote professional ethics
- 1.2 Understand and apply security concepts (This is a new section.)
- 1.3 Evaluate and apply security governance principles
- 1.4 Determine compliance and other requirements
- 1.5 Understand legal and regulatory issues that pertain to information security in a holistic context
- 1.6 Understand requirements for investigation types (administrative, criminal, civil, regulatory and industry standards)
- 1.7 Develop, document and implement security policy, standards, procedures and guidelines
- 1.8 Identify, analyze and prioritize business continuity (BC) requirements
- 1.9 Contribute to and enforce personnel security policies and procedure
- 1.10 Understand and apply risk management concepts
- 1.11 Understand and apply threat modeling concepts and methodologies
- 1.12 Apply supply chain risk management (SCRM) concepts (This represents a shift from supply chain risk-based management techniques to SCRM.)
- 1.13 Establish and maintain a security awareness, education and training program
Domain 2: Asset security
This is an important domain as it deals with the issues related to the collection, storage, maintenance, retention and destruction of data. It also validates candidates’ knowledge of different roles regarding data handling (owner, controller and custodian) as well as data protection methods and data states. Other topics tested include resource provision, asset classification and data lifecycle management.
The asset security domain makes up 10% of the CISSP exam and includes the following exam objectives:
- 2.1 Identify and classify information and assets
- 2.2 Establish information and asset handling requirements
- 2.3 Provision resources securely (There has been a shift from privacy to resource security.)
- 2.4 Manage data lifecycle
- 2.5 Ensure appropriate asset retention (end-of-life (EOL), end-of-support (EOS))
- 2.6 Determine data security controls and compliance requirements (DRM, CASB and DLP) (Mildly increased focus on compliance requirements.)
Domain 3: Security architecture and engineering
The security architecture and engineering part covers important security engineering topics using plans, designs and principles. Candidates are tested on assessing and mitigating information system vulnerabilities, fundamental concepts of security models and security architectures in critical areas like access control. Cloud systems, cryptography, system infiltrations (ransomware, fault-injection and more) and virtualized systems are also covered in this domain.
The security architecture and engineering domain makes up 13% of the CISSP exam and includes the following exam objectives:
- 3.1 Research, implement and manage engineering processes using secure design principles (New concepts are covered: threat modeling, defense in depth, least privilege, failing securely, secure defaults, separation of duties, trust but verify, privacy by design and shared responsibility.)
- 3.2 Understand the fundamental concepts of security models
- 3.3 Select controls based upon systems security requirements
- 3.4 Understand security capabilities of information systems (IS)
- 3.5 Assess and mitigate the vulnerabilities of security architectures, designs and solution elements
- 3.6 Select and determine cryptographic solutions (This is a new section.)
- 3.7 Understand methods of cryptanalytic attacks
- 3.8 Apply security principles to site and facility design
- 3.9 Design site and facility security controls
Domain 4: Communication and network security
CISSP’s fourth domain tests candidates’ ability to secure communication channels and networks. Exam takers will have to answer questions on secure and converged protocols, wireless networks, cellular networks, hardware operation (warranty and redundant power) and third-party connectivity. IP networking (IPSec, IPv4 and IPv6) are also included in this domain.
The communication and network security domain previously comprised 14% of the exam, but it was adjusted to 13% weight in the latest version of CISSP. It includes the following exam objectives:
- 4.1 Assess and implement secure design principles in network architectures (New material is covered, including micro-segmentation, wireless networks and content distribution networks (CDN).)
- 4.2 Secure network components
- 4.3 Implement secure communication channels according to design
- The weight of this material has dropped from 14% to 13%.
Domain 5: Identity and access management (IAM)
This section of the exam covers the attacks that target the human gateway to gain access to data. Plus, candidates are tested on ways to identify users with rights to access the information and servers. Identify and access management covers the topics of applications, Single sign-on authentication, privilege escalation, Kerberos, rule-based or risk-based access control, proofing and establishment of identity.
The identity and access management domain makes up 13% of the CISSP exam and includes the following exam objectives:
- 5.1 Control physical and logical access to assets
- 5.2 Manage identification and authentication of people, devices and services (New concepts are covered such as single sign-on and just-in-time.)
- 5.3 Federated identity with a third-party service
- 5.4 Implement and manage authorization mechanisms
- 5.5 Manage the identity and access provisioning lifecycle
- 5.6 Implement authentication systems (This is a new section.)
Domain 6: Security assessment and testing
This domain deals with all the techniques and tools used to find system vulnerabilities, weaknesses and potential areas of concern not addressed by security procedures and policies. Attack simulations and ethical disclosure also fall under this domain. Additionally, candidates are tested on penetration testing and vulnerability assessment. The latest version of the CISSP exam also lists compliance checks as one of the topics tested.
The security assessment and testing domain makes up 12% of the CISSP exam and includes the following exam objectives:
- 6.1 Design and validate assessment, test and audit strategies
- 6.2 Conduct security control testing
- 6.3 Collect security process data (technical and administrative)
- 6.4 Analyze test output and generate a report
- 6.5 Conduct or facilitate security audits
Domain 7: Security operations
Another practical and very broad subset, security operations covers topics ranging from investigations and digital forensic to detection and intrusion prevention tools, sandboxing and firewalls. Topics tested include user and entity behavior analytics, threat intelligence (threat hunting and threat feeds) log management, artifacts (mobile, computer and network) and machine learning and AI-based tools.
The security operations domain makes up 13% of the CISSP exam and includes the following exam objectives:
- 7.1 Understand and comply with investigations
- 7.2 Conduct logging and monitoring activities
- 7.3 Perform configuration management (CM)
- 7.4 Apply foundational security operations concepts
- 7.5 Apply resource protection
- 7.6 Conduct incident management
- 7.7 Operate and maintain detective and preventive measures
- 7.8 Implement and support patch and vulnerability management
- 7.9 Understand and participate in change management processes
- 7.10 Implement recovery strategies
- 7.11 Implement disaster recovery (DR) processes
- 7.12 Test disaster recovery plans (DRP)
- 7.13 Participate in business continuity (BC) planning and exercises
- 7.14 Implement and manage physical security
- 7.15 Address personnel safety and security concerns
Domain 8: Software development security
As the name indicates, this domain deals with implementing software-based security protocols within environments for which the IT professional is responsible. Risk analysis, vulnerability identification and auditing of source codes are all covered in this subset. Also, candidates are tested on software-designed security, maturity models, development methodologies, open-source and third-party development security.
The software development security domain previously comprised 10% of the exam, but it was adjusted to 11% weight in the latest version of CISSP. It includes the following exam objectives:
- 8.1 Understand and integrate security in the software development life cycle (SDLC)
- 8.2 Identify and apply security controls in software development ecosystems (New concepts are covered, including programming languages, toolsets, runtime, integrated development environment, continuous delivery automation and response, continuous integration, application security testing and dynamic application security testing.)
- 8.3 Assess the effectiveness of software security
- 8.4 Assess security impact of acquired software
- 8.5 Define and apply secure coding guidelines and standards
More about the CISSP exam
The CISSP CBK tests your competence in the eight domains mentioned. Learning each domain will give you the knowledge you need to pass the exam, excel in this career and perform related operational duties. The (ISC)² CISSP exam uses computerized adaptive testing (CAT) for all English exams; all other languages are administered as linear, fixed-form exams. Read our article about the CISSP exam to learn more about the exam format, duration and scheduling.
The CISSP is one of the most recognized information security certifications and can increase your marketability, allowing you to move into better-paying roles. Get our free ebook of CISSP exam tips for advice on passing the exam on your first attempt.