The CISSP domains: An overview [2021 update]
If you want to climb the IT career ladder, you should consider getting certified. One of the most popular and respected certifications is the Certified Information Systems Security Professional (CISSP). Developed and maintained by the international non-profit organization (ISC)², CISSP validates a professional's skills and experience in designing, implementing and managing security architecture for their organization.
The CISSP exam has eight parts, known as domains. You will need to be proficient in each domain to get the certification. In this post, we will break down each of the eight domains, including how much weight they hold in the exam.
But first, let’s take a look at the upcoming CISSP exam changes.
New CISSP exam version effective May 1, 2021
An updated version of the CISSP certification exam will come into effect on May 1, 2021. The new version of CISSP will reflect the most pertinent issues around cybersecurity, along with the measures for mitigating those problems.
The names and number of domains are the same as in the 2018 CISSP exam, but the domain weights have changed for two of the eight domains. Essentially, domain four now has one percent less weight while domain eight’s weight has increased by one percent. The weights of all other domains remain unchanged.
A brief overview of the eight CISSP domains
(ISC)² defines and organizes the CISSP domains based on its survey of the cybersecurity industry (previously known as the common body of knowledge (CBK)) and its annual job task analysis (JTA). Here are the eight domains to be studied for the refreshed CISSP exam:
Domain 1: Security and risk management
This domain makes up 15% of the CISSP exam.
The security and risk management domain covers general concepts in information security. Candidates are evaluated on skills related to the implementation of user awareness programs as well as security procedures. Emphasis is also placed on risk management concerning the acquisition of new services, hardware and software (supply chain). CISSP 2021 will also test candidates’ knowledge of phishing and social engineering defense mechanisms and how they can use gamification to bolster their company’s cybersecurity.
Domain 2: Asset security
The asset security domain covers 10% of the CISSP exam.
This is an important domain, as it deals with the issues related to the collection, storage, maintenance, retention and destruction of data. It also validates candidates' knowledge of the different roles involved in data handling (owner, controller and custodian) as well as data protection methods and data states (at rest, in transit and in use). Other topics tested include resource provisioning, asset classification and data lifecycle management.
Domain 3: Security architecture and engineering
Covering several important concepts in information security, this domain has 13% weight in the CISSP exam.
The security architecture and engineering part covers important security engineering topics using plans, designs and principles. Candidates are tested on assessing and mitigating information system vulnerabilities, fundamental concepts of security models and security architectures in critical areas like access control. Cloud systems, cryptography, system infiltrations (ransomware, fault-injection and more) and virtualized systems are also covered in this domain.
Domain 4: Communication and network security
Communication and network security previously comprised 13% of the exam but now has 12% weight in the latest version of CISSP.
CISSP's fourth domain tests candidates' ability to secure communication channels and networks. Exam takers will have to answer questions on secure and converged protocols, wireless networks, cellular networks, hardware operation (warranty and redundant power) and third-party connectivity. IP networking (IPSec, IPv4 and IPv6) is also included in this domain.
Domain 5: Identity and access management (IAM)
This domain accounts for roughly 13% of the CISSP exam.
This section of the exam covers attacks that target the human element (users and their credentials) to gain access to data. Candidates are also tested on ways to identify which users have the right to access particular information and servers. Identity and access management covers the topics of applications, single sign-on authentication, privilege escalation, Kerberos, rule-based or risk-based access control, and identity proofing and establishment.
Domain 6: Security assessment and testing
The security assessment and testing domain covers about 12% of the CISSP exam.
This domain deals with all the techniques and tools used to find system vulnerabilities, weaknesses and potential areas of concern not addressed by security procedures and policies. Attack simulations and ethical disclosure also fall under this domain. Additionally, candidates are tested on penetration testing and vulnerability assessment. The latest version of the CISSP exam also lists compliance checks as one of the topics tested.
Domain 7: Security operations
The seventh CISSP domain has about 13% weight in the exam.
Another practical and very broad subset, security operations covers topics ranging from investigations and digital forensics to detection and intrusion prevention tools, sandboxing and firewalls. Topics tested include user and entity behavior analytics, threat intelligence (threat hunting and threat feeds), log management, artifacts (mobile, computer and network) and machine learning and AI-based tools.
Domain 8: Software development security
The software development security domain had 10% weight in the 2018 version of CISSP but now accounts for 11% of the latest exam.
As the name indicates, this domain deals with implementing software-based security controls within the environments for which the IT professional is responsible. Risk analysis, vulnerability identification and auditing of source code are all covered in this subset. Candidates are also tested on security in software design, maturity models, development methodologies, and open-source and third-party development security.
Go further with CISSP certification
The CISSP is one of the most recognized information security certifications and can increase your marketability, allowing you to access better-paying roles. To ensure all domains of the certification are covered, candidates can use the learning resources from the official (ISC)² website. The site offers an official CISSP study guide, self-paced learning course and practice tests to help candidates prepare for the exam.
CISSP certification exam outline, (ISC)²
CISSP domain refresh FAQ, (ISC)²