
CISSP (Certified Information Systems Security Professional)

The Certified Information Systems Security Professional (CISSP), a certification awarded by (ISC)², is universally acknowledged as the gold standard for seasoned cybersecurity practitioners. It confirms an individual's robust technical and managerial expertise necessary to effectively design, engineer, implement, and manage an organization's holistic information security program. Unlike vendor-specific certifications, the CISSP is vendor-neutral, drawing its knowledge from a broad foundation known as the Common Body of Knowledge (CBK), which spans eight domains covering areas from Security and Risk Management to Software Development Security. The certification is targeted at senior roles like Security Architects, Consultants, and aspiring CISOs, and it requires candidates to not only pass a rigorous exam but also possess a minimum of five years of relevant professional experience and commit to the (ISC)² Code of Ethics.

Duration: 180 min
Questions: 150
Passing Score: 750
Enrolled: 1k+


Exam Domains

Topics covered in this certification exam

Security and Risk Management (16%)

CIA Triad
Security Governance
Due Care/Due Diligence
Security Policy
Standards
Procedures
Guidelines
Risk Management
Quantitative Risk Analysis
Qualitative Risk Analysis
ALE
SLE
ARO
Security Frameworks
NIST CSF
ISO 27001
Threat Modeling
Business Continuity Planning (BCP)
Disaster Recovery Planning (DRP)
BIA
MTD
RTO
RPO
Legal/Regulatory Compliance
GDPR
CCPA
Ethics
(ISC)² Code of Ethics
Personnel Security
Separation of Duties
Mandatory Vacations
Security Awareness Training

Asset Security (10%)

Data Classification
Data Ownership
Data Custodian
Data Processor
PII
PHI
Data Handling Requirements
Data Lifetime
Data At Rest
Data In Motion
Data In Use
Data Loss Prevention (DLP)
Digital Rights Management (DRM)
Privacy Enhancing Technologies
Data Remanence
Media Sanitization
Degaussing
Destruction
Asset Inventory
Asset Lifecycle

Security Architecture and Engineering (13%)

Secure Design Principles
Defense-in-Depth
Least Privilege
Fail Securely
Zero Trust Architecture
Security Models
Bell-LaPadula
Biba
Clark-Wilson
Brewer-Nash
Trusted Computing Base (TCB)
Security Kernels
Evaluation Criteria
Common Criteria
Cryptography
Symmetric Encryption
Asymmetric Encryption
Hashing
Key Management
PKI
Digital Signatures
Certificates
Hardware Security Modules (HSM)
Cloud Computing Security
IaaS
PaaS
SaaS
Physical Security
Site Selection
Perimeter Controls
Fire Suppression
HVAC
Water Leak Detection

Communication and Network Security (13%)

OSI Model
TCP/IP Model
Network Segmentation
VLANs
Subnetting
Firewalls
IDS/IPS
Load Balancers
Routers
Switches
Network Access Control (NAC)
DMZ
Micro-Segmentation
Secure Protocols
IPsec
SSL/TLS
SSH
VPNs
Wireless Security
WPA3
802.1x
Rogue Access Points
Software-Defined Networking (SDN)
Network Function Virtualization (NFV)
Protocol Vulnerabilities

Identity and Access Management (IAM) (13%)

Identification
Authentication
Authorization
Accounting (AAA)
Multi-Factor Authentication (MFA)
Passwords
Biometrics
FAR/FRR/CER
Access Control Models
DAC
MAC
RBAC
ABAC
Single Sign-On (SSO)
Federated Identity
SAML
OAuth
OpenID Connect
Identity Provisioning
De-provisioning
Access Review
Session Management
Least Privilege Principle

Security Assessment and Testing (12%)

Vulnerability Assessments
Penetration Testing
Black Box Testing
White Box Testing
Gray Box Testing
Security Audits
Security Control Testing
Log Review
Security Metrics
Test Coverage
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Fuzz Testing
Code Review
Interface Testing
Compliance Checks

Security Operations (13%)

Incident Management Lifecycle
Detection
Response
Containment
Eradication
Recovery
Lessons Learned
Forensics
Chain of Custody
Evidence Handling
Logging
Monitoring
SIEM
Log Aggregation
Correlation
Preventative Measures
Patch Management
Configuration Management
Change Control Process
Disaster Recovery (DR)
Business Continuity (BC)
DR Testing
Recovery Sites
Hot Site
Warm Site
Cold Site
Resource Protection
Media Protection
Personnel Safety

Software Development Security (10%)

Secure Software Development Life Cycle (SDLC)
DevSecOps
Security Requirements
Design Review
Code Review
Application Security Testing
SAST
DAST
Fuzzing
Secure Coding Guidelines
Input Validation
Buffer Overflows
SQL Injection
XSS
OWASP Top Ten
Database Security
Stored Procedures
Data Warehousing Security
Source Code Repositories
Third-Party Software Acquisition
Secure API Integration

Exam Format

Multiple Choice Questions