What are the 8 CISSP domains?

The globally renowned CISSP® (Certified Information Systems Security Professional) qualification provides information security professionals with an objective measure of competence and is divided into eight domains:

  1. Security and Risk Management
  2. Asset Security
  3. Security Engineering
  4. Communications and Network Security
  5. Identity and Access Management
  6. Security Assessment and Testing
  7. Security Operations
  8. Software Development Security

Security and Risk Management

Security and Risk Management is the largest domain in CISSP and focuses on a number of key business topics: the concepts of confidentiality, integrity and availability; security governance principles; compliance requirements; legal and regulatory issues relating to information security; IT policies and procedures; and risk-based management concepts.

Average weight in the exam: 15%

Asset Security

Asset Security focuses on: classification and ownership of information and assets; privacy; retention periods; data security controls; and handling requirements.

Average weight in the exam: 10%

Security Engineering

Security Engineering covers several important information security concepts, including: engineering processes using secure design principles; fundamental concepts of security models; security capabilities of information systems; assessing and mitigating vulnerabilities in systems; cryptography; and designing and implementing physical security.

Average weight in the exam: 13%

Communications and Network Security

The Communications and Network Security domain covers the design and protection of networks. It covers topics including: secure design principles for network architecture; secure network components; secure communication channels; and preventing or mitigating network attacks.

Average weight in the exam: 14%

Identity and Access Management

Identity and Access Management helps professionals understand how to control the way users can access data. It covers: physical and logical access to assets; identification and authentication; integrating identity as a service and third-party identity services; authorisation mechanisms; access control attacks; and the identity and access provisioning lifecycle.

Average weight in the exam: 13%

Security Assessment and Testing

The Security Assessment and Testing domain focuses on designing, performing and analysing security testing. Topics covered include: designing and validating assessment and test strategies; security control testing; collecting security process data; test outputs; and internal and third-party security audits.

Average weight in the exam: 12%

Security Operations

The Security Operations domain covers key topics including: understanding and supporting investigations; requirements for investigation types; logging and monitoring activities; securing the provision of resources; foundational security operations concepts; applying resource protection techniques; incident management; disaster recovery; and managing physical security.

Average weight in the exam: 13%

Software Development Security

The final CISSP domain helps professionals to understand, apply and enforce software security. It covers: security in the Software Development Life Cycle (SDLC); security controls in development environments; effectiveness of software security; and secure coding guidelines and standards.

Average weight in the exam: 10%

What were the ten domains before 2015?

  1. Access Control
  2. Application Development Security
  3. Business Continuity and Disaster Recovery Planning
  4. Cryptography
  5. Information Security Governance and Risk Management
  6. Legal Regulations, Investigations and Compliance
  7. Operations Security
  8. Physical and Environmental Security
  9. Security Architecture and Design
  10. Telecommunications and Network Security

CISSP training and revision materials

Candidates sitting the CISSP CBK (Common Body of Knowledge) exam will be tested on each of the eight domains.

The exam consists of 100-150 multiple-choice questions and lasts three hours. The pass grade is 70%.

Candidates can prepare for the exam with CISSP training and appropriate revision materials.

The Official (ISC)2 Guide to the CISSP CBK, Fourth Edition is the essential resource for those studying for the CISSP examination and provides a comprehensive overview of the eight domains.