Partnered with
iVox.ai

Certified Information Systems Security Professional (CISSP)

About CISSP

The Certified Information Systems Security Professional (CISSP) is the most globally recognized certification in the information security market. CISSP validates an information security professional's deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization.

The broad spectrum of topics included in the CISSP Common Body of Knowledge (CBK) ensure its relevancy across all disciplines in the field of information security. Successful candidates are competent in the following eight domains:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

For more detailed information, please visit the CISSP Certification Exam Outline on the ISC2 website.

Exam Requirements

Candidates must have a minimum of five years cumulative, full-time experience in two or more of the eight domains of the current CISSP Exam Outline. Earning a post-secondary degree or an additional credential from the ISC2 approved list may satisfy up to one year of the required experience. Part-time work and internships may also count towards the experience requirement.

A candidate that doesn't have the required experience to become a CISSP may become an Associate of ISC2 by successfully passing the CISSP examination. The Associate of ISC2 will then have six years to earn the five years required experience.

Accreditation

CISSP was the first credential in the field of information security to meet the stringent requirements of ANSI/ISO/IEC Standard 17024.

Job Task Analysis (JTA)

ISC2 has an obligation to its membership to maintain the relevancy of the CISSP. Conducted at regular intervals, the Job Task Analysis (JTA) is a methodical and critical process of determining the tasks that are performed by security professionals who are engaged in the profession defined by the CISSP. The results of the JTA are used to update the examination.

CISSP Examination Information

Length of exam 3 hours
Number of items 100 - 150
Item format Multiple choice and advanced innovative items
Passing grade 700 out of 1000 points
Exam language availability Chinese, English, German, Japanese, Spanish
Testing center ISC2 Authorized PPC and PVTC Select Pearson VUE Testing Centers

Domains

1.1 - Understand, adhere to, and promote professional ethics
  • ISC2 Code of Professional Ethics
  • Organizational code of ethics
1.2 - Understand and apply security concepts
  • Confidentiality, integrity, and availability, authenticity, and nonrepudiation
1.3 - Evaluate and apply security governance principles
  • Alignment of the security function to business strategy, goals, mission, and objectives
  • Organizational processes (e.g., acquisitions, divestitures, governance committees)
  • Organizational roles and responsibilities
  • Security control frameworks (e.g., ISO, NIST, COBIT, SABSA, PCI, FedRAMP)
  • Due care/due diligence
1.4 - Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context
  • Cybercrimes and data breaches
  • Licensing and Intellectual Property requirements
  • Import/export controls
  • Transborder data flow
  • Issues related to privacy (e.g., GDPR, CCPA, Personal Information Protection Law)
  • Contractual, legal, industry standards, and regulatory requirements
1.5 - Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
1.6 - Develop, document, and implement security policy, standards, procedures, and guidelines
  • Alignment of the security function to business strategy, goals, mission, and objectives
  • Organizational processes (e.g., acquisitions, divestitures, governance committees)
  • Organizational roles and responsibilities
  • Security control frameworks (e.g., ISO, NIST, COBIT, SABSA, PCI, FedRAMP)
  • Due care/due diligence
1.7 - Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements
  • Business impact analysis (BIA)
  • External dependencies
1.8 - Contribute to and enforce personnel security policies and procedures
  • Candidate screening and hiring
  • Employment agreements and policy driven requirements
  • Onboarding, transfers, and termination processes
  • Vendor, consultant, and contractor agreements and controls
1.9 - Understand and apply risk management concepts
  • Threat and vulnerability identification
  • Risk analysis, assessment, and scope
  • Risk response and treatment (e.g., cybersecurity insurance)
  • Applicable types of controls (e.g., preventive, detection, corrective)
  • Control assessments (e.g., security and privacy)
  • Continuous monitoring and measurement
  • Reporting (e.g., internal, external)
  • Continuous improvement (e.g., risk maturity modeling)
  • Risk frameworks (e.g., ISO, NIST, COBIT, SABSA, PCI)
1.10 - Understand and apply threat modeling concepts and methodologies
1.11 - Apply Supply Chain Risk Management (SCRM) concepts
  • Risks associated with the acquisition of products and services from suppliers and providers (e.g., product tampering, counterfeits, implants)
  • Risk mitigations (e.g., third-party assessment and monitoring, minimum security requirements, service level requirements, silicon root of trust, physically unclonable function, software bill of materials)
1.12 - Establish and maintain a security awareness, education, and training program
  • Methods and techniques to increase awareness and training (e.g., social engineering, phishing, security champions, gamification)
  • Periodic content reviews to include emerging technologies and trends (e.g., cryptocurrency, artificial intelligence (AI), blockchain)
  • Program effectiveness evaluation
2.1 - Identify and classify information and assets
  • Data classification
  • Asset classification
2.2 - Establish information and asset handling requirements
2.3 - Provision information and assets securely
  • Information and asset ownership
  • Asset inventory (e.g., tangible, intangible)
  • Asset management
2.4 - Manage data lifecycle
  • Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
  • Data collection
  • Data location
  • Data maintenance
  • Data retention
  • Data remanence
  • Data destruction
2.5 - Ensure appropriate asset retention (e.g., End of Life (EOL), End of Support)
2.6 - Determine data security controls and compliance requirements
  • Data states (e.g., in use, in transit, at rest)
  • Scoping and tailoring
  • Standards selection
  • Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB))
3.1 - Research, implement, and manage engineering processes using secure design principles
  • Threat modeling
  • Least privilege
  • Defense in depth
  • Secure defaults
  • Fail securely
  • Segregation of Duties (SoD)
  • Keep it simple and small
  • Zero trust or trust but verify
  • Privacy by design
  • Shared responsibility
  • Secure access service edge
3.2 - Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
3.3 - Select controls based upon systems security requirements
3.4 - Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
3.5 - Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
  • Client-based systems
  • Server-based systems
  • Database systems
  • Cryptographic systems
  • Industrial Control Systems (ICS)
  • Cloud-based systems (e.g., SaaS, IaaS, PaaS)
  • Distributed systems
  • Internet of Things (IoT)
  • Microservices (e.g., API)
  • Containerization
  • Serverless
  • Embedded systems
  • High-Performance Computing systems
  • Edge computing systems
  • Virtualized systems
3.6 - Select and determine cryptographic solutions
  • Cryptographic life cycle (e.g., keys, algorithm selection)
  • Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum)
  • Public key infrastructure (PKI) (e.g., quantum key distribution)
3.7 - Understand methods of cryptanalytic attacks
  • Brute force
  • Ciphertext only
  • Known plaintext
  • Frequency analysis
  • Chosen ciphertext
  • Implementation attacks
  • Side-channel
  • Fault injection
  • Timing
  • Man-in-the-Middle (MITM)
  • Pass the hash
  • Kerberos exploitation
  • Ransomware
3.8 - Apply security principles to site and facility design
3.9 - Design site and facility security controls
  • Wiring closets/intermediate distribution facilities
  • Server rooms/data centers
  • Media storage facilities
  • Evidence storage
  • Restricted and work area security
  • Utilities and HVAC
  • Environmental issues (e.g., natural disasters, man-made)
  • Fire prevention, detection, and suppression
  • Power (e.g., redundant, backup)
3.10 - Manage the information system lifecycle
  • Stakeholders needs and requirements
  • Requirements analysis
  • Architectural design
  • Development/implementation
  • Integration
  • Testing
  • Deployment
  • Operations and maintenance
  • Disposal
4.1 - Implement secure design principles in network architectures
  • Open Systems Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
  • Internet Protocol (IP) networking (e.g., IPv4, IPv6)
  • Network security controls (e.g., firewalls, intrusion detection/prevention systems, network access control)
  • Secure network components (e.g., routers, switches, load balancers, proxies)
  • Secure communication channels (e.g., VPN, TLS, IPsec)
  • Network attacks (e.g., denial of service, man-in-the-middle, spoofing)
4.2 - Secure network components
  • Network segmentation
  • Network access control
  • Network monitoring and analysis
  • Network security protocols (e.g., SSL/TLS, SSH, HTTPS)
  • Wireless security (e.g., WPA3, WEP, WPA2)
4.3 - Implement secure communication channels according to design
  • Virtual private networks (VPNs)
  • Transport Layer Security (TLS)
  • Internet Protocol Security (IPsec)
  • Secure/Multipurpose Internet Mail Extensions (S/MIME)
  • Pretty Good Privacy (PGP)
5.1 - Control physical and logical access to assets
  • Identification and authentication of people and devices
  • Identity as a Service (IDaaS)
  • Third-party identity services (e.g., OAuth, OpenID, SAML)
  • Access control attacks (e.g., password cracking, privilege escalation)
  • Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)
5.2 - Manage identification and authentication of people, devices, and services
  • Identity management implementation
  • Single sign-on (SSO)
  • Federated identity management
  • Credential management systems
5.3 - Integrate identity as a service (IDaaS)
  • Cloud identity management
  • Identity federation
  • Identity governance
5.4 - Implement and manage authorization mechanisms
  • Role-based access control (RBAC)
  • Attribute-based access control (ABAC)
  • Mandatory access control (MAC)
  • Discretionary access control (DAC)
5.5 - Manage the identity and access provisioning lifecycle
  • Provisioning and deprovisioning
  • Account review and recertification
  • Access review and audit
6.1 - Design and validate assessment, test, and audit strategies
  • Internal and external audit controls
  • Security control testing (e.g., vulnerability assessment, penetration testing)
  • Log reviews
  • Performance and capacity testing
  • Security audits
6.2 - Conduct security control testing
  • Vulnerability assessment
  • Penetration testing
  • Log reviews
  • Code review and testing
6.3 - Collect security process data (e.g., technical and administrative)
  • Account management reviews
  • Management review and approval
  • Key performance and risk indicators
6.4 - Analyze test output and generate report
  • Test result analysis
  • Report generation
  • Remediation tracking
6.5 - Conduct or facilitate security audits
  • Internal audit
  • Third-party audit
  • Audit report review
7.1 - Understand and support investigations
  • Evidence collection and handling
  • Reporting and documentation
  • Investigation types (e.g., administrative, criminal, civil, regulatory)
7.2 - Understand requirements for investigation types
  • Administrative
  • Criminal
  • Civil
  • Regulatory
7.3 - Conduct logging and monitoring activities
  • Log management
  • Security information and event management (SIEM)
  • Continuous monitoring
7.4 - Perform configuration management (e.g., provisioning, baselining, automation)
  • Configuration management tools
  • Baseline configuration
  • Change management
7.5 - Apply foundational security operations concepts
  • Need-to-know/least privilege
  • Separation of duties
  • Job rotation
  • Mandatory vacations
7.6 - Apply resource protection techniques
  • Media management
  • Data storage
  • Data destruction
7.7 - Conduct incident management
  • Incident response
  • Incident handling
  • Incident recovery
7.8 - Operate and maintain detective and preventative measures
  • Firewalls
  • Intrusion detection/prevention systems
  • Antivirus/anti-malware
7.9 - Implement and support patch and vulnerability management
  • Patch management
  • Vulnerability management
  • Remediation
7.10 - Understand and participate in change management processes
  • Change management procedures
  • Change control board
  • Change documentation
7.11 - Implement recovery strategies
  • Backup and restore
  • Disaster recovery
  • Business continuity
7.12 - Implement disaster recovery processes
  • Disaster recovery planning
  • Disaster recovery testing
  • Disaster recovery execution
7.13 - Test disaster recovery plans
  • Testing methodologies
  • Test frequency
  • Test documentation
7.14 - Participate in business continuity planning and exercises
  • Business continuity planning
  • Business continuity exercises
  • Business continuity documentation
7.15 - Implement and manage physical security
  • Physical access controls
  • Environmental controls
  • Physical security monitoring
7.16 - Address personnel safety and security concerns
  • Personnel security policies
  • Security awareness training
  • Security incident reporting
8.1 - Understand and integrate security in the software development lifecycle (SDLC)
  • Development methodologies (e.g., Agile, DevOps, Waterfall)
  • Secure coding practices
  • Application programming interfaces (APIs)
  • Software assurance and validation
  • Software supply chain
8.2 - Identify and apply security controls in development environments
  • Development environment security
  • Version control
  • Build processes
8.3 - Assess the effectiveness of software security
  • Static and dynamic analysis
  • Software testing
  • Code review
8.4 - Assess security impact of acquired software
  • Software acquisition process
  • Third-party software security
  • Open source software security
8.5 - Define and apply secure coding guidelines and standards
  • Secure coding standards
  • Code quality tools
  • Code review processes

Additional Examination Information

Supplementary References

Candidates are encouraged to supplement their education and experience by reviewing relevant resources that pertain to the CBK and identifying areas of study that may need additional attention.

View the full list of supplementary references at www.isc2.org/certifications/references.

Examination Policies and Procedures

ISC2 recommends that CISSP candidates review exam policies and procedures prior to registering for the examination. Read the comprehensive breakdown of this important information at www.isc2.org/register-for-exam.

Exam Preparation

Preparation for the CISSP exam can be intensive. ISC2 provides a variety of resources including review manuals, online training, and interactive exam preparation resources. Candidates are encouraged to join study groups and participate in training sessions to enhance their preparation. Engaging in practical exercises and scenario-based questions is crucial for success on the exam. Additionally, using the WannaPractice platform can enhance your preparation with interactive practice questions and scenarios that are specifically tailored to the CISSP domains.

Responsive Footer