The 8 CISSP domains explained

Neil Ford 1st February 2024

The CISSP® (Certified Information Systems Security Professional) qualification is one of the
most respected certifications in the information security industry, demonstrating an advanced
knowledge of cyber security.

It ranks alongside CCSP (Certified Cloud Security Professional) and CSSLP (Certified Secure
Software Lifecycle Professional) as one of the most in-demand credentials when hiring C-level
leaders in information security.

Here, we explain the structure of CISSP and its domains.

CISSP was launched in 1994 and its structure was last updated by (ISC)2 in 2015, moving from
ten domains to eight. The domain weightings in the CISSP exam were changed in 2021, but from
15 April 2024 they will change again.

These regular updates made by (ISC)2 ensure that the exam remains aligned with real-world job
role expectations.

What are the 8 CISSP domains?


CISSP domain                                   Current weighting        Revised weighting
                                               (effective 1 May 2021)   (effective 15 April 2024)
1. Security and Risk Management                15%                      16%
2. Asset Security                              10%                      10%
3. Security Architecture and Engineering       13%                      13%
4. Communication and Network Security          13%                      13%
5. Identity and Access Management (IAM)        13%                      13%
6. Security Assessment and Testing             12%                      12%
7. Security Operations                         13%                      13%
8. Software Development Security               11%                      10%

Our CISSP exam preparation course covers these eight domains in depth.

Summary of the CISSP domains


1. Security and Risk Management

This domain comprises 15% of the CISSP exam (16% from 15 April 2024).

This is the largest domain in CISSP, providing a comprehensive overview of information
systems management. It covers:

• The confidentiality, integrity and availability of information (known as the CIA triad);
• Security governance principles;
• Compliance requirements;
• Legal and regulatory issues relating to information security;
• IT policies and procedures;
• Risk-based management concepts; and
• (ISC)2 Code of Ethics.

This domain highlights the complexities of classifying information and helps candidates
appreciate how an organisation’s information security function interacts with other areas, such as
compliance, operational risk and IT. It also includes fundamental concepts that carry through in
every other domain.

2. Asset Security

Asset Security comprises 10% of the CISSP exam.

This domain addresses the physical requirements of information security. It covers:

• The classification and ownership of information and assets;
• Privacy;
• Asset retention, including EoL (end-of-life) and EoS (end-of-support) processes;
• Stages of the data lifecycle;
• Data security controls; and
• Handling requirements.

3. Security Architecture and Engineering

Security Architecture and Engineering comprises 13% of the CISSP exam.

This domain covers several important information security concepts, including:

• Engineering processes using secure design principles;
• Fundamental concepts of security models;
• Security capabilities of information systems;
• Assessing and mitigating vulnerabilities in systems;
• Cryptography, including methods of cryptanalytic attacks and key management practices; and
• Security principles as applied to designing sites and facilities.

For many candidates, this is one of the most challenging domains. The exam questions are
scenario based, where candidates need to explain which option they believe is the most
strategically correct.

Mastering this domain involves understanding how the principles can be applied in context,
considering multiple stakeholders and not just fixing a problem.

4. Communication and Network Security

Communication and Network Security comprises 13% of the CISSP exam.

This domain covers the design and protection of an organisation’s networks. This includes:

• Secure design principles for network architecture;
• Secure network components;
• Secure communication channels; and
• OSI (Open System Interconnection) and TCP/IP (Transmission Control Protocol/Internet
Protocol) models.

5. Identity and Access Management

Identity and Access Management comprises 13% of the CISSP exam.

This domain helps information security professionals understand how to control the way users
can access data. It covers:

• Physical and logical access to assets;
• Identification and authentication;
• Integrating identity as a service and third-party identity services;
• Authorisation mechanisms; and
• The identity and access provisioning lifecycle.

Identity and access management are considered the first line of defence for protecting
information assets.

A number of prominent laws, regulations, standards and frameworks (such as the GDPR and the
PCI DSS) implicitly require security controls (policies, procedures and technology) to be
designed and implemented to reflect this.

SSO (single sign-on) protocols are also covered here.

6. Security Assessment and Testing

Security Assessment and Testing comprises 12% of the CISSP exam.

This domain focuses on the design, performance and analysis of security testing. It includes:

• Designing and validating assessment and test strategies;
• Security control testing;
• Collecting security process data;
• Test outputs; and
• Internal and third-party security audits.

As cyber attacks and threats evolve, regular security audits, penetration tests and ethical hacking
are increasingly important.

7. Security Operations

Security Operations comprises 13% of the CISSP exam.

This domain addresses how information security management principles are integrated into the
day-to-day running of IT functions to support business objectives. It covers:

• Understanding and supporting investigations;
• Requirements for investigation types;
• Logging and monitoring activities;
• Securing the provision of resources;
• Foundational security operations concepts;
• Applying resource protection techniques;
• Incident management;
• Disaster recovery;
• Managing physical security; and
• Business continuity.

8. Software Development Security

Software Development Security comprises 11% of the CISSP exam (10% from 15 April 2024).

This domain helps professionals understand, apply and enforce software security principles in
the development lifecycle. It covers:

• Security in the software development lifecycle;
• Security controls in software development ecosystems;
• The effectiveness of software security; and
• Secure coding guidelines and standards.

These principles can be applied when developing software for internal or commercial use, as
well as part of due diligence processes when sourcing suppliers.

Vulnerabilities, Threats, and Risks Explained

By David Puzder • April 27, 2023

These three fundamental cybersecurity concepts are related but have distinct meanings. Security
experts define these three concepts in a variety of ways, and the terms threat and risk are
sometimes used interchangeably. This article’s definitions come from paraphrasing Computer
Security: Principles and Practice by William Stallings and Lawrie Brown. Each term can be
thought of in reference to an asset or “something that needs to be protected.”

• A vulnerability is a flaw or weakness in an asset’s design, implementation, or operation
and management that could be exploited by a threat.
• A threat is a potential for a threat agent to exploit a vulnerability.
• A risk is the potential for loss when the threat happens.

Now, let us dive into each of these concepts.

Vulnerability
Identifying vulnerabilities is akin to answering the question, “How could harm occur?”
Sometimes, a vulnerability can exist simply from an asset’s implementation or deployment. For
example, a vulnerability is leaving your car unlocked in a public parking lot. Leaving the doors
unlocked does not necessarily mean harm will occur, but it is an opening for someone to go
through your car. Our office looks for vulnerabilities in WashU systems to catch them before bad
actors can exploit them.

Threat
Identifying threats is akin to answering the question, “Who or what could cause harm?” In a
broad sense, a threat is anything that could exploit a vulnerability and hinder the confidentiality,
integrity, and availability of anything valuable. Threats can either be natural or human-made and
accidental or deliberate. In our car example, the owner of the car did not lock their door, so a
carjacker could exploit the opportunity. This means the threat is human-made and deliberate.

Risk
Once we know an asset’s vulnerabilities and threats, we can determine how much risk is posed to
the asset owner. This measure is the combination of the likelihood that a threat exploits a
vulnerability and the scale of harmful consequences.

Risk = (Probability that a threat occurs) * (Cost to the asset owner)

Despite the quantitative-looking nature of risk calculation, many risk analyses use qualitative
ratings. This is because it can be extremely difficult to determine accurate probabilities and
realistic costs, especially for intangible assets like trade secrets. The aim of risk analysis is to put
risks in order of what is most urgent. This can also help the owner figure out how much effort
and resources should go into protecting the asset.

Once again, let us circle back to the car example. If you drive a fancy car and keep valuables in
it, then your cost is high. Also, if you park the unlocked car in a crime-laden area, then the
probability that a threat occurs is also high. Combining these two factors shows your car is at
elevated risk in this situation.
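The ranking described above, worked through in code. This is an added illustration and not part of the original article: it implements the article's formula, Risk = (probability that a threat occurs) × (cost to the asset owner), for a small constructed risk register built around the car example, and falls back to an ordinal likelihood × impact score (an assumed 3-point scale; the article names none) for items such as trade secrets whose probability and cost cannot be estimated realistically. The asset names, figures and thresholds are all constructed for the example.

```python
"""Risk ranking with the article's formula and a qualitative fallback (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordinal scale for qualitative ratings. Assumed 3-point scale, not from the article.
RATING: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str                     # qualitative rating: low / medium / high
    impact: str                         # qualitative rating: low / medium / high
    probability: Optional[float] = None  # probability the threat occurs (0..1), when estimable
    cost: Optional[float] = None         # cost to the asset owner if it does, when estimable


def quantitative_risk(item: RiskItem) -> Optional[float]:
    """Risk = (probability that a threat occurs) * (cost to the asset owner).

    Returns None when either figure is unknown, which the article notes is common
    for intangible assets such as trade secrets.
    """
    if item.probability is None or item.cost is None:
        return None
    if not 0.0 <= item.probability <= 1.0:
        raise ValueError(f"probability out of range for {item.asset!r}: {item.probability}")
    if item.cost < 0:
        raise ValueError(f"negative cost for {item.asset!r}")
    return item.probability * item.cost


def qualitative_risk(item: RiskItem) -> int:
    """Ordinal score 1..9 from a 3x3 likelihood x impact matrix."""
    try:
        return RATING[item.likelihood.lower()] * RATING[item.impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc} for {item.asset!r}") from None


def rank_risks(items: List[RiskItem]) -> List[Tuple[str, Optional[float], int]]:
    """Order risks from most to least urgent, the stated aim of risk analysis.

    Expected loss decides when every item has one; otherwise the ordinal score
    decides, with expected loss (where known) only breaking ties.
    """
    all_quantitative = all(quantitative_risk(i) is not None for i in items)

    def sort_key(i: RiskItem):
        q = quantitative_risk(i)
        primary = q if all_quantitative else qualitative_risk(i)
        return (primary, q or 0.0)

    ranked = sorted(items, key=sort_key, reverse=True)
    return [(i.asset, quantitative_risk(i), qualitative_risk(i)) for i in ranked]


# Constructed register extending the article's car example (values invented for illustration).
REGISTER: List[RiskItem] = [
    RiskItem("Fancy car with valuables", "carjacker", "left unlocked in a crime-laden area",
             likelihood="high", impact="high", probability=0.25, cost=40_000),
    RiskItem("Old car, nothing inside", "carjacker", "left unlocked on a quiet street",
             likelihood="low", impact="low", probability=0.05, cost=1_000),
    RiskItem("Trade-secret document", "insider leak", "shared drive with broad read access",
             likelihood="medium", impact="high"),   # no realistic probability or cost figure
]

if __name__ == "__main__":
    for asset, expected_loss, score in rank_risks(REGISTER):
        loss = "n/a" if expected_loss is None else f"{expected_loss:,.0f}"
        print(f"{asset:28s} expected loss: {loss:>8s}  ordinal score: {score}")
```

Because the trade-secret item has no cost figure, the whole register is ordered by the ordinal score (9, 6, 1); drop that item and the remaining two are ordered by expected loss instead (10,000 versus 50). Mixing the two scales silently would let an item with a large currency figure outrank one with a large but unquantified impact, which is why the ranking switches modes for the register as a whole rather than per item.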

Managing Risk
The problem with risk is that, no matter how advanced our systems are, we cannot eliminate all
threats. This is where risk assessment and management come in: a routine, ongoing practice
where our office regularly reviews risks to minimize the potential for certain threats to occur.

You can find a list of our forms – including risk assessment forms such as the IT Procurement
Vendor Intake Form and Web Application Risk Assessment – at Forms | Office of Information
Security. For a list of approved external websites or cloud services to store, create or transmit
WashU confidential or Protected information, visit Secure Storage and Communication Services.

Reference
Stallings, W., & Brown, L. (2017). Computer security: Principles and practice (4th ed.). Pearson
Education, Inc.

Ransomware is a type of cryptovirological malware that permanently blocks access to the
victim's personal data unless a ransom is paid. While some simple ransomware may lock the
system without damaging any files, more advanced malware uses a technique called cryptoviral
extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom
payment to decrypt them.[1][2][3][4][5] In a properly implemented cryptoviral extortion attack,
recovering the files without the decryption key is an intractable problem, and difficult-to-trace
digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the
ransoms, making tracing and prosecuting the perpetrators difficult.
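The observable side effect of cryptoviral extortion described above is that many readable files are rewritten, within a short time, as bytes that are indistinguishable from random data. The following detection heuristic is an added defender-side example, not taken from the article: it computes Shannon entropy for the content of each file before and after a rewrite, flags rewrites that turn a low-entropy document into near-random bytes, and alerts when several such rewrites land inside a short window. The file-activity feed, paths and thresholds are constructed for the example; compressed formats such as archives and images are already dense and are excluded to avoid the obvious false positive.

```python
"""Entropy-burst heuristic for mass file encryption (added defender-side example)."""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

# Thresholds are assumptions chosen for this illustration, not published detection rules.
ENTROPY_THRESHOLD = 7.5   # bits per byte; plain documents sit well below this
MIN_ENTROPY_JUMP = 2.0    # the rewrite must raise entropy by at least this much
WINDOW_SECONDS = 60.0     # burst window
BURST_THRESHOLD = 5       # suspicious rewrites inside one window needed to alert
ALREADY_DENSE = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4"}  # dense before any attack


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def suspicious_rewrite(event: Dict) -> bool:
    """True when a rewrite turns a low-entropy file into near-random bytes."""
    if _extension(event["path"]) in ALREADY_DENSE:
        return False  # archives/images are dense by nature; skip to limit false positives
    before = shannon_entropy(event["before"])
    after = shannon_entropy(event["after"])
    return after >= ENTROPY_THRESHOLD and (after - before) >= MIN_ENTROPY_JUMP


def detect_bursts(events: List[Dict]) -> List[Tuple[float, List[str]]]:
    """Return (window_start_ts, paths) for each burst of suspicious rewrites.

    A sliding window over the suspicious rewrites, sorted by time, fires once when
    it first holds BURST_THRESHOLD events rather than on every later event.
    """
    hits = sorted((e["ts"], e["path"]) for e in events if suspicious_rewrite(e))
    alerts: List[Tuple[float, List[str]]] = []
    start = 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > WINDOW_SECONDS:
            start += 1
        if end - start + 1 == BURST_THRESHOLD:
            alerts.append((hits[start][0], [p for _, p in hits[start:end + 1]]))
    return alerts


def _constructed_events() -> List[Dict]:
    """Constructed feed: six documents rewritten to random bytes within 25 s, one archive
    rewritten (dense before and after) and one ordinary text edit."""
    rng = random.Random(2024)  # seeded so the sample is reproducible

    def random_blob(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    doc = b"Quarterly report: revenue, costs and headcount by region.\n" * 64
    events = [
        {"ts": 100.0 + 5 * i, "path": f"/share/finance/report{i}.docx",
         "before": doc, "after": random_blob(4096)}
        for i in range(6)
    ]
    events.append({"ts": 110.0, "path": "/share/finance/archive.zip",
                   "before": random_blob(4096), "after": random_blob(4096)})
    events.append({"ts": 115.0, "path": "/share/finance/notes.txt",
                   "before": doc, "after": doc + b"Updated figures.\n"})
    return events


EVENTS = _constructed_events()

if __name__ == "__main__":
    for window_start, paths in detect_bursts(EVENTS):
        print(f"burst at t={window_start}: {len(paths)} files rewritten to high-entropy content")
        for p in paths:
            print("  ", p)
```

Entropy alone is a weak signal (compressed, encrypted-at-rest and media files are all near 8 bits per byte), so the heuristic keys on the change in entropy per file and on the rate of such changes rather than on any single rewrite; in practice this would be combined with rename patterns and process lineage before anything is treated as an incident.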

Ransomware attacks are typically carried out using a Trojan disguised as a legitimate file that the
user is tricked into downloading or opening when it arrives as an email attachment. However,
one high-profile example, the WannaCry worm, traveled automatically between computers
without user interaction.[6]

Starting as early as 1989 with the first documented ransomware known as the AIDS trojan, the
use of ransomware scams has grown internationally.[7][8][9] There were 181.5 million ransomware
attacks in the first six months of 2018. This record marks a 229% increase over this same time
frame in 2017.[10] In June 2014, vendor McAfee released data showing that it had collected more
than double the number of ransomware samples that quarter than it had in the same quarter of the
previous year.[11] CryptoLocker was particularly successful, procuring an estimated US$3 million
before it was taken down by authorities,[12] and CryptoWall was estimated by the US Federal
Bureau of Investigation (FBI) to have accrued over US$18 million by June 2015.[13] In 2020, the
IC3 received 2,474 complaints identified as ransomware with adjusted losses of over $29.1
million. The losses could be more than that, according to the FBI.[14] Globally, according to
Statistica, there were about 623 million ransomware attacks in 2021, and 493 million in 2022.[15]
