Overview of the 8 Domains of CISSP
The CISSP exam covers eight large domains. And brief explanation of each domain and weight in the final score is provided as follows: However, these parameters can change periodically. Additionally, candidates must score a passing mark in all eight domains to earn the credential.
Below is an overview of the 8 domains of CISSP:
Security and Risk Management [15%]
This domain covers broad security functions and strategies employed to reduce and keep risk to an acceptable level. And this domain resonates around figuring out the relationships among risks, threats, assets and vulnerabilities an organization may face. Furthermore, security controls employed to minimize those risks are discussed comprehensively. Moreover, measurements to evaluate effectiveness of the security controls is further described in detail.
Many American and international standards, models and frameworks exist in this domain. Candidates should comprehend all American, European and international frameworks and standards. Besides, risks associated with supply chain managements and third parties are elaborated. In fact, the maturity of an organization mostly anchors on the level of education, training and awareness programs provided to its employees. This is because most risks, threats and vulnerabilities emanate from weaknesses of human factors. Therefore, this domain hence covers and notes the importance of personnel capacity development programs for a given organization.
Asset Security [10%]
This domain concentrates on identifying, inventorying and protecting tangible and intangible assets of an organization. And organizational assets include information stores, hardware, software, database, reputation, and network systems. Additionally, this domain mainly begins by classifying organizational information and assets. Classification is mainly then done through assessing criticality and sensitivity of assets. Data classification and declassification should at the end align with business requirements of the organization. Moreover, secure provisioning and de-provisioning of resources to/from concerned bodies is at the heart of asset security. Besides, organizations should establish data retention policies to properly manage and maintain their assets. And this domain covers many Data security controls and standards.
Security Architecture and Engineering [13%]
This domain is combination of two broad subdomains namely security architecture and security engineering. The security architecture part concerns with design and integration of components, processes, services, and controls appropriate to reduce information security risks to an acceptable level. Whereas the security engineering module focuses on the actual implementation of those designs and architectures. And both should base on appropriate risk management programs. This domain focuses on applying secure design principles in all phases of engineering processes. Furthermore, this domain includes old and recent security models. Cryptographic modules and different computing paradigms are comprehensively covered.
Communication and Network Security [13%]
This domain comprehensively covers computer networking and as it relates to information security. Network topologies, secure network architectures, firewalls, network devices and protocols are the emphasis of this domain. Additionally, this domain explains secure communication channels, LAN/WAN, TCP/IP and OSI reference models in detail. Candidates should have solid fundamental knowledge on communication and computer networking as it relates to on premise datacenters and cloud networks. It is one of the most prominent domains that candidates should diligently explore in detail.
Identity and Access Management [13%]
It is one of the building blocks of information security. Access to resources and services is orchestrated with proper identification and validation of entities. Entities in this regard can be people, services, and devices. This domain makes its base on four fundamental modules namely identification, authentication, authorization and accountability, aka IAAA. Controlling access to physical and logical assets is the main theme of this domain. Access controls are the nucleoli of this domain.
Security Assessment and Testing [12%]
This domain focuses on designing and validating assessments, various tests and auditing strategies. The candidate should design and develop security controls testing programs to evaluate the effectiveness of the same. And conducting security audits for information systems will uncover weakness in security controls. Additionally, candidates should have good understanding on code review, vulnerability management and penetration testing procedures.
Security Operations [13%]
This domain focuses on maintaining various aspects of security controls of an organization. Besides, this domain gives emphasis to maintain security across people, processes and technologies. And organizations should periodically assess their levels of risks and should propose mitigation strategies through security controls or perhaps business process reengineering. Conducting patch management, logging, change management and incident management activities falls under this domain.
Software Development Security [11%]
Information security programs should incorporate security functions for software development endeavors. Candidates must understand the integration of security in software development life cycle (SDLC). This domain explains and considers software development methodologies and maturity assurance models in depth.