
CISSP certification requirements: An introduction to the 8 security domains


By: Charles Owen-Jackson

September 8, 2021


The CISSP framework encompasses information security topics across eight domains that security professionals face in their day-to-day jobs.

Earning a CISSP accreditation requires candidates to develop a broad knowledge across eight cybersecurity control categories. The ISC2, which is responsible for providing and maintaining certifications, rigorously reviews the study materials and exam content on a regular basis to reflect the most persistent challenges that today’s cybersecurity professionals face. The most recent refresh became effective on May 1, 2021. While the eight control categories are broadly the same as before, there are some important differences, thus highlighting the reasons why candidates must use up-to-date study materials.

Here are the control domains candidates need to familiarize themselves with:

#1. Security and Risk Management

Security and risk management focuses on key security concepts and methodologies rather than technical controls alone. It makes up 15% of the CISSP exam content and serves as an introduction to the leadership and decision-making roles of CISSP certification holders. Candidates will be evaluated on areas such as security best practices and procedures and the implementation of security awareness programs. As the domain title suggests, it also covers risk-management processes, such as business continuity planning, threat modeling, and investigatory procedures. The recent refresh incorporates supply chain risk management (SCRM) concepts, an essential addition given the rapid rise of supply chain attacks.

#2. Asset Security

Encompassing 10% of the CISSP exam content, the asset security domain addresses issues and challenges around data collection, storage, retention, and destruction. It begins by introducing the roles of data owners, controllers, and custodians and the data protection methods that need to be applied throughout the data lifecycle. The latest refresh now covers the secure provisioning of resources in the age of cloud and mobile computing. Asset retention has also been expanded to cover the correct procedures for decommissioning assets at the end of their support lifecycles.

#3. Security Architecture and Engineering

With a 13% exam weight, security architecture and engineering covers the technical measures involved in designing, implementing, and maintaining information systems according to the latest security standards and regulatory practices. Candidates will be evaluated on their abilities to assess and mitigate potential system vulnerabilities across a broad range of IT architectures, including cloud systems, virtualized resources, system infiltrations, and mobile computing. The latest refresh covers several additional topics, including the mitigation of cryptanalytic attack methods and secure design principles in the development of software systems.

#4. Communications and Network Security

Communications and network security encompasses 13% of the CISSP exam, down from 14% before the latest refresh. As the name suggests, this control area covers the transmission of data between networks. Candidates will be evaluated on their knowledge of assessing and implementing secure design principles for network architectures, secure network components, and secure communications channels. For example, they will have to answer questions about the secure use of cellular and wireless networks, modern communications protocols, and the safe operation of networking hardware.

#5. Identity and Access Management

Identity and access management (IAM) is one of the most critical areas of cybersecurity today since many resources and systems are now account-based and accessed remotely. As such, implementing strict controls on who has access to which data and why is crucial for building a strong security infrastructure. This domain accounts for 13% of the CISSP exam content. It addresses physical and logical asset control, the identification and authentication of people, devices, and services, and the security of third-party services. It also covers industry best practices, such as the concepts of zero-trust security and the principle of least privilege.

#6. Security Assessment and Testing

The security assessment and testing domain covers 12% of the CISSP exam, and the latest refresh does not introduce any significant changes. Nonetheless, extensive knowledge of this domain is critical for would-be security leaders since cybersecurity is, first and foremost, a process and a journey rather than a destination. This is why the domain covers the roles of strategy, auditing, and accountability in developing a robust security plan. Built upon the concept of continuous improvement, it addresses key areas like the collection of security process data, analytics, testing, and reporting.

#7. Security Operations

Security operations (SecOps) encompasses 13% of the CISSP exam content and addresses the operationalization of security processes and procedures. The latest refresh incorporates the configuration management systems engineering process, including provisioning, baselining, and automation of security configurations. As in previous editions, this domain also covers implementing and testing disaster recovery plans and processes and business continuity plans. Security operations is extremely broad and constantly evolving, due largely to the increasing use of automation and machine learning; hence, this topic area is one of the more challenging to study.

#8. Software Development Security

The software development security domain encompasses the remaining 11% of the CISSP exam content. This compares to a previous exam weight of 10%, though the content remains unchanged in terms of its focus. This domain is one of the most specialized and technically oriented since it covers software development procedures like secure coding and security controls. Today, security controls and policies must be hard-baked into software products throughout the entire software development lifecycle (SDLC) rather than tacked on later. Although CISSPs are not likely to be directly involved with software development and engineering, they may be tasked with overseeing them, hence the importance of this domain.

The content of the CISSP framework has been updated to reflect the challenges that security professionals can expect to face in their day-to-day jobs. Earning certification requires candidates to be deeply familiar with a broad range of information security processes and best practices across the eight domains covered in this article.
