

Published by yafiya, 2026-01-22 00:48:33

Key Topics Covered in the CISSP Exam

The Certified Information Systems Security Professional (CISSP) exam is structured around eight core domains that comprise the Common Body of Knowledge (CBK). As of the most recent updates in 2024 and 2025, the exam places a heavy emphasis on risk management and the overall lifecycle of security operations.

Keywords: education, certification, training, cissp, cissp exam

The following are the eight domains and the key topics you will be tested on:

1. Security and Risk Management (16%)

This is the most heavily weighted domain. It covers the foundational concepts of information security and how to align security with business goals.

● Confidentiality, Integrity, and Availability (CIA): The core pillars of security.
● Security Governance: Organizational roles, responsibilities, and legal/regulatory compliance (GDPR, HIPAA, etc.).
● Risk Management: Quantitative and qualitative risk analysis, threat modeling, and supply chain risk.
● Business Continuity (BC): Identifying requirements and developing a Business Impact Analysis (BIA).

2. Asset Security (10%)

Focuses on the collection, handling, and protection of data throughout its entire lifecycle.

● Information and Asset Classification: Determining how to label and protect data based on sensitivity.
● Data Lifecycle Management: From creation and storage to destruction (data remanence).
● Privacy Requirements: Ensuring compliance with data protection standards.

3. Security Architecture and Engineering (13%)


Covers the technical design of secure systems and the application of security models.

● Secure Design Principles: Defense in depth, Zero Trust, and "fail-secure" defaults.
● Security Models: Models like Bell-LaPadula (confidentiality) and Biba (integrity).
● Cryptography: Symmetric/asymmetric encryption, digital signatures, and Public Key Infrastructure (PKI).
● Physical Security: Site design, perimeter security, and environmental controls.

4. Communication and Network Security (13%)

Deals with the design and protection of network infrastructure.

● OSI and TCP/IP Models: Understanding the layers and where security controls fit.
● Secure Protocols: Implementation of IPsec, SSH, TLS, and secure wireless networking.
● Network Components: Securing routers, switches, and firewalls.

5. Identity and Access Management (13%)

Focuses on controlling how users and systems access information.

● Identification and Authentication: Multi-factor authentication (MFA) and biometrics.
● Identity Management: Federated identities, Single Sign-On (SSO), and SAML.
● Access Control Models: Role-Based (RBAC), Discretionary (DAC), and Mandatory (MAC) access controls.

For additional insights on certification training and professional development skills that are valuable in information security roles — such as those you'd build in courses like CISM — see this article on Top 5 Skills You'll Gain in a CISM Course.
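The two security models named under domain 3 and the Mandatory Access Control (MAC) model listed under domain 5 are easiest to see as one small rule check: a label is a level plus a set of need-to-know compartments, one label "dominates" another when it is at least as high on both, and Bell-LaPadula and Biba are the same dominance test read in opposite directions. The following is an added example written for this page, not code from the article or from any exam material; the level names, compartments and the subject and objects are constructed for illustration.

```python
"""Bell-LaPadula and Biba as a minimal mandatory access control (MAC) check.

Added teaching example: the levels, compartments and labels here are constructed
for illustration and are not taken from the article, the exam, or any product.
"""
from dataclasses import dataclass

# Ordered lattice levels; a higher index is more sensitive (BLP) or more trusted (Biba).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of need-to-know compartments."""
    level: str
    categories: frozenset

    def dominates(self, other: "Label") -> bool:
        # Lattice ordering: at least as high a level AND a superset of the compartments.
        return RANK[self.level] >= RANK[other.level] and self.categories >= other.categories


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula protects confidentiality.

    read : simple security property, "no read up"   -> subject must dominate object
    write: *-property,               "no write down" -> object must dominate subject
    """
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation: {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba protects integrity and is the dual of BLP.

    read : simple integrity property, "no read down" -> object must dominate subject
    write: *-integrity property,      "no write up"  -> subject must dominate object
    """
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation: {op!r}")


def decision_table(subject: Label, objects: dict) -> dict:
    """Evaluate every (object, operation) under both models; returns {(name, op): (blp, biba)}."""
    return {
        (name, op): (blp_allows(subject, obj, op), biba_allows(subject, obj, op))
        for name, obj in objects.items()
        for op in ("read", "write")
    }


if __name__ == "__main__":
    # Constructed subject and objects; the third object is incomparable with the subject
    # (same level, different compartment), so every BLP and Biba request to it is denied.
    analyst = Label("SECRET", frozenset({"crypto"}))
    objects = {
        "memo (CONFIDENTIAL, crypto)": Label("CONFIDENTIAL", frozenset({"crypto"})),
        "plan (TOP_SECRET, crypto+nuclear)": Label("TOP_SECRET", frozenset({"crypto", "nuclear"})),
        "report (SECRET, nuclear)": Label("SECRET", frozenset({"nuclear"})),
    }
    for (name, op), (blp, biba) in decision_table(analyst, objects).items():
        print(f"{op:5} {name:36} BLP={'allow' if blp else 'deny':5} Biba={'allow' if biba else 'deny'}")
```

Running it shows the exam-relevant contrast directly: the SECRET analyst may read the CONFIDENTIAL memo but not write to it under BLP (that would be a write down), while Biba gives the opposite answers for the same pair, because a lower label now means lower integrity. The compartment check is what makes this a lattice rather than a simple ladder, which is why the SECRET/nuclear report is denied in both directions.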


6. Security Assessment and Testing (12%)

Evaluates the effectiveness of security controls through testing and auditing.

● Vulnerability Assessment & Penetration Testing: Identifying and exploiting weaknesses.
● Audit Strategies: Internal and external audits to ensure compliance.
● Log Reviews: Analyzing security process data to find anomalies.

7. Security Operations (13%)

Addresses the day-to-day management of security and incident response.

● Incident Management: The lifecycle of detecting and responding to security incidents.
● Disaster Recovery (DR): Strategies for restoring operations after a catastrophic event.
● Logging and Monitoring: Utilizing SIEM (Security Information and Event Management) and UEBA.

8. Software Development Security (10%)

Ensures that security is integrated into the software development lifecycle (SDLC).

● Secure Coding Guidelines: Avoiding common vulnerabilities like those in the OWASP Top 10.
● SDLC Methodologies: Security in Agile, DevOps, and Waterfall environments.
● Software Acquisition: Assessing the security of third-party or commercial-off-the-shelf (COTS) software.
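Domains 6 and 7 both list log review as a topic: reading security process data for anomalies and feeding that data to a SIEM. As an added example, not content from the article, the following parses a few constructed sshd authentication lines and flags a source address whose burst of failed logins is followed by a successful login, the basic correlation a SIEM rule for password guessing alerts on. The log format, hostnames and addresses are made up; the failure threshold, time window and the assumed log year are tunables chosen for the example.

```python
"""Log review example: flag a burst of failed SSH logins followed by a success.

Added example for this page; the log lines below are constructed, not captured
from any real system. Threshold and window are illustrative tunables.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a syslog-style sshd format.
SAMPLE_LOG = """\
Mar 10 02:14:01 bastion sshd[4012]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar 10 02:14:03 bastion sshd[4012]: Failed password for invalid user admin from 198.51.100.23 port 50124 ssh2
Mar 10 02:14:05 bastion sshd[4013]: Failed password for alice from 198.51.100.23 port 50130 ssh2
Mar 10 02:14:07 bastion sshd[4013]: Failed password for alice from 198.51.100.23 port 50131 ssh2
Mar 10 02:14:09 bastion sshd[4013]: Failed password for alice from 198.51.100.23 port 50132 ssh2
Mar 10 02:14:12 bastion sshd[4014]: Accepted password for alice from 198.51.100.23 port 50140 ssh2
Mar 10 09:00:44 bastion sshd[5120]: Accepted publickey for bob from 203.0.113.7 port 61000 ssh2
Mar 10 09:05:10 bastion sshd[5131]: Failed password for bob from 203.0.113.7 port 61010 ssh2
Mar 10 09:05:30 bastion sshd[5131]: Accepted password for bob from 203.0.113.7 port 61011 ssh2
"""

# One pattern covers both outcomes; "invalid user" appears only on failures for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text: str, year: int = 2024) -> list:
    """Turn raw lines into event dicts. Syslog lines carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count unparsed lines as a health signal
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def find_bruteforce_success(events: list, threshold: int = 3, window_s: int = 300) -> list:
    """Report each successful login preceded by >= threshold failures from the same
    source IP within window_s seconds. Failures are tracked per IP, not per user,
    so guessing across several account names is still seen as one burst."""
    failures = defaultdict(list)  # ip -> timestamps of failures not yet followed by a success
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            continue
        recent = [t for t in failures[ip] if (ev["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            findings.append({"ip": ip, "user": ev["user"], "failures": len(recent), "success_at": ev["ts"]})
        failures[ip].clear()  # a success ends the current burst for this source
    return findings


if __name__ == "__main__":
    for f in find_bruteforce_success(parse(SAMPLE_LOG)):
        print(f"possible password-guessing success: {f['ip']} -> {f['user']} "
              f"after {f['failures']} failures, at {f['success_at']:%Y-%m-%d %H:%M:%S}")
```

On the sample, only the 198.51.100.23 burst is reported: five failures across two account names in eleven seconds, then a success as alice. Bob's single mistyped password before a correct one stays below the threshold, which is the kind of baseline tuning the SIEM and UEBA topics in domain 7 are about.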

