CISSP 2024 Complete Study Guide: All Eight Domains

Complete CISSP study guide covering all eight domains with exam strategies, study plan, and resources. Covers risk management, cryptography, IAM, and security operations.

The Certified Information Systems Security Professional (CISSP) is the most prestigious and widely recognized certification in information security. Administered by (ISC)2 (International Information System Security Certification Consortium), the CISSP validates deep expertise across eight domains of cybersecurity and is widely regarded as the gold standard for security professionals aiming at senior and leadership positions.

According to the (ISC)2 Cybersecurity Workforce Study 2024, CISSP holders earn a median salary of $131,000 in the United States, making it one of the highest-paying IT certifications. The certification requires a minimum of five years of cumulative, paid work experience in two or more of the eight CISSP domains, though candidates can pass the exam first and work as an "Associate of (ISC)2" while accumulating the required experience.

The CISSP exam uses Computerized Adaptive Testing (CAT) in English, presenting 125-175 questions within a 4-hour time limit. The passing score is 700 out of 1000, and the exam adapts its difficulty based on your performance, presenting harder questions as you answer correctly.


Exam Overview

Detail                 Information
Certification Body     (ISC)2
Exam Format            Computerized Adaptive Testing (CAT)
Number of Questions    125-175 (English), 250 (other languages)
Time Limit             4 hours
Passing Score          700/1000
Cost                   $749 USD
Experience Required    5 years in 2+ domains (or 4 years with qualifying degree/cert)
Validity               3 years (40 CPE credits per year, 120 total)

The eight CISSP domains (updated 2024):

  1. Security and Risk Management (16%)
  2. Asset Security (10%)
  3. Security Architecture and Engineering (13%)
  4. Communication and Network Security (13%)
  5. Identity and Access Management (IAM) (13%)
  6. Security Assessment and Testing (12%)
  7. Security Operations (13%)
  8. Software Development Security (10%)

"The CISSP exam does not test whether you can configure a firewall. It tests whether you can think like a security manager. Every question ultimately asks: what is the best decision for the organization given this situation, these constraints, and these risks? If you approach CISSP like a technical exam, you will fail." -- Shon Harris, author of CISSP All-in-One Exam Guide (a foundational reference that has been continued by Fernando Maymi after Harris's passing)


Domain 1: Security and Risk Management (16%)

This is the largest domain and the one that defines the CISSP's management-level perspective. It covers the principles, frameworks, and processes that guide all security decisions.

CIA Triad

CIA triad -- the foundational model of information security consisting of three core principles: Confidentiality (ensuring information is accessible only to authorized individuals), Integrity (ensuring information is accurate and unaltered), and Availability (ensuring information is accessible when needed by authorized users).

Every CISSP question can be analyzed through the lens of the CIA triad. When a question presents a scenario and asks for the "best" answer, determine which CIA principle is most at risk and choose the answer that addresses it.

Risk Management Frameworks

The exam tests your knowledge of major risk management frameworks:

  • NIST Risk Management Framework (RMF): Used primarily by U.S. federal agencies. Steps include: Categorize, Select, Implement, Assess, Authorize, Monitor.
  • ISO 27001/27002: International standards for information security management systems (ISMS). ISO 27001 specifies requirements; ISO 27002 provides implementation guidance.
  • COBIT: Framework developed by ISACA for IT governance and management.

Risk assessment -- the process of identifying threats and vulnerabilities, analyzing the likelihood and potential impact of security incidents, and determining appropriate risk responses (accept, mitigate, transfer, or avoid).

Quantitative risk analysis uses specific dollar values:

  1. Asset Value (AV): The value of the asset being protected
  2. Exposure Factor (EF): The percentage of asset loss from a single incident
  3. Single Loss Expectancy (SLE): AV x EF
  4. Annual Rate of Occurrence (ARO): How often the event is expected per year
  5. Annualized Loss Expectancy (ALE): SLE x ARO

For example, if a server is worth $200,000 (AV), a flood would destroy 50% of it (EF = 0.5), and floods occur once every 10 years (ARO = 0.1), then SLE = $100,000 and ALE = $10,000. Any mitigation costing less than $10,000 per year is cost-justified.
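The calculation above, carried through in code as an added example (not from the guide). It reproduces the flood figures from the text and adds a cost-benefit check for a safeguard; the "raised platform" control and its $4,000 cost are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """Inputs of a quantitative risk analysis (money in dollars)."""
    asset_value: float      # AV: value of the asset being protected
    exposure_factor: float  # EF: fraction of the asset lost in one incident
    annual_rate: float      # ARO: expected number of incidents per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.annual_rate


def safeguard_value(before: RiskScenario, after: RiskScenario,
                    annual_cost: float) -> float:
    """Net yearly value of a safeguard = ALE(before) - ALE(after) - cost.

    Positive: the control removes more expected loss than it costs and is
    cost-justified. Negative: the organization would pay more for the
    control than the risk it removes.
    """
    return before.ale() - after.ale() - annual_cost


# Constructed scenario from the text: $200,000 server, a flood destroys
# 50% of it, one flood every ten years.
flood = RiskScenario(asset_value=200_000, exposure_factor=0.5, annual_rate=0.1)

# Hypothetical safeguards (assumptions, not from the guide): a raised
# platform that halves the exposure factor, and a control that removes
# the flood loss entirely.
flood_with_platform = RiskScenario(200_000, exposure_factor=0.25, annual_rate=0.1)
no_flood_loss = RiskScenario(200_000, exposure_factor=0.0, annual_rate=0.1)

if __name__ == "__main__":
    print(f"SLE = ${flood.sle():,.0f}, ALE = ${flood.ale():,.0f}")
    print("Platform at $4,000/yr: net value",
          f"${safeguard_value(flood, flood_with_platform, 4_000):,.0f}")
    print("Full mitigation at $9,000/yr: net value",
          f"${safeguard_value(flood, no_flood_loss, 9_000):,.0f}")
    print("Full mitigation at $12,000/yr: net value",
          f"${safeguard_value(flood, no_flood_loss, 12_000):,.0f}")
```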

Legal and Regulatory Compliance

Know these major regulations at a conceptual level:

  • GDPR: European data privacy regulation with global reach. Requires data protection by design, consent for processing, and mandatory breach notification within 72 hours.
  • HIPAA: U.S. healthcare data protection law covering Protected Health Information (PHI)
  • SOX (Sarbanes-Oxley): U.S. financial reporting integrity law with IT controls implications
  • PCI DSS: Payment card industry standard for protecting cardholder data

Domain 2: Asset Security (10%)

Data Classification

Organizations classify data to determine appropriate protection levels:

Government Level     Corporate Level            Protection Level
Top Secret           Confidential/Restricted    Highest encryption, strict access
Secret               Private                    Strong access controls
Confidential         Sensitive                  Moderate controls
Unclassified         Public                     Minimal controls

Data lifecycle -- the stages through which data moves from creation to destruction: Create, Store, Use, Share, Archive, Destroy. Security controls must be applied at every stage.

Data Roles

  • Data Owner: Senior management responsible for the classification and protection of data. Usually a business executive, not an IT person.
  • Data Custodian: IT staff responsible for implementing the security controls defined by the data owner
  • Data Processor: Entity that processes data on behalf of the data controller (relevant to GDPR)
  • Data Steward: Ensures data quality and adherence to policies

Domain 3: Security Architecture and Engineering (13%)

Security Models

  • Bell-LaPadula Model: Focuses on confidentiality. "No read up, no write down." A user at a Secret clearance level cannot read Top Secret data and cannot write to Unclassified levels.
  • Biba Model: Focuses on integrity. "No read down, no write up." Prevents lower-integrity data from corrupting higher-integrity data.
  • Clark-Wilson Model: Focuses on integrity through well-formed transactions and separation of duties.
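The Bell-LaPadula and Biba rules as a small reference monitor, added here as an example (not code from the guide). The level names follow the classification table in Domain 2; for Biba the same ordering is read as integrity levels rather than clearances.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered labels. Bell-LaPadula reads them as sensitivity levels,
    Biba as integrity levels; the ordering is the same in both."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, action: str) -> bool:
    """Bell-LaPadula (confidentiality).

    Simple security property: no read up   -> read only if subject >= object
    *-property:               no write down -> write only if subject <= object
    """
    if action == "read":
        return subject >= obj
    if action == "write":
        return subject <= obj
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject: Level, obj: Level, action: str) -> bool:
    """Biba (integrity), the dual of Bell-LaPadula.

    Simple integrity axiom: no read down -> read only if subject <= object
    *-integrity axiom:      no write up  -> write only if subject >= object
    """
    if action == "read":
        return subject <= obj
    if action == "write":
        return subject >= obj
    raise ValueError(f"unknown action {action!r}")


def access_matrix(model, subject: Level) -> dict:
    """Every (object level, action) decision for one subject under a model."""
    return {(obj.name, act): model(subject, obj, act)
            for obj in Level for act in ("read", "write")}


if __name__ == "__main__":
    # The text's example: a Secret-cleared subject under each model.
    for name, model in (("BLP ", blp_allows), ("Biba", biba_allows)):
        for (obj, act), ok in access_matrix(model, Level.SECRET).items():
            print(f"{name} Secret {act:5} {obj:13} -> {'allow' if ok else 'deny'}")
```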

Cryptography

Symmetric encryption -- an encryption method using the same key for both encryption and decryption (examples: AES-256, 3DES, Blowfish). Fast but requires secure key exchange.

Asymmetric encryption -- an encryption method using a key pair (public key for encryption, private key for decryption). Examples: RSA, ECC, Diffie-Hellman. Slower but solves the key distribution problem.

Key cryptographic concepts:

  • Hashing: One-way function producing a fixed-length digest (SHA-256, SHA-3). Used for integrity verification.
  • Digital signatures: Created by encrypting a message hash with the sender's private key. Provides authentication, integrity, and non-repudiation.
  • PKI (Public Key Infrastructure): A framework of certificate authorities (CAs), registration authorities (RAs), and digital certificates that enables trusted communication.
  • TLS/SSL: Transport Layer Security protocols that encrypt communication between clients and servers. TLS 1.3 is the current standard.

Domain 4: Communication and Network Security (13%)

Network Architecture

The exam tests understanding of network security at an architectural level:

  • Firewalls: Stateful inspection, application-layer gateways, and next-generation firewalls (NGFW). Palo Alto Networks and CrowdStrike are major vendors in this space.
  • IDS/IPS: Intrusion Detection Systems (passive monitoring) vs. Intrusion Prevention Systems (active blocking). Signature-based detection identifies known attacks; anomaly-based detection identifies unusual behavior.
  • DMZ (Demilitarized Zone): A network segment between the external internet and the internal network, hosting public-facing services like web servers.
  • VPN: IPsec (site-to-site) and TLS/SSL (remote access) virtual private networks

Network Attacks

  • DDoS: Distributed Denial of Service attacks overwhelm a target with traffic from multiple sources
  • Man-in-the-Middle: An attacker intercepts communication between two parties. TLS and certificate pinning are mitigations.
  • DNS poisoning: Corrupting DNS cache to redirect traffic to malicious servers
  • ARP spoofing: Sending fake ARP messages to link an attacker's MAC address with a legitimate IP address

Domain 5: Identity and Access Management (13%)

Access Control Models

  • DAC (Discretionary Access Control): Resource owners decide who can access their resources. Used in most operating systems (file permissions).
  • MAC (Mandatory Access Control): Access decisions are made by a central authority based on classifications. Used in military and government systems.
  • RBAC (Role-Based Access Control): Access is assigned based on the user's role in the organization. The most common enterprise model.
  • ABAC (Attribute-Based Access Control): Access decisions based on attributes of the user, resource, and environment. More flexible than RBAC.
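RBAC and ABAC decisions side by side, as an added example (not from the guide). The ticket-approval permission, the attribute names and the business-hours rule are assumptions chosen to show why the same role can be allowed in one context and denied in another.

```python
from datetime import time

# RBAC: permissions are attached to roles; a user inherits them through
# role membership and nothing else about the request is considered.
ROLE_PERMISSIONS = {
    "analyst": {"ticket:read", "ticket:update"},
    "manager": {"ticket:read", "ticket:update", "ticket:approve"},
}


def rbac_allows(roles: set, permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


# ABAC: the decision is a policy over attributes of the subject, the
# resource and the environment, so context can allow or deny the same role.
def abac_allows(subject: dict, resource: dict, env: dict, action: str) -> bool:
    # Rule 1: the owner of a ticket may always read it.
    if action == "ticket:read" and resource["owner"] == subject["id"]:
        return True
    # Rule 2: reading or updating otherwise requires the same department.
    if action in ("ticket:read", "ticket:update"):
        return subject["department"] == resource["department"]
    # Rule 3: approval needs the manager role, the same department,
    # business hours, and a request from the corporate network.
    if action == "ticket:approve":
        return ("manager" in subject["roles"]
                and subject["department"] == resource["department"]
                and time(8, 0) <= env["time"] <= time(18, 0)
                and env["network"] == "corporate")
    return False


# Constructed sample request (assumed attribute names, not from the guide).
MANAGER = {"id": "u42", "roles": {"manager"}, "department": "finance"}
TICKET = {"id": "t7", "owner": "u99", "department": "finance"}
OFFICE_HOURS = {"time": time(10, 30), "network": "corporate"}
LATE_NIGHT_REMOTE = {"time": time(23, 15), "network": "remote"}

if __name__ == "__main__":
    print("RBAC approve:", rbac_allows(MANAGER["roles"], "ticket:approve"))
    print("ABAC approve, 10:30 in the office:",
          abac_allows(MANAGER, TICKET, OFFICE_HOURS, "ticket:approve"))
    print("ABAC approve, 23:15 over remote access:",
          abac_allows(MANAGER, TICKET, LATE_NIGHT_REMOTE, "ticket:approve"))
```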

Authentication Methods

Multi-factor authentication (MFA) -- authentication requiring two or more factors from different categories: something you know (password), something you have (token, smart card), and something you are (biometrics like fingerprint or facial recognition).

Microsoft reports that MFA blocks 99.9% of account compromise attacks, yet a 2024 report from the Cybersecurity and Infrastructure Security Agency (CISA) found that only 57% of organizations had fully implemented MFA across all user accounts.


Domain 6: Security Assessment and Testing (12%)

Assessment Types

  • Vulnerability assessment: Automated scanning to identify known weaknesses. Tools include Nessus, Qualys, and OpenVAS.
  • Penetration testing: Authorized simulated attacks to test security controls. Types include black box (no prior knowledge), white box (full knowledge), and gray box (partial knowledge).
  • Security audits: Formal evaluation of security controls against a framework or standard (SOC 2, ISO 27001)

Testing Methodologies

  1. Reconnaissance: Gathering information about the target
  2. Scanning: Identifying open ports, services, and vulnerabilities
  3. Exploitation: Attempting to leverage discovered vulnerabilities
  4. Post-exploitation: Determining the impact of successful exploitation
  5. Reporting: Documenting findings, risk levels, and remediation recommendations

Domain 7: Security Operations (13%)

Incident Response

Incident response -- the organized approach to addressing and managing the aftermath of a security breach or cyberattack, aiming to limit damage, reduce recovery time, and prevent recurrence.

The NIST Incident Response Framework (SP 800-61) defines four phases:

  1. Preparation: Policies, procedures, tools, training, and communication plans
  2. Detection and Analysis: Monitoring, log analysis, and determining whether an event is an actual incident
  3. Containment, Eradication, and Recovery: Isolating the threat, removing the cause, and restoring systems
  4. Post-Incident Activity: Lessons learned, documentation, and process improvement

Business Continuity and Disaster Recovery

  • BCP (Business Continuity Planning): Ensures critical business functions continue during and after a disaster
  • DRP (Disaster Recovery Planning): Focuses specifically on restoring IT systems and data
  • RPO (Recovery Point Objective): The maximum acceptable data loss measured in time (how far back can you restore?)
  • RTO (Recovery Time Objective): The maximum acceptable downtime before systems must be restored

Backup site types:

  • Hot site: Fully equipped and operational, ready for immediate failover (most expensive)
  • Warm site: Equipped with hardware but requires data restoration (moderate cost)
  • Cold site: Empty facility with power and connectivity but no equipment (least expensive)

Domain 8: Software Development Security (10%)

Secure Development Lifecycle

SDLC (Software Development Life Cycle) -- the process for planning, creating, testing, and deploying software. Security must be integrated at every phase, not bolted on at the end.

  • OWASP Top 10: The Open Web Application Security Project's list of the ten most critical web application security risks. Current top risks include injection flaws, broken authentication, and security misconfiguration.
  • Code review: Manual or automated analysis of source code for security vulnerabilities
  • Static Application Security Testing (SAST): Analyzing source code without executing it
  • Dynamic Application Security Testing (DAST): Testing running applications for vulnerabilities
  • Software Composition Analysis (SCA): Identifying known vulnerabilities in third-party libraries and open-source components. This has become increasingly important as modern applications typically consist of 80-90% open-source code.

Database Security

Database security concepts that appear on the CISSP:

  • SQL injection: An attack where malicious SQL code is inserted into input fields to manipulate database queries. Prevented by parameterized queries and input validation.
  • Database encryption: Transparent Data Encryption (TDE) encrypts data at rest. Column-level encryption protects specific sensitive fields.
  • Polyinstantiation: Maintaining multiple instances of a database record at different classification levels to prevent inference attacks.
  • Aggregation and inference: The risk that combining individually non-sensitive data points reveals sensitive information. A user who can see employee names and a user who can see salary ranges should not be able to combine these views to determine individual salaries.
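The SQL injection bullet above, shown as a vulnerable lookup beside its parameterized replacement, as an added example (not from the guide). It uses an in-memory SQLite table constructed inline, and adds the allow-list validator the text recommends as a second layer.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table (not from the guide)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the statement by string formatting: the input is parsed as
    SQL, so a crafted value changes the meaning of the WHERE clause."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Binds the value as a parameter: the statement's grammar is fixed
    before the input is seen, so the input is only ever compared as data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def is_valid_username(username: str) -> bool:
    """Allow-list input validation, used in addition to (not instead of)
    parameterized queries."""
    return username.isalnum() and 1 <= len(username) <= 32


# Constructed tautology input for the demonstration: it closes the quoted
# literal and appends an always-true condition.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:    ", lookup_vulnerable(conn, TAUTOLOGY))     # every row
    print("parameterized: ", lookup_parameterized(conn, TAUTOLOGY))  # []
    print("validator:     ", is_valid_username(TAUTOLOGY))           # False
```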

Development Methodologies

Understanding secure development methodologies is tested:

  • Waterfall: Sequential phases (requirements, design, implementation, testing, deployment). Security testing occurs late in the process.
  • Agile: Iterative development with security integrated into each sprint. Security stories and threat modeling occur throughout.
  • DevSecOps: The integration of security practices into the DevOps pipeline. Security testing is automated in CI/CD pipelines using tools like SonarQube for SAST and OWASP ZAP for DAST. Organizations including Netflix and Google have adopted DevSecOps practices to enable rapid deployment without sacrificing security posture.

Study Plan and Resources

Twelve-Week Study Plan

  1. Weeks 1-2: Security and Risk Management (Domain 1). This is the largest domain and the foundation for all others.
  2. Weeks 3-4: Asset Security and Security Architecture (Domains 2 and 3). Focus on data classification and cryptography.
  3. Weeks 5-6: Network Security and IAM (Domains 4 and 5). Study network attacks, firewalls, and access control models.
  4. Weeks 7-8: Assessment, Operations, and Software Security (Domains 6, 7, 8). Cover incident response, BCP/DRP, and OWASP.
  5. Weeks 9-10: Full practice exams. Identify weak domains and review.
  6. Weeks 11-12: Focused review of weak areas. Re-read domain summaries.

Recommended Resources

  • CISSP All-in-One Exam Guide by Shon Harris and Fernando Maymi -- the most comprehensive single-volume reference
  • (ISC)2 CISSP Official Study Guide by Mike Chapple, James Michael Stewart, and Darril Gibson -- the official (ISC)2 study guide
  • Destination Certification MindMap videos on YouTube (free): Highly visual review of all eight domains
  • Boson CISSP practice exams: The most realistic practice test experience available
  • CISSP Pocket Prep app: Mobile flashcards and practice questions for studying on the go

Luke Ahmed, author of How to Think Like a Manager for the CISSP Exam, emphasizes that "the CISSP tests managerial thinking, not technical execution. When you see a question about a data breach, your first instinct might be to think about the technical response. But the correct CISSP answer is usually about notifying management, following the incident response plan, and protecting human life first. Always think like a manager, not an engineer."


References

  1. (ISC)2. "CISSP Exam Outline." (ISC)2, 2024.
  2. (ISC)2. "Cybersecurity Workforce Study 2024." (ISC)2 Research, 2024.
  3. Harris, Shon and Maymi, Fernando. CISSP All-in-One Exam Guide, Ninth Edition. McGraw-Hill, 2024.
  4. NIST. "SP 800-61 Rev. 2: Computer Security Incident Handling Guide." National Institute of Standards and Technology, 2012 (updated 2024).
  5. OWASP. "OWASP Top Ten 2021." Open Web Application Security Project, 2021.
  6. Ahmed, Luke. How to Think Like a Manager for the CISSP Exam. Studynotesandtheory.com, 2023.

Frequently Asked Questions

How hard is the CISSP exam?

The CISSP is considered one of the most challenging IT certifications. It uses adaptive testing that adjusts difficulty based on your answers, covers eight broad domains requiring both technical and managerial knowledge, and has a 4-hour time limit. Most candidates study for 3-6 months.

Can I take the CISSP without 5 years of experience?

Yes, you can pass the CISSP exam without the required 5 years of experience. You become an Associate of (ISC)2 and have 6 years to earn the required experience. A 4-year degree or approved certification like Security+ can substitute for one year of experience.

What is the CISSP passing score?

The passing score is 700 out of 1000. The English-language exam uses Computerized Adaptive Testing (CAT) with 125-175 questions in 4 hours. The exam adapts difficulty based on performance, so receiving harder questions can be a positive sign.