What are the CISSP domains?

If you want to accelerate your cyber security career, then it's time to get certified. The Certified Information Systems Security Professional (CISSP) is one of the most popular certifications around. It has eight parts, known as domains. Here, we delve into the CISSP domains and explain what to expect from them.

The CISSP is a management certification from the International Information Systems Security Certification Consortium, or (ISC)2. It's certainly not the only cyber security qualification available; others include the CCSP cloud security certification or vendor-specific cyber security qualifications, like Cisco's CCNA.

Nevertheless, attaining a CISSP will boost your career while giving you a healthy education across eight domains, each of which covers a different aspect of cyber security.

Getting the certification involves more than just passing the exam. You must have at least five years of cumulative paid working experience in at least one of the domains.

Here is a rundown on each of the eight CISSP domains.

Security and risk management

Security doesn't exist in a vacuum. Organizations must look at it in the context of their overall business strategy. That's known as security governance, and it’s where the security team and the board meet.

This domain explores the basic principles of that governance, as supported by security control frameworks, including ISO 27001 and 27002, along with COBIT and the Cloud Security Alliance's CSA Star framework.

As part of that, it explores the CIA triad, a security principle that stands for confidentiality, integrity, and availability, and covers how to keep information private, stop it from being altered, and keep it accessible to those who need it.

This domain also looks at one of the fundamental tenets of security governance: risk and how to manage it. This includes identifying and quantifying the threats that create those risks, and the business continuity requirements that help mitigate them.

Governance doesn't work without people following the right policies, so this domain also covers security policies, standards, procedures, and guidelines, explaining how to create cyber security awareness and training programs so the staff follows them. It also covers contributions to personnel security policies and professional ethics in the cyber security space.

Asset security

Next up is asset security. Assets are the things you're securing, including data and systems. This domain will explain how to identify and classify those assets, including understanding who owns them.

Knowing what you have and who's responsible for it is only one part of asset security. The other part is putting the proper security controls in place. Asset security helps by covering data security controls, including data handling requirements, such as appropriate data labeling and storage procedures. It also explores what's suitable for data retention and privacy protection.

Security architecture and engineering

This domain covers the use of secure design principles, basic security model concepts, security architectures in key areas such as access control, and evaluation models for assessing the security of a computer system or network. There are several of these, including the US Orange Book.

Expect to explore security architectures in different computing environments, such as cloud and web-based systems and mobile and embedded IoT devices, and common vulnerability types in these systems. You'll also learn about the basic principles of cryptography and its application in different real-world situations.

Finally, this domain looks at physical security principles in facility design and operation. There's no point labeling and retaining data if someone can just walk in and steal the server.

Communication and network security

This domain covers secure network architecture design. Here's where you get to learn about the OSI and TCP/IP models, along with secure components, such as Wi-Fi protection, network access control, intrusion detection and prevention systems, and endpoint security. You'll learn how to design secure channels for different kinds of communication, including voice and email, and you'll also understand virtualized network technologies, ranging from basic VLANs to more recent software-defined networking (SDN) capabilities.

No network security learning material would be complete without a discussion of network attacks. Learn how to tell your bluejacking from your fraggle attack here, along with some basic protection techniques.

Identity and access management

This domain takes an end-to-end look at managing user identities and using them for authentication. Here's where you'll dig into controlling access to assets, ranging from systems and devices to files, with discussions of concepts, like permissions for directories and database tables. You'll also look at this in the context of physical access to facilities.

Security architects can implement identity and access management (IAM) using different tools, including single sign-on (SSO) and multi-factor authentication (MFA). This domain teaches you about those and different access control techniques to grant people privileges on various systems.

You'll learn about how cloud-based third-party identity services work and the different ways to register and manage identity information via systems like federated identity, and the various stages of identity provisioning, such as access requests and reviews.

This domain will also teach you about various access control attacks, such as social engineering and man-in-the-middle attacks.

Security assessment and testing

Having learned about all these aspects of securing systems, you must also know how to assess their implementation. This domain teaches you strategies for assessment and testing, including testing the management and operational controls that support security.

You'll learn the basics of security controls testing, which is what penetration testers do, exploring techniques like port and vulnerability scanning along with application and physical pen testing, where people try to break into software and facilities.

You'll learn how to review logs and review application source code, along with how to test security and resilience activities such as account management and backup data. You'll also learn how to design security audits so that they're broad enough in scope, and impartial.

Security operations

This part of the CISSP covers many topics that we’ve already addressed in other areas, but it looks at their day-to-day implementation. It covers basic security operations concepts, including security investigations, incident management, and disaster recovery.

Here's where you learn about in-depth security logging techniques in various areas, including intrusion detection and prevention and security information and event management (SIEM). Reviewing your security logs might help you to detect a security event, but what do you do next?

This domain covers the different incident management stages, including detection, response, mitigation, and reporting. It also encompasses security investigations, looking at different investigative techniques, tasks like evidence collection and handling, and digital forensics tools and techniques.

You'll also learn how to provision resources securely and techniques to protect them once they're in use, including basic security operations concepts. Because the CIA triad covers availability and not just confidentiality and integrity, the operations domain also explores issues like service level agreements.

Prevention is better than cure, so the operations domain also discusses preventative and detective measures to help keep operations safe, including patch and vulnerability management through sandboxing, honeypots, and anti-malware. You'll also learn about change management processes to keep system configurations in check.

Finally, you'll also learn about disaster recovery strategies in more depth, including personnel management, communications, and salvage. Business continuity — how to keep a business running after a disaster rather than simply restoring affected processes — is another thing you’ll learn in the security operations domain.

Software development security

The final domain covers security in software development. Here, you'll learn the difference between waterfall and agile development life cycles, along with software development maturity models and how to create and apply secure coding standards within your organization.

This domain talks about how to secure software in operation, including how to separate development and production environments and secure code repositories. It teaches how to assess software security, including using source code scanning tools. One important element, especially in light of the SolarWinds hack, is how to assess the security of third-party software.

Plan for up to 200 hours of CISSP studying

These eight domains contain a lot of information that will set you up for your CISSP and give you a basic grounding in many IT principles. Online estimates from people who’ve passed the exam suggest carving out 160-200 hours for study, assuming five years of cyber security experience. So, if this is your chosen path, it's time to set aside some evenings and weekends for a lot of serious study.

ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.