What Is CISSP and Why Is It Last
The Certified Information Systems Security Professional (CISSP) from ISC² is the most widely recognized broad-spectrum security certification in the industry. It is not the deepest certification in any single domain — CISM is deeper on governance, CCIE is deeper on networking, OSCP is deeper on offensive security — but no certification tests the breadth of security knowledge that CISSP demands.
You are studying CISSP last in the sequence, and that is the right order. CISM gives you the governance and management foundation. COBIT reinforces the governance vocabulary. CCSK gives you the cloud layer. By the time you reach CISSP, Domain 1 (Security and Risk Management) — which is 16% of the exam — will be largely review. Domains 3, 4, 5, and 8 will require genuine technical depth work.
CISSP requires five years of paid work experience in at least two of the eight domains. You have that. The exam is the gate.
| Element | Detail |
|---|---|
| Questions | 100–150 (CAT adaptive for English); 250 for linear (non-English) |
| Time | 3 hours (CAT) |
| Passing score | 700 / 1000 (scaled; no raw percentage) |
| Delivery | Pearson VUE test centers |
| Price | $749 USD |
| Experience req | 5 years paid work in at least 2 of 8 domains |
| Issued by | ISC² (International Information System Security Certification Consortium) |
CAT — Computerized Adaptive Testing
CISSP's English-language exam uses Computerized Adaptive Testing (CAT). This is not how most exams work, and misunderstanding it causes anxiety. Understanding it reduces that anxiety.
- The exam starts at a difficulty level calibrated around the passing threshold (700/1000 scaled).
- If you answer correctly, the next question is harder. If you answer incorrectly, the next question is easier.
- The algorithm continuously estimates whether your demonstrated ability is above or below passing threshold.
- The exam stops when the algorithm reaches statistical confidence that you are above or below the pass line — or when you hit 150 questions, or when 3 hours expire.
- You can pass with exactly 100 questions (algorithm is confident you're above threshold) or fail with exactly 100 questions (confident you're below). You can also pass with 150 questions.
If the exam stops at 100 questions, you do NOT know if you passed or failed — many people assume "it stopped early, so I passed." That is not reliable. The algorithm stops when it has enough statistical confidence in either direction. Getting harder questions is a possible sign you're doing well, but the algorithm is more complex than a simple difficulty ramp. Focus on answering each question to the best of your ability and stop trying to infer your status from question difficulty.
The 8 CISSP Domains
| # | Domain | Weight | Approx Questions |
|---|---|---|---|
| 1 | Security and Risk Management | 16% | 16–24 |
| 2 | Asset Security | 10% | 10–15 |
| 3 | Security Architecture and Engineering | 13% | 13–20 |
| 4 | Communication and Network Security | 13% | 13–20 |
| 5 | Identity and Access Management (IAM) | 13% | 13–20 |
| 6 | Security Assessment and Testing | 12% | 12–18 |
| 7 | Security Operations | 13% | 13–20 |
| 8 | Software Development Security | 10% | 10–15 |
Domain 1: Security and Risk Management (16%)
What CISM covers: The entirety of CISM is governance, risk, strategy, and program management. CISM Domains 1 and 2 map almost entirely onto CISSP Domain 1. If you have studied CISM Domains 1 and 2 thoroughly, you have covered roughly 70% of the CISSP Domain 1 content.
What CISSP adds beyond CISM:
- ISC² Code of Ethics — four mandatory canons. Tested directly on CISSP; not in CISM. Know it cold (see below).
- Legal and regulatory frameworks: CISSP is more explicit about types of law (civil, criminal, administrative), computer crime statutes, intellectual property (copyright, trademark, patent, trade secret), and privacy laws (GDPR, CCPA, HIPAA) at a definitional level.
- Business Continuity and Disaster Recovery — CISSP covers BCP/DRP planning at a technical depth that CISM covers only at a management level. Know RTO, RPO, MTTR, MTBF, BIA methodology.
- Personnel security: Onboarding, offboarding, non-disclosure agreements, mandatory vacations, separation of duties, least privilege — CISSP is explicit where CISM is implicit.
Four mandatory canons, in priority order (highest to lowest). When canons conflict, the higher canon wins:
1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.
The exam tests: "Canon 1 (protect society) supersedes Canon 3 (serve your client) when they conflict." If a client asks you to do something that harms society, Canon 1 says no.
Domain 2: Asset Security (10%)
CISM connection: CISM addresses data classification and information asset management at a governance level. CISSP Domain 2 adds technical specificity to the same concepts.
Key concepts for Domain 2:
- Data classification: Government (Top Secret → Secret → Confidential → Unclassified) vs. commercial (Confidential/Proprietary → Private → Sensitive → Public). Know both schemes.
- Data ownership roles: Data owner (business accountable), data custodian (IT implements controls), data steward (quality and governance), data processor (processes on behalf of controller — GDPR concept), data controller (determines purpose — GDPR concept).
- Data lifecycle: Create → Store → Use → Share → Archive → Destroy. Security controls must apply throughout, not just at storage.
- Data handling: Marking, labeling, retention policies, secure disposal methods (clearing, purging, destruction), chain of custody for evidence.
- Privacy: GDPR principles (lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, accountability). Know the difference between data controller and data processor obligations.
Domain 3: Security Architecture and Engineering (13%)
CISM connection: Minimal. CISM does not go deep on security models, cryptography, or technical architecture. This domain requires fresh study if your background is governance-focused.
Security Models — Must Know These
| Model | Type | Core Rule | Designed to Protect |
|---|---|---|---|
| Bell-LaPadula | Confidentiality model | No read up (Simple Security Property), No write down (*-Property). "Write up, read down." | Classified information — prevents unauthorized disclosure |
| Biba | Integrity model | No write up (Simple Integrity), No read down (*-Integrity Property). Opposite of Bell-LaPadula. | Data integrity — prevents unauthorized modification |
| Clark-Wilson | Integrity model | Well-formed transactions, separation of duties, access triple (subject-program-object). Programs act as intermediaries. | Commercial data integrity through controlled change |
| Brewer-Nash (Chinese Wall) | Conflict of interest model | Subjects can only access data that doesn't conflict with data they previously accessed. | Conflict of interest prevention — consulting, finance |
| Graham-Denning | Access control model | Defines 8 basic protection rights for creating/deleting subjects and objects and managing access. | Formal specification of access control operations |
Cryptography — Core Concepts
| Type | Key Structure | Speed | Examples | Use Case |
|---|---|---|---|---|
| Symmetric | Same key to encrypt and decrypt | Fast | AES, 3DES, DES, Blowfish, RC4 | Bulk data encryption |
| Asymmetric | Public key encrypts; private key decrypts | Slow | RSA, ECC, Diffie-Hellman, DSA | Key exchange, digital signatures, small data |
| Hashing | One-way; no key | Fast | MD5 (broken), SHA-1 (weak), SHA-256, SHA-3 | Integrity verification, password storage |
Digital signatures: Signed with sender's private key, verified with sender's public key. Provides authentication, non-repudiation, and integrity. Does NOT provide confidentiality by itself.
PKI (Public Key Infrastructure): Certificate Authority (CA) issues digital certificates binding a public key to an identity. Certificate Revocation List (CRL) and OCSP (Online Certificate Status Protocol) handle revoked certificates. Trust hierarchies: Root CA → Intermediate CA → End-entity certificate.
- Diffie-Hellman is for key exchange, not encryption. Two parties agree on a shared secret over an insecure channel.
- RSA can do both encryption and digital signatures. ECC does asymmetric crypto with shorter keys than RSA for equivalent strength.
- MD5 is broken for security purposes but still appears in answer choices. Never pick MD5 for a new security design.
- "Confidentiality using asymmetric crypto" = encrypt with recipient's PUBLIC key. The recipient decrypts with their PRIVATE key.
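The Diffie-Hellman point above ("key exchange, not encryption") is clearest when both sides' arithmetic is written out. The following is an added example, not code from the study guide: it runs the exchange with each party computing only from its own private value and the peer's public value, records what an eavesdropper on the channel would see, and hashes the agreed secret into a symmetric key, which is the usual pattern of asymmetric crypto establishing a key that a fast symmetric cipher then uses. The modulus and generator are tiny constructed values chosen so the numbers can be checked by hand; they are not a real group, and a deployment would use a standardized 2048-bit or larger MODP group or elliptic-curve DH.

```python
# Added example: Diffie-Hellman key agreement, both sides, on toy parameters.
import hashlib
import secrets

P = 23  # constructed toy prime; NOT a real DH group
G = 5   # constructed toy generator


def dh_public(private: int, p: int = P, g: int = G) -> int:
    """The value each side sends over the insecure channel: g^private mod p."""
    return pow(g, private, p)


def dh_shared(private: int, peer_public: int, p: int = P) -> int:
    """Shared secret computed locally: (peer_public)^private mod p."""
    return pow(peer_public, private, p)


def derive_key(shared: int) -> bytes:
    """Hash the agreed integer into a fixed-length key for a symmetric cipher."""
    n_bytes = max(1, (shared.bit_length() + 7) // 8)
    return hashlib.sha256(shared.to_bytes(n_bytes, "big")).digest()


def key_exchange(a_private=None, b_private=None, p: int = P, g: int = G):
    """Run the exchange. Returns (key_a, key_b, transcript); the transcript is
    everything visible on the wire, and the private exponents never leave
    their owner."""
    if a_private is None:
        a_private = secrets.randbelow(p - 2) + 1
    if b_private is None:
        b_private = secrets.randbelow(p - 2) + 1

    a_public = dh_public(a_private, p, g)   # A -> B
    b_public = dh_public(b_private, p, g)   # B -> A
    transcript = {"p": p, "g": g, "A": a_public, "B": b_public}

    key_a = derive_key(dh_shared(a_private, b_public, p))  # A's computation
    key_b = derive_key(dh_shared(b_private, a_public, p))  # B's computation
    return key_a, key_b, transcript


if __name__ == "__main__":
    ka, kb, seen = key_exchange(a_private=6, b_private=15)
    print("on the wire:", seen)
    print("A's key:", ka.hex())
    print("B's key:", kb.hex())
    print("keys match:", ka == kb)
```

With the fixed exponents 6 and 15 the wire carries A = 8 and B = 19, and both sides arrive at the shared secret 2. Nothing in the transcript is the secret itself, which is why DH gives confidentiality of the key without ever encrypting it; with a 23-element group the secret is of course trivial to recover from the transcript, which is the whole argument for large groups.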
Physical Security
Crime Prevention Through Environmental Design (CPTED): natural surveillance, natural access control, territorial reinforcement. Physical security layers: perimeter → facility → interior spaces → assets (defense in depth applied to physical). Mantrap (air lock) for high-security access. Know common physical security countermeasures: motion sensors, CCTV, bollards, fencing, guards.
Domain 4: Communication and Network Security (13%)
CISM connection: Low. Network security is not a CISM focus. This domain requires fresh study for governance-focused practitioners.
OSI Model — All 7 Layers
| Layer | Name | Protocols / Examples | Security Relevance |
|---|---|---|---|
| 7 | Application | HTTP, HTTPS, SMTP, DNS, FTP | WAF operates here; injection attacks occur here |
| 6 | Presentation | SSL/TLS (conceptually), encryption formats | Encryption/decryption, data format translation |
| 5 | Session | NetBIOS, RPC, SQL sessions | Session management; session hijacking risk |
| 4 | Transport | TCP, UDP | Firewalls (packet filtering); SYN flood attacks |
| 3 | Network | IP, ICMP, OSPF, BGP, IPSec | Routing; IP spoofing; network-level firewalls |
| 2 | Data Link | Ethernet, MAC addresses, ARP, VLANs, WPA2 | ARP poisoning, MAC flooding, VLAN hopping |
| 1 | Physical | Cables, hubs, repeaters, RF signals | Wiretapping, physical access attacks |
Key Network Security Concepts
- Firewalls: Packet filtering (Layer 3/4) → Stateful inspection (tracks connections) → Application-layer (Layer 7, DPI) → Next-gen (NGFW, includes IPS, app awareness)
- VPN: IPSec (network layer, tunnel or transport mode) vs. SSL/TLS VPN (application layer, uses browser or client). Site-to-site vs. remote access VPN.
- Wireless: WEP (broken), WPA (deprecated), WPA2 (current minimum), WPA3 (strongest). Know the attack: WEP is vulnerable to IV attacks; WPA2-Personal is vulnerable to dictionary attacks against the PSK.
- DNS security: DNSSEC adds digital signatures to DNS responses to prevent cache poisoning. DNS over HTTPS (DoH) encrypts DNS queries.
- Network segmentation: DMZ separates public-facing servers from internal network. Zero trust eliminates the concept of a trusted internal network entirely.
Domain 5: Identity and Access Management (13%)
CISM connection: Moderate. CISM addresses access control at a governance level (least privilege, separation of duties). CISSP Domain 5 goes technically deeper into the models and protocols.
Access Control Models
| Model | Who Controls Access | How Decisions Are Made | Example |
|---|---|---|---|
| DAC — Discretionary | Resource owner | Owner sets ACLs at their discretion. Subject can grant access to others. | Windows file sharing permissions; most OS file systems |
| MAC — Mandatory | System policy (admin) | Labels on subjects and objects; system enforces rules. Owner cannot override. | SELinux, government classified systems, Bell-LaPadula implementations |
| RBAC — Role-Based | Admin via roles | Permissions assigned to roles; users assigned to roles. Manage at role level. | Enterprise systems (ERP, AD groups), cloud IAM roles |
| ABAC — Attribute-Based | Policy engine | Access based on attributes of subject, object, environment. Most flexible/complex. | Cloud IAM policies, zero-trust access decisions |
Authentication Factors
- Type 1 — Something you know: Password, PIN, security question
- Type 2 — Something you have: Smart card, token, phone (TOTP)
- Type 3 — Something you are: Biometrics (fingerprint, retina, iris, voice, face)
- MFA = two or more different factor types. Two passwords = single factor (both Type 1). Password + OTP = MFA (Type 1 + Type 2).
Biometric Error Rates — Critical for the Exam
- FRR (False Rejection Rate / Type I Error): Legitimate user rejected. Higher FRR = more security, less convenience.
- FAR (False Acceptance Rate / Type II Error): Impostor accepted. Lower FAR = more security.
- CER / EER (Crossover Error Rate / Equal Error Rate): The point where FRR = FAR. Lower CER = better biometric system. CER is the standard comparison metric between biometric systems.
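CER is a point on two curves, so it helps to compute it once from real-looking numbers. The following is an added example, not code from the study guide: given a threshold sweep with the FAR and FRR measured at each setting, it finds the crossover by linear interpolation and picks an operating point for a given maximum FAR, showing the FRR cost of tightening security. The two systems' measurements are constructed sample data.

```python
# Added example: crossover error rate (CER / EER) from a threshold sweep,
# and the security/convenience trade-off of choosing an operating point.
# All FAR/FRR numbers below are constructed sample data.

# Matching threshold from loose (0.0) to strict (1.0); FAR falls, FRR rises.
THRESHOLDS = [0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1.0]

SYSTEM_A = {
    "far": [0.50, 0.40, 0.30, 0.22, 0.15, 0.10, 0.06, 0.03, 0.01, 0.005, 0.0],
    "frr": [0.0, 0.005, 0.01, 0.03, 0.06, 0.10, 0.15, 0.22, 0.30, 0.40, 0.50],
}
SYSTEM_B = {
    "far": [0.30, 0.20, 0.12, 0.08, 0.05, 0.03, 0.02, 0.01, 0.005, 0.002, 0.0],
    "frr": [0.0, 0.01, 0.02, 0.03, 0.05, 0.08, 0.12, 0.18, 0.25, 0.35, 0.45],
}


def crossover_error_rate(thresholds, far, frr):
    """Return (threshold, rate) where FAR == FRR, interpolating linearly
    between sweep points. Expects FAR non-increasing and FRR non-decreasing."""
    if not (len(thresholds) == len(far) == len(frr)):
        raise ValueError("sweep arrays must have equal length")
    for i in range(len(thresholds) - 1):
        d0 = far[i] - frr[i]            # positive while FAR is above FRR
        d1 = far[i + 1] - frr[i + 1]
        if d0 == 0:                     # exact crossing at a sweep point
            return thresholds[i], far[i]
        if d0 > 0 and d1 <= 0:          # crossing lies inside this segment
            t = d0 / (d0 - d1)
            th = thresholds[i] + t * (thresholds[i + 1] - thresholds[i])
            rate = far[i] + t * (far[i + 1] - far[i])
            return th, rate
    if far[-1] == frr[-1]:
        return thresholds[-1], far[-1]
    raise ValueError("FAR and FRR never cross in this sweep")


def operating_point(thresholds, far, frr, max_far):
    """Loosest threshold whose FAR is within the security target; returns
    (threshold, far, frr) so the convenience cost (FRR) is visible."""
    for th, a, r in zip(thresholds, far, frr):
        if a <= max_far:
            return th, a, r
    raise ValueError("no threshold meets the FAR target")


def better_system(systems):
    """Name of the system with the lowest CER (the standard comparison)."""
    return min(systems, key=lambda name: crossover_error_rate(
        THRESHOLDS, systems[name]["far"], systems[name]["frr"])[1])


if __name__ == "__main__":
    for name, s in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        th, cer = crossover_error_rate(THRESHOLDS, s["far"], s["frr"])
        print(f"system {name}: CER {cer:.3f} at threshold {th:.1f}")
    th, a, r = operating_point(THRESHOLDS, SYSTEM_A["far"], SYSTEM_A["frr"], 0.03)
    print(f"system A tuned for FAR <= 3%: threshold {th:.1f}, FRR rises to {r:.0%}")
    print("lower CER (better):", better_system({"A": SYSTEM_A, "B": SYSTEM_B}))
```

System A crosses at 10% and system B at 5%, so B is the better sensor by the CER metric; tuning A for a 3% FAR pushes its FRR to 22%, which is the "more security, less convenience" trade-off the bullets describe.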
Key IAM Protocols
- Kerberos: Ticket-based authentication. Key Distribution Center (KDC) issues Ticket Granting Tickets (TGT) and service tickets. Prevents replay attacks via timestamps. Used in Active Directory.
- LDAP / Active Directory: Directory service protocol for user and resource management. LDAP over SSL = LDAPS (port 636).
- SAML: XML-based standard for SSO and federated identity. Assertion-based. IdP (Identity Provider) asserts identity to SP (Service Provider).
- OAuth 2.0: Authorization framework (not authentication). Grants third-party limited access to resources without exposing credentials. Tokens, not passwords.
- OpenID Connect: Identity layer on top of OAuth 2.0. Adds authentication. Returns ID tokens (JWT) along with access tokens.
Domain 6: Security Assessment and Testing (12%)
CISM connection: High. CISM Domain 2 (Risk Management) and Domain 3 (Security Program) include assessment methodologies. CISSP adds more technical specificity to testing techniques.
Key concepts:
- Vulnerability assessment vs. penetration test: Vuln assessment identifies and ranks vulnerabilities. Pen test actively exploits them to confirm impact. Pen test is more invasive and requires explicit authorization.
- Testing types by knowledge: Black box (no prior knowledge, simulates external attacker), White box (full knowledge, simulates insider threat or detailed audit), Gray box (partial knowledge — most common).
- Code review: Static analysis (examining code without executing), dynamic analysis (testing running code), fuzz testing (malformed input to find crashes/vulnerabilities).
- Audit types: Internal audit (own staff), external audit (independent third party), certification audit (against a standard like ISO 27001), compliance audit (against regulations).
- SOC reports: SOC 1 (financial controls), SOC 2 (security/availability/confidentiality/privacy/processing integrity — the one you care about), SOC 3 (public version of SOC 2). Type I = point in time; Type II = over a period.
SOC 2 Type II tests controls over a period (typically 6–12 months). When assessing a cloud vendor's security posture, requesting their SOC 2 Type II report is the correct answer for demonstrating control effectiveness over time. Type I is a snapshot assessment. Type II is the gold standard for continuous compliance evidence.
Domain 7: Security Operations (13%)
CISM connection: Very high for incident management. CISM Domain 4 covers the entirety of incident response from a management perspective. CISSP Domain 7 adds forensics, investigations, and technical operations depth.
Where CISSP goes deeper than CISM:
- Digital forensics: Order of volatility (collect most volatile evidence first: CPU registers → RAM → network connections → running processes → disk → backup/archive). Chain of custody documentation. Forensic imaging vs. live acquisition. Write blockers to preserve evidence integrity.
- Legal holds: Preservation obligations when litigation is anticipated. All relevant evidence must be preserved — applies to emails, logs, backups. Destruction of data under legal hold = spoliation.
- e-Discovery: Electronic discovery in legal proceedings. Security team's role in identifying, preserving, collecting, and producing electronically stored information (ESI).
- Patch management: Emergency patching process, patch testing, rollback procedures.
- Configuration management: Baselining, change control, configuration drift detection.
- Disaster recovery: Hot site (fully operational, immediate failover), warm site (partial infrastructure, hours to activate), cold site (facility only, days to weeks), mobile site, cloud-based DR.
Most volatile to least volatile (collect in this order during incident response / forensics):
CPU registers & cache → RAM → Swap / page file → Network connections → Running processes → Disk storage → Remote logging → Physical configuration → Archival media
RAM contains decryption keys, running malware in memory, and open connections. Once power is lost, RAM data is gone. Disk evidence is relatively stable.
Domain 8: Software Development Security (10%)
CISM connection: Low. CISM does not cover SDLC in depth. This domain requires fresh study.
Secure SDLC — Security at Each Phase
| Phase | Security Activities |
|---|---|
| Requirements | Define security requirements (functional and non-functional). Privacy impact assessment. Regulatory requirements identification. Abuse case development alongside use cases. |
| Design | Threat modeling (STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). Security architecture review. Attack surface analysis. Secure design principles application. |
| Development | Secure coding standards. Code reviews. Static Application Security Testing (SAST). Developer security training. Handling secrets (no hardcoded credentials). |
| Testing | Dynamic Application Security Testing (DAST). Penetration testing. Fuzz testing. Security regression testing. Dependency scanning (SCA — Software Composition Analysis). |
| Deployment | Secure configuration baselines. Secrets management. Infrastructure as Code security scanning. Change management controls. |
| Maintenance | Vulnerability management. Patch management. Security monitoring. End-of-life planning. |
Key Application Security Concepts
- OWASP Top 10: Know the top vulnerabilities by category: injection (SQL, command), broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, XSS, insecure deserialization, using components with known vulnerabilities, insufficient logging/monitoring.
- Input validation: Never trust input from any external source. Validate on the server side (client-side validation is a UX feature, not a security control). Whitelist validation (allow known good) over blacklist (block known bad).
- Database security: Parameterized queries / prepared statements to prevent SQL injection. Stored procedures can also mitigate injection. Principle of least privilege for database accounts.
- Software supply chain: Third-party libraries, open source dependencies, and build pipelines are attack surfaces. Software Bill of Materials (SBOM) for dependency tracking.
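The input-validation and parameterized-query bullets describe one lookup written two ways. The following is an added example, not code from the study guide: the same user lookup built by string concatenation (the injectable form) and with a placeholder parameter, with an allowlist check on the username placed in front of the safe query. The table, rows and the crafted input are constructed sample data held in an in-memory SQLite database.

```python
# Added example: SQL injection in a concatenated query versus a parameterized
# query, plus allowlist input validation. Sample data is constructed.
import re
import sqlite3

# Allowlist: only the characters a username may legitimately contain.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "analyst")])
    return conn


def lookup_vulnerable(conn, username: str):
    # BAD: untrusted input becomes part of the SQL text itself.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username: str):
    # GOOD: the driver passes the value separately from the statement,
    # so quote characters in the input are data, never syntax.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def validate_username(username: str) -> str:
    """Server-side allowlist validation (client-side checks are not a control)."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allowlist")
    return username


def lookup_hardened(conn, username: str):
    """Validation and parameterization together: defense in depth."""
    return lookup_parameterized(conn, validate_username(username))


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input that changes the query's logic
    print("vulnerable   :", lookup_vulnerable(conn, crafted))      # every row
    print("parameterized:", lookup_parameterized(conn, crafted))   # no rows
    try:
        lookup_hardened(conn, crafted)
    except ValueError as exc:
        print("hardened     : rejected before reaching the database:", exc)
    print("hardened     :", lookup_hardened(conn, "alice"))
```

The crafted value is not matched by any username, yet the concatenated query returns every row because the input rewrote the WHERE clause; the parameterized query treats it as an ordinary (non-matching) string, and the allowlist rejects it before a query is even built. The allowlist is the second layer: it does not replace parameterization, since a syntactically clean username can still be an unexpected value.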
CISM vs CISSP — Where You Stand Going In
| Area | CISM Coverage | CISSP Requires | CISM Advantage? |
|---|---|---|---|
| Governance & Risk Management | Deep — all of CISM D1 and D2 | Domain 1 (16%) | Very high — mostly review |
| Incident Management | Deep — all of CISM D4 | Domain 7 (13%) — IR portion | High — add forensics and DR technical detail |
| Security Program Management | Deep — CISM D3 | Across multiple domains | High — program concepts translate directly |
| Asset Security / Data Classification | Moderate (governance perspective) | Domain 2 (10%) | Moderate — add technical data handling specifics |
| Security Assessment & Testing | Governance-level awareness | Domain 6 (12%) | Moderate — add testing technique specifics |
| Cryptography | Not covered | Domain 3 (part of 13%) | None — new study required |
| Security Models (Bell-LaPadula, etc.) | Not covered | Domain 3 (part of 13%) | None — new study required |
| Network Security / Protocols | Not covered | Domain 4 (13%) | None — new study required |
| Identity and Access Management | Governance concepts only | Domain 5 (13%) | Low — add models, protocols, biometrics |
| Software Development Security | Not covered | Domain 8 (10%) | None — new study required |
CISSP still rewards a "think like a manager" approach on governance, risk, and program questions — your CISM training shines here. But CISSP also rewards technical knowledge on cryptography, network protocols, access control models, and SDLC. You cannot answer a question about Bell-LaPadula or AES key sizes with governance instincts alone. The mix is roughly: 40% management mindset wins, 60% requires knowing specific technical content. That is the difference from CISM, where the management mindset wins roughly 85% of the time.