Security Study Guide

(ISC)² CISSP Study Guide

The (ISC)² CISSP validates the broad knowledge and managerial judgment needed to design, engineer, and lead an enterprise security program across eight domains defined by the Common Body of Knowledge (CBK). It is aimed at experienced practitioners (the cert requires five years of cumulative paid work in two or more domains) such as security managers, architects, analysts, and CISOs. The exam is delivered as a Computerized Adaptive Test (CAT) and rewards the 'manager's-eye' answer (risk-based, big-picture) over the most technical one.

Domain 1 Domain 2 Domain 3 Domain 4 Domain 5 Domain 6 Domain 7 Domain 8

Practice (ISC)² CISSP questions free Create free account

Domain 1: Security and Risk Management

Key concepts you must know · 84 practice questions

The CIA Triad is the foundation: Confidentiality (no unauthorized disclosure), Integrity (no unauthorized alteration), and Availability (accessible when needed); the inverse triad is Disclosure, Alteration, and Destruction (DAD).
Risk = likelihood x impact. Quantitative formulas: SLE = Asset Value x Exposure Factor; ALE = SLE x ARO (Annualized Rate of Occurrence). A control is justified only when its annual cost is less than the reduction it produces in ALE.
The four risk treatment options are mitigate (reduce), transfer (e.g., insurance or outsourcing), avoid (eliminate the risky activity entirely when impact far exceeds benefit), and accept. Residual risk is what remains after controls are applied.
Document hierarchy: a Policy states high-level mandatory intent (approved by senior management), Standards define mandatory specifics, Procedures give step-by-step instructions, and Guidelines are optional recommendations.
Risk appetite is the amount and type of risk leadership is willing to accept in pursuit of objectives; it is set by the board. Senior management 'tone at the top' and governance buy-in are prerequisites for any program.
GDPR mandates breach notification to the supervisory authority within 72 hours of becoming aware. The controller determines purpose and means of processing; the processor acts only on the controller's instructions, governed by a Data Processing Agreement (DPA).
Adopting a unified control framework (so one audit satisfies several mandates) provides comprehensive, auditable coverage and traceability, making control gaps and overlaps visible.
Qualitative risk analysis is faster and needs less data but yields subjective, non-monetary rankings (e.g., a high/medium/low heat map); quantitative analysis assigns dollar values but requires more data.
The (ISC)² Code of Ethics canons, in priority order: (1) Protect society, the common good, necessary public trust and confidence, and the infrastructure; (2) Act honorably, honestly, justly, responsibly, and legally; (3) Provide diligent and competent service to principals; (4) Advance and protect the profession.
Due care is doing what a reasonable person would do (the 'prudent person' rule); due diligence is the research and ongoing investigation that informs due care.
Third-party/supply-chain risk should be managed by continuous assessment of vendor posture rather than a one-time review, with data-handling and breach-notification terms defined in the contract.
Key US laws: HIPAA (health), GLBA (financial), SOX (corporate financial reporting), PCI DSS (a contractual card-industry standard, not a law), and the EU GDPR (privacy). Know which applies to which data type.
A Business Impact Analysis (BIA) identifies critical processes and sets recovery metrics (RTO, RPO, MTD); it is a prerequisite to the BCP/DRP and feeds the risk management process.
Threat modeling and security awareness training are administrative controls; controls are also categorized by function as preventive, detective, corrective, deterrent, recovery, and compensating.

Domain 2: Asset Security

Key concepts you must know · 60 practice questions

Data classification (e.g., public, internal, confidential, restricted) applies protection proportional to sensitivity, driving access controls, encryption, labeling, retention, and disposal while avoiding over-protecting low-value data.
A record inherits the highest classification of any single element it contains (aggregation can raise sensitivity).
Key data roles: the data owner (a senior business role) classifies data and bears ultimate responsibility; the data custodian implements and maintains controls; the data steward handles quality; the user follows AUP.
Under privacy law the data controller determines the purpose and means of processing; the data processor acts only on the controller's documented instructions.
Need-to-know limits access to only the information required for a specific task, and operates in addition to (not instead of) a subject's clearance/privilege level.
Data states require different controls: at rest (full-disk encryption, e.g., LUKS via cryptsetup), in transit (TLS between services), and in use (application/field-level encryption with keys in an HSM or KMS that DBAs cannot access).
Secure disposal methods scale to media and sensitivity: clearing (overwrite for reuse), purging (degaussing magnetic media), cryptographic erase (destroy the encryption key), and physical destruction (shredding, incineration, disintegration) for the highest assurance.
SSDs cannot be reliably sanitized by single-pass overwrite: wear-leveling and over-provisioning leave hidden copies, so cryptographic erase (destroying the media encryption key, e.g., on a Self-Encrypting Drive) or physical destruction is required.
Tokenization replaces sensitive data with tokens that have no mathematical relationship to the original, removing systems from PCI DSS scope without holding decryptable secrets; encryption is reversible with a key.
De-identification techniques include anonymization, aggregation, pseudonymization, data masking, and differential privacy so individuals cannot be re-identified.
Data retention policy keeps data only as long as needed (legal/operational requirement) and then destroys it securely to reduce exposure and meet compliance; tiering aged data to cheaper cold/archival storage controls cost.
Labeling should be classification-driven and tied to controls (encryption, DLP, access) that travel with the data, so protection persists wherever the data moves.
Logs and backups can contain PII, credentials, or session data and must be classified and protected at the same level as the source data, since they become a target if exposed.
Data Loss Prevention (DLP) systems inspect data at rest, in motion, and in use to enforce handling rules and prevent exfiltration of classified information.

Domain 3: Security Architecture and Engineering

Key concepts you must know · 77 practice questions

Defense-in-depth layers multiple diverse controls (perimeter, network, host, application, data) so that the failure of any single control does not lead to compromise.
Symmetric cryptography uses one shared secret key and is fast (e.g., AES, often with AES-NI hardware acceleration); asymmetric uses a public/private key pair, solving the n(n-1)/2 key-distribution problem and enabling scalable key establishment.
Hashing (a one-way function, e.g., SHA-256) provides integrity by detecting changes; it is not encryption and has no key. HMAC adds a key for authenticated integrity.
Digital signatures provide integrity, authentication, and non-repudiation: the sender signs a hash with their private key and the recipient verifies with the sender's public key.
A PKI issues, manages, and validates X.509 certificates that bind public keys to identities; the CA signs certs, the RA verifies requests, and revocation is published via CRLs or OCSP.
Authenticated encryption modes (e.g., AES-GCM) provide confidentiality plus integrity simultaneously. ECB (Electronic Codebook) mode is insecure because identical plaintext blocks produce identical ciphertext, leaking patterns.
Common OpenSSL commands: 'openssl genrsa -out server.key 4096' (private key), 'openssl req -new -key server.key -out server.csr' (CSR), and '-x509 ... -nodes' for a self-signed cert.
Bell-LaPadula enforces confidentiality (no read up / Simple Security Property, no write down / *-property); Biba enforces integrity (no read down, no write up); Clark-Wilson uses well-formed transactions and separation of duties.
An HSM (Hardware Security Module) generates, stores, and uses cryptographic keys in tamper-resistant hardware, performing operations without ever exposing the private key; a centralized HSM-backed KMS enables automated rotation at scale.
Secure design principles include secure defaults (deny by default, require explicit grants), fail-secure (deny access on an authorization service outage, e.g., fail closed), least privilege, and complete mediation.
A hardware root of trust (e.g., a TPM) anchors measured/secure boot, ensuring only verified, unaltered firmware and OS components load at startup.
Common architecture vulnerabilities: covert channels (timing/storage), TOCTOU race conditions, side-channel attacks (power, timing, electromagnetic), and emanations (mitigated by TEMPEST/Faraday shielding).
Forward secrecy (via ephemeral key exchange like ECDHE) ensures that compromise of a long-term private key does not expose past session traffic; TLS 1.3 mandates it and removes static RSA key exchange.
Cloud shared responsibility splits duties: the provider secures the cloud (physical, hypervisor) and the customer secures what is in the cloud (data, IAM, configuration); the split shifts across IaaS, PaaS, and SaaS.

Domain 4: Communication and Network Security

Key concepts you must know · 70 practice questions

The OSI model has 7 layers (Physical, Data Link, Network, Transport, Session, Presentation, Application); the TCP/IP model has 4. Map protocols to layers (e.g., IP at Layer 3, TCP/UDP at Layer 4, TLS spans 5-6).
A VPN creates an encrypted tunnel protecting confidentiality and integrity over untrusted networks. IPsec ESP (Encapsulating Security Payload) provides encryption (confidentiality) plus optional integrity/authentication; AH provides integrity/authentication only, no encryption.
Network segmentation (VLANs, subnetting with ACLs, microsegmentation) limits lateral movement and contains breaches by isolating zones.
Firewall types in increasing sophistication: packet filter (Layer 3/4 ACLs), stateful inspection (tracks connection state), and next-generation/application-layer (deep packet inspection, app awareness).
An IDS passively monitors a copy of traffic and alerts on suspicious activity (often via a SPAN/mirror port); an IPS sits inline and can actively block or drop malicious traffic in real time.
A DMZ hosts internet-facing services; sensitive back-end systems (e.g., databases) belong on an internal segment behind a second firewall, reachable only from the DMZ application tier on required ports.
TLS 1.3 removes legacy/weak ciphers and static RSA key exchange and mandates forward secrecy via ephemeral key exchange, reducing the handshake to one round trip.
Zero Trust assumes no implicit trust based on network location; every request is authenticated, authorized, and continuously verified ('never trust, always verify').
Layer 2 attacks: MAC flooding overflows the switch CAM table to force fail-open hub behavior (mitigate with port security, e.g., 'switchport port-security maximum 1'); ARP poisoning and VLAN hopping are also common.
Wireless security: WPA3-Enterprise uses 802.1X authentication; WPA2 (and the older WPA/WEP) are progressively weaker. Disable WPS and avoid WEP entirely.
A forward proxy mediates outbound client requests (egress control, content filtering); a reverse proxy fronts servers to mediate inbound requests (load balancing, TLS termination, WAF).
Useful diagnostic commands: 'openssl s_client -connect host:443' tests TLS; 'tcpdump -i eth0 -n udp port 53' captures DNS; 'iptables -A INPUT -p tcp --dport 23 -j DROP' blocks Telnet.
DNS security: DNSSEC adds origin authentication and integrity via signatures (it does not encrypt); DoH/DoT add confidentiality. DNS is a frequent vector for tunneling and cache poisoning.
Converged and modern WAN technologies: SD-WAN provides application-aware path selection over broadband and MPLS; CDNs cache and serve content from edge nodes near users to offload the origin; QoS/traffic shaping protects critical flows.

Domain 5: Identity and Access Management

Key concepts you must know · 72 practice questions

The access control sequence is Identification (claiming an identity), Authentication (proving it), Authorization (granting access), and Accountability (logging/auditing actions, also called AAA with Auditing).
MFA combines two or more factors from different categories: something you know (password/PIN), something you have (token/smartcard), and something you are (biometric); two passwords are not MFA.
Access control models: DAC (owner sets permissions, e.g., file ACLs); MAC (system enforces labels/clearances non-discretionarily, used in classified environments); RBAC (permissions tied to roles/job functions, not individuals); ABAC (policy evaluates subject, resource, action, and environment attributes).
MAC grants access only when a subject's clearance dominates an object's classification under a central policy that neither owners nor users can override.
Least privilege grants the minimum access needed to perform a function; separation of duties splits sensitive tasks so no single person can complete a critical action alone (fraud prevention).
SAML is the XML-based federation standard that exchanges authentication and authorization assertions between an Identity Provider (IdP) and a Service Provider (SP) for web SSO; the relying party must validate assertion signatures and audience/recipient restrictions.
OAuth 2.0 provides delegated authorization (API access) and issues an access token; OpenID Connect (OIDC) layers authentication on OAuth and adds an ID token to convey user identity. Use SAML or OIDC for web SSO, OAuth for delegated API access.
SSO improves user experience and cuts password-reset help-desk tickets, but the single credential becomes 'keys to the kingdom' - its compromise can grant access to all federated systems, so it must be paired with strong MFA.
Kerberos uses a Key Distribution Center (KDC) that issues tickets (TGT then service tickets); the KDC is a single point of failure and a high-value target, and clock skew between hosts breaks ticket validity.
Privileged Access Management (PAM) provides credential vaulting, session brokering/recording, and just-in-time (JIT) elevation that grants temporary admin access and automatically revokes it, replacing standing domain-admin rights.
Identity lifecycle (JML: Joiner-Mover-Leaver) should be automated so provisioning and especially deprovisioning happen promptly; orphaned and excess accounts are a major audit finding.
Biometric accuracy is measured by the False Acceptance Rate (FAR / Type II error, the dangerous one) and False Rejection Rate (FRR / Type I error); the Crossover Error Rate (CER) is where they intersect, and a lower CER means a more accurate system.
Periodic access recertification (entitlement review) confirms that users still need their access; identity governance ties this back to RBAC roles and least privilege.
Common identity commands: 'usermod -aG wheel analyst' adds a user to a privileged group; 'Disable-ADAccount -Identity jsmith' disables an AD account on departure; overly broad sudoers entries like 'NOPASSWD: ALL' are a privilege-escalation risk.

Domain 6: Security Assessment and Testing

Key concepts you must know · 83 practice questions

A vulnerability assessment identifies and prioritizes weaknesses broadly; a penetration test goes further by attempting to exploit them to demonstrate real-world impact, always under written authorization and agreed rules of engagement.
Penetration test knowledge levels: black-box (no internal knowledge), white-box (full knowledge/source), and gray-box (partial). Phases follow planning, reconnaissance, scanning, exploitation, and reporting.
Audits performed by an independent third party provide objective oversight and reduce the chance of fraud or self-review bias; auditors should not assess their own work.
SOC reports under SSAE 18: SOC 1 covers financial-reporting controls, SOC 2 covers security/availability/confidentiality (Type I is a point in time, Type II covers a period), and SOC 3 is a public summary.
A false positive is an alert on a benign condition; a false negative is a missed detection of a real issue (the more dangerous failure because the threat goes unnoticed).
Authenticated (credentialed) scans against an accurate asset inventory yield higher-fidelity results and reduce redundant low-value checks compared with unauthenticated scans.
Shift-left testing integrates automated security checks early in the CI/CD pipeline: SAST analyzes source code, DAST tests the running application, and SCA/dependency scans catch vulnerable libraries; these act as pipeline gates.
Manual testing finds business-logic flaws and chained vulnerabilities that automated scanners typically miss; automation provides breadth and speed.
Red team simulates a real adversary, blue team defends, and purple team has the two collaborate to improve detection and response.
Synthetic transactions are scripted, simulated user actions run continuously to validate that critical business workflows function from a user's perspective and to detect failures before real users are affected.
Log management for assessment requires that logs be centralized, time-synchronized (NTP), tamper-resistant, and retained per policy so events can be correlated and used as evidence.
Key metrics: Mean Time to Detect (MTTD) and Mean Time to Respond/Recover (MTTR) measure detection and response effectiveness.
Compliance scanning checks configurations against a recognized baseline; OpenSCAP runs SCAP content, e.g., 'oscap xccdf eval --profile ...cis... --report report.html ssg-rhel8-ds.xml' against a CIS Benchmark.
Common testing tools include Hydra for credential brute-forcing (e.g., 'hydra -l admin -P wordlist.txt ssh://target'), Nmap for discovery, Nessus/OpenVAS for vulnerability scanning, and Burp Suite for web app testing.

Domain 7: Security Operations

Key concepts you must know · 130 practice questions

The incident response lifecycle (NIST SP 800-61) is Preparation, Detection & Analysis, Containment/Eradication & Recovery, and Post-Incident Activity (lessons learned).
Disaster recovery metrics: RTO (Recovery Time Objective) is how fast you must restore; RPO (Recovery Point Objective) is the maximum tolerable data loss, which dictates backup/replication frequency; MTD is the maximum tolerable downtime.
Recovery site types trade cost against speed: a hot site has fully replicated systems/data ready for near-immediate takeover (lowest RTO, highest cost), a warm site has hardware but needs data/config, and a cold site is just space and power.
Backup strategy combines periodic full backups with frequent incrementals (only changed data since the last backup) or differentials (changed since the last full); test restores regularly, since untested backups are unproven.
RAID provides availability and fault tolerance but is NOT a substitute for backups: it does not protect against deletion, corruption, ransomware, or site loss.
The order of volatility for evidence collection is CPU registers/cache, then RAM, then network/process state, then disk, then archival media; collect the most volatile data first.
Forensic imaging must preserve integrity: use a write-blocker and bit-for-bit imaging (e.g., 'dd if=/dev/sdb of=evidence.img bs=4M conv=sync,noerror'), then hash the image and maintain a documented chain of custody.
A SIEM centrally aggregates, normalizes, and correlates log/event data from many sources and generates alerts on suspicious patterns; SOAR adds automated, playbook-driven orchestration and response.
Accurate time synchronization (NTP) across all systems is essential so events can be correctly ordered and correlated during an investigation.
Log integrity is protected by cryptographically signing or hashing entries and forwarding them to a write-once/centralized store so they cannot be tampered with after the fact.
Need-to-know restricts access to only the information required for a specific task even within one's privilege level; job rotation and mandatory vacation help detect fraud.
A formal change management process ensures changes are reviewed, tested, approved, documented, and reversible (with a rollback plan), reducing the risk of unauthorized or destabilizing modifications reaching production.
Patch and vulnerability management should be risk-based and follow change control; configuration management maintains secure baselines and an accurate asset inventory.
Useful operational commands: 'firewall-cmd --permanent --zone=public --add-service=https && firewall-cmd --reload' opens a service in firewalld; 'ss -tnp state established' lists active TCP connections for investigation.

Domain 8: Software Development Security

Key concepts you must know · 113 practice questions

Input validation should use a positive/allow-list (reject anything not explicitly permitted) and be performed server-side; it prevents injection and many other attacks by rejecting malformed or malicious input.
SQL injection is prevented by parameterized queries / prepared statements (which separate code from data), never by string concatenation; output encoding prevents cross-site scripting (XSS).
Cross-Site Request Forgery (CSRF) is mitigated by per-request anti-CSRF tokens combined with the SameSite cookie attribute.
Insecure Direct Object Reference (IDOR) / broken object-level authorization is fixed by enforcing server-side authorization checks that verify the caller actually owns or may access each requested object.
A TOCTOU (time-of-check to time-of-use) race condition occurs when a resource's state changes between validation and use, allowing an attacker to substitute it; mitigate with atomic operations and locking.
Shift-left / DevSecOps integrates security into design and requirements and runs SAST, DAST, and dependency/SCA scans as pipeline gates, because defects caught in design or coding cost far less to remediate than those found in production.
Threat modeling the design (e.g., STRIDE: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) enumerates threats and the mitigations each requires.
A Software Bill of Materials (SBOM) lists all components, dependencies, versions, and licenses, enabling tracking of known vulnerabilities (via the NVD) and license-compliance risk; minimize dependencies and remove unused libraries.
Software supply-chain integrity: sign and verify build artifacts, verify package integrity via signatures/checksums, and pin trusted versions; sign commits (e.g., 'git config --global commit.gpgsign true').
Secrets must never be hard-coded or written into source, build logs, or application logs; inject them at runtime from a secrets manager, rotate them regularly, and revoke them automatically on compromise.
Service-to-service authentication in microservices should use mutual TLS with short-lived, automatically rotated service identities/certificates.
Secure logging records enough to enable abuse detection, debugging, forensics, and accountability, while never logging sensitive data such as passwords, tokens, or full card numbers.
The OWASP Top 10 catalogs the most critical web application risks (e.g., broken access control, injection, security misconfiguration) and is a standard reference for secure coding and testing.
Maturity and assurance models include the SDLC security gates, Capability Maturity Model (CMM/CMMI), and software escrow agreements to protect against vendor failure.

(ISC)² CISSP exam tips

Think like a risk manager, not a technician: when several answers are technically correct, pick the one that best addresses business risk, follows policy, and reflects management's perspective (the 'best' answer, not just a 'right' one).
Always do the first thing first. Many questions ask what to do FIRST or NEXT - the answer is usually a process step like analyze/assess risk, get management approval, perform a BIA, or notify the right party, not jump straight to a technical fix.
Memorize the quantitative risk formulas (SLE = AV x EF, ALE = SLE x ARO) and the access-control models (DAC/MAC/RBAC/ABAC) and security models (Bell-LaPadula vs Biba) cold - they appear repeatedly and are easy points.
The exam is a Computerized Adaptive Test (CAT): you cannot go back to change answers, so commit to each question; the difficulty adjusts to your performance, and you can pass in as few as 100 questions.
Watch for distractors that are plausible but address the wrong CIA element or the wrong control function (preventive vs detective vs corrective); read the full scenario, eliminate two wrong answers first, then choose between the remaining two.

Study guide FAQ

How is the CISSP exam structured and scored?

The English exam is a Computerized Adaptive Test (CAT) of 100-150 questions over a maximum of 4 hours (240 minutes). You need a scaled score of 700 out of 1000 to pass. Questions are weighted by the eight domains, with Security Operations and Security and Risk Management carrying the most weight, and you cannot return to previous questions.

What experience is required to become certified?

You need at least five years of cumulative paid work experience in two or more of the eight CISSP domains. A four-year college degree or an approved credential can waive one year. If you pass the exam but lack the experience, you become an Associate of (ISC)² and have up to six years to earn the required experience, after which a current CISSP must endorse you.

How should I focus my study time across the domains?

Weight your study toward the largest domains: Security Operations (Domain 7) and Software Development Security (Domain 8) carry the most questions in this bank, followed by Security and Risk Management (Domain 1) and Security Assessment and Testing (Domain 6). Master the foundational managerial and risk concepts first, because they underpin scenario questions in every other domain.

Is CISSP a technical or managerial exam?

It is primarily managerial and conceptual, testing breadth across the CBK rather than deep configuration skill on any one product. You must understand technologies (cryptography, networking, IAM, secure development) well enough to reason about them, but the questions reward governance, risk-based judgment, and the manager's perspective over hands-on command-line expertise.

Test yourself: 689 (ISC)² CISSP practice questions