Certified Information Systems Security Professional CISSP Quick Facts (2025)

Exam Domain Breakdown

Domain 1: Security and Risk Management (16% of the exam)

1.1 - Understand, adhere to, and promote professional ethics

• ISC2 Code of Professional Ethics
• Organizational code of ethics

1.1 summary: This section explores the ethical responsibilities binding information security professionals. It emphasizes integrity, accountability, and the universal standards of practice outlined in the ISC2 Code of Professional Ethics. You will understand how to consistently apply ethical decision-making that supports trust and professional behavior across diverse environments.

The goal is to foster credibility and reliability in cybersecurity leadership. Strong adherence to ethics ensures that security decisions align with both organizational values and the greater good, reinforcing trust among stakeholders and peers.

1.2 - Understand and apply security concepts

• Confidentiality, integrity, and availability, authenticity, and nonrepudiation (5 Pillars of Information Security)

1.2 summary: This section focuses on the foundational principles of information security that underpin all other domains. You will learn how confidentiality, integrity, and availability—along with authenticity and nonrepudiation—form a complete framework for protecting data and systems.

These concepts provide the lens for building resilient and balanced controls. Understanding how these pillars interact enables you to design solutions that protect vital resources and ensure reliable system performance.

1.3 - Evaluate and apply security governance principles

• Alignment of the security function to business strategy, goals, mission, and objectives
• Organizational processes such as acquisitions, divestitures, and governance committees
• Organizational roles and responsibilities
• Security control frameworks (ISO, NIST, COBIT, SABSA, PCI, FedRAMP)
• Due care and due diligence

1.3 summary: This section covers how security governance integrates into an enterprise’s strategic framework. You will recognize the importance of aligning information protection efforts with business objectives and regulatory requirements using recognized control frameworks.

By evaluating governance processes, you ensure that leadership has visibility and accountability within all layers of the organization. Mastering this linkage prepares you to communicate effectively with executives and auditors while embedding compliance into standard operations.

1.4 - Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context

• Cybercrimes and data breaches
• Licensing and intellectual property requirements
• Import and export controls
• Transborder data flow
• Privacy concerns (GDPR, CCPA, PIPL, POPIA)
• Contractual, legal, industry standards, and regulatory requirements

1.4 summary: This section examines the regulatory and legal environment shaping cybersecurity practices. You will learn how laws, standards, and international privacy regulations guide secure information handling.

The emphasis is on understanding diverse legal frameworks and aligning compliance measures to corporate governance. Understanding these aspects ensures appropriate risk controls, minimizing exposure to liabilities while protecting the organization’s reputation.

1.5 - Understand requirements for investigation types (administrative, criminal, civil, regulatory, industry standards)

1.5 summary: This section outlines the various investigation types that professionals may encounter within their role. You will identify how administrative, civil, regulatory, and criminal inquiries differ in purpose, evidence handling, and process.

Through this understanding, you’ll be equipped to coordinate properly with legal counsel and external authorities. Accurate preparation for investigation procedures ensures the preservation of evidence and compliance with both organizational policy and law.

1.6 - Develop, document, and implement security policy, standards, procedures, and guidelines

1.6 summary: This section details how to create comprehensive documentation that defines and maintains security expectations. Policies, standards, and procedures communicate organizational intent and establish the foundation for consistent operation.

You will learn how to structure these documents so they remain authoritative yet adaptable. Proper documentation allows seamless implementation and accountability throughout all technical and administrative controls.

1.7 - Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements

• Business impact analysis (BIA)
• External dependencies

1.7 summary: This section focuses on developing resilient operations through continuity planning. You will use tools like the business impact analysis to identify mission-critical functions and interdependencies.

The insights gained guide the prioritization of controls and recovery objectives. Mastering this domain ensures that essential capabilities continue with minimal disruption during incidents or disasters.

1.8 - Contribute to and enforce personnel security policies and procedures

• Candidate screening and hiring
• Employment agreements and policy-driven requirements
• Onboarding, transfers, and termination processes
• Vendor, consultant, and contractor agreements and controls

1.8 summary: This section establishes secure personnel management throughout the employee lifecycle. You’ll learn how security professionals collaborate with HR and management to integrate security into every stage of employment.

Properly managed personnel policies help protect against insider threats and align external partnerships with organizational standards. Through these processes, you ensure that people remain both informed and trusted assets.

1.9 - Understand and apply risk management concepts

• Threat and vulnerability identification
• Risk analysis, assessment, and response
• Applicable types of controls
• Continuous monitoring and reporting
• Continuous improvement and risk maturity modeling
• Risk frameworks (ISO, NIST, COBIT, SABSA, PCI)

1.9 summary: This section encompasses the methodology behind identifying, analyzing, and treating organizational risk. It connects frameworks to practical decision-making so you can prioritize efforts and allocate security resources effectively.

Constant risk awareness forms the backbone of agile cybersecurity programs. By integrating evaluation and reassessment processes, organizations stay prepared for evolving threats and maintain measurable resilience.

1.10 - Understand and apply threat modeling concepts and methodologies

1.10 summary: This section introduces how to systematically anticipate and evaluate attack surfaces. You will understand threat modeling frameworks that identify vulnerabilities early in design and development.

Implementing structured models allows teams to deploy proactive defenses. The result is security engineered into every layer rather than added afterward.

1.11 - Apply Supply Chain Risk Management (SCRM) concepts

• Supply chain risks such as tampering or counterfeiting
• Risk mitigations like third-party assessments, monitoring, and service-level requirements

1.11 summary: This section examines how to manage security risks introduced through suppliers and external services. You’ll learn ways to evaluate vendor compliance, prevent counterfeit components, and maintain end-to-end trust.

Developing a structured SCRM program enhances confidence in systems and products. This proactive approach safeguards confidentiality and reliability across interconnected ecosystems.

1.12 - Establish and maintain a security awareness, education, and training program

• Awareness methods such as social engineering, phishing, gamification, and continuous content evaluation

1.12 summary: This section focuses on cultivating a culture of security awareness. You will explore creative learning methods that empower every employee to recognize and respond to risks effectively.

Regular content reviews and measurable training outcomes help maintain relevance as technology and threats evolve. Building engagement through education transforms human behavior into one of the strongest defenses against security incidents.

Domain 2: Asset Security (10% of the exam)

2.1 - Identify and classify information and assets

• Data classification
• Asset classification

2.1 summary: This section emphasizes systematically identifying and classifying assets to assign security values. You’ll learn how to categorize data according to sensitivity and business impact.

Proper classification ensures consistent protective measures across the organization. With these practices in place, information handling aligns with compliance and operational priorities.

2.2 - Establish information and asset handling requirements

2.2 summary: This section ensures that classified items are managed according to their defined requirements. You’ll set controls for labeling, storing, transmitting, and disposing of data appropriately.

Clear handling guidelines prevent accidental dissemination and maintain trust in data stewardship. Enforcement of such standards forms the basis for controlled data flow across different clearance levels.

2.3 - Provision information and assets securely

• Information and asset ownership
• Asset inventory and management

2.3 summary: This section addresses asset ownership responsibilities. Proper provisioning begins with accurate inventory and documentation, ensuring accountability throughout the lifecycle.

Using structured ownership models brings clarity and chain-of-custody assurance. It supports continuous control and security posture improvement across business units.

2.4 - Manage data lifecycle

• Data roles, collection, location, and maintenance
• Data retention, remanence, and destruction

2.4 summary: This section describes the entire journey of data from creation to destruction. You’ll define controls that keep information secure while meeting retention policies and privacy regulations.

Understanding data states and enforcing secure disposal methods minimize residual risk. This lifecycle management maintains compliance and reduces unnecessary exposure.

2.5 - Ensure appropriate asset retention (EOL, EOS)

2.5 summary: This section ensures assets and equipment are retired with integrity and proper procedure. You’ll coordinate the disposal or decommissioning of systems when they reach end-of-life or end-of-support.

The process contributes to both operational efficiency and reduced vulnerabilities. By planning lifecycle transitions, you maintain sustainable and secure technology management.

2.6 - Determine data security controls and compliance requirements

• Data states, scoping, and data protection methods like DRM, DLP, and CASB

2.6 summary: This section ties together policies, tools, and technology for safeguarding data across usage states. You’ll evaluate and apply security measures that comply with framework requirements.

Practical application of protection strategies enhances overall resilience. By matching controls to classification and context, resources remain properly shielded from compromise.

Domain 3: Security Architecture and Engineering (13% of the exam)

3.1 - Research, implement and manage engineering processes using secure design principles

• Threat modeling, least privilege, defense in depth, secure defaults, segregation of duties, simplicity, and zero trust

3.1 summary: This section introduces the guiding design philosophies for secure system architecture. It highlights integrating principles like least privilege and defense in depth at every level of development.

These practices create structures that resist compromise and promote auditability. Secure design ensures systems deliver required functionality without unnecessary exposure.

3.2 - Understand the fundamental concepts of security models (Biba, Star Model, Bell-LaPadula)

3.2 summary: This section addresses how formal security models describe information flow and access control. Each model represents specific security attributes that underpin data protection frameworks.

Familiarity with these models promotes effective policy enforcement. It allows the architect to ensure confidentiality and integrity through verifiable logic.

3.3 - Select controls based upon systems security requirements

3.3 summary: This section focuses on understanding which security controls align best with system needs. You will analyze architecture characteristics and operational demands to balance functionality with safety.

Selecting controls based on structured assessment enhances cost-effective security. Individual control choices coalesce into an efficient and resilient defense strategy.

3.4 - Understand security capabilities of Information Systems

• Memory protection, Trusted Platform Module (TPM), encryption

3.4 summary: This section explores intrinsic hardware and software mechanisms that enforce security. Knowledge of these fundamentals enables leveraging built-in capabilities for higher assurance.

Applying these protections ensures confidentiality and integrity without performance compromise. Understanding platform security fosters better integration between architecture and policy.

3.5 - Assess and mitigate vulnerabilities of security architectures, designs, and solution elements

• Client-based, server-based, database, cryptographic, industrial control, cloud, distributed, IoT, microservices, containerized, and virtualized systems

3.5 summary: This section guides you in identifying architectural weaknesses across a wide range of technologies. Each environment presents unique security challenges that must be evaluated holistically.

Appropriate mitigation preserves performance while reducing exposure. Proficiency in assessing each context ensures secure evolution in complex infrastructures.

3.6 - Select and determine cryptographic solutions

• Cryptographic life cycle, methods, and public key infrastructure

3.6 summary: This section covers cryptography as both science and process. You’ll determine suitable encryption methods based on system function, risk profile, and life cycle considerations.

Managing the complete cryptographic life cycle ensures long-term data protection. Effective key governance reinforces trust in transactions and storage systems.

3.7 - Understand methods of cryptanalytic attacks

• Examples include brute force, side-channel, and man-in-the-middle exploitation

3.7 summary: This section exposes how attackers exploit cryptographic weaknesses. By studying varied attack vectors, you’ll learn how strong cryptographic practices mitigate real-world threats.

Understanding adversarial techniques encourages proactive defenses. Applying the right countermeasures strengthens data confidentiality across digital environments.

3.8 - Apply security principles to site and facility design

3.8 summary: This section emphasizes physical layout considerations essential for information security. Well-planned facilities reduce the risk of unauthorized access or environmental harm.

Integration of physical and digital safeguards supports comprehensive protection. Effective site design adds another layer of resilience to organizational security.

3.9 - Design site and facility security controls

• Data centers, HVAC, fire and power systems, restricted zones, and environmental protections

3.9 summary: This section ensures you can translate design requirements into tangible controls. Monitoring key facility components protects both people and assets from physical and environmental hazards.

Redundant and well-managed infrastructure secures continuity of operations. Implementing layered measures safeguards the entire information ecosystem.

3.10 - Manage the information system lifecycle

• From stakeholder needs through retirement and disposal

3.10 summary: This section defines each stage of system development, operation, and decommissioning. Aligning lifecycle management with security principles ensures every change remains authorized and documented.

Applying a structured lifecycle promotes predictable performance and continuous improvement. The result is enduring systems reliability rooted in verified procedures.