The Ten Domains of the CISSP Certification

Note: There have been changes made to the CISSP curriculum, and now there are only 8 domains. Read about the CISSP update here.

The Certified Information Systems Security Professional (CISSP) is a globally recognized certification in the information security market. Required by some of the world’s most security-conscious organizations, the CISSP is considered the gold standard credential that assures information security leaders possess the breadth of knowledge, skills and experience required to credibly build and manage the security posture of an organization.

– CISSP Certification

The CISSP CBK (Common Body of Knowledge) consists of the following ten domains:

1. Access Control
Access control is a collection of mechanisms that work together to create a security architecture to protect the assets of the information system. It includes:

  • Concepts/methodologies/techniques
  • Effectiveness
  • Attacks

2. Telecommunications and Network Security
Telecommunications and network security discusses network structures, transmission methods, transport formats and security measures used to provide availability, integrity and confidentiality. It includes:

  • Network architecture and design
  • Communication channels
  • Network components
  • Network attacks

3. Information Security Governance and Risk Management 
Information security governance and risk management is the identification of an organization’s information assets and the development, documentation and implementation of policies, standards, procedures and guidelines. It includes:

  • Security governance and policy
  • Information classification/ownership
  • Contractual agreements and procurement processes
  • Risk management concepts
  • Personnel security
  • Security education, training and awareness
  • Certification and accreditation

4. Software Development Security 
Software development security refers to the controls that are included within systems and applications software and the steps used in their development. It covers:

  • Systems development life cycle (SDLC)
  • Application environment and security controls
  • Effectiveness of application security

5. Cryptography
Cryptography is the principles, means and methods of disguising information to ensure its integrity, confidentiality and authenticity. Subjects covered are:

  • Encryption concepts
  • Digital signatures
  • Cryptanalytic attacks
  • Public Key Infrastructure (PKI)
  • Information hiding alternatives

6. Security Architecture and Design 
Security architecture and design contains the concepts, principles, structures and standards used to design, implement, monitor and secure operating systems, equipment, networks and applications, and the controls used to enforce various levels of confidentiality, integrity and availability. It covers:

  • Fundamental concepts of security models
  • Capabilities of information systems (e.g. memory protection, virtualization)
  • Countermeasure principles
  • Vulnerabilities and threats (e.g. cloud computing, aggregation, data flow control)

7. Operations Security
Operations security is used to identify the controls over hardware, media and the operators with access privileges to any of these resources. It includes:

  • Resource protection
  • Incident response
  • Attack prevention and response
  • Patch and vulnerability management

8. Business Continuity and Disaster Recovery Planning
Business continuity and disaster recovery planning addresses the preservation of the business in the face of major disruptions to normal business operations. Covered:

  • Business impact analysis
  • Recovery strategy
  • Disaster recovery process
  • Provide training

9. Legal, Regulations, Investigations and Compliance
Legal, regulations, investigations and compliance addresses computer crime laws and regulations; the investigative measures and techniques which can be used to determine if a crime has been committed and methods to gather evidence. Modules include:

  • Legal issues
  • Investigations
  • Forensic procedures
  • Compliance requirements/procedures

10. Physical (Environmental) Security 
Physical (environmental) security addresses the threats, vulnerabilities and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information. Included modules:

  • Site/facility design considerations
  • Perimeter security
  • Internal security
  • Facilities security

    • Lockwood
    • February 27, 2015

    Very helpful. You’re the best.
