CISSP is built on the ISC2 Common Body of Knowledge (CBK), organised into eight domains. This is a plain-English summary of what each covers and its approximate weighting; the official exam outline is authoritative.

| # | Domain | Weight |
|---|---|---|
| 1 | Security and Risk Management | ~16% |
| 2 | Asset Security | ~10% |
| 3 | Security Architecture and Engineering | ~13% |
| 4 | Communication and Network Security | ~13% |
| 5 | Identity and Access Management (IAM) | ~13% |
| 6 | Security Assessment and Testing | ~12% |
| 7 | Security Operations | ~13% |
| 8 | Software Development Security | ~10% |

Domain 1 — Security and Risk Management (~16%)

Governance, compliance, legal and regulatory issues, professional ethics, security policies, and the full risk management lifecycle (identify, assess, respond, monitor). The foundation of the whole exam.

Domain 2 — Asset Security (~10%)

Information and asset classification, ownership roles, data lifecycle, retention, and protecting data at rest, in transit and in use.

Domain 3 — Security Architecture and Engineering (~13%)

Secure design principles, security models (Bell-LaPadula, Biba), security capabilities of systems, vulnerabilities, and a large cryptography component.

Domain 4 — Communication and Network Security (~13%)

Secure network architecture, the OSI and TCP/IP models, secure protocols, and securing network components and channels.

Domain 5 — Identity and Access Management (~13%)

Access control models (DAC, MAC, RBAC, ABAC), the identity lifecycle, authentication and authorisation, and federation and single sign-on.

Domain 6 — Security Assessment and Testing (~12%)

Assessment and test strategies, security control testing, vulnerability and penetration testing, and reporting findings.

Domain 7 — Security Operations (~13%)

Investigations, logging and monitoring, incident management, disaster recovery and business continuity (BIA, RTO, RPO, MTD), and physical security.

Domain 8 — Software Development Security (~10%)

Security in the software development lifecycle, secure coding, and assessing the security of software you build or acquire.