CISSP — Certified Information Systems Security Professional — Cheatsheet

High-yield CISSP review: governance & risk, security models, crypto/PKI, IAM & access models, architecture & network, cloud, SDLC & DevSecOps, operations/IR/BCP/DR, physical, legal/privacy — with quick contrasts and decision heuristics.

Use this for last-mile review. Star weak rows and turn misses into 2-bullet rules.


1) Governance, Policy Stack & Roles

  • Hierarchy: Policy → Standard → Baseline → Procedure → Guideline
  • Key roles:
    • Data Owner (sets classification), System Owner (day-to-day), Custodian (implements controls), User (follows policy), Data Steward (quality/metadata), Privacy Officer/DPO (privacy program).
  • Security program: risk-based, business-aligned, measurable (KPIs/KRIs), continuous improvement.

Classification & Handling (example)
Public → Internal → Confidential → Restricted (stricter controls as you go right).


2) Risk Management (math & methods)

  • Risk treatments: Mitigate, Transfer, Avoid, Accept (document risk appetite/exception).
  • Qualitative: heat maps, Delphi, scenarios. Quantitative: SLE/ALE/ARO.

\[ \text{SLE} = \text{AV} \times \text{EF} \quad\quad \text{ALE} = \text{SLE} \times \text{ARO} \]

  • Controls: Preventive, Detective, Corrective, Deterrent, Compensating, Recovery.
  • BIA outputs: RTO, RPO, MTD, WRT → drive DR architecture.
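The SLE/ALE formulas above, carried through to the safeguard cost/benefit decision that is built on them (value of a control = ALE before the control minus ALE after it minus the control's annual cost). This is an added Python illustration, not part of the cheatsheet; the asset value, exposure factors and the three candidate safeguards are constructed numbers for the walk-through.

```python
"""Quantitative risk arithmetic: SLE = AV x EF, ALE = SLE x ARO, then the safeguard
cost/benefit comparison. Added illustration; all figures below are constructed."""
from dataclasses import dataclass
from typing import List, Optional


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: what one occurrence of the threat costs."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction of asset value (0..1)")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy: expected loss per year (ARO = occurrences per year)."""
    return single_loss * aro


@dataclass
class Safeguard:
    name: str
    annual_cost: float   # purchase amortised + operation, per year
    new_ef: float        # exposure factor once the control is in place
    new_aro: float       # annual rate of occurrence once the control is in place


def net_benefit(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """ALE(before) - ALE(after) - annual cost. Positive: the control is worth more than it costs."""
    before = ale(sle(asset_value, ef), aro)
    after = ale(sle(asset_value, sg.new_ef), sg.new_aro)
    return before - after - sg.annual_cost


def best_safeguard(asset_value: float, ef: float, aro: float,
                   options: List[Safeguard]) -> Optional[Safeguard]:
    """Highest net benefit wins; None means accepting the risk beats every option."""
    value, sg = max(((net_benefit(asset_value, ef, aro, o), o) for o in options),
                    key=lambda t: t[0])
    return sg if value > 0 else None


# Constructed scenario: a $1M asset, a threat that destroys 25% of it about once in 5 years.
ASSET_VALUE, EF, ARO = 1_000_000.0, 0.25, 0.2
OPTIONS = [
    Safeguard("offline backups", annual_cost=10_000, new_ef=0.05, new_aro=0.2),
    Safeguard("cyber insurance", annual_cost=45_000, new_ef=0.02, new_aro=0.2),
    Safeguard("gold-plated DR site", annual_cost=60_000, new_ef=0.0, new_aro=0.0),
]


def worked_example() -> dict:
    return {
        "sle": sle(ASSET_VALUE, EF),                       # 250,000
        "ale": ale(sle(ASSET_VALUE, EF), ARO),             # 50,000 per year
        "net": {o.name: net_benefit(ASSET_VALUE, EF, ARO, o) for o in OPTIONS},
        "choice": best_safeguard(ASSET_VALUE, EF, ARO, OPTIONS),
    }


if __name__ == "__main__":
    print(worked_example())
```

The point the numbers make: the control that removes the risk entirely is not the right answer when its cost exceeds the loss it prevents; the exam expects you to pick the option with the best net benefit, not the strongest one.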

3) Security Models & Trust

Model                                   | Primary Goal                                                   | Rule of Thumb
Bell-LaPadula                           | Confidentiality (no read up, no write down)                    | Military/classified
Biba                                    | Integrity (no read down, no write up)                          | Manufacturing/quality
Clark-Wilson                            | Integrity via well-formed transactions & separation of duties  | Commercial apps
Brewer-Nash                             | Chinese Wall (conflict of interest)                            | Consulting/finance
Graham-Denning / Harrison-Ruzzo-Ullman  | Rights / subject–object operations                             | Access administration
TCSEC / ITSEC / Common Criteria         | Evaluation / assurance                                         | EAL levels; protection profiles
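The two lattice rows of the table (Bell-LaPadula and Biba) as a small reference-monitor style check, so the "no read up / no write down" and "no read down / no write up" rules can be exercised rather than memorised. This is an added Python example, not code from the cheatsheet; the confidentiality ladder reuses the classification levels from section 1, and the integrity ladder is a constructed one.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) access checks over ordered levels.
Added example; level ladders are constructed. A higher index dominates a lower one."""
from enum import Enum
from typing import List


class Access(Enum):
    READ = "read"
    WRITE = "write"


CONFIDENTIALITY: List[str] = ["public", "internal", "confidential", "restricted"]
INTEGRITY: List[str] = ["untrusted", "user", "system", "kernel"]


def _rank(ladder: List[str], level: str) -> int:
    try:
        return ladder.index(level)
    except ValueError:
        raise ValueError(f"unknown level {level!r}") from None


def blp_allows(subject_clearance: str, object_label: str, access: Access) -> bool:
    """Bell-LaPadula:
    simple security property: no read up   (subject clearance must dominate object label)
    *-property:               no write down (object label must dominate subject clearance)"""
    s, o = _rank(CONFIDENTIALITY, subject_clearance), _rank(CONFIDENTIALITY, object_label)
    return s >= o if access is Access.READ else o >= s


def biba_allows(subject_integrity: str, object_integrity: str, access: Access) -> bool:
    """Biba, the dual of BLP:
    simple integrity property: no read down (object must be at least as trusted as subject)
    *-integrity property:      no write up  (subject must be at least as trusted as object)"""
    s, o = _rank(INTEGRITY, subject_integrity), _rank(INTEGRITY, object_integrity)
    return o >= s if access is Access.READ else s >= o


def decide(model: str, subject_level: str, object_level: str, access: Access) -> bool:
    """Single choke point, the way a reference monitor mediates every access (complete mediation)."""
    check = {"blp": blp_allows, "biba": biba_allows}[model]
    return check(subject_level, object_level, access)


if __name__ == "__main__":
    print("BLP confidential subject reads restricted:",
          decide("blp", "confidential", "restricted", Access.READ))   # False: no read up
    print("Biba system subject reads untrusted:",
          decide("biba", "system", "untrusted", Access.READ))          # False: no read down
```

Reading the two functions side by side is the quickest way to see why Biba is called the dual of BLP: each rule is the other with the comparison flipped, because one model protects secrets from flowing down and the other protects trusted data from being polluted from below.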

4) Crypto Fundamentals

  • Hash (integrity): SHA-256/512; HMAC adds origin auth.
  • Symmetric (bulk/conf): AES (GCM/CTR), 3DES (legacy).
  • Asymmetric: RSA, ECC (P-256/Curve25519); ECDH/ECDHE for key exchange/FS; DSA/ECDSA signatures.
  • Randomness: CSPRNG; avoid reuse of IV/nonce.
  • Key mgmt: generation, distribution, rotation, storage (HSM), destruction.

Don’t confuse: Encoding ≠ Hashing ≠ Encryption ≠ Signing.
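The "encoding ≠ hashing ≠ signing" contrast and the "HMAC adds origin auth" bullet, shown on bytes: a SHA-256 digest travelling with a message can be recomputed by whoever changes the message, while an HMAC tag cannot be produced without the key. This is an added Python example using only the standard library, not part of the cheatsheet; the key and the messages are constructed.

```python
"""Encoding vs hashing vs keyed MAC. Added example, stdlib only; KEY and messages are constructed."""
import base64
import hashlib
import hmac

KEY = b"constructed-demo-key-not-for-real-use"


def encode(msg: bytes) -> str:
    """Base64 is reversible by anyone: transport formatting, not protection."""
    return base64.b64encode(msg).decode()


def decode(enc: str) -> bytes:
    return base64.b64decode(enc)


def digest(msg: bytes) -> str:
    """Integrity only: detects accidental change against a digest the verifier already trusts."""
    return hashlib.sha256(msg).hexdigest()


def tag(msg: bytes, key: bytes = KEY) -> str:
    """Integrity + origin authentication: only holders of `key` can compute a matching tag."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_hash(msg: bytes, expected_digest: str) -> bool:
    return hmac.compare_digest(digest(msg), expected_digest)


def verify_tag(msg: bytes, expected_tag: str, key: bytes = KEY) -> bool:
    # compare_digest is constant-time; plain == on MACs leaks timing.
    return hmac.compare_digest(tag(msg, key), expected_tag)


def tamper_scenario() -> dict:
    """Same in-transit modification against both schemes. With a bare hash the modifier just
    recomputes the checksum; with an HMAC the best a key-less party can do is a wrong-key tag."""
    original = b"transfer 100 to alice"
    modified = b"transfer 9999 to mallory"

    shipped_digest = digest(original)
    recomputed_digest = digest(modified)              # no secret needed
    hash_fooled = verify_hash(modified, recomputed_digest)

    shipped_tag = tag(original)
    wrong_key_tag = tag(modified, key=b"guess")       # KEY is not available to the modifier
    hmac_fooled = verify_tag(modified, wrong_key_tag)

    return {
        "hash_fooled": hash_fooled,                    # True: hash alone does not authenticate
        "hmac_fooled": hmac_fooled,                    # False: tag does not verify under KEY
        "original_tag_valid": verify_tag(original, shipped_tag),
        "digest_unchanged_by_shipping": shipped_digest == digest(original),
    }


if __name__ == "__main__":
    print(tamper_scenario())
```

Note what the HMAC still does not give you: non-repudiation. Both sides hold the key, so either could have produced the tag; that is the gap digital signatures (the fourth item in the contrast) close.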


5) PKI & TLS Quick Map

  • Chain: Root → Intermediate → Leaf (end-entity).
  • Revocation: CRL (pull), OCSP (query), stapling (server includes response).
  • Cert types: DV/OV/EV, SAN, Wildcard, Code-signing, Client, Device.
  • TLS 1.3: ephemeral ECDHE + AEAD (e.g., AES-GCM/ChaCha20-Poly1305); drop legacy ciphers; enable HSTS on web.

6) Identity & Access Management (IAM)

  • Factors: know/have/are/do/where; prefer MFA.
  • SSO/Federation: SAML (XML assertions), OIDC (identity/authentication layer on top of OAuth 2.0), OAuth 2.0 (delegated authorization, not authentication).
  • Provisioning: JIT, SCIM; PAM/PIM for admin; JEA/JIT to limit exposure.
  • Directory: LDAP/LDAPS, Kerberos (tickets/TGT).
  • Lifecycle: joiner → mover → leaver (revoke promptly).

7) Access Control Models & Concepts

Model       | Description            | Use
DAC         | Owner decides          | Flexible, weaker governance
MAC         | Labels / clearances    | Govt / high assurance
RBAC        | Roles / least privilege| Enterprise standard
ABAC        | Attributes + policy    | Context-aware, zero trust
Rule-Based  | If/then rules          | Firewalls, NAC, WAF

  • Separation of Duties (SoD), Least Privilege, Need-to-Know, Dual control, and Job rotation together reduce fraud and error.
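The RBAC and ABAC rows as a tiny policy decision point, so the difference is concrete: RBAC answers "does one of this user's roles carry this permission?", ABAC evaluates rules over subject, resource and environment attributes (which is where the zero-trust context, such as device state and time, enters) and denies by default. This is an added Python example, not code from the cheatsheet; the roles, permissions, attributes and rules are constructed.

```python
"""Minimal PDP contrasting RBAC (roles -> permissions) with ABAC (rules over attributes).
Added example; all roles, users, attributes and rules are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# ---- RBAC: least privilege is engineered into the role definitions ----
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst": {"ticket:read", "ticket:comment"},
    "ticket-admin": {"ticket:read", "ticket:comment", "ticket:close", "ticket:delete"},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"analyst"}, "bob": {"ticket-admin"}}


def rbac_allows(user: str, permission: str) -> bool:
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return permission in perms


# ---- ABAC: rules are predicates; environment attributes make decisions context-aware ----
@dataclass
class Request:
    subject: Dict[str, object]
    resource: Dict[str, object]
    action: str
    environment: Dict[str, object] = field(default_factory=dict)


Rule = Callable[[Request], bool]

ABAC_RULES: List[Tuple[str, Rule]] = [
    # Owners may read and comment on their own tickets, any time, from any device.
    ("owner-read", lambda r: r.action in {"ticket:read", "ticket:comment"}
                             and r.resource.get("owner") == r.subject.get("id")),
    # Closing/deleting needs the ticket-admin department, a managed device, business hours.
    ("admin-change", lambda r: r.action in {"ticket:close", "ticket:delete"}
                               and r.subject.get("department") == "ticket-admin"
                               and r.environment.get("device_managed") is True
                               and 8 <= int(r.environment.get("hour", -1)) < 18),
]


def abac_decide(req: Request) -> Tuple[bool, str]:
    """Deny by default; the first permitting rule wins and its name is returned for the audit log."""
    for name, rule in ABAC_RULES:
        if rule(req):
            return True, name
    return False, "default-deny"


if __name__ == "__main__":
    print("RBAC alice delete:", rbac_allows("alice", "ticket:delete"))
    late = Request({"id": "bob", "department": "ticket-admin"}, {"owner": "alice"},
                   "ticket:delete", {"device_managed": True, "hour": 22})
    print("ABAC bob delete at 22:00:", abac_decide(late))
```

The trade-off the table hints at shows up in the code: the RBAC decision is cheap to audit (list the roles, list their permissions) but cannot see the device or the clock, while the ABAC decision can, at the cost of rules that need testing like any other code.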

8) Secure Architecture & Design

  • Principles: economy of mechanism, fail-safe defaults, complete mediation, open design, least privilege, separation, least common mechanism, psychological acceptability.
  • Zero Trust: verify explicitly, least privilege, assume breach, microsegmentation, continuous monitoring (PDP/PEP).
  • Enterprise patterns: tiered networks, SDN/SASE, service mesh, API gateways, message queues, immutable infrastructure.

9) Network Security (OSI lens)

  • Perimeter/edge: NGFW, IPS, DDoS protection, SWG/CASB.
  • Segmentation: VLANs, VRFs, ACLs, internal firewalls, microsegmentation.
  • Wireless: WPA3-Enterprise (802.1X/EAP-TLS), disable WPS, rogue/evil-twin detection.
  • Remote: IPsec (IKEv2, ESP), TLS VPN; split/full tunnel policy.
  • Security services: DNSSEC/DoT/DoH (context), NTP auth, email auth (SPF/DKIM/DMARC).

10) Cloud, Virtualization & Container Security

  • Shared responsibility: differs across IaaS/PaaS/SaaS.
  • Hardening: baseline images, CIS benchmarks, minimal packages, patching, CSPM (misconfig) & CWPP (workload).
  • Identity-first: least-privilege roles, short-lived creds, avoid long-lived keys; use KMS/HSM.
  • Containers/K8s: image signing, SCA/SAST, namespace/RBAC, network policies, secrets management, admission controllers, runtime policies (seccomp/AppArmor).
  • Multi-cloud: consistent guardrails, centralized logging/telemetry.

11) Data Security & Privacy

  • States: in use / in transit / at rest → apply appropriate controls (application-level, TLS, disk/db encryption).
  • DLP: endpoint, network, cloud; labeling & handling.
  • Privacy: minimization, purpose limitation, consent/DSARs, retention & disposal; roles (Controller vs Processor); pseudonymization vs anonymization.
  • Tokenization vs encryption vs hashing (reversibility & use cases).

12) SDLC, DevSecOps & Secure Coding

  • Shift-left: threat modeling (STRIDE, misuse cases), secure requirements, code reviews.
  • Pipelines: SAST, SCA (deps/SBOM), DAST, IaC scanning, image signing, artifact integrity.
  • Common vulns (OWASP style): injection, auth/session, access control, crypto failures, XXE, SSRF, deserialization, security misconfig, insufficient logging/monitoring.
  • Secure patterns: input validation, parameterized queries, output encoding, least-privileged DB/service accounts, errors without secrets.
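The "injection" item from the vulnerability list next to the "parameterized queries" and "input validation" patterns that fix it, on an in-memory SQLite table so it runs offline. The first lookup is deliberately the broken shape (input concatenated into SQL) and exists only to show the failure; the second is the corrected form. This is an added Python example, not code from the cheatsheet; the table, rows and the crafted input are constructed.

```python
"""String-built SQL vs a parameterized query, plus allow-list validation as a second layer.
Added example; the schema, rows and inputs are constructed."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "analyst"), ("bob", "admin"), ("carol", "analyst")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """DON'T: the value becomes part of the SQL grammar, so it can change the query's logic."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """DO: the driver passes the value out of band; it can only ever be compared as a string."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def validate_username(name: str) -> str:
    """Defense-in-depth, not a substitute for parameterization: allow-list and length cap."""
    if not (1 <= len(name) <= 32) or not all(c.isalnum() or c in "._-" for c in name):
        raise ValueError("invalid username")
    return name


def demo() -> dict:
    conn = make_db()
    # A value that should match no user; in the string-built query it rewrites the WHERE clause.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, crafted)),  # every row comes back
        "safe_rows": len(lookup_safe(conn, crafted)),              # nothing matches
        "normal_rows": len(lookup_safe(conn, "alice")),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized version needs no knowledge of what the input looks like; that is why it is the primary control and validation is the secondary one. The "least-privileged DB account" item in the same bullet is the third layer: even a successful injection can only do what the connection's account can do.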

13) Security Operations, Monitoring & Detection

  • Telemetry: logs, metrics, traces, NetFlow, EDR/XDR, DNS.
  • SIEM/UEBA: normalization, correlation, behavior analytics; tune to reduce noise.
  • SOAR: playbooks for triage/containment; case mgmt & ticketing.
  • Deception: honeypots, canaries, honey tokens; increase attacker cost.
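The "correlation" and "tune to reduce noise" items as one SIEM-style rule run over sample log lines: a sliding window counts failed logons per source, fires once the threshold is crossed, and escalates the alert if the same source then authenticates successfully inside the window (the pattern worth a human's attention, as opposed to a bare failure burst). This is an added Python example, not code from the cheatsheet; the log format and the lines are constructed.

```python
"""Per-source failed-logon burst correlation with escalation on a following success.
Added example; the syslog-like line format and SAMPLE_LOGS are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional
import re

LINE = re.compile(r"^(?P<ts>\S+) auth (?P<outcome>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOGS = """\
2024-01-10T09:00:01 auth FAIL user=alice src=10.0.0.5
2024-01-10T09:00:03 auth FAIL user=alice src=10.0.0.5
2024-01-10T09:00:04 auth FAIL user=bob src=10.0.0.5
2024-01-10T09:00:06 auth FAIL user=alice src=10.0.0.5
2024-01-10T09:00:07 auth FAIL user=carol src=10.0.0.5
2024-01-10T09:00:09 auth OK user=alice src=10.0.0.5
2024-01-10T09:30:00 auth FAIL user=dave src=10.0.0.9
2024-01-10T09:45:00 auth OK user=dave src=10.0.0.9
garbage line the parser must skip
""".splitlines()


def parse(line: str) -> Optional[dict]:
    """Normalization step: one shape for every event, unparseable lines dropped."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def _expire(q: Deque[datetime], now: datetime, window: timedelta) -> None:
    while q and now - q[0] > window:
        q.popleft()


def correlate(lines: List[str], threshold: int = 5,
              window: timedelta = timedelta(minutes=1)) -> List[dict]:
    """One alert per source when `threshold` failures land inside `window`; the alert is raised
    to high severity if that source logs in successfully while the burst is still in the window."""
    fails: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[dict] = []
    by_src: Dict[str, dict] = {}
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        q = fails[ev["src"]]
        _expire(q, ev["ts"], window)
        if ev["outcome"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in by_src:
                alert = {"src": ev["src"], "rule": "auth-fail-burst",
                         "severity": "medium", "first_seen": q[0], "count": len(q)}
                by_src[ev["src"]] = alert
                alerts.append(alert)
        elif len(q) >= threshold and ev["src"] in by_src:
            alert = by_src[ev["src"]]
            alert.update(rule="auth-fail-burst-then-success", severity="high", user=ev["user"])
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(a)
```

The two tunables are the noise controls the bullet talks about: raise `threshold` or shrink `window` and the single-failure source at 10.0.0.9 never surfaces, while the burst-then-success at 10.0.0.5 still does. Keeping one alert per source (rather than one per failure past the threshold) is the other half of noise reduction.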

14) Incident Response & Forensics

  • IR phases: Preparation → Identification → Containment → Eradication → Recovery → Lessons learned.
  • Containment before eradication; coordinate with legal/PR if needed.
  • Order of Volatility: CPU/Cache → RAM → Disk → Remote logs/cloud → Backups.
  • Forensics: chain of custody, hashing, time sync, write blockers, legal hold.

15) Business Continuity / Disaster Recovery

  • BIA → RTO/RPO drive solutions (active/active, warm/hot/cold).
  • Backups: full/incremental/differential; 3-2-1; test restores.
  • Continuity: alternate sites, DR runbooks, tabletop & functional exercises.
  • Single points of failure: identify & remove (N+1, multi-AZ/region).

16) Physical & Environmental

  • Controls: fences, gates, guards, CCTV, mantraps, locks, tamper seals, cable locks.
  • Safety: HVAC, hot/cold aisles, UPS/generators, fire classes (A/B/C/D/K) & agents (FM-200/inert gas), EMI/RFI shielding.
  • Media: sanitization per NIST; shredding, degauss (magnetic), crypto-erase (SSD).

17) Legal, Regulations, Compliance & Ethics

  • IP: copyright, patent, trademark, trade secret.
  • Computer crime: CFAA-like laws, anti-hacking statutes; always require authorization.
  • E-discovery/evidence: admissibility, chain of custody.
  • Regimes: GDPR, HIPAA, PCI DSS, SOX, GLBA, FedRAMP, etc.
  • Ethics: (ISC)² Code of Ethics canons (protect society; act honorably; provide diligent service; advance the profession).

18) Measurements, Assurance & Testing

  • Security testing: VA scanning vs Pen test (scope/ROE).
  • Assurance: design/implementation/operational assurance; formal methods (high assurance).
  • Metrics: KPI (performance), KRI (risk); leading vs lagging.
  • Audits: internal/external; types (SOC 1/2); independence and evidence.

19) Quick Contrasts (rapid recall)

  • RBAC (roles) vs ABAC (attributes/policy) vs MAC (labels) vs DAC (owner).
  • HMAC (integrity+auth) vs hash only (integrity).
  • Tokenization (reversible via vault) vs hashing (one-way) vs encryption (two-way).
  • WAF (L7 app attacks) vs NGFW (L3-7 policy/IPS).
  • Scan (identify breadth) vs Pen test (exploit to prove impact).
  • Hot site (near-zero RTO) vs Warm (hours) vs Cold (days).
  • Fail-closed (secure) vs Fail-open (available).

20) Exam Heuristics (how to choose)

  • Favor least privilege, defense-in-depth, secure-by-default.
  • Pick preventive, auditable, scalable controls aligned to policy and risk appetite.
  • In IR scenarios: contain → eradicate → recover, preserve evidence when policy dictates.
  • In IAM scenarios: prefer MFA, federation/SSO, JIT/PIM over static admin.
  • In cloud scenarios: respect shared responsibility, deny-by-default, least-privilege roles, managed services.
  • If two answers work, pick the one with lower risk and better governance.
