CISSP — Frequently Asked Questions (Deep-Dive)

What is the CISSP and who is it for?

The Certified Information Systems Security Professional (CISSP) validates broad, practice-based knowledge for architects, engineers, managers, and senior practitioners. It emphasizes risk-based decisions, governance, secure architecture/engineering, operations/IR, and software development security.

What are the 8 CBK domains?

1. Security & Risk Management
2. Asset Security
3. Security Architecture & Engineering
4. Communication & Network Security
5. Identity & Access Management (IAM)
6. Security Assessment & Testing
7. Security Operations
8. Software Development Security

Depth expectation: judgment over trivia. Most items are scenario-framed (“What should the security architect recommend…?”), not rote recall.

Do I need prior experience to become CISSP certified?

Yes—typically 5 years cumulative, paid, full-time experience across the 8 domains (one year waiver possible with certain degrees/credentials). If you pass the exam without the required experience, you may become an Associate of (ISC)² until you complete it.

What’s the exam format and scoring mindset?

Items are multiple-choice plus some advanced/innovative formats (e.g., drag-and-drop, hotspot). Language and delivery can affect the exact format. Focus on consistent, risk-aware decisions rather than chasing a specific item count. Think like an architect/manager: preventive, auditable, scalable.

How is CISSP different from Security+ or CySA+?

• Security+ = baseline breadth; CISSP = leadership/architecture breadth-with-judgment.
• CySA+ = analyst detection/response; CISSP = program/architecture, governance, and lifecycle security decisions.

How should I study (and for how long)?

Typical plans run 6–10 weeks (longer if you’re new to several domains). A sensible cadence:

• Mon–Fri: 45–60 min reading + 20–25 mixed questions
• Sat: Case studies & notes → convert misses to 2-bullet rules
• Sun: Light review + quick drill on weak areas
• Final 2 weeks: at least two full mocks with thorough post-mortems

What’s a good way to use practice questions?

Use practice to pressure-test judgment, not memorize keys:

• After each set: for every miss, write two bullets: (1) why your choice was wrong, (2) why the right option aligns to policy/risk/architecture.
• Re-test the same theme within 24–48 hours (spaced repetition).

What heuristics should I use to choose answers?

• Prefer least privilege, defense-in-depth, and secure-by-default.
• Pick preventive and auditable controls that scale with policy and risk appetite.
• In IR: contain → eradicate → recover, preserve evidence if required.
• In IAM: avoid standing admin—use MFA, JIT/PIM, logging/session recording.
• In cloud: respect shared responsibility; deny-by-default; least-privilege roles; managed services; centralized keys (HSM/KMS).

What risk and BCP/DR math should I know?

Memorize the basics and when to apply them:

\[ \text{SLE} = \text{Asset Value (AV)} \times \text{Exposure Factor (EF)} \\ \text{ALE} = \text{SLE} \times \text{Annualized Rate of Occurrence (ARO)} \]

• Treatments: Mitigate, Transfer, Avoid, Accept (document exceptions).
• BIA outputs: RTO (time to restore), RPO (acceptable data loss). Drive strategy: hot/warm/cold sites, backups (3-2-1), tests.

What security models should I recognize—and when?

• Bell-LaPadula (confidentiality; no read up, no write down).
• Biba (integrity; no read down, no write up).
• Clark-Wilson (well-formed transactions, SoD).
• Brewer-Nash (Chinese Wall; conflict of interest).
• Common Criteria (assurance; EALs).
  Pick models that fit the business objective (e.g., BLP for classified data; Biba for manufacturing integrity).

IAM confusion: SAML vs OAuth vs OIDC vs Kerberos?

• SAML = web SSO via XML assertions between IdP and SP.
• OAuth 2.0 = delegation (authorize an app to access a resource).
• OIDC = authentication on top of OAuth (JSON ID token).
• Kerberos = ticket-based auth in AD realms (TGT/TGS).
  RBAC for roles; ABAC for context (attributes, policy); MAC for labels; DAC for owner decisions.

Crypto & PKI essentials for CISSP decisions

• Hashing: integrity (SHA-256/512); HMAC adds origin auth.
• Symmetric: AES (GCM preferred for AEAD).
• Asymmetric: RSA/ECC; ECDHE for forward secrecy.
• PKI: root→intermediate→leaf; revocation with OCSP/CRL (stapling when possible).
• TLS 1.3: ephemeral key exchange + AEAD suites; avoid legacy ciphers; enable HSTS.

Cloud & container security—what should I emphasize?

• Shared responsibility varies by IaaS/PaaS/SaaS—know the boundary.
• Use CSPM/CWPP for posture/workloads, CASB for SaaS.
• Least-privilege IAM, short-lived credentials, secret vaults, strong KMS/HSM practices.
• Containers/K8s: signed minimal images, SCA/SAST/IaC scanning, RBAC, network policies, admission controls, runtime rules (seccomp/AppArmor).

How does CISSP view assessment vs testing?

• Security assessment & testing (Domain 6) includes: metrics, log reviews, vulnerability scanning, pen testing (with authorization), and audit activities.
• Distinguish scan (breadth, findings/CVSS) vs pen test (authorized exploitation to prove impact). Always consider scope/ROE and business risk.

What operations & IR details matter most?

• Monitoring/telemetry: SIEM + UEBA + EDR/XDR; tune to reduce noise.
• IR phases: Preparation → Identification → Containment → Eradication → Recovery → Lessons learned.
• Forensics: order of volatility (CPU/Cache → RAM → Disk → Remote logs → Backups), chain of custody, hashing, time sync, legal hold.

What about legal/privacy/ethics?

• Understand policy/standard/procedure/guideline hierarchy and governance alignment.
• Recognize privacy principles (minimization, purpose limitation, consent/DSARs, retention, roles like Controller/Processor).
• Know the (ISC)² Code of Ethics canons and apply them in scenario choices (protect society, act honorably, provide diligent service, advance the profession).

What happens after I pass—endorsement, AMF, and CPEs?

• You’ll submit endorsement (work experience attestation) and agree to the Code of Ethics.
• Maintain the cert via CPEs (continuing professional education) and an annual maintenance fee. Track learning, projects, training, and community contributions.

How should I build a tiny CISSP lab?

• Architecture/Risk: draw data flows, trust boundaries, and classify data.
• IAM: try a small SSO/OIDC demo with a dev IdP; practice role vs attribute policies.
• Crypto/PKI: generate a lab CA, issue a leaf cert, verify chains/OCSP.
• Ops/IR: set up a syslog stack (open-source) and practice alert triage → containment decisions.

Exam-day tactics (mindset & pacing)

• First pass fast; flag time sinks.
• Read the final ask before parsing a long stem.
• Eliminate options that violate policy, least privilege, defense-in-depth, or operability.
• Prefer answers that are preventive, auditable, and aligned to business risk—not the coolest tool.
• Change an answer only with new evidence from later items.

Quick readiness checklist

• I can articulate policy→standard→procedure and key roles (owner, custodian, steward, DPO).
• I can compute SLE/ALE and choose mitigate/transfer/avoid/accept with rationale.
• I can map RBAC/ABAC/MAC/DAC to scenarios and justify least privilege.
• I can pick appropriate crypto/PKI/TLS options and spot weak configurations.
• I can design segmented, zero-trust-leaning architectures in prose.
• I can distinguish scan vs pen test, outline IR phases, and defend evidence handling.
• I’ve completed at least two full mocks and converted misses into 2-bullet rules.

What next?
Head to the Syllabus for domain objectives, keep the Cheatsheet open while drilling, and launch Practice for timed scenarios and full mocks.