CISSP Overview — Format, What’s Tested & How to Prepare

Everything you need to know before sitting the CISSP: exam mindset and format, who it is for, the 8 CBK domains, a readiness checklist, a 6–10 week study plan, and decision heuristics that match the exam's architect/manager focus.

Exam snapshot

  • Certification: CISSP — Certified Information Systems Security Professional
  • Audience: Security architects/engineers, senior analysts, managers, consultants, and aspirants targeting leadership roles
  • Experience target: 5 years of cumulative, paid, full-time experience across 2+ CBK domains (a one-year waiver is available for a qualifying degree or an approved credential)
  • Format mindset: Judgment-heavy, scenario-driven questions that reward risk-based, policy-aligned, preventive & auditable decisions

Study funnel: Read this Overview → work the Syllabus domain-by-domain → keep the Cheatsheet open for contrasts → validate with Practice.


What CISSP measures (8 CBK domains)

  1. Security & Risk Management — Governance stack (policy→standard→procedure), ethics, risk treatments, BCP/DR math (RTO/RPO), compliance & privacy.
  2. Asset Security — Classification, ownership/stewardship, data handling and retention, masking/tokenization.
  3. Security Architecture & Engineering — Principles (least privilege, fail-safe defaults, complete mediation), models (Bell-LaPadula, Biba, Clark-Wilson), crypto/PKI, hardware/firmware security.
  4. Communication & Network Security — Segmentation/microsegmentation, secure protocols, wireless, zero-trust patterns, secure remote access.
  5. Identity & Access Management (IAM) — Federation/SSO (SAML/OAuth/OIDC), RBAC vs ABAC vs MAC/DAC, provisioning, PAM/JIT, Kerberos/LDAP.
  6. Security Assessment & Testing — Metrics, logging, vulnerability scanning vs penetration testing, audits, assurance.
  7. Security Operations — Monitoring (SIEM/UEBA/EDR), IR phases, evidence handling & forensics basics, continuity, supply chain, investigations.
  8. Software Development Security — SDLC/DevSecOps, threat modeling, SAST/SCA/DAST, secure coding and build/signing/IaC controls.

Readiness checklist (be honest)

  • I can articulate policy → standard → baseline → procedure → guideline and key roles (Owner, Custodian, Steward, DPO).
  • I choose controls using risk appetite, least privilege, and defense-in-depth—not just “more security.”
  • I can compute SLE/ALE and pick mitigate / transfer / avoid / accept with rationale.
  • I map RBAC/ABAC/MAC/DAC to scenarios and justify PAM/JIT for admins.
  • I can pick sound crypto/PKI/TLS options and spot weak configurations.
  • I design segmented, zero-trust-leaning network/cloud architectures in prose.
  • I distinguish scan vs pen test, outline IR phases, and respect evidence handling.

If fewer than ~6 boxes are checked, slow down: rework the Cheatsheet sections + targeted drills before full mocks.
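The SLE/ALE box above is the one candidates most often tick without ever having carried the arithmetic through to a treatment decision. The following is an added worked example (not code from this page): it computes SLE and ALE, then scores mitigate / transfer / avoid / accept with the cost-benefit rule the exam expects (value of safeguard = ALE before − ALE after − annual cost of safeguard). The asset value, exposure factors, occurrence rates and safeguard costs are constructed numbers chosen for illustration.

```python
"""Quantitative risk arithmetic as the exam frames it, added here as an illustration
(not code from the page). The asset value, exposure factors, rates and safeguard
costs below are constructed numbers, not data from any real assessment.

  SLE = AV * EF                  single loss expectancy
  ALE = SLE * ARO                annualized loss expectancy
  safeguard value = ALE_before - ALE_after - annual cost of safeguard
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF, fraction of AV lost per occurrence (0..1)
    aro: float               # annualized rate of occurrence (events per year)

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Treatment:
    name: str
    kind: str            # one of "mitigate", "transfer", "avoid", "accept"
    annual_cost: float   # annualized cost of the safeguard (ACS); 0 for accept
    residual: Risk       # the risk that remains once the treatment is in place


def safeguard_value(before: Risk, t: Treatment) -> float:
    """Net annual benefit; a negative number means the control costs more than it saves."""
    return before.ale - t.residual.ale - t.annual_cost


def choose_treatment(before: Risk, options: list[Treatment]) -> Treatment:
    """Cost-benefit rule: take the option with the highest net value.

    'accept' always scores 0, so anything chosen over it must actually pay for itself.
    """
    return max(options, key=lambda t: safeguard_value(before, t))


# Constructed scenario: a customer database worth 800k, ransomware expected every two years
BASELINE = Risk(asset_value=800_000, exposure_factor=0.25, aro=0.5)     # SLE 200k, ALE 100k

OPTIONS = [
    Treatment("do nothing", "accept", 0, BASELINE),
    Treatment("EDR + immutable backups", "mitigate", 25_000,
              Risk(800_000, exposure_factor=0.05, aro=0.5)),              # ALE 20k -> value 55k
    Treatment("cyber-insurance policy", "transfer", 30_000,
              Risk(800_000, exposure_factor=0.10, aro=0.5)),              # ALE 40k -> value 30k
    Treatment("retire the system", "avoid", 90_000,
              Risk(0, exposure_factor=0, aro=0)),                          # ALE 0  -> value 10k
]


def decision_table(before: Risk = BASELINE, options: list[Treatment] = OPTIONS) -> dict:
    """{treatment name: net value}; the exam wants the rationale, not just the pick."""
    return {t.name: safeguard_value(before, t) for t in options}


if __name__ == "__main__":
    print(f"SLE={BASELINE.sle:,.0f}  ALE={BASELINE.ale:,.0f}")
    for name, value in decision_table().items():
        print(f"{name:28} net value {value:>10,.0f}")
    print("chosen:", choose_treatment(BASELINE, OPTIONS).kind)
```

Two things to notice when you write the rationale: "avoid" is not automatically the safest answer, because its cost (here, the revenue the retired system no longer earns) is charged against it like any other safeguard; and "transfer" leaves residual ALE behind (deductibles, uncovered losses), which is why it scores below a well-priced mitigation in this scenario.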


Compact 6–10 week plan

Weeks 1–2 — Governance & Architecture

  • SRM, Asset Security, BIA/BCP math; Architecture principles & security models; crypto/PKI basics
  • Daily: 20–25 mixed questions focused on risk & architecture

Weeks 3–4 — Networks, IAM & Cloud

  • Segmentation, secure protocols/wireless/remote access; IAM (SAML/OAuth/OIDC, RBAC/ABAC, PAM/JIT); cloud/shared responsibility
  • Lab: design a zero-trust sketch (IdP → PDP/PEP → segmented resources)
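For the zero-trust lab and the RBAC/ABAC mapping, it helps to see the IdP → PDP/PEP → segmented resource path as something executable rather than a diagram. The block below is an added example (not code from this page or from any product): IdP claims are modelled as a Subject, a Policy Decision Point applies an RBAC gate plus ABAC gates that tighten with data classification, and a per-segment Policy Enforcement Point logs every verdict and fails closed. The claim names, resource labels, segments and rules are assumptions chosen for illustration; network location is recorded but deliberately never trusted.

```python
"""Zero-trust request path in miniature: IdP claims -> PDP -> PEP -> segmented resource.

Added example, not code from the page. The claim names, resource labels,
segments and policy rules are assumptions chosen for illustration; a real
deployment sources them from the IdP token and a device-posture service.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Subject:
    """What the IdP asserts about the caller (constructed token claims)."""
    user: str
    roles: frozenset
    mfa: bool
    device_compliant: bool
    network_zone: str  # "corp", "vpn", "internet": recorded for audit, never trusted by policy


@dataclass(frozen=True)
class Resource:
    name: str
    segment: str            # network segment the resource lives in
    classification: str     # "public" < "internal" < "confidential" < "restricted"
    allowed_roles: frozenset


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def pdp_evaluate(subject: Subject, resource: Resource, action: str) -> Decision:
    """Policy Decision Point: verify explicitly on every request.

    RBAC gate: the subject must hold a role entitled to the resource.
    ABAC gates: MFA and device-posture requirements scale with classification.
    network_zone is deliberately unused: the corporate LAN or VPN earns no trust,
    which is the zero-trust contrast with perimeter models.
    """
    reasons = []
    rank = CLASS_RANK[resource.classification]  # unknown label raises -> PEP fails closed
    if not subject.roles & resource.allowed_roles:
        reasons.append("role not entitled to resource")
    if rank >= CLASS_RANK["internal"] and not subject.mfa:
        reasons.append("MFA required for internal data and above")
    if rank >= CLASS_RANK["confidential"] and not subject.device_compliant:
        reasons.append("compliant device required for confidential data and above")
    if rank >= CLASS_RANK["restricted"] and action == "write" and "admin" not in subject.roles:
        reasons.append("writes to restricted data require the (JIT-elevated) admin role")
    return Decision(allow=not reasons, reasons=reasons)


class PolicyEnforcementPoint:
    """Fronts one segment: asks the PDP, logs every verdict (auditable), fails closed."""

    def __init__(self, segment: str):
        self.segment = segment
        self.audit_log: list = []

    def access(self, subject: Subject, resource: Resource, action: str) -> bool:
        if resource.segment != self.segment:
            decision = Decision(False, ["request reached the wrong segment's PEP"])
        else:
            try:
                decision = pdp_evaluate(subject, resource, action)
            except Exception as exc:  # any PDP failure denies rather than allows
                decision = Decision(False, [f"pdp error: {exc!r}"])
        verdict = "ALLOW" if decision.allow else "DENY"
        self.audit_log.append(
            f"{verdict} user={subject.user} zone={subject.network_zone} action={action} "
            f"resource={resource.segment}/{resource.name} reasons={decision.reasons}"
        )
        return decision.allow


# Constructed inventory and callers
WIKI = Resource("wiki", "office", "internal", frozenset({"analyst", "hr", "admin"}))
HR_DB = Resource("hr_db", "data", "confidential", frozenset({"hr", "admin"}))
VAULT = Resource("vault", "crown", "restricted", frozenset({"admin"}))

ALICE = Subject("alice", frozenset({"analyst"}), mfa=True, device_compliant=True, network_zone="internet")
BOB = Subject("bob", frozenset({"hr"}), mfa=False, device_compliant=True, network_zone="corp")
CAROL = Subject("carol", frozenset({"admin"}), mfa=True, device_compliant=False, network_zone="vpn")
CAROL_JIT = Subject("carol", frozenset({"admin"}), mfa=True, device_compliant=True, network_zone="vpn")


def run_scenarios() -> dict:
    """Return {scenario: allowed} so the outcomes can be inspected or asserted."""
    pep_office = PolicyEnforcementPoint("office")
    pep_data = PolicyEnforcementPoint("data")
    pep_crown = PolicyEnforcementPoint("crown")
    return {
        "alice_reads_wiki_from_internet": pep_office.access(ALICE, WIKI, "read"),    # True: role + MFA
        "alice_reads_hr_db": pep_data.access(ALICE, HR_DB, "read"),                  # False: not entitled
        "bob_reads_hr_db_from_corp_lan": pep_data.access(BOB, HR_DB, "read"),        # False: no MFA; LAN earns nothing
        "carol_reads_vault_noncompliant": pep_crown.access(CAROL, VAULT, "read"),    # False: device posture
        "carol_writes_vault_jit": pep_crown.access(CAROL_JIT, VAULT, "write"),       # True: JIT admin
        "vault_request_hits_office_pep": pep_office.access(CAROL_JIT, VAULT, "read"),# False: segmentation
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:34} -> {'ALLOW' if allowed else 'DENY'}")
```

The scenario to dwell on is bob: entitled by role, sitting on the corporate LAN, and still denied because the policy verifies MFA rather than location. That single contrast (attribute verified explicitly vs. trust inherited from the network) is what most zero-trust exam items are probing; the segment check on the PEP shows why a correct PDP decision still needs enforcement in front of each segment rather than one gateway at the edge.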

Weeks 5–6 — Ops/IR & Assessment/Testing

  • Monitoring (SIEM/UEBA/EDR), IR phases, evidence handling; scanning vs pentesting; assurance & audits
  • Case work: turn every miss into two bullets (why wrong, why right)

Weeks 7–8+ — Software Security & Polishing

  • SDLC/DevSecOps (SAST/SCA/DAST, signing, IaC), supply chain; two full mocks with deep post-mortems
  • Shore up weak domains; repeat targeted drills within 24–48 hours (spaced repetition)

High-yield heuristics (match the exam’s voice)

  • Choose preventive, auditable, scalable controls aligned with policy and risk.
  • Architect first: segment, minimize trust, verify explicitly, monitor continuously.
  • Operations: during incidents, contain → eradicate → recover; preserve evidence per policy.
  • IAM: prefer MFA, federation/SSO, and JIT/PAM over standing admin.
  • Cloud: respect shared responsibility; least-privilege roles; managed services; central keys (HSM/KMS).
  • If two options work, pick the one with lower risk and better governance.

  • Syllabus: domain objectives & quick links → Open
  • Cheatsheet: high-yield contrasts & decision rules → Open
  • Practice: timed scenarios & full mocks → Start