CISSP Resources — Official References, Frameworks, Tools & Lab Ideas

Use this page as your launchpad. Pair it with the Syllabus, Cheatsheet, and Practice.

ISC2 official

• CISSP exam page — outline, pricing, languages, scheduling
  https://www.isc2.org/certifications/cissp
• Exam outline / CBK domains — official blueprint
  https://www.isc2.org/certifications/cissp/exam-outline
• Candidate information — policies, accommodations, ID requirements
  https://www.isc2.org/certifications/candidate-information-bulletin
• Endorsement & experience — post-exam process
  https://www.isc2.org/endorsement
• CPEs & AMF — maintain your certification
  https://www.isc2.org/members/cpe-credits
• Pearson VUE scheduling — test center or online proctoring
  https://home.pearsonvue.com/isc2

Governance, risk & compliance (GRC)

• NIST Cybersecurity Framework (CSF)
  https://www.nist.gov/cyberframework
• NIST Risk Management Framework (RMF) (SP 800-37) & Risk Assessment (SP 800-30)
  https://csrc.nist.gov/projects/risk-management
• NIST SP 800-53 (controls catalog)
  https://csrc.nist.gov/publications/sp
• ISO/IEC 27001/27002 — ISMS & control practices
  https://www.iso.org/isoiec-27001-information-security.html
• CIS Critical Security Controls
  https://www.cisecurity.org/controls
• SOC 2 / Trust Services Criteria (AICPA)
  https://www.aicpa-cima.com/resources/article/soc-2-faq

Architecture, zero trust & design principles

• NIST SP 800-207 — Zero Trust Architecture
  https://csrc.nist.gov/publications/detail/sp/800-207/final
• Common Criteria / Protection Profiles
  https://www.commoncriteriaportal.org/
• Microsoft SDL practices (reference)
  https://www.microsoft.com/en-us/securityengineering/sdl

Identity, access & federation

• NIST SP 800-63 Digital Identity Guidelines
  https://pages.nist.gov/800-63-3/
• SAML (OASIS), OAuth 2.0, OpenID Connect
  https://docs.oasis-open.org/security/saml/ • https://oauth.net/2/ • https://openid.net/connect/
• SCIM (provisioning)
  https://www.simplecloud.info/

Cryptography, PKI & TLS

• TLS 1.3 (RFC 8446)
  https://datatracker.ietf.org/doc/rfc8446/
• NIST SP 800-57 (key management), SP 800-38 series (modes; GCM in 38D)
  https://csrc.nist.gov/projects/cryptography
• PKI basics & revocation (OCSP/CRL) (Let’s Encrypt docs)
  https://letsencrypt.org/docs/
• OpenSSL / GnuPG manuals
  https://www.openssl.org/docs/ • https://gnupg.org/documentation/

Networking, application security & secure coding

• OWASP Top 10, Cheat Sheet Series, ASVS, SAMM
  https://owasp.org/www-project-top-ten/ • https://cheatsheetseries.owasp.org/ • https://owasp.org/www-project-asvs/ • https://owasp.org/www-project-samm/
• IETF BCP 38 (anti-spoofing)
  https://datatracker.ietf.org/doc/bcp38/

Cloud, virtualization & containers

• Shared responsibility models
  • AWS: https://aws.amazon.com/compliance/shared-responsibility-model/
  • Azure: https://learn.microsoft.com/azure/security/fundamentals/shared-responsibility
  • Google Cloud: https://cloud.google.com/security/shared-responsibility
• CSA CCM / CAIQ / Guidance (Cloud Security Alliance)
  https://cloudsecurityalliance.org/
• CIS Benchmarks (secure baselines)
  https://www.cisecurity.org/cis-benchmarks
• Kubernetes security (RBAC, admission, network policies)
  https://kubernetes.io/docs/concepts/security/

Operations, monitoring, IR & forensics

• NIST SP 800-61 — Computer Security Incident Handling Guide
  https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
• NIST SP 800-86 — Integrating Forensics Techniques
  https://csrc.nist.gov/publications/detail/sp/800-86/final
• SANS DFIR posters & resources
  https://www.sans.org/posters/
• BIA/BCP/DR — NIST SP 800-34 Rev.1
  https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final

Privacy & legal references

• GDPR — official portal
  https://gdpr.eu/
• ISO/IEC 27701 — Privacy Information Management
  https://www.iso.org/standard/71670.html
• HIPAA Security Rule summary (HHS)
  https://www.hhs.gov/hipaa/for-professionals/security/index.html
• Electronic discovery & evidence primers (NIST)
  https://www.nist.gov/itl/ssd/cybersecurity

Tools to recognize (open-source / free tiers)

• Recon & scanning: Nmap, OpenVAS/Nessus (community/learners)
  https://nmap.org/ • https://www.openvas.org/
• Traffic & logs: Wireshark, Zeek, tcpdump, Elastic Stack (ELK)
  https://www.wireshark.org/ • https://zeek.org/
• Web testing: OWASP ZAP, Burp (community)
  https://www.zaproxy.org/ • https://portswigger.net/burp/communitydownload
• Exploitation (lab only): Metasploit Framework
  https://www.metasploit.com/
• Endpoint/Windows triage: Sysinternals (ProcMon, Autoruns, TCPView)
  https://learn.microsoft.com/sysinternals/
• Forensics: Volatility, Autopsy/Sleuth Kit
  https://www.volatilityfoundation.org/ • https://www.sleuthkit.org/autopsy/
• Crypto toolchains: OpenSSL, GPG
  https://www.openssl.org/ • https://gnupg.org/

Safe hands-on lab ideas

• Zero trust sketch: draw data flows, trust boundaries, and PDP/PEP decisions; propose segmentation/microsegmentation and least-privilege IAM.
• PKI/TLS drill: create a lab CA, issue a leaf cert, enable OCSP stapling on a local web server, verify chains with openssl s_client.
• SIEM mini-SOC: forward logs to ELK; practice alert triage → containment vs eradication; document evidence and chain of custody.
• Cloud posture sandbox: apply CIS Benchmarks; test KMS/HSM-backed encryption, short-lived credentials, and basic CSPM checks.
• Secure coding pipeline: run SAST/SCA/DAST against a demo app (e.g., OWASP Juice Shop) and implement allow-listing + parameterized queries.

Always follow laws, scope/ROE, and ethics. Keep testing in isolated labs only.

Study funnel (pair these with your plan)

• Syllabus: 8-domain CBK objectives → Open
• Cheatsheet: high-yield contrasts & decision heuristics → Open
• Practice: timed scenarios & full mocks → Start
• Overview: exam mindset & 6–10 week plan → Read