CISSP Syllabus — Objectives by the 8 CBK Domains

Blueprint-aligned learning objectives for CISSP, organized by the eight CBK domains with quick links to targeted practice.

Use this syllabus as your source of truth for CISSP. Work through each domain in order and drill targeted sets after every section.

What’s covered

Security and Risk Management (15%)

Practice this topic →

Governance, Compliance & Security Principles

  • Differentiate governance, management, and operations; map roles (board, CISO, DPO, system owner).
  • Contrast security principles: CIA triad, due care/due diligence, least privilege, separation of duties, need-to-know.
  • Align policies, standards, procedures, and guidelines; place them in a control hierarchy.
  • Identify sources of legal and regulatory requirements (privacy, sectoral regs, cross-border data transfer).
  • Explain compliance frameworks (ISO/IEC 27001, NIST CSF/800-53, SOC 2) and control mapping.
  • Distinguish administrative, technical, and physical controls; preventive, detective, corrective, deterrent, recovery, directive, compensating.

Risk Concepts, Assessment & Treatment

  • Compute SLE (= asset value × exposure factor), ARO, and ALE (= SLE × ARO); differentiate qualitative vs quantitative risk analysis and when to use each.
  • Apply risk frameworks (ISO/IEC 27005, NIST RMF); walk the RMF steps prepare → categorize → select → implement → assess → authorize → monitor.
  • Perform risk identification using threat catalogs and asset/process maps; document assumptions and uncertainties.
  • Select treatment options: avoid, accept, mitigate, transfer; define residual risk and risk appetite/tolerance.
  • Prioritize controls with cost-benefit and business impact; articulate trade-offs to stakeholders.
  • Integrate third-party/supply-chain risk (TPRM), SLAs, and continuous monitoring into the risk register.
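The quantitative calculations in this section, carried through as an added worked example (not part of the CISSP CBK or this syllabus's practice sets). The asset value, exposure factor, frequency and control costs are constructed figures; the insurance option is modelled as reducing the loss borne rather than the incident rate, which is a simplification.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and control cost-benefit.

Added worked example for this syllabus. The asset values, exposure factors,
frequencies and control costs below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: replacement/business value in currency units
    exposure_factor: float  # EF: fraction of AV lost per incident (0.0-1.0)
    aro: float              # ARO: expected incidents per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # amortised purchase plus yearly operating cost
    aro_reduction: float      # fraction by which ARO drops (0.0-1.0)
    ef_reduction: float = 0.0 # fraction by which EF drops (0.0-1.0)

    def apply(self, r: Risk) -> Risk:
        """Residual risk after the control is in place."""
        return Risk(r.name, r.asset_value,
                    r.exposure_factor * (1 - self.ef_reduction),
                    r.aro * (1 - self.aro_reduction))


def control_value(r: Risk, c: Control) -> float:
    """Net annual benefit = ALE before - ALE after - annual control cost.
    Positive: the control pays for itself. Negative: accepting (or otherwise
    treating) the risk is cheaper than this mitigation."""
    return r.ale - c.apply(r).ale - c.annual_cost


def rank_controls(r: Risk, controls):
    """Treatment decision support: (net value, control name), best first."""
    scored = [(control_value(r, c), c) for c in controls]
    return [(round(v, 2), c.name) for v, c in sorted(scored, key=lambda t: -t[0])]


# Constructed scenario: a customer database valued at 2,000,000, where a
# ransomware incident destroys 40% of its value and is expected every 2 years.
DB_RANSOMWARE = Risk("customer DB / ransomware", 2_000_000, 0.40, 0.5)
CANDIDATES = [
    Control("immutable offline backups", 60_000, aro_reduction=0.0, ef_reduction=0.75),
    Control("EDR + MFA everywhere", 150_000, aro_reduction=0.6),
    # Transfer: modelled here as halving the loss borne by the organisation.
    Control("cyber insurance (transfer)", 90_000, aro_reduction=0.0, ef_reduction=0.5),
    Control("gold-plated DLP suite", 500_000, aro_reduction=0.2),
]

if __name__ == "__main__":
    print(f"SLE={DB_RANSOMWARE.sle:,.0f}  ALE={DB_RANSOMWARE.ale:,.0f}")
    for value, name in rank_controls(DB_RANSOMWARE, CANDIDATES):
        print(f"{value:>12,.0f}  {name}")
```

The ranking is the point to take into the exam and into budget discussions: the DLP suite reduces ALE, yet its net value is negative, so buying it would be spending more than the risk costs.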

Business Continuity, DR & Resilience

  • Conduct Business Impact Analysis (BIA): identify critical processes, MTD, RTO/RPO, dependencies and single points of failure.
  • Design recovery strategies (cold/warm/hot sites, active-active, pilot light) and data protection tiers (snapshots, replication).
  • Develop and version BC/DR plans; define roles, invocation criteria, runbooks, and communications.
  • Apply redundancy and resilience patterns (N+1, fault domains, geo-redundancy, chaos testing) to meet objectives.
  • Plan tabletop/walkthrough/full-interruption tests; capture lessons learned and update artifacts.
  • Address continuity for cloud/SaaS (shared responsibility), vendor viability, exit strategies, escrow.

Professional Ethics, Privacy & Security Awareness

  • Apply (ISC)² Code of Ethics to conflicts, investigations, and whistleblowing scenarios.
  • Differentiate privacy principles (data minimization, purpose limitation, DPIA) and roles (controller/processor).
  • Choose consent vs legitimate interest; handle data subject rights and retention/erasure requests.
  • Design awareness programs: role-based training, phishing simulations, KPI/OKR measurement.
  • Document incident evidence handling requirements (legal hold, chain of custody) at a policy level.
  • Recognize export controls, IP licensing, and acceptable use issues in typical case studies.

Asset Security (10%)

Practice this topic →

Information Classification & Handling

  • Design a data classification scheme (public, internal, confidential, secret) with handling rules.
  • Map classification to controls: encryption, access, monitoring, tagging/labeling, DLP policies.
  • Define ownership (data owner, custodian, steward) and accountability boundaries.
  • Implement retention schedules and defensible deletion in line with legal/regulatory needs.
  • Select media sanitization methods (clear, purge, destroy) based on risk and media type.
  • Integrate classification into SDLC, CI/CD, and collaboration platforms (labels, sensitivity metadata).

Asset Lifecycle & Inventory

  • Build end-to-end asset lifecycle (acquire → baseline → operate → dispose) with configuration baselines.
  • Maintain accurate inventories (CMDB, SBOM for software) and ownership for devices, keys, and data sets.
  • Apply secure provisioning for endpoints and cloud resources (gold images, policy as code).
  • Track software licensing and third-party components; handle OSS license obligations.
  • Use data discovery and cataloging tools to locate sensitive data at rest/in motion/in use.
  • Plan secure decommissioning workflows including key escrow and certificate revocation.

Data Security Controls

  • Choose encryption at rest/in transit/in use; compare symmetric, asymmetric, and hybrid schemes.
  • Apply tokenization, masking, and anonymization/pseudonymization; assess re-identification risks.
  • Deploy DLP: network, endpoint, cloud; tune rules to reduce false positives while meeting policy.
  • Enforce access via RBAC/ABAC/MAC/DAC aligned to classification and segregation of duties.
  • Implement key management basics: generation, distribution, rotation, escrow, destruction.
  • Monitor data exfiltration paths (e.g., cloud sync, email, removable media) and define response.

Physical & Environmental Security (Asset Context)

  • Relate site selection, secure areas, and equipment safety to data/asset protection outcomes.
  • Apply visitor controls, mantraps, CCTV, and monitoring with privacy and retention constraints.
  • Protect against environmental hazards (HVAC, fire suppression types, EMI, ESD).
  • Secure off-site assets: remote work, field devices, and portable media handling.
  • Plan chain-of-custody for movement and storage of sensitive media.
  • Coordinate with facilities for incident scenarios (power loss, flood, building access).

Security Architecture and Engineering (13%)

Practice this topic →

Security Models, Concepts & Design Principles

  • Compare models (Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash/Chinese Wall) and where each applies.
  • Apply design principles: least privilege, fail-secure, economy of mechanism, defense-in-depth, zero trust.
  • Evaluate trust boundaries, TCB, attack surface, and privilege boundaries in reference architectures.
  • Differentiate security domains: user mode vs kernel mode; process isolation and memory protection.
  • Assess virtualization and container isolation trade-offs (hypervisor types, namespaces, cgroups).
  • Document threat modeling outputs (STRIDE, LINDDUN) and mitigation mapping.
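The Bell-LaPadula and Biba rules above, as an added runnable example (not from the CBK or this syllabus): a label lattice with levels and compartments, the dominance relation, and the two models' read/write rules side by side so their mirror-image structure is visible. Level names, compartments and the subjects/objects are constructed.

```python
"""Mandatory access control decisions under Bell-LaPadula (confidentiality)
and Biba (integrity) over a label lattice with compartments.

Added worked example for this syllabus; the levels, compartments and the
subjects/objects below are constructed for illustration.
"""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """L1 dominates L2 iff level(L1) >= level(L2) and the compartments of
        L2 are a subset of those of L1. Labels with disjoint compartments are
        incomparable: neither dominates the other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula: simple security property (no read up) and *-property
    (no write down). 'readwrite' needs both, i.e. equal labels."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    if op == "readwrite":
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba strict integrity: simple integrity (no read down) and
    *-integrity (no write up). The rules mirror BLP because the label now
    measures trustworthiness rather than secrecy."""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    if op == "readwrite":
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


# Constructed subjects/objects. Compartments matter: a SECRET analyst without
# the CRYPTO compartment may not read a CONFIDENTIAL/CRYPTO memo.
ANALYST = Label("SECRET", frozenset({"NUCLEAR"}))
CRYPTO_MEMO = Label("CONFIDENTIAL", frozenset({"CRYPTO"}))
NUCLEAR_REPORT = Label("TOP_SECRET", frozenset({"NUCLEAR"}))
PUBLIC_NOTICE = Label("UNCLASSIFIED")


def decision_table() -> dict:
    """(model, subject, object, op) -> decision for the constructed cases."""
    return {
        ("BLP", "analyst", "public_notice", "read"): blp_allows(ANALYST, PUBLIC_NOTICE, "read"),
        ("BLP", "analyst", "public_notice", "write"): blp_allows(ANALYST, PUBLIC_NOTICE, "write"),
        ("BLP", "analyst", "nuclear_report", "read"): blp_allows(ANALYST, NUCLEAR_REPORT, "read"),
        ("BLP", "analyst", "nuclear_report", "write"): blp_allows(ANALYST, NUCLEAR_REPORT, "write"),
        ("BLP", "analyst", "crypto_memo", "read"): blp_allows(ANALYST, CRYPTO_MEMO, "read"),
        ("Biba", "analyst", "public_notice", "read"): biba_allows(ANALYST, PUBLIC_NOTICE, "read"),
        ("Biba", "analyst", "public_notice", "write"): biba_allows(ANALYST, PUBLIC_NOTICE, "write"),
    }


if __name__ == "__main__":
    for key, allowed in decision_table().items():
        print(f"{key[0]:<5} {key[1]} {key[3]:<5} {key[2]:<15} -> {'ALLOW' if allowed else 'DENY'}")
```

Note the writes: BLP lets the SECRET analyst write into a TOP_SECRET report (blind write up, which is why real systems usually add a discretionary check), while Biba lets the same subject write down to the unclassified notice but not read it.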

Cryptography & Key Management (Practical)

  • Select algorithms by use case (AES, ChaCha20, RSA/ECC, SHA-2/3, HMAC) and cryptoperiod strategy.
  • Explain PKI components: CA hierarchy, OCSP/CRL, certificate pinning, key escrow, HSM/KMS.
  • Apply TLS profiles, PFS (ECDHE), certificate lifecycle automation (ACME), and cipher hardening.
  • Use digital signatures and code signing to assure integrity/non-repudiation in pipelines.
  • Recognize pitfalls (ECB mode, weak RNGs, homegrown crypto) and remediation steps.
  • Plan crypto agility and post-quantum readiness at a policy/architecture level.
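Key management basics (generation, rotation, cryptoperiod, destruction) in code, as an added example that is not from the CBK or this syllabus. It uses HMAC-SHA256 from the Python standard library for integrity tags; the key IDs, quarterly cryptoperiods and the `kid.payload.tag` token layout are constructed conventions, not a standard. It also shows the constant-time comparison that avoids one of the pitfalls named above (comparing MACs with `==`).

```python
"""Key management basics: key IDs, cryptoperiods, rotation, grace period,
destruction and constant-time tag verification (HMAC-SHA256, stdlib only).

Added worked example for this syllabus; the keyring, dates and the
kid.payload.tag token format are constructed conventions.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Key:
    kid: str
    secret: bytes
    active_from: date    # cryptoperiod start: may sign from here
    retire_after: date   # after this date: verify only, never sign
    destroy_after: date  # after this date: tags under this key are rejected


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def new_key(kid: str, active_from: date, retire_after: date, destroy_after: date) -> Key:
    """Generation: 32 bytes from the OS CSPRNG (secrets), never random.random()."""
    return Key(kid, secrets.token_bytes(32), active_from, retire_after, destroy_after)


class Keyring:
    def __init__(self, keys):
        self.keys = {k.kid: k for k in keys}

    def signing_key(self, today: date) -> Key:
        """Sign only with the newest key inside its active cryptoperiod."""
        live = [k for k in self.keys.values() if k.active_from <= today <= k.retire_after]
        if not live:
            raise RuntimeError("no active signing key: rotation overdue")
        return max(live, key=lambda k: k.active_from)

    def sign(self, payload: bytes, today: date) -> str:
        k = self.signing_key(today)
        tag = hmac.new(k.secret, k.kid.encode() + b"." + payload, hashlib.sha256).digest()
        return f"{k.kid}.{_b64(payload)}.{_b64(tag)}"

    def verify(self, token: str, today: date) -> bytes:
        """Return the payload if the tag verifies under a still-trusted key.
        Retired keys still verify (grace for tokens in flight); destroyed keys
        do not. hmac.compare_digest avoids leaking tag bytes via timing."""
        kid, payload_b64, tag_b64 = token.split(".")
        k = self.keys.get(kid)
        if k is None or today > k.destroy_after:
            raise ValueError("unknown or destroyed key id")
        payload = _unb64(payload_b64)
        expected = hmac.new(k.secret, kid.encode() + b"." + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            raise ValueError("bad tag")
        return payload


# Constructed keyring: quarterly rotation with one quarter of verify-only grace.
RING = Keyring([
    new_key("2024q1", date(2024, 1, 1), date(2024, 3, 31), date(2024, 6, 30)),
    new_key("2024q2", date(2024, 4, 1), date(2024, 6, 30), date(2024, 9, 30)),
])


def demo() -> dict:
    """Exercise the lifecycle and return the observable outcomes."""
    t_old = RING.sign(b"session=42", date(2024, 3, 15))  # signed under 2024q1
    t_new = RING.sign(b"session=42", date(2024, 5, 1))   # signed under 2024q2
    out = {"old_kid": t_old.split(".")[0], "new_kid": t_new.split(".")[0],
           "old_verifies_in_grace": RING.verify(t_old, date(2024, 5, 1)) == b"session=42"}
    try:  # 2024q1 is destroyed after 2024-06-30: its tokens must now fail
        RING.verify(t_old, date(2024, 7, 1))
        out["old_accepted_after_destroy"] = True
    except ValueError:
        out["old_accepted_after_destroy"] = False
    kid, payload_b64, tag_b64 = t_new.split(".")
    bad_tag = ("A" if tag_b64[0] != "A" else "B") + tag_b64[1:]  # flip tag bits
    try:
        RING.verify(f"{kid}.{payload_b64}.{bad_tag}", date(2024, 5, 1))
        out["tampered_accepted"] = True
    except ValueError:
        out["tampered_accepted"] = False
    try:  # no key is active in August: signing must refuse, not silently reuse
        RING.sign(b"x", date(2024, 8, 1))
        out["rotation_overdue_detected"] = False
    except RuntimeError:
        out["rotation_overdue_detected"] = True
    return out
```

The three dates per key are the practical shape of a cryptoperiod policy: a signing window, a verify-only grace window, and a hard cut-off after which the key material is destroyed and anything still depending on it fails loudly.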

Physical, Embedded & Industrial Security

  • Identify risks in IoT/OT/ICS (firmware trust, insecure protocols, safety vs security priorities).
  • Harden embedded systems: secure boot, measured boot/TPM, code signing, least functionality.
  • Segment and monitor ICS networks; map Purdue model zones and conduits.
  • Mitigate TEMPEST/side-channel risks conceptually and apply shielding/spacing controls.
  • Integrate safety cases and change control with security testing in regulated environments.
  • Plan patching/compensating controls where uptime and safety constrain changes.

Cloud & Enterprise Reference Architectures

  • Map shared responsibility across IaaS/PaaS/SaaS; identify control placement and gaps.
  • Design zero-trust patterns: identity-centric access, micro-segmentation, continuous verification.
  • Apply SASE/ZTNA, CASB, and secure access patterns for distributed workforces.
  • Use network/service meshes, API gateways, and secrets management for microservices.
  • Integrate logging/telemetry (eBPF, agents) for observability and detection in cloud-native stacks.
  • Evaluate multi-cloud/hybrid risks (identity sprawl, data egress, inconsistent policy).

Communication and Network Security (13%)

Practice this topic →

Network Architecture & Segmentation

  • Design secure topologies: DMZs, screened subnets, tiered apps, and out-of-band management.
  • Apply segmentation via VLANs, VRFs, ACLs, firewalls, and identity-aware proxies.
  • Compare on-prem, SDN, and cloud virtual networking constructs (VNets/VPCs/subnets).
  • Select NAT, PAT, and egress controls to reduce exposure and track flows.
  • Place controls for east-west vs north-south traffic; use tap/span/mirror for monitoring.
  • Plan IPv6 security (SLAAC, RA guard, DHCPv6) and dual-stack considerations.

Secure Communication Channels

  • Harden transport: TLS, IPsec (tunnel/transport), MACsec; choose modes and suites appropriately.
  • Compare VPN types: remote access, site-to-site, clientless; integrate MFA and posture checks.
  • Secure email, DNS, and web: SPF/DKIM/DMARC, DNSSEC/DoH/DoT, HTTP security headers.
  • Protect wireless: WPA3-SAE/Enterprise, 802.1X/EAP methods, management frame protection.
  • Apply zero-trust access (ZTNA) and identity-aware proxies for application publishing.
  • Mitigate common attacks (MitM, replay, downgrade) with protocol hardening.
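How SPF, DKIM and DMARC fit together, as an added example (not from the CBK or this syllabus): DMARC only counts an SPF or DKIM pass when the authenticated domain aligns with the From-header domain, under the strict or relaxed alignment modes the record specifies. DNS is replaced by a constructed record table and a tiny public-suffix stand-in so the code runs offline; the messages are constructed.

```python
"""DMARC evaluation over SPF/DKIM results with identifier alignment.

Added worked example for this syllabus. DNS lookups are replaced by a
constructed record table, the public-suffix list by a tiny stand-in, and
the message results below are constructed.
"""
from dataclasses import dataclass

# Constructed "DNS": _dmarc.<domain> TXT records.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; pct=100; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; pct=50",
}
# Stand-in for the public suffix list, enough for organizational-domain lookup.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def org_domain(fqdn: str) -> str:
    """Organizational domain = public suffix plus one label (mail.example.com -> example.com)."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return fqdn.lower()


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into a dict, applying the defaults
    (relaxed alignment for both identifiers, pct=100)."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass(frozen=True)
class AuthResults:
    from_domain: str   # RFC5322.From header domain (what the user sees)
    spf_result: str    # SPF result for the envelope sender ("pass", "fail", "none", ...)
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated against
    dkim_result: str   # result of verifying the DKIM signature
    dkim_domain: str   # d= tag of the verified signature ("" if none)


def evaluate(msg: AuthResults) -> dict:
    """DMARC result plus the disposition the receiver should apply."""
    record = (DNS_TXT.get(f"_dmarc.{msg.from_domain.lower()}")
              or DNS_TXT.get(f"_dmarc.{org_domain(msg.from_domain)}"))
    if record is None:
        return {"dmarc": "none", "disposition": "none"}
    pol = parse_dmarc(record)
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.from_domain, pol["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.from_domain, pol["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    return {"dmarc": "fail", "disposition": pol["p"], "pct": int(pol["pct"])}


# Constructed messages. The second is the classic gap: SPF passes for the
# bulk sender's own bounce domain, so "SPF pass" alone proves nothing about
# the visible From address; alignment is what makes DMARC fail it.
LEGIT = AuthResults("example.com", "pass", "mail.example.com", "pass", "example.com")
SPOOFED_VIA_BULK = AuthResults("example.com", "pass", "bounce.bulkmailer.net", "none", "")
DKIM_SUBDOMAIN = AuthResults("example.com", "fail", "attacker.net", "pass", "news.example.com")
```

The third message shows what `adkim=s` costs: a legitimate newsletter signed with `d=news.example.com` fails strict DKIM alignment, so an organization choosing strict mode must make every sending subsystem sign with the exact From domain.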

Network Security Tools & Monitoring

  • Deploy firewalls (stateful, NGFW, WAF), IDS/IPS, and NDR; know placement and tuning basics.
  • Use NAC, posture assessment, and micro-segmentation to enforce policy at access.
  • Leverage proxying (forward/reverse) and content filtering for egress control.
  • Aggregate telemetry: NetFlow/sFlow/IPFIX, PCAP, and cloud flow logs into SIEM.
  • Baseline normal behavior and define detection rules (signatures, heuristics, ML-assisted).
  • Coordinate change windows and maintenance with monitoring thresholds to avoid blind spots.

Voice/Video, Remote Access & Edge

  • Secure VoIP/UC: SIP/TLS, SRTP; protect against registration hijack and SPIT.
  • Harden remote desktop and bastion patterns; broker via gateways and PAM.
  • Protect CDN/edge and API endpoints with WAF, rate limiting, and token-based auth.
  • Plan QoS vs security trade-offs for real-time traffic and remote work scenarios.
  • Integrate mobile/edge devices into EMM/MDM with per-app VPN and containerization.
  • Document service dependencies and failover for collaboration platforms.

Identity and Access Management (IAM) (13%)

Practice this topic →

Identity Foundations & Federation

  • Explain identity types (workforce, customer, service, device) and lifecycle stages (JML).
  • Differentiate authentication vs authorization; apply RBAC/ABAC/attribute sources.
  • Compare federation protocols: SAML, OIDC/OAuth 2.0; design trust and token lifetimes.
  • Implement SSO patterns across SaaS and hybrid environments; manage session security.
  • Adopt passwordless (FIDO2/WebAuthn) and risk-based adaptive MFA strategies.
  • Mitigate identity threats (phishing-resistant MFA, token theft, consent abuse).

Access Administration & Privileged Security

  • Implement provisioning/de-provisioning via IGA and SCIM; enforce approval workflows.
  • Design SoD and least privilege; review entitlements with periodic access recertification.
  • Deploy PAM: vaulted credentials, just-in-time elevation, session recording and analytics.
  • Secure service accounts, API keys, and workload identities with secret rotation.
  • Centralize policy with PAP/PDP/PEP/PIP components (XACML-style) and policy as code.
  • Define KPIs: time-to-provision, orphaned accounts, stale privileges.
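The PAP/PDP/PEP split and the RBAC/ABAC/SoD objectives above, as an added runnable example (not from the CBK or this syllabus): a small attribute-based decision point with policy-as-code rules, deny-overrides combining and a fail-secure enforcement point. The attribute names, rules, users and resources are constructed; the structure is XACML-style, not XACML itself.

```python
"""Minimal ABAC policy decision point (PDP) with deny-overrides combining,
separated from the policy enforcement point (PEP) that calls it.

Added worked example for this syllabus; attribute names, rules, subjects
and resources are constructed, and the design is XACML-style, not XACML.
"""
from dataclasses import dataclass
from typing import Callable

Attrs = dict  # attribute bag for subject / resource / environment


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str  # "Permit" or "Deny"
    condition: Callable[[Attrs, Attrs, str, Attrs], bool]


def pdp(rules, subject: Attrs, resource: Attrs, action: str, env: Attrs) -> dict:
    """Deny-overrides: any applicable Deny wins, else any Permit, else
    NotApplicable (which the PEP must treat as a deny)."""
    applicable = [r for r in rules if r.condition(subject, resource, action, env)]
    denies = [r.name for r in applicable if r.effect == "Deny"]
    permits = [r.name for r in applicable if r.effect == "Permit"]
    if denies:
        return {"decision": "Deny", "by": denies}
    if permits:
        return {"decision": "Permit", "by": permits}
    return {"decision": "NotApplicable", "by": []}


def pep_allows(rules, subject, resource, action, env) -> bool:
    """Enforcement point: fail-secure, only an explicit Permit opens the door."""
    return pdp(rules, subject, resource, action, env)["decision"] == "Permit"


# Classification levels follow the scheme used elsewhere in this syllabus;
# "clearance" is a subject attribute that would come from the IdP (a PIP).
LEVEL = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Constructed policy set, i.e. what a PAP would publish to the PDP.
POLICY = [
    Rule("owner-full-access", "Permit",
         lambda s, r, a, e: s["id"] == r["owner"]),
    Rule("clearance-read", "Permit",
         lambda s, r, a, e: a == "read" and LEVEL[s["clearance"]] >= LEVEL[r["classification"]]),
    Rule("finance-approve", "Permit",
         lambda s, r, a, e: a == "approve" and "finance" in s["roles"] and r["type"] == "invoice"),
    # Separation of duties: whoever requested an invoice may never approve it.
    Rule("sod-no-self-approval", "Deny",
         lambda s, r, a, e: a == "approve" and r.get("requested_by") == s["id"]),
    # Environmental condition: confidential or higher only from managed devices.
    Rule("unmanaged-device-sensitive", "Deny",
         lambda s, r, a, e: LEVEL[r["classification"]] >= LEVEL["confidential"] and not e["device_managed"]),
]

ALICE = {"id": "alice", "roles": {"finance"}, "clearance": "confidential"}
BOB = {"id": "bob", "roles": {"engineering"}, "clearance": "internal"}
INVOICE = {"type": "invoice", "owner": "carol", "classification": "confidential", "requested_by": "alice"}
DESIGN = {"type": "doc", "owner": "bob", "classification": "secret"}
MANAGED = {"device_managed": True}
BYOD = {"device_managed": False}

if __name__ == "__main__":
    for who, what, act, env in [(ALICE, INVOICE, "read", MANAGED), (ALICE, INVOICE, "approve", MANAGED),
                                (ALICE, INVOICE, "read", BYOD), (BOB, INVOICE, "read", MANAGED)]:
        print(who["id"], act, what["type"], "->", pdp(POLICY, who, what, act, env))
```

Alice has the finance role and the clearance, yet approval of her own invoice is denied because the SoD rule is a Deny and the combining algorithm lets deny win; that is the toxic-combination check from the governance objectives expressed as code rather than as a periodic review.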

Directory, Endpoint & Cloud IAM

  • Harden directories (tiered admin, ACL hygiene, secure replication, auditing).
  • Integrate endpoints and mobile into IAM posture (device compliance, certificates).
  • Map cloud IAM constructs (tenants/projects, roles, policies, conditional access).
  • Control access to data/services with resource-based policies and boundary conditions.
  • Apply identity segmentation (admin vs user tenants) and break-glass procedures.
  • Monitor identity telemetry and correlate with UEBA for anomaly detection.

Identity Governance, Compliance & Access Reviews

  • Run periodic access reviews and attestation campaigns aligned to regulations.
  • Detect and remediate toxic role combinations violating SoD policies.
  • Apply least privilege to CI/CD, cloud control planes, and data platforms.
  • Document identity logs for forensics; define retention and legal hold.
  • Measure IAM maturity; propose roadmap to improve assurance levels.
  • Plan identity recovery after compromise (credential reset, token revocation, trust re-establishment).

Security Assessment and Testing (12%)

Practice this topic →

Assessment Strategy & Governance

  • Define assessment scope, rules of engagement, and success criteria; manage conflicts of interest.
  • Select methods: audits, vulnerability assessments, configuration reviews, tabletop exercises.
  • Plan frequency based on risk and change velocity; integrate into the assurance calendar.
  • Coordinate with legal/HR for testing approvals and communications.
  • Establish evidence collection and reporting templates for executives vs technical teams.
  • Track remediation with owners, due dates, and risk acceptance documentation.

Vulnerability Management & Penetration Testing (High Level)

  • Operate vuln management lifecycle: discover → prioritize → remediate → verify.
  • Interpret scanner output: treat CVSS (severity) and EPSS (probability of exploitation) as separate scores to combine for prioritization; handle false positives and compensating controls.
  • Outline pen test phases (planning, discovery, exploitation, post-exploitation, reporting) at a management level.
  • Coordinate red, blue, and purple team exercises; ensure red-team findings are transferred into blue-team detections and playbooks.
  • Measure MTTR for remediation and patch compliance; report risk trends.
  • Integrate container and IaC scans (images, registries, templates) into CI/CD.

Testing in the SDLC

  • Embed security activities in SDLC/DevSecOps (threat modeling, SAST/DAST/IAST/SCA).
  • Set quality gates in CI/CD; fail builds on severity/coverage thresholds.
  • Use test data management and secure secrets handling in pipelines.
  • Incorporate code review, pair programming, and pre-commit hooks for policy enforcement.
  • Exercise fuzzing and negative testing for input validation and resilience.
  • Track defect leakage and security debt; prioritize fixes by exploitability and business impact.

Security Metrics, Logging & Continuous Assurance

  • Define KPIs/KRIs for controls (patch SLAs, blocked egress attempts, MFA adoption).
  • Instrument systems for telemetry (syslog, audit logs, cloud trails) with time sync and integrity.
  • Correlate events in SIEM; create detection content and suppression rules thoughtfully.
  • Apply control validation (BAS/attack simulation, detection engineering iteratively).
  • Design dashboards for operational vs executive audiences; avoid vanity metrics.
  • Close the loop: lessons learned → control updates → policy/process change.
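Baselining and detection content (the network monitoring objectives earlier and the SIEM correlation objectives here), as one added example that is not from the CBK or this syllabus: a windowed "many failures then a success from one source" rule run over constructed sshd log lines, with a narrow, documented suppression for an authorized scanner. The hostnames, IP addresses and change-ticket reference are constructed; the message format is the common OpenSSH one.

```python
"""Detection content over constructed log lines: a sliding-window
"brute force followed by successful login" rule with an auditable
suppression list, the kind of correlation a SIEM rule encodes.

Added worked example for this syllabus; log lines, hosts, IPs and the
change-ticket reference are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed events (ISO timestamps instead of syslog's month/day form for clarity).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2024-05-01T09:00:03Z bastion sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 50124 ssh2
2024-05-01T09:00:04Z bastion sshd[2205]: Failed password for root from 203.0.113.7 port 50126 ssh2
2024-05-01T09:00:06Z bastion sshd[2207]: Failed password for alice from 203.0.113.7 port 50128 ssh2
2024-05-01T09:00:09Z bastion sshd[2209]: Failed password for alice from 203.0.113.7 port 50130 ssh2
2024-05-01T09:00:12Z bastion sshd[2211]: Accepted password for alice from 203.0.113.7 port 50132 ssh2
2024-05-01T09:00:13Z bastion sshd[2213]: Failed password for bob from 198.51.100.9 port 40000 ssh2
2024-05-01T09:00:14Z bastion sshd[2215]: Failed password for bob from 198.51.100.9 port 40001 ssh2
2024-05-01T09:05:00Z bastion sshd[2290]: Accepted publickey for deploy from 10.0.0.5 port 51000 ssh2
2024-05-01T09:00:20Z bastion sshd[2217]: Failed password for scan from 192.0.2.50 port 1000 ssh2
2024-05-01T09:00:21Z bastion sshd[2218]: Failed password for scan from 192.0.2.50 port 1001 ssh2
2024-05-01T09:00:22Z bastion sshd[2219]: Failed password for scan from 192.0.2.50 port 1002 ssh2
2024-05-01T09:00:23Z bastion sshd[2220]: Failed password for scan from 192.0.2.50 port 1003 ssh2
2024-05-01T09:00:24Z bastion sshd[2221]: Failed password for scan from 192.0.2.50 port 1004 ssh2
2024-05-01T09:00:25Z bastion sshd[2222]: Accepted password for scan from 192.0.2.50 port 1005 ssh2
"""

# Suppressions are narrow and carry their justification so they can be reviewed.
SUPPRESSED_SOURCES = {"192.0.2.50": "authorized credential scanner, change ticket CHG-0001 (constructed)"}


def parse(line: str):
    """Structured event or None for lines the rule does not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return e


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> dict:
    """Alert when a source accumulates >= threshold failures inside `window`
    and then logs in successfully. Suppressed hits are returned separately so
    the suppression stays visible instead of silently dropping events."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts, suppressed = [], []
    events = sorted(filter(None, map(parse, log_text.splitlines())), key=lambda e: e["ts"])
    for e in events:
        q = failures[e["src"]]
        while q and e["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if e["outcome"] == "Failed":
            q.append(e["ts"])
            continue
        if len(q) >= threshold:
            hit = {"src": e["src"], "user": e["user"], "failures": len(q), "at": e["ts"].isoformat()}
            (suppressed if e["src"] in SUPPRESSED_SOURCES else alerts).append(hit)
        q.clear()  # a success ends the episode either way


    return {"alerts": alerts, "suppressed": suppressed}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for a in result["alerts"]:
        print("ALERT", a)
    for s in result["suppressed"]:
        print("suppressed", s, "-", SUPPRESSED_SOURCES[s["src"]])
```

Two tuning knobs are explicit: the failure threshold and the time window. Lowering the threshold catches slower attackers but raises false positives from users mistyping passwords, which is the trade-off the "tune thoughtfully" objective is about; the sorted() call also handles the out-of-order line, because log transport rarely preserves event order.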

Security Operations (13%)

Practice this topic →

Operational Security & Change

  • Run configuration/change management: request, approval, testing, rollback, documentation.
  • Harden baselines and golden images; enforce with configuration management tools.
  • Manage endpoint security: EDR, application control, disk encryption, device health.
  • Coordinate vulnerability, patch, and exception handling across fleets.
  • Operate secure logging/monitoring pipelines with retention/rotation and access control.
  • Plan capacity and performance monitoring to avoid security blind spots.

Incident Response & Forensics (Managerial)

  • Structure IR lifecycle: prepare → detect → analyze → contain → eradicate → recover → lessons learned.
  • Define triage severity, SLAs, communications, and stakeholder management.
  • Preserve evidence: chain of custody, imaging basics, volatile data priorities.
  • Coordinate with legal, PR, and executives; handle breach notification thresholds.
  • Orchestrate response with SOAR and playbooks; measure MTTD/MTTR and containment time.
  • Plan post-incident reviews and systemic fixes to reduce repeat events.

Continuity of Operations & Resource Protection

  • Operate backups (3-2-1 rule, offline/immutable) and test restores; map to RTO/RPO.
  • Manage key/secret rotation and certificate renewals to avoid outages.
  • Enforce least functionality and secure services (disable legacy, restrict admin interfaces).
  • Protect against DDoS conceptually; plan traffic engineering and upstream controls.
  • Handle media control and secure disposal in operations workflows.
  • Maintain service catalogs and runbooks for critical processes.

Third-Party Ops, Supply Chain & Physical

  • Monitor vendor SLAs, attestation (SOC 2/ISO), and continuous control monitoring.
  • Assess software supply chain risk with SBOM, code signing, and provenance checks.
  • Coordinate secure logistics for hardware and spares; anti-tamper checks.
  • Integrate facility security with incident plans and drills.
  • Define onboarding/offboarding for MSP/MSSP access and oversight.
  • Track operational exceptions and risk acceptance with expirations and reviews.

Software Development Security (11%)

Practice this topic →

Secure SDLC & Governance

  • Compare SDLC models (waterfall, agile, DevOps/DevSecOps) and embed security gates.
  • Define security requirements and misuse/abuse cases aligned to business risk.
  • Integrate policy as code and compliance as code into pipelines.
  • Establish developer training and secure coding standards usage.
  • Plan defect tracking, severity schemes, and service level objectives for fixes.
  • Measure maturity with SAMM/BSIMM and publish roadmaps.

Application Security Controls

  • Mitigate OWASP Top 10 classes (injection, auth, access control, deserialization, SSRF, etc.).
  • Enforce secure authentication/authorization flows for web/mobile/API (tokens, scopes, claims).
  • Apply input validation, output encoding, and secure error handling/logging.
  • Protect data with proper crypto use, secure cookie flags, and session management.
  • Design secure file upload, storage, and scanning controls.
  • Implement anti-automation (rate limits, CAPTCHA) while preserving usability.

DevSecOps, CI/CD & Cloud-Native

  • Secure build pipelines: least privilege runners, artifact integrity, signing, and provenance.
  • Scan code (SAST), dependencies (SCA), and images; gate on policy.
  • Harden containers and orchestrators: namespaces, Pod Security Admission (PodSecurityPolicy was removed in Kubernetes 1.25), and network policies.
  • Manage secrets (vaults, KMS) and rotate keys/tokens used by apps and pipelines.
  • Secure serverless/functions: least privilege, timeouts, event validation, cold-start considerations.
  • Instrument apps for observability and RASP; define deployment guardrails.

Testing, QA & Release

  • Design test strategies: unit, integration, e2e, security regression, and chaos experiments.
  • Use threat modeling to prioritize tests; maintain test cases as living assets.
  • Perform DAST/IAST and fuzzing in pre-prod; handle findings triage and false positives.
  • Define blue-green/canary releases and feature flags with security controls.
  • Track vulnerability disclosure and coordinate releases with PSIRT processes.
  • Measure release risk and rollback readiness; capture post-release telemetry.

Tip: After each domain, take a 20–25 question drill focused on that domain, convert misses into two-bullet rules, then re-drill weak objectives within 24–48 hours.