Career Employer

FREE CISSP Study Guide 2026: All 8 Domains

The most important things the CISSP tests — an interactive study guide with built-in quizzes and flashcards, organized by all 8 ISC2 domains.


This free CISSP study guide walks through every content domain the Certified Information Systems Security Professional exam tests, organized to the current ISC2 exam outline (effective April 15, 2024).[1]

It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.

The CISSP tests eight official domains (one Common Body of Knowledge). We teach all eight in five study modules, grouping closely related domains, and we lead with the heaviest-weighted content.

Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview that maps the official content — not a full security textbook.

CISSP is one of the 9 ISC2 certifications — explore our ISC2 study guides to compare and prep across the whole family.

CISSP Exam Snapshot

CISSP exam at a glance
Detail | CISSP Exam
Questions | 100–150 items (English CAT); 250 (non-English linear)
Format | Computerized Adaptive Testing (CAT); multiple choice + advanced items
Time | 3 hours (English CAT); 6 hours (linear)
Passing score | 700 out of 1000 points
Administered by | ISC2, delivered at Pearson VUE
Certifying body | ISC2 (formerly (ISC)²)
Eligibility | 5 years' experience in 2+ domains (1 yr waivable); or Associate of ISC2
Cost | $749 USD (Americas)
Recertification | Every 3 years: 120 CPE credits + $135 annual maintenance fee
Outline version | Effective April 15, 2024

The CISSP covers eight domains, and unlike many exams the weights are fairly even — no single domain dominates. Security & Risk Management is the largest at 16%, and it frames everything else, so it is where to invest first.[1] Study by weight:

CISSP weighting by domain (ISC2 exam outline, 2024)
Domain | Weight
Domain 1 · Security & Risk Management | 16%
Domain 3 · Security Architecture & Engineering | 13%
Domain 4 · Communication & Network Security | 13%
Domain 5 · Identity & Access Management | 13%
Domain 7 · Security Operations | 13%
Domain 6 · Security Assessment & Testing | 12%
Domain 2 · Asset Security | 10%
Domain 8 · Software Development Security | 10%

Module 1 · Security & Risk Management

One official domain, 16% of the exam — the largest. This domain is the foundation of the whole CISSP: the goals of security, how an organization governs and manages risk, and the ethics and legal duties a security professional carries. Master it and the rest of the exam makes sense.

1.1 CIA Triad, Governance & Ethics

Everything starts with the CIA triad. Confidentiality prevents unauthorized disclosure (encryption, access control); integrity prevents unauthorized change (hashing, digital signatures); and availability keeps systems reachable for authorized users (redundancy, backups). Its mirror image is DAD (Disclosure, Alteration, Destruction): the threat to each of the three goals.

Security must be governed from the top. Senior management owns risk and sets the tone; the security professional translates business goals into policy. Know the policy hierarchy: policies (high-level intent) → standards (mandatory specifics) → procedures (step-by-step) → guidelines (recommended, optional).

Two governance duties are heavily tested: due diligence (doing the research and building the plan) and due care (acting on it by implementing and maintaining reasonable controls). Together they are what the “prudent person rule” expects of a reasonable professional.[1]

The security document hierarchy
Document | What it is | Mandatory?
Policy | High-level management statement of intent and goals | Yes
Standard | Specific mandatory requirements (e.g., “use AES-256”) | Yes
Procedure | Detailed step-by-step instructions | Yes
Baseline | A minimum required level of security | Yes
Guideline | Recommended, discretionary best practice | No

Finally, every CISSP agrees to the ISC2 Code of Ethics. Its four canons are applied in order: (1) protect society and the infrastructure, (2) act honorably, (3) provide diligent service to principals, and (4) advance the profession. When two canons conflict, the earlier one takes precedence.[3]

1.2 Risk Management & Analysis

Risk is the chance that a threat exploits a vulnerability to harm an asset. The management process is a continuous loop: identify assets and threats, assess the risk, choose a treatment, implement controls, and monitor.

You assess risk two ways. Qualitative analysis is subjective: ranking risks high/medium/low (fast, but not in dollars). Quantitative analysis is objective and money-based, and the CISSP loves its formulas. The exposure factor (EF) is the percentage of an asset's value lost per event; single loss expectancy (SLE) = Asset Value × EF; the annualized rate of occurrence (ARO) is the expected number of events per year; and annualized loss expectancy (ALE) = SLE × ARO is the expected yearly cost.[4]

Once you know the risk, you pick a treatment: mitigate (add controls), transfer (insurance), avoid (stop the activity), or accept (tolerate it with management sign-off). Whatever you do, residual risk remains, and senior management formally accepts it. A control should never cost more than the loss it prevents: compare its annual cost against the reduction in ALE, not just against the asset's value.

The four risk treatment options
Treatment | What you do | Example
Mitigate (reduce) | Add controls to lower likelihood or impact | Deploy MFA to reduce account takeover
Transfer | Shift the financial impact to a third party | Buy cyber-insurance
Avoid | Stop the activity that creates the risk | Discontinue a risky product feature
Accept | Formally tolerate the residual risk | Management signs off on a low-impact risk
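The SLE and ALE formulas, and the rule that a control must not cost more than the loss it prevents, as an added Python example (it is not from the page or from ISC2). The asset value, exposure factors, occurrence rates and control costs are constructed for illustration; the safeguard-value formula, ALE before minus ALE after minus the annual cost of the safeguard, is the standard CISSP cost/benefit calculation.

```python
"""Quantitative risk analysis: SLE, ALE and the annual value of a safeguard."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of AV lost per event (0.0 to 1.0)
    aro: float               # ARO, expected events per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # ACS: amortized purchase plus yearly operation
    new_ef: float        # exposure factor once the control is in place
    new_aro: float       # occurrence rate once the control is in place


def safeguard_value(risk: Risk, control: Control) -> float:
    """Annual value of a control = ALE(before) - ALE(after) - ACS.

    Positive: the control removes more expected loss than it costs.
    Negative: the control costs more than the loss it prevents, so on these
    numbers it should not be funded (transfer or accept the risk instead).
    """
    after = Risk(risk.name, risk.asset_value, control.new_ef, control.new_aro)
    return risk.ale - after.ale - control.annual_cost


def recommend(risk: Risk, controls: list) -> list:
    """Rank candidate controls by value, dropping any with non-positive value."""
    scored = [(c.name, safeguard_value(risk, c)) for c in controls]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


# Constructed scenario: a customer database hit by ransomware about every two years.
CUSTOMER_DB = Risk("customer database", asset_value=1_000_000, exposure_factor=0.25, aro=0.5)
CANDIDATES = [
    Control("offline immutable backups", annual_cost=30_000, new_ef=0.05, new_aro=0.5),
    Control("endpoint detection and response", annual_cost=60_000, new_ef=0.25, new_aro=0.1),
    Control("full DLP suite", annual_cost=200_000, new_ef=0.02, new_aro=0.2),
]


def example() -> list:
    """Ranked, cost-justified controls for the constructed scenario."""
    return recommend(CUSTOMER_DB, CANDIDATES)


if __name__ == "__main__":
    print(f"SLE = {CUSTOMER_DB.sle:,.0f}  ALE = {CUSTOMER_DB.ale:,.0f}")
    for name, value in example():
        print(f"{name}: worth {value:,.0f} per year")
```

The DLP suite cuts the ALE to almost nothing yet is rejected, because its annual cost exceeds the whole ALE it is defending against; that is the exam's point about controls costing more than what they protect.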

1.3 Business Continuity & Disaster Recovery

Business continuity keeps critical functions running through a disruption; disaster recovery restores IT afterward. The process begins with management buy-in and centers on the Business Impact Analysis (BIA), which identifies critical functions and sets the recovery targets every other decision serves.

Know the recovery metrics cold. Maximum Tolerable Downtime (MTD) is the outer limit a function can be down. Recovery Time Objective (RTO) is the target time to restore it (RTO must be less than MTD). Recovery Point Objective (RPO) is the maximum acceptable data loss, measured backward in time, which dictates how often you back up. And recovery site choices trade cost against speed.

Recovery objectives and recovery sites
Term / site | Meaning | Trade-off
MTD | Maximum Tolerable Downtime — the absolute limit | Drives the RTO
RTO | Recovery Time Objective — target time to restore | Must be shorter than the MTD
RPO | Recovery Point Objective — acceptable data loss | Drives backup frequency
Hot site | Fully equipped, near-real-time failover | Fastest recovery, most expensive
Warm site | Hardware and connectivity, data restored on demand | Moderate cost and speed
Cold site | Empty space with power/cooling only | Cheapest, slowest to bring online

Checkpoint · Security & Risk Management

Question 1 of 10

An organization is deciding how to handle a risk that has low likelihood but catastrophic impact if it occurs. Leadership determines that the cost of full mitigation exceeds the asset value, but the residual exposure is unacceptable. Which risk treatment is MOST appropriate?

Module 2 · Asset Security & Architecture

Two official domains, 23% of the exam combined: Asset Security (10%) and Security Architecture & Engineering (13%). This module is about protecting data through its lifecycle and understanding the models, systems, and cryptography that enforce security.

2.1 Asset Security & Data Protection

Asset security starts with data classification: labeling data by sensitivity so the right protection is applied. The data owner (a senior business manager) is accountable and sets the classification; the data custodian (usually IT) is responsible for implementing the controls day to day. Under privacy law, the data controller decides why and how personal data is processed, and a data processor acts on the controller’s instructions.

Protect data across its three states: at rest (encrypt the disk/database), in transit (TLS/IPsec), and in use (the hardest, e.g., enclaves). At end of life, you must defeat data remanence with proper media sanitization: clearing (overwrite; resists simple recovery, so media can be reused internally), purging (degaussing, cryptographic erase, or drive sanitize commands; resists laboratory recovery, so media can leave the organization), or destruction (shred, pulverize, incinerate).[8]

Data roles and data states
Concept | Detail
Data owner | Accountable; sets classification and protection requirements (senior manager)
Data custodian | Responsible for day-to-day controls (backups, access) — usually IT
Data controller | Decides why and how personal data is processed (privacy law)
Data processor | Processes data on the controller's instructions (often a vendor)
At rest | Stored data — protect with full-disk/database encryption
In transit | Moving data — protect with TLS, IPsec, or VPNs
In use | Data being processed in memory — hardest to protect

2.2 Security Models & Architecture

Security models formalize a policy into rules a system can enforce. The two you must know cold are Bell-LaPadula (confidentiality) and Biba (integrity); they are mirror images.

A third, Clark-Wilson, protects integrity through well-formed transactions and separation of duties. Underneath the models, the reference monitor mediates every access between subjects and objects, implemented by the security kernel within the Trusted Computing Base (TCB).

Core security models
Model | Protects | Key idea
Bell-LaPadula | Confidentiality | No read up, no write down
Biba | Integrity | No read down, no write up
Clark-Wilson | Integrity | Well-formed transactions + separation of duties
Brewer-Nash (Chinese Wall) | Confidentiality | Access changes dynamically to prevent conflicts of interest
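The models in the table, as an added Python example that is not from the page: a toy reference monitor on a four-level lattice that enforces Bell-LaPadula and Biba, a check that the two really are mirror images, and a stateful Brewer-Nash wall. Level names, subjects, datasets and conflict classes are constructed; for Biba, read the levels as integrity levels rather than clearances.

```python
"""Toy reference monitor: Bell-LaPadula, Biba and Brewer-Nash decisions."""

# One ordered lattice serves both models; BLP reads it as clearance/classification,
# Biba reads it as integrity level (constructed names).
LEVELS = ("LOW", "MEDIUM", "HIGH", "CRITICAL")
RANK = {name: i for i, name in enumerate(LEVELS)}


def bell_lapadula(subject: str, obj: str, op: str) -> bool:
    """Confidentiality: no read up (simple security), no write down (*-property)."""
    s, o = RANK[subject], RANK[obj]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def biba(subject: str, obj: str, op: str) -> bool:
    """Integrity: no read down (simple integrity), no write up (*-integrity)."""
    s, o = RANK[subject], RANK[obj]
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


MODELS = {"bell_lapadula": bell_lapadula, "biba": biba}


def reference_monitor(model: str, subject: str, obj: str, op: str) -> str:
    """Single choke point every access passes through; returns the decision
    so it can be logged and audited as well as enforced."""
    return "ALLOW" if MODELS[model](subject, obj, op) else "DENY"


def models_are_mirrors() -> bool:
    """Biba is Bell-LaPadula with the arrows flipped: BLP's read rule is Biba's
    write rule and vice versa, for every pair of levels."""
    return all(
        bell_lapadula(s, o, "read") == biba(s, o, "write")
        and bell_lapadula(s, o, "write") == biba(s, o, "read")
        for s in LEVELS for o in LEVELS
    )


class BrewerNash:
    """Chinese Wall: once a subject touches one dataset in a conflict-of-interest
    class, the other datasets in that class become off limits. The decision
    depends on history, which is what makes the model dynamic."""

    def __init__(self, conflict_classes: dict):
        self.conflict_classes = conflict_classes   # class name -> set of datasets
        self.history = {}                          # subject -> datasets accessed

    def access(self, subject: str, dataset: str) -> bool:
        seen = self.history.setdefault(subject, set())
        for members in self.conflict_classes.values():
            if dataset in members and any(d in members and d != dataset for d in seen):
                return False
        seen.add(dataset)
        return True


def demo() -> dict:
    """A HIGH-level subject touching a MEDIUM-level object under each model."""
    return {
        "blp_read_down": reference_monitor("bell_lapadula", "HIGH", "MEDIUM", "read"),
        "blp_write_down": reference_monitor("bell_lapadula", "HIGH", "MEDIUM", "write"),
        "biba_read_down": reference_monitor("biba", "HIGH", "MEDIUM", "read"),
        "biba_write_down": reference_monitor("biba", "HIGH", "MEDIUM", "write"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
    print("mirror images:", models_are_mirrors())
```

The same access (a HIGH subject touching a MEDIUM object) is allowed as a read and denied as a write under Bell-LaPadula, and exactly the reverse under Biba, which is the fastest way to remember both rule sets.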

2.3 Cryptography

Cryptography delivers confidentiality, integrity, authentication, and non-repudiation. Symmetric encryption uses one shared key (AES): fast but hard to distribute. Asymmetric encryption uses a public/private key pair (RSA, ECC): slower, but it solves key exchange and enables signatures. Real systems use both (hybrid): asymmetric to exchange a symmetric session key.

For integrity, hashing produces a one-way fixed-length digest (SHA-256). A digital signature hashes a message and, in exam language, encrypts the hash with the sender’s private key, giving integrity, authenticity, and non-repudiation; the verifier recomputes the hash and checks it with the sender’s public key. That “encrypt the hash” picture is literally true only for RSA; ECDSA and other schemes sign without an encryption step, but the key roles are the same. All of this trust is managed by Public Key Infrastructure (PKI).

Encrypt vs. sign — which key do you use?
Goal | Use this key | Result
Confidentiality (encrypt for someone) | Recipient's PUBLIC key | Only the recipient's private key can decrypt
Authenticity (sign a message) | Sender's PRIVATE key | Anyone can verify with the sender's public key
Integrity | Hash function (no key) | A changed message produces a different digest

Checkpoint · Asset Security & Architecture

Question 1 of 10

An organization is classifying data and must label information whose disclosure would cause exceptionally grave damage to national security. In the U.S. government classification scheme, this level is:

Module 3 · Network Security & IAM

Two official domains, 26% of the exam combined: Communication & Network Security (13%) and Identity & Access Management (13%). This module covers how data moves securely across networks and how the right people — and only the right people — get access.

3.1 Communication & Network Security

The backbone here is the OSI model: seven layers from Physical to Application. CISSP maps devices, protocols, and attacks to layers: switches at Layer 2, routers at Layer 3, and security protocols at various layers. Defense in depth then layers controls so a single failure doesn’t expose the asset.

The OSI model (with the TCP/IP mapping)
Layer | OSI layer | Example
7 | Application | HTTP, DNS, SMTP
6 | Presentation | Encryption, encoding (TLS is commonly mapped here, with some texts placing it at 5 or 7; it runs above TCP)
5 | Session | Session setup and teardown
4 | Transport | TCP, UDP (port numbers)
3 | Network | IP, routers, IPsec
2 | Data Link | MAC addresses, switches
1 | Physical | Cables, signals, hubs

Know the secure protocols by purpose: TLS secures application traffic (HTTPS), IPsec secures IP at Layer 3 (VPN tunnels), and SSH gives secure remote administration. Segmentation (VLANs, subnets), firewalls, and strong wireless security (WPA3) round out the controls. Beware insecure legacy protocols (Telnet, FTP, WEP).

3.2 Identity & Access Management

Access control is a four-step sequence: identification (claim an identity) → authentication (prove it) → authorization (what you may do) → accountability (log it). Strong authentication means multi-factor authentication (MFA), combining factors from different categories: something you know (password), have (token), and are (biometric). A password plus a PIN is two factors from the same category and does not count as MFA.[7]

Two principles govern who gets what: least privilege (only the minimum access needed) and separation of duties (no one person controls a sensitive task end to end). Authorization is enforced through access control models: DAC (the owner decides), MAC (the system enforces labels and clearances), RBAC (access by job role), and ABAC (access by attributes and policy).

Enterprises tie it together with single sign-on (SSO) and federation: Kerberos (ticket-based SSO inside an enterprise network, e.g., Active Directory), SAML (web SSO/federation), and OAuth/OIDC (OAuth for delegated authorization, OIDC for federated login to apps and APIs).

The three authentication factor categories
Factor | Type | Examples
Something you know | Knowledge | Password, PIN, passphrase
Something you have | Possession | Smart card, hardware token, phone
Something you are | Inherence (biometric) | Fingerprint, iris, face

Checkpoint · Network Security & IAM

Question 1 of 10

Which firewall type inspects the state of active connections and makes decisions based on the context of traffic?

Module 4 · Assessment, Testing & Operations

Two official domains, 25% of the exam combined: Security Assessment & Testing (12%) and Security Operations (13%). This module is about proving controls work and running security day to day — including incidents and disaster recovery.

4.1 Security Assessment & Testing

You verify controls three ways. A vulnerability scan is an automated, broad check for known weaknesses (no exploitation). A penetration test goes further: an authorized, simulated attack that actively exploits weaknesses to show real impact. A security audit is an independent evaluation against a standard.

Assessment vs. test vs. audit
Activity | What it does | Who / how
Vulnerability scan | Finds known weaknesses automatically | Frequent, low-risk, automated tool
Penetration test | Exploits weaknesses to prove impact | Authorized testers; rules of engagement
Security audit | Evaluates controls against a standard | Independent auditor (e.g., SOC 2)

Penetration tests come in flavors by knowledge: black-box (no prior knowledge, simulates an outsider), white-box (full knowledge), and gray-box (partial). Round out the domain with code review (static analysis of source vs. dynamic testing of a running app) and third-party audit reports: SOC 2 covers the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy), while SOC 1 covers controls relevant to financial reporting.

4.2 Security Operations

Operations is where security runs daily. The ISC2 lifecycle is: Detection → Response → Mitigation → Reporting → Recovery → Remediation → Lessons Learned. You detect and confirm, respond to contain, mitigate and report, recover operations, remediate root causes, and capture lessons learned. NIST SP 800-61 groups the same work into four phases (Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity), so know both vocabularies.[6]

The incident response lifecycle (ISC2)
Phase | What happens
Detection | Identify and confirm that an incident has occurred
Response | Contain the incident to limit damage
Mitigation | Reduce the impact and stop the spread
Reporting | Notify stakeholders and required authorities
Recovery | Restore systems to normal operation
Remediation | Fix the root cause so it can't recur
Lessons Learned | Review the response and improve the plan

Day-to-day operations also rely on logging and monitoring (a SIEM aggregates and correlates events), change management (controlled, documented changes), and backups. Know backup types (full: everything; incremental: changes since the last backup of any kind, fast backup but slow restore; differential: changes since the last full, slower backup but faster restore) plus evidence handling and chain of custody.
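What “a SIEM correlates events” means in practice, as an added Python example that is not from the page: a correlation rule that fires only when a burst of failed logins from one source is followed by a success, run over constructed sshd-style log lines (not real logs). The hostname, IP addresses, user names and thresholds are assumptions for the demo.

```python
"""SIEM-style correlation: brute force followed by success from one source."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

# Constructed sshd-style log lines (not real logs). One source fails five times
# then succeeds within seconds; a second user mistypes once and logs in later.
SAMPLE_LOGS = """\
2024-04-15T09:00:01 host1 sshd[1201]: Failed password for admin from 203.0.113.5 port 51000 ssh2
2024-04-15T09:00:03 host1 sshd[1202]: Failed password for admin from 203.0.113.5 port 51001 ssh2
2024-04-15T09:00:04 host1 sshd[1203]: Failed password for admin from 203.0.113.5 port 51002 ssh2
2024-04-15T09:00:06 host1 sshd[1204]: Failed password for admin from 203.0.113.5 port 51003 ssh2
2024-04-15T09:00:07 host1 sshd[1205]: Failed password for admin from 203.0.113.5 port 51004 ssh2
2024-04-15T09:00:09 host1 sshd[1206]: Accepted password for admin from 203.0.113.5 port 51005 ssh2
2024-04-15T09:15:00 host1 sshd[1300]: Failed password for bob from 198.51.100.7 port 40000 ssh2
2024-04-15T09:40:00 host1 sshd[1301]: Accepted password for bob from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line: str) -> Optional[dict]:
    """Normalise one raw line into an event; unparseable lines are dropped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def correlate(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Alert when a source IP has >= threshold failures inside `window`
    and then an accepted login: the signature of a successful brute force.

    A rule on failures alone fires on every typo; requiring the success
    is what turns noise into a high-confidence alert."""
    failures = defaultdict(deque)   # src ip -> timestamps of recent failures
    alerts = []
    for raw in lines:
        event = parse_line(raw)
        if event is None:
            continue
        q = failures[event["src"]]
        while q and event["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if event["outcome"] == "Failed":
            q.append(event["ts"])
        elif len(q) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "src": event["src"],
                "user": event["user"],
                "failures_in_window": len(q),
                "at": event["ts"].isoformat(),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Bob's single typo never reaches the threshold and his later success falls outside the window, so only the 203.0.113.5 sequence produces an alert; raising the threshold to six makes the rule silent, which is the tuning trade-off every SIEM rule carries.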

Backup types compared
Type | Backs up | Restore
Full | All selected data | Fastest (one set)
Incremental | Changes since the last backup of any type | Slowest (full + every increment)
Differential | Changes since the last full backup | Faster (full + one differential)
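The recovery objectives from Module 1 (MTD, RTO, RPO) and the backup types in the table above, worked together as an added Python example that is not from the page: given a weekly schedule, it lists the sets you must restore after a failure under an incremental versus a differential strategy, measures the data loss against the RPO, and measures the restore time against the RTO. The dates, the 90-minute restore time per set, and the RPO/RTO values are constructed assumptions.

```python
"""Restore chains and data loss for full, incremental and differential backups."""
from datetime import datetime, timedelta


def build_schedule(first_full: datetime, days: int, strategy: str) -> list:
    """Daily backups at the same time of day: a full every 7th day, `strategy` between."""
    if strategy not in ("incremental", "differential"):
        raise ValueError(strategy)
    return [
        (first_full + timedelta(days=i), "full" if i % 7 == 0 else strategy)
        for i in range(days)
    ]


def restore_chain(backups: list, failure_time: datetime) -> list:
    """Sets needed to rebuild the system as of the newest backup before the failure."""
    usable = [b for b in backups if b[0] <= failure_time]
    if not usable:
        raise ValueError("no backup predates the failure")
    last_full = max(i for i, b in enumerate(usable) if b[1] == "full")
    chain = [usable[last_full]]
    since_full = usable[last_full + 1:]
    if since_full and since_full[-1][1] == "differential":
        chain.append(since_full[-1])   # the newest differential already holds everything since the full
    elif since_full:
        chain.extend(since_full)       # every incremental, in order, oldest first
    return chain


def data_loss(backups: list, failure_time: datetime) -> timedelta:
    """Work that is gone for good: time since the newest backup before the failure."""
    return failure_time - max(b[0] for b in backups if b[0] <= failure_time)


def check_objectives(backups: list, failure_time: datetime, rpo: timedelta,
                     rto: timedelta, restore_time_per_set: timedelta) -> dict:
    """Does this schedule meet the RPO and RTO the BIA set for the function?"""
    chain = restore_chain(backups, failure_time)
    loss = data_loss(backups, failure_time)
    restore_time = restore_time_per_set * len(chain)
    return {
        "sets_to_restore": len(chain),
        "data_loss": loss,
        "restore_time": restore_time,
        "rpo_met": loss <= rpo,
        "rto_met": restore_time <= rto,
    }


# Constructed scenario: full backup every Sunday at midnight, failure on Thursday afternoon.
FIRST_FULL = datetime(2024, 4, 14, 0, 0)
FAILURE = datetime(2024, 4, 18, 14, 0)
RPO = timedelta(hours=24)
RTO = timedelta(hours=4)
PER_SET = timedelta(minutes=90)   # assumed time to restore one backup set


def compare() -> dict:
    """Same RPO/RTO, same failure, two strategies side by side."""
    return {
        strategy: check_objectives(build_schedule(FIRST_FULL, 14, strategy),
                                   FAILURE, RPO, RTO, PER_SET)
        for strategy in ("incremental", "differential")
    }


if __name__ == "__main__":
    for strategy, result in compare().items():
        print(strategy, result)
```

Both strategies lose the same 14 hours of work (the RPO is a property of the schedule, not the backup type), but the incremental chain needs five sets and blows through a four-hour RTO while the differential chain needs two and meets it. Meeting a tighter RPO means backing up more often; meeting a tighter RTO means fewer sets to restore or faster media.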

Checkpoint · Assessment, Testing & Operations

Question 1 of 10

Which type of security testing involves an authorized simulated attack to evaluate exploitability of vulnerabilities?

Module 5 · Software Development Security

One official domain, 10% of the exam. This domain is about building security into software rather than bolting it on — across the development lifecycle, in the code, and in the supply chain.

5.1 Secure SDLC & Application Security

A secure SDLC weaves security into every phase: threat modeling in design, secure coding and code review in build, and security testing before release, so flaws are caught early, when they are cheapest to fix. STRIDE is a common threat-modeling taxonomy. Maturity models such as BSIMM and OWASP SAMM measure and improve a program, and DevSecOps automates security testing inside CI/CD pipelines.

Development models at a glance
Model | Characteristic
Waterfall | Sequential phases; rigid, good for stable requirements
Agile | Iterative sprints; flexible, frequent delivery
DevSecOps | Security automated into continuous integration/delivery
Spiral | Iterative with heavy risk analysis each cycle

On the application itself, the OWASP Top 10 names the highest-impact web risks; broken access control, cryptographic failures, and injection lead the list. The single most important defense against SQL injection and similar attacks is parameterized queries backed by rigorous input validation: never trust user input.[10] Know the database threats too: inference (deducing data you can’t see directly), aggregation (combining harmless facts into sensitive ones), and polyinstantiation (a defense that stores different data at different classification levels).
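The injection defense described above, as an added Python example that is not from the page or from OWASP: the vulnerable string-built login query beside the parameterized version, run against an in-memory SQLite table, plus an allowlist validator as the second layer. The table rows, the payload and the username policy are constructed for the demo.

```python
"""SQL injection: a vulnerable login query next to the parameterized fix."""
import re
import sqlite3

# Allowlist for usernames; an assumed local policy, not a universal rule.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-alice", "admin"), ("bob", "hash-bob", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """Attacker-controlled text is spliced into the statement, so it becomes SQL."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """Parameters travel separately from the statement and are never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchall()


def valid_username(username: str) -> bool:
    """Input validation as the second layer: reject anything outside the allowlist."""
    return bool(USERNAME_RE.match(username))


def demo() -> dict:
    conn = make_db()
    payload = "' OR 1=1 --"   # closes the string, makes the WHERE true, comments out the rest
    return {
        "vulnerable_rows": login_vulnerable(conn, payload, "wrong"),
        "safe_rows": login_safe(conn, payload, "wrong"),
        "legit_rows": login_safe(conn, "alice", "hash-alice"),
        "payload_passes_validation": valid_username(payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable function returns every user, admin included, for a password that matches nobody; the parameterized function returns nothing because it is looking for a user literally named `' OR 1=1 --`. Python's sqlite3 refuses stacked statements in `execute`, so a `; DROP TABLE` payload would fail here, but `executescript` and other database drivers offer no such protection, which is why the parameterized query is the control, not the driver's behaviour.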

Checkpoint · Software Development Security

Question 1 of 10

A buffer overflow that allows an attacker to execute code is MOST directly enabled by:

How to Use This CISSP Study Guide

This guide is built to be worked, not just read. The most efficient path to a pass:

  • Study by weight, but cover all eight. The CISSP’s weights are relatively even — start with Security & Risk Management (16%), but no domain is small enough to skip.
  • Think like a manager. CISSP questions ask for the best answer, often the one that addresses people, process, and governance — not just the most technical fix.
  • Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
  • Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
  • Drill the weak domain. Work your weakest domain through the flashcards and a practice test until the score sits comfortably above 700.

CISSP Concept Questions

Common CISSP concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.

CISSP Glossary

The high-yield CISSP terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.

Accountability
Tying actions back to a specific identity through logging and monitoring.
Annualized Loss Expectancy (ALE)
The expected yearly cost of a risk: ALE = SLE × ARO. Used to cost-justify controls.
Annualized Rate of Occurrence (ARO)
The expected number of times a specific risk event will occur in one year.
Asymmetric encryption
Encryption using a public/private key pair (e.g., RSA, ECC); solves key exchange and enables digital signatures.
Attribute-based access control (ABAC)
Access decided by attributes and policy (user, resource, time, location); the most granular.
Authentication
Proving a claimed identity with a credential (knowledge, possession, or inherence factor).
Authorization
Determining what an authenticated identity is permitted to access and do.
Availability
Ensuring authorized users have timely, reliable access to systems and data; protected by redundancy, backups, and fault tolerance.
Bell-LaPadula model
A confidentiality model: Simple Security Property (no read up) and *-Property (no write down) — 'no read up, no write down.'
Biba model
An integrity model: Simple Integrity Axiom (no read down) and *-Integrity Axiom (no write up) — 'no read down, no write up.'
Business continuity plan (BCP)
A plan to keep critical business functions operating during and after a disruption.
Business Impact Analysis (BIA)
An analysis that identifies critical business functions and sets recovery objectives (MTD, RTO, RPO); the heart of continuity planning.
Chain of custody
Documentation showing who handled evidence and when, preserving its integrity for legal use.
Change management
A controlled process for evaluating, approving, and documenting changes to systems.
CIA triad
The three core goals of information security: Confidentiality (no unauthorized disclosure), Integrity (no unauthorized modification), and Availability (timely, reliable access for authorized users).
Clark-Wilson model
An integrity model enforcing well-formed transactions and separation of duties through the access triple (subject-program-object).
Confidentiality
Preventing the unauthorized disclosure of data; protected primarily by encryption and access controls.
Data classification
Labeling data by sensitivity (e.g., public, confidential, secret) so the right level of protection is applied.
Data controller
Under privacy law, the entity that decides why and how personal data is processed.
Data custodian
The party (usually IT) that implements and maintains the controls protecting data day to day.
Data owner
The senior business manager accountable for data, who sets its classification and protection requirements.
Data processor
A party that processes personal data on behalf of, and on the instructions of, the controller.
Data remanence
Residual data that remains on media after deletion or formatting and may be recoverable.
Defense in depth
Layering multiple, overlapping controls so that if one fails, others still protect the asset.
Digital signature
A hash of a message encrypted with the sender's private key, providing integrity, authenticity, and non-repudiation.
Disaster recovery (DR)
The processes and procedures to restore IT systems and operations after a disruptive event.
Discretionary access control (DAC)
Access decided by the data owner (e.g., file permissions, ACLs).
Due care
Acting on due diligence by implementing and maintaining reasonable controls — what a prudent person would do.
Due diligence
Doing the research and developing the plans/policies needed to protect the organization — the homework before acting.
Exposure factor (EF)
The percentage of an asset's value that would be lost if a specific risk event occurred.
Hashing
A one-way function producing a fixed-length digest used to verify integrity (e.g., SHA-256); not reversible.
Identification
A subject claiming an identity (e.g., a username) — the first step of access control.
Incident response
The structured process to detect, respond to, recover from, and learn from a security incident.
Integrity
Ensuring data is accurate and unaltered except by authorized parties; protected by hashing, digital signatures, and change control.
ISC2 Code of Ethics
Four canons every CISSP must follow, applied in order: protect society and the infrastructure; act honorably; provide diligent service to principals; advance and protect the profession.
Kerberos
A symmetric-key SSO authentication protocol using tickets and a Key Distribution Center (KDC).
Least privilege
Granting users and processes only the minimum access needed to do their job, and nothing more.
Mandatory access control (MAC)
Access enforced by the system from labels and clearances; rigid and high-security.
Maximum Tolerable Downtime (MTD)
The longest time a business function can be unavailable before the organization suffers unacceptable harm.
Media sanitization
Removing data from media via clearing, purging, or destruction so it cannot be recovered (NIST SP 800-88).
Multi-factor authentication (MFA)
Using two or more factors from different categories — something you know, have, and are.
Non-repudiation
Assurance that a party cannot deny having performed an action, achieved through digital signatures and logging.
OSI model
A seven-layer reference model for networking: Physical, Data Link, Network, Transport, Session, Presentation, Application.
OWASP Top 10
A community list of the most critical web application security risks (e.g., broken access control, injection).
Penetration test
An authorized, simulated attack that actively exploits weaknesses to demonstrate real impact.
Public Key Infrastructure (PKI)
The framework of certificate authorities, certificates, and policies that manages public keys and trust.
Recovery Point Objective (RPO)
The maximum acceptable amount of data loss measured backward in time; drives backup frequency.
Recovery Time Objective (RTO)
The targeted time to restore a system or function after a disruption; must be shorter than the MTD.
Reference monitor
The abstract concept that mediates all access between subjects and objects; implemented by the security kernel.
Residual risk
The risk that remains after controls are applied; senior management formally accepts it.
Risk
The likelihood that a threat will exploit a vulnerability, and the resulting impact on an asset.
Risk acceptance
A documented, management-approved decision to tolerate a risk and its potential impact.
Risk avoidance
Eliminating a risk by ceasing the activity that creates it.
Risk mitigation
Reducing risk to an acceptable level by implementing controls.
Risk transference
Shifting the financial impact of a risk to a third party, such as through insurance.
Role-based access control (RBAC)
Access granted by job role rather than the individual; scales well in enterprises.
Secure SDLC
Building security into every phase of the software development lifecycle rather than testing for it at the end.
Security audit
An independent, systematic evaluation of controls against a standard or policy.
Separation of duties
Splitting a sensitive task so no single person can complete it alone, reducing fraud and error.
SIEM
Security Information and Event Management — a system that aggregates and correlates logs for detection and analysis.
Single Loss Expectancy (SLE)
The expected monetary loss from a single occurrence of a risk: SLE = Asset Value × Exposure Factor.
Single sign-on (SSO)
One authentication that grants access to multiple systems (e.g., via Kerberos or SAML).
SQL injection
An attack that inserts malicious SQL through unvalidated input to read or alter a database.
STRIDE
A threat-modeling taxonomy: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
Symmetric encryption
Encryption using one shared secret key for both encrypting and decrypting (e.g., AES); fast, but key distribution is hard.
Threat
Any potential event or actor that could cause harm to an asset by exploiting a vulnerability.
Threat modeling
Systematically identifying and prioritizing threats to a system during design (e.g., using STRIDE).
Trusted Computing Base (TCB)
The totality of hardware, software, and firmware that enforces a system's security policy.
Vulnerability
A weakness in a system, process, or control that a threat can exploit.
Vulnerability scan
An automated check that identifies known weaknesses without exploiting them.

CISSP Study Guide FAQ

The English CISSP exam uses Computerized Adaptive Testing (CAT): 100 to 150 items in 3 hours. The number you see varies because the test adapts to your performance. It includes multiple-choice and advanced innovative item types. Non-English linear exams have 250 items in 6 hours.

References

  1. ISC2. “CISSP Certification Exam Outline (effective April 15, 2024).” isc2.org.
  2. ISC2. “CISSP — Certified Information Systems Security Professional.” isc2.org.
  3. ISC2. “ISC2 Code of Ethics.” isc2.org.
  4. National Institute of Standards and Technology. “SP 800-30 Rev. 1: Guide for Conducting Risk Assessments.” csrc.nist.gov.
  5. National Institute of Standards and Technology. “SP 800-53 Rev. 5: Security and Privacy Controls.” csrc.nist.gov.
  6. National Institute of Standards and Technology. “SP 800-61 Rev. 2: Computer Security Incident Handling Guide.” csrc.nist.gov.
  7. National Institute of Standards and Technology. “SP 800-63: Digital Identity Guidelines.” csrc.nist.gov.
  8. National Institute of Standards and Technology. “SP 800-88 Rev. 1: Guidelines for Media Sanitization.” csrc.nist.gov.
  9. International Organization for Standardization. “ISO/IEC 27001 — Information Security Management Systems.” iso.org.
  10. OWASP Foundation. “OWASP Top 10 Web Application Security Risks.” owasp.org.
  11. National Institute of Standards and Technology. “Cryptographic Standards and Guidelines.” csrc.nist.gov, accessed 19 June 2026.
  12. National Institute of Standards and Technology. “SP 800-115: Technical Guide to Information Security Testing.” csrc.nist.gov, accessed 19 June 2026.
  13. National Institute of Standards and Technology. “SP 800-34: Contingency Planning Guide.” csrc.nist.gov, accessed 19 June 2026.
  14. National Institute of Standards and Technology. “SP 800-218: Secure Software Development Framework (SSDF).” csrc.nist.gov, accessed 19 June 2026.