
CISSP Study Path -- Certified Information Systems Security Professional

Study Path Overview

This comprehensive 12-week study path prepares you for the ISC2 CISSP (Certified Information Systems Security Professional) exam. It maps all 8 CBK domains to specific Nexus SecOps chapters, labs, and scenarios, and includes 80 practice questions with detailed explanations.

  • Certification: CISSP (ISC2)
  • Exam Format: CAT (Computerized Adaptive Testing), 100 to 150 questions
  • Duration: 3 hours
  • Passing Score: 700 out of 1000 (scaled)
  • Cost: USD 749 (as of 2026)
  • Prerequisites: 5 years of cumulative paid work experience in 2 or more of the 8 domains
  • Endorsement: Required by an existing ISC2 member within 9 months of passing


Table of Contents

  1. About CISSP
  2. The 8 Domains
  3. Domain Mapping to Nexus Chapters
  4. 12-Week Study Schedule
  5. Practice Questions -- 80 Total
  6. Exam Day Tips
  7. Post-Exam -- Endorsement and Maintenance
  8. Resources and References

About CISSP

What is CISSP?

The Certified Information Systems Security Professional (CISSP) is a globally recognized certification offered by ISC2 (the International Information System Security Certification Consortium, formerly styled (ISC)2). It is widely regarded as the gold standard for information security professionals and validates your ability to design, implement, and manage a best-in-class cybersecurity program.

Why CISSP?

  • Industry Recognition: Often listed as a mandatory or preferred certification for senior security roles.
  • DoD 8570/8140 Approval: Meets IAT Level III, IAM Level II and III, and IASAE I and II requirements.
  • ANSI/ISO/IEC 17024 Accredited: One of the most rigorous security certifications.
  • Salary Impact: CISSP holders in North America earn an average of USD 140,000+ per year.
  • Global Reach: Recognized in over 170 countries.

The Common Body of Knowledge (CBK)

The CISSP exam is built around the ISC2 Common Body of Knowledge (CBK), a framework of universally accepted industry knowledge and best practices. The CBK is divided into 8 domains, each covering a specific area of information security.

The CBK is updated periodically (the current version took effect April 15, 2024, and remains in force through 2026). Candidates must demonstrate mastery across all 8 domains, not just depth in one.

Exam Format -- CAT

CISSP uses Computerized Adaptive Testing (CAT) for English-language exams:

  • Question count: Variable, between 100 and 150 questions
  • Time limit: 3 hours
  • Item types: Multiple choice and advanced innovative items (drag-and-drop, hotspot)
  • Adaptive scoring: The test adjusts difficulty based on your performance
  • Pass/fail: Determined by your ability estimate, not raw question count
  • Non-English exams: Linear format, 250 questions, 6 hours

CAT Exam Mechanics

The CAT algorithm selects each next item from your running ability estimate: answer correctly and the next item is harder, answer incorrectly and it is easier. You cannot skip items or return to previously answered ones. Every candidate answers a minimum of 100 items, 25 of which are unscored pretest items mixed in with the scored ones. After item 100 the exam ends as soon as the algorithm is 95% confident of your pass/fail status, when you reach 150 items, or when the 3-hour limit expires.

Many candidates finish in under 120 questions. Do not panic if your exam ends at question 100: it means the algorithm was already confident of the result, whether a clear pass or a clear fail.

Prerequisites

To earn the CISSP, you must:

  1. Have 5 years of cumulative paid work experience in 2 or more of the 8 CBK domains.
    • A 4-year college degree OR approved credential waives 1 year.
    • Part-time work (20-34 hours/week) counts proportionally.
    • Internships count if documented.
  2. Pass the CISSP exam (700/1000 scaled score).
  3. Agree to the ISC2 Code of Ethics.
  4. Get endorsed by an active ISC2 certified professional within 9 months of passing.
  5. Pay the Annual Maintenance Fee (AMF) of USD 135.
  6. Earn 40 CPE credits per year (120 over a 3-year cycle).

Associate of ISC2

If you pass the exam but lack the required experience, you become an Associate of ISC2 for up to 6 years while you accumulate the experience. Once you have 5 years, you submit documentation and become a full CISSP.

The Endorsement Process

After passing the exam, ISC2 emails you an endorsement application. An existing CISSP (or other qualifying ISC2 member) must verify your work history and attest that you meet the ethical and professional standards of the certification.

  • Timeline: Complete within 9 months of passing.
  • Endorser: Must be an active ISC2 certified professional who can validate your experience.
  • If no endorser: ISC2 itself can serve as your endorser after additional documentation review.

Annual Maintenance

To maintain your CISSP:

  • Earn 40 CPE (Continuing Professional Education) credits per year -- 120 over 3 years.
  • Pay USD 135 Annual Maintenance Fee (AMF).
  • Abide by the ISC2 Code of Ethics.

CPEs can be earned through:

  • Attending conferences (RSA, Black Hat, DEF CON, SANS).
  • Reading security books (submit title and publisher).
  • Writing articles, blogs, or whitepapers.
  • Teaching or presenting on security topics.
  • Completing vendor training.
  • Contributing to ISC2 committees.

The 8 Domains

The CISSP CBK is structured around 8 domains, each with a specific weight on the exam.

| # | Domain | Weight | Focus |
|---|---|---|---|
| 1 | Security and Risk Management | 16% | Governance, risk, compliance, ethics |
| 2 | Asset Security | 10% | Data classification, handling, retention |
| 3 | Security Architecture and Engineering | 13% | Models, cryptography, physical security |
| 4 | Communication and Network Security | 13% | Network design, protocols, channels |
| 5 | Identity and Access Management (IAM) | 13% | Identification, authentication, authorization |
| 6 | Security Assessment and Testing | 12% | Audits, testing, reporting |
| 7 | Security Operations | 13% | Investigations, IR, DR, BC |
| 8 | Software Development Security | 10% | Secure SDLC, DevSecOps, software controls |

Weights are from the ISC2 exam outline effective April 15, 2024 (Domain 1 rose from 15% to 16% and Domain 8 fell from 11% to 10% relative to the 2021 outline).
```mermaid
pie title CISSP Domain Weights
    "D1: Security and Risk Management" : 16
    "D2: Asset Security" : 10
    "D3: Security Architecture and Engineering" : 13
    "D4: Communication and Network Security" : 13
    "D5: Identity and Access Management" : 13
    "D6: Security Assessment and Testing" : 12
    "D7: Security Operations" : 13
    "D8: Software Development Security" : 10
```

Domain 1: Security and Risk Management (16%)

The largest domain. Covers foundational concepts.

Key topics:

  • Professional ethics: ISC2 Code of Ethics, organizational code of ethics.
  • CIA Triad: Confidentiality, Integrity, Availability (plus Authenticity, Non-repudiation).
  • Security governance: Alignment with business strategy, organizational processes.
  • Compliance and legal: GDPR, HIPAA, PCI DSS, SOX, CCPA, privacy laws.
  • Investigations: Administrative, criminal, civil, regulatory, industry standards.
  • Security policies: Policy, standard, procedure, guideline, baseline.
  • Business continuity: BIA (Business Impact Analysis), RTO, RPO, MTD, WRT.
  • Personnel security: Candidate screening, NDAs, onboarding, offboarding.
  • Risk management: Quantitative and qualitative risk analysis, ALE, SLE, ARO.
  • Threat modeling: STRIDE, PASTA, VAST, Trike, Attack Trees.
  • Supply chain risk: Hardware, software, service providers, Third-Party Risk Management (TPRM).
  • Security awareness: Training programs, social engineering tests, metrics.

Key Formulas

  • SLE (Single Loss Expectancy) = Asset Value x Exposure Factor
  • ARO (Annualized Rate of Occurrence) = Frequency per year
  • ALE (Annualized Loss Expectancy) = SLE x ARO
  • ROSI (Return on Security Investment) = ((ALE_before - ALE_after) - Control Cost) / Control Cost

Domain 2: Asset Security (10%)

Tied with Domain 8 for the lowest weight, but critical. Covers the data lifecycle.

Key topics:

  • Information and asset classification: Public, Internal, Confidential, Restricted, Top Secret.
  • Data ownership: Data owner, data custodian, data steward, data subject, data processor.
  • Asset handling: Marking, labeling, storing, transporting, destroying.
  • Data lifecycle: Create, Store, Use, Share, Archive, Destroy (CSUSAD).
  • Data states: At rest, in transit, in use.
  • Data security controls: Encryption, DLP, DRM, tokenization, anonymization.
  • Data retention and destruction: Legal holds, secure deletion, degaussing, shredding.
  • Privacy: PII, PHI, GDPR data subject rights, data minimization.

Domain 3: Security Architecture and Engineering (13%)

Deep technical domain. Heavy on cryptography.

Key topics:

  • Security models: Bell-LaPadula (confidentiality), Biba (integrity), Clark-Wilson (well-formed transactions), Brewer-Nash (Chinese Wall).
  • Evaluation criteria: TCSEC (Orange Book), ITSEC, Common Criteria (EAL1-EAL7).
  • System architecture: Rings of protection, trusted computing base (TCB), reference monitor.
  • Cryptography: Symmetric (AES, DES, 3DES), asymmetric (RSA, ECC, ECDSA), hashing (SHA-2, SHA-3, MD5).
  • PKI: Certificate Authorities, Registration Authorities, CRLs, OCSP, X.509.
  • Cryptographic attacks: Brute force, birthday, rainbow table, MITM, known plaintext, chosen ciphertext.
  • Physical security: Perimeter, facility, internal controls (fences, locks, lighting, CCTV, mantraps).
  • Fire suppression: Class A/B/C/D/K fires, wet/dry pipe, pre-action, deluge.
  • Secure design principles: Least privilege, defense in depth, secure defaults, fail-safe.

Domain 4: Communication and Network Security (13%)

Classic networking domain with a security lens.

Key topics:

  • OSI and TCP/IP models: 7 layers (Physical, Data Link, Network, Transport, Session, Presentation, Application).
  • Network protocols: TCP, UDP, IP, ICMP, ARP, DNS, DHCP.
  • Secure protocols: TLS 1.3, IPsec, SSH, HTTPS, SFTP, SNMPv3.
  • Network topology: Bus, star, ring, mesh, hybrid.
  • Segmentation: VLANs, subnets, DMZ, microsegmentation, Zero Trust.
  • Network attacks: DDoS, ARP spoofing, DNS poisoning, session hijacking, MITM.
  • Wireless: 802.11 standards, WPA2/WPA3, Bluetooth, cellular, NFC.
  • Firewalls: Packet filter, stateful, application proxy, NGFW, WAF.
  • IDS/IPS: Signature-based, anomaly-based, NIDS, HIDS.
  • VPN: Site-to-site, remote access, IPsec (AH, ESP), SSL/TLS VPN.
  • Converged protocols: iSCSI, FCoE, VoIP, InfiniBand.
  • Software-defined networking (SDN) and NFV.

Domain 5: Identity and Access Management (13%)

Focused on who gets what access, when, and how.

Key topics:

  • Identification vs authentication vs authorization vs accounting (IAAA).
  • Authentication factors: Something you know, have, are, do, where you are.
  • MFA: TOTP, HOTP, push, FIDO2/WebAuthn, hardware tokens (YubiKey).
  • Biometrics: FRR, FAR, CER/EER, enrollment, retention.
  • SSO: Kerberos (KDC, TGT, tickets), SAML, OAuth 2.0, OIDC.
  • Federated identity: SAML assertions, IdP, SP, RP.
  • Access control models: DAC, MAC, RBAC, ABAC, rule-based.
  • Session management: Session tokens, timeout, revocation.
  • Account provisioning: JML (Joiner, Mover, Leaver), privileged access management (PAM).
  • Directory services: LDAP, Active Directory, Azure AD / Entra ID.
  • Access control attacks: Privilege escalation, pass-the-hash, Kerberoasting, credential stuffing.
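FRR, FAR and CER are usually memorized as definitions. The following added example (written for this page, not taken from the original study guide or from any vendor) shows how they are actually produced: sweep a match threshold over two populations of matcher scores and watch the two error rates trade off against each other. The score lists, the 0-100 scale and every function name are constructed for illustration.

```python
"""Added example, not from the original study guide: compute FAR, FRR and
the crossover error rate (CER/EER) for a biometric matcher by sweeping the
match threshold over constructed similarity scores. All scores are made up."""

# Constructed sample data (not real sensor output): similarity scores 0-100.
# GENUINE = the enrolled user's own attempts (two weak ones, e.g. a smudged
# sensor); IMPOSTOR = other people's attempts (two unusually strong ones).
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 73, 70, 55, 48]
IMPOSTOR_SCORES = [64, 60, 58, 55, 50, 45, 42, 38, 33, 20]


def far(threshold, impostor_scores=IMPOSTOR_SCORES):
    """False Acceptance Rate (Type II error): impostors scoring at or above
    the threshold are wrongly accepted."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(threshold, genuine_scores=GENUINE_SCORES):
    """False Rejection Rate (Type I error): genuine users scoring below the
    threshold are wrongly rejected."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def tradeoff_table(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """(threshold, FAR, FRR) rows: raising the threshold drives FAR down and
    FRR up, which is the whole tuning problem."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in thresholds]


def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (threshold, CER): the first threshold in a 0-100 sweep where
    FAR and FRR are closest, and the error rate there. Lower CER means a
    more accurate matcher; CER is how devices are compared, not the
    threshold at which a high-security system is deployed."""
    best = None  # (gap, threshold, cer)
    for t in range(101):
        a, r = far(t, impostor), frr(t, genuine)
        if best is None or abs(a - r) < best[0]:
            best = (abs(a - r), t, (a + r) / 2)
    return best[1], best[2]


def threshold_for_max_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Deployment choice for a high-security door: the lowest threshold
    (least user friction) whose FAR does not exceed max_far, together with
    the FRR you pay for it."""
    for t in range(101):
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)
    return 101, 1.0  # nothing is ever accepted


if __name__ == "__main__":
    for t, a, r in tradeoff_table(range(40, 81, 10)):
        print(f"threshold {t:3d}: FAR {a:.1f}  FRR {r:.1f}")
    print("CER at threshold %d = %.2f" % crossover())
    print("FAR <= 0 needs threshold %d (FRR %.1f)" % threshold_for_max_far(0.0))
```

With these constructed scores the crossover sits at threshold 59 with CER 0.2, while zero false acceptance needs threshold 65 and rejects one genuine attempt in five: the exam point is that CER characterizes the device, and the operating threshold is a policy decision that deliberately favours FRR over FAR where the asset is sensitive.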

Domain 6: Security Assessment and Testing (12%)

Validating controls work as designed.

Key topics:

  • Assessment strategies: Internal, external, third-party.
  • Security testing: Vulnerability scans, penetration testing (black/gray/white box), red team, purple team.
  • Code review: Static (SAST), dynamic (DAST), interactive (IAST), manual review.
  • Testing reports: Executive summary, technical findings, risk ratings, remediation.
  • Log reviews: SIEM, log correlation, alerting, retention.
  • Synthetic transactions: Application monitoring, uptime checks.
  • Compliance audits: SOC 1/2/3, ISO 27001, PCI DSS ROC/SAQ.
  • KPIs and KRIs: Key Performance Indicators, Key Risk Indicators.
  • Continuous monitoring: NIST SP 800-137, ConMon.

Domain 7: Security Operations (13%)

Day-to-day operational security.

Key topics:

  • Investigations: Evidence collection, chain of custody, forensics, digital evidence.
  • Logging and monitoring: Security Operations Center (SOC), SIEM, UEBA, EDR.
  • Incident management: Detection, response, mitigation, reporting, recovery, remediation, lessons learned.
  • Disaster recovery (DR): Hot site, warm site, cold site, mobile site, reciprocal agreement.
  • Business continuity (BC): BIA, RTO, RPO, MTD, WRT, BCP testing.
  • Backup strategies: Full, differential, incremental, synthetic, 3-2-1 rule.
  • Patch and vulnerability management: Patch testing, emergency patching, CVSS.
  • Change management: RFC, CAB, emergency changes, rollback.
  • Configuration management: Baselines, drift detection, SCAP.
  • Physical security: Site selection, guards, dogs, surveillance, badges, piggybacking prevention.
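Backup strategy questions turn on two things: which sets a restore needs, and how backup volume grows through the week. The following added example (written for this page, not from the original study guide or any backup product) computes both for full, differential and incremental rotations. The weekly schedule, the change volumes and all function names are constructed; the storage model assumes each day's changed data is distinct, which is the simplifying assumption that makes differential growth obvious.

```python
"""Added example, not from the original study guide: which backup sets a
restore needs, and how much backup storage a week costs, under full,
differential and incremental schedules. The rotation (one full backup on
Sunday, one backup of the chosen type every other day) and the change
volumes are constructed for illustration."""

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def restore_set(strategy, restore_day, full_day="Sun"):
    """Backup sets to apply, in order, to restore to the end of restore_day.

    full         -> that day's full backup only.
    differential -> last full + the newest differential (each differential
                    holds everything changed since the last full).
    incremental  -> last full + every incremental since it, oldest first
                    (each incremental holds only changes since the previous
                    backup of any kind).
    """
    if strategy not in ("full", "differential", "incremental"):
        raise ValueError(f"unknown strategy {strategy!r}")
    if strategy == "full":
        return [f"full-{restore_day}"]
    # Walk the week starting at the full backup so wrap-around works
    # (e.g. a Friday full restored on the following Monday).
    start = DAYS.index(full_day)
    week = DAYS[start:] + DAYS[:start]
    partial_days = week[1 : week.index(restore_day) + 1]  # days after the full
    sets = [f"full-{full_day}"]
    if not partial_days:
        return sets
    if strategy == "differential":
        return sets + [f"diff-{partial_days[-1]}"]
    return sets + [f"incr-{d}" for d in partial_days]


def weekly_volume(strategy, full_size, daily_changes):
    """Total data written over a week: one full of full_size on the first
    day, then one backup per entry of daily_changes, where daily_changes[i]
    is the amount of data changed on day i+1. Assumes each day's changes
    are distinct (no file changed twice)."""
    if strategy == "full":
        return full_size * (1 + len(daily_changes))
    if strategy == "incremental":
        return full_size + sum(daily_changes)
    if strategy == "differential":
        running, total = 0, full_size
        for change in daily_changes:
            running += change  # a differential carries all changes since the full
            total += running
        return total
    raise ValueError(f"unknown strategy {strategy!r}")


if __name__ == "__main__":
    changes = [10, 10, 10, 10, 10, 10]  # GB changed Mon..Sat (constructed)
    for s in ("full", "differential", "incremental"):
        print(f"{s:12s} restore Thu: {restore_set(s, 'Thu')}"
              f"  weekly volume: {weekly_volume(s, 100, changes)} GB")
```

The trade-off the exam wants you to state: incremental backups are the smallest and fastest to take but need the longest, most fragile restore chain (lose one incremental and everything after it is unrecoverable); differentials grow daily but restore from exactly two sets; daily fulls are simplest to restore and by far the most storage.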

Domain 8: Software Development Security (10%)

Building secure software.

Key topics:

  • SDLC models: Waterfall, Agile, Spiral, DevOps, DevSecOps.
  • Security in SDLC: Requirements, design, implementation, testing, deployment, maintenance.
  • Secure coding: Input validation, output encoding, parameterized queries, error handling.
  • OWASP Top 10: Injection, broken auth, XSS, XXE, insecure deserialization, SSRF.
  • Secure design patterns: Least privilege, defense in depth, fail securely.
  • Application security testing: SAST, DAST, IAST, SCA, dependency scanning.
  • API security: OWASP API Top 10, authentication, rate limiting, input validation.
  • DevSecOps: CI/CD security gates, shift-left, IaC scanning.
  • Database security: ACID, views, stored procedures, polyinstantiation, aggregation, inference.
  • Maturity models: SAMM (Software Assurance Maturity Model), BSIMM.

Domain Mapping to Nexus Chapters

This section maps each CISSP domain to specific Nexus SecOps chapters. Study the Nexus chapters first to build intuition, then use a dedicated CISSP prep book to fill gaps.

Domain 1 Mapping -- Security and Risk Management

| CISSP Topic | Nexus Chapter |
|---|---|
| Governance, privacy, risk | ch13-security-governance-privacy-risk.md |
| Threat modeling | Chapter 54 -- Threat Modeling |
| Security program leadership | ch40-security-program-leadership.md |
| Privacy engineering | Chapter 55 -- Privacy Engineering |
| Compliance (GDPR, HIPAA, PCI DSS) | ch13-security-governance-privacy-risk.md |

Domain 2 Mapping -- Asset Security

| CISSP Topic | Nexus Chapter |
|---|---|
| Data classification and handling | ch13-security-governance-privacy-risk.md |
| Data lifecycle and retention | Chapter 55 -- Privacy Engineering |
| DLP, tokenization | ch40-security-program-leadership.md |

Domain 3 Mapping -- Security Architecture and Engineering

| CISSP Topic | Nexus Chapter |
|---|---|
| Applied cryptography | ch32-cryptography-applied.md |
| Cloud architecture | ch20-cloud-attack-defense.md |
| Security architecture patterns | ch31-network-security-architecture.md |

Domain 4 Mapping -- Communication and Network Security

| CISSP Topic | Nexus Chapter |
|---|---|
| Network security architecture | ch31-network-security-architecture.md |
| Cloud networking | ch20-cloud-attack-defense.md |
| TLS, IPsec, VPN | ch32-cryptography-applied.md |

Domain 5 Mapping -- Identity and Access Management

| CISSP Topic | Nexus Chapter |
|---|---|
| Identity and access security | ch33-identity-access-security.md |
| SSO, SAML, OIDC | ch33-identity-access-security.md |
| Kerberos, LDAP, AD | ch33-identity-access-security.md |

Domain 6 Mapping -- Security Assessment and Testing

| CISSP Topic | Nexus Chapter |
|---|---|
| Security program leadership | ch40-security-program-leadership.md |
| DevSecOps pipeline testing | ch35-devsecops-pipeline.md |
| Purple team exercises | Purple Team Framework |

Domain 7 Mapping -- Security Operations

| CISSP Topic | Nexus Chapter |
|---|---|
| Incident response lifecycle | ch09-incident-response-lifecycle.md |
| Cloud forensics | Chapter 57 -- Cloud Forensics |
| Disaster recovery, business continuity | ch40-security-program-leadership.md |

Domain 8 Mapping -- Software Development Security

| CISSP Topic | Nexus Chapter |
|---|---|
| DevSecOps pipeline | ch35-devsecops-pipeline.md |
| Application security | ch35-devsecops-pipeline.md |
| API security | API Security Chapter |

```mermaid
graph TD
    A[CISSP Exam] --> D1[Domain 1: Risk Mgmt 16%]
    A --> D2[Domain 2: Asset Security 10%]
    A --> D3[Domain 3: Architecture 13%]
    A --> D4[Domain 4: Network 13%]
    A --> D5[Domain 5: IAM 13%]
    A --> D6[Domain 6: Assessment 12%]
    A --> D7[Domain 7: Operations 13%]
    A --> D8[Domain 8: Software 10%]

    D1 --> Ch13[Ch13: Governance]
    D1 --> Ch40[Ch40: Leadership]
    D1 --> Ch54[Ch54: Threat Modeling]
    D1 --> Ch55[Ch55: Privacy]

    D2 --> Ch13
    D2 --> Ch55

    D3 --> Ch32[Ch32: Cryptography]
    D3 --> Ch31[Ch31: Network Arch]
    D3 --> Ch20[Ch20: Cloud]

    D4 --> Ch31
    D4 --> Ch20
    D4 --> Ch32

    D5 --> Ch33[Ch33: IAM]

    D6 --> Ch40
    D6 --> Ch35[Ch35: DevSecOps]

    D7 --> Ch09[Ch09: IR Lifecycle]
    D7 --> Ch57[Ch57: Cloud Forensics]
    D7 --> Ch40

    D8 --> Ch35

    style A fill:#4a5568,color:#fff
    style Ch09 fill:#2d3748,color:#fff
    style Ch13 fill:#2d3748,color:#fff
    style Ch20 fill:#2d3748,color:#fff
    style Ch31 fill:#2d3748,color:#fff
    style Ch32 fill:#2d3748,color:#fff
    style Ch33 fill:#2d3748,color:#fff
    style Ch35 fill:#2d3748,color:#fff
    style Ch40 fill:#2d3748,color:#fff
```

12-Week Study Schedule

Study Strategy

Plan for 15-20 hours per week of focused study. CISSP is a marathon, not a sprint. The exam tests breadth, so do not get tunnel vision on one domain.

Use the Sybex Official Study Guide (9th edition) and the CISSP All-in-One Exam Guide (Shon Harris / Fernando Maymi) as your primary references. Supplement with Nexus chapters for practical intuition.

```mermaid
gantt
    title CISSP 12-Week Study Schedule
    dateFormat  YYYY-MM-DD
    axisFormat  Week %W

    section Foundation
    Week 1: Domain 1 Part 1       :w1, 2026-01-05, 7d
    Week 2: Domain 1 Part 2 + D2  :w2, after w1, 7d

    section Architecture
    Week 3: Domain 3 Part 1 (Models) :w3, after w2, 7d
    Week 4: Domain 3 Part 2 (Crypto) :w4, after w3, 7d

    section Network and IAM
    Week 5: Domain 4 Part 1       :w5, after w4, 7d
    Week 6: Domain 4 Part 2 + D5 Part 1 :w6, after w5, 7d
    Week 7: Domain 5 Part 2       :w7, after w6, 7d

    section Assessment and Ops
    Week 8: Domain 6              :w8, after w7, 7d
    Week 9: Domain 7 Part 1       :w9, after w8, 7d
    Week 10: Domain 7 Part 2 + D8 Part 1 :w10, after w9, 7d

    section Finish
    Week 11: Domain 8 Part 2 + Review :w11, after w10, 7d
    Week 12: Full Review + Practice Exams :w12, after w11, 7d
```

Week 1 -- Domain 1 Part 1: Governance and Risk

Goal: Understand the foundations of security governance.

Daily reading targets (2-3 hours/day):

  • Monday: ISC2 Code of Ethics, CIA Triad, AAA, least privilege, separation of duties. Read Sybex Ch 1 (pp 1-30).
  • Tuesday: Security governance, frameworks (ISO 27001, NIST CSF, COBIT). Sybex Ch 1 (pp 30-60).
  • Wednesday: Compliance (GDPR, HIPAA, PCI DSS, SOX). Sybex Ch 4 (pp 130-170).
  • Thursday: Personnel security, background checks, NDAs. Sybex Ch 2.
  • Friday: Risk management frameworks (NIST SP 800-30/37/39). Sybex Ch 2 (pp 60-95).
  • Saturday: Quantitative risk analysis. Practice SLE/ALE/ARO calculations (20 problems).
  • Sunday: Review + 20 Domain 1 practice questions.

Nexus chapters: ch13-security-governance-privacy-risk.md, ch40-security-program-leadership.md.

Week 2 -- Domain 1 Part 2 + Domain 2

Goal: Complete risk management; master asset security.

Daily targets:

  • Monday: Qualitative risk analysis, risk treatment (accept, avoid, transfer, mitigate). Sybex Ch 2.
  • Tuesday: Threat modeling (STRIDE, PASTA, Trike, VAST, Attack Trees). Nexus Ch 54.
  • Wednesday: BIA, RTO, RPO, MTD, WRT. Sybex Ch 3.
  • Thursday: Supply chain risk, third-party risk management. Sybex Ch 1 (pp 90-105).
  • Friday: Begin Domain 2. Data classification (public, internal, confidential, restricted). Sybex Ch 5.
  • Saturday: Data roles (owner, custodian, steward, subject, controller, processor). Data lifecycle.
  • Sunday: Data retention, destruction, DLP. Review + 30 practice questions.

Nexus chapters: ch13-security-governance-privacy-risk.md, Chapter 55 -- Privacy Engineering.

Week 3 -- Domain 3 Part 1: Security Models and Architecture

Goal: Master formal security models and evaluation criteria.

Daily targets:

  • Monday: Bell-LaPadula (no read up, no write down). Sybex Ch 8.
  • Tuesday: Biba (no read down, no write up). Clark-Wilson (well-formed transactions).
  • Wednesday: Brewer-Nash (Chinese Wall), Graham-Denning, Harrison-Ruzzo-Ullman.
  • Thursday: TCSEC (Orange Book) levels. ITSEC. Common Criteria (EAL1-EAL7).
  • Friday: Trusted Computing Base (TCB), reference monitor, security kernel.
  • Saturday: Rings of protection, process isolation, memory management.
  • Sunday: Review + 20 practice questions. Build a mental map of all models.

Models Are Heavily Tested

Expect multiple questions comparing Bell-LaPadula to Biba. Remember the mnemonics:

  • Bell-LaPadula = Confidentiality (no read up, no write down).
  • Biba = Integrity (no read down, no write up).
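The two models as an executable reference monitor, added here as an illustration (it is not part of the original study guide or of any ISC2 material): a constructed four-level lattice (PUBLIC < INTERNAL < CONFIDENTIAL < SECRET) and two rule sets, so you can see that Biba is Bell-LaPadula with every comparison flipped. The level names, the `decide` entry point and the subjects in the demo are all made up for the example.

```python
"""Added example, not from the original study guide: a toy reference monitor
that decides read/write requests under Bell-LaPadula (confidentiality) and
Biba (integrity) over a constructed four-level lattice. Level names and the
sample requests are made up for illustration."""

from enum import IntEnum


class Level(IntEnum):
    # Constructed linear lattice. Under BLP a higher value means more
    # sensitive (clearance/classification); under Biba it means more
    # trustworthy (integrity level).
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula: simple security property (no read up) and
    *-property (no write down). Subject clearance vs object classification."""
    if op == "read":
        return subject >= obj  # may only read at or below own clearance
    if op == "write":
        return subject <= obj  # may only write at or above own clearance
    raise ValueError(f"unknown op {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba: simple integrity property (no read down) and *-integrity
    property (no write up). Subject integrity vs object integrity."""
    if op == "read":
        return subject <= obj  # may only read at or above own integrity
    if op == "write":
        return subject >= obj  # may only write at or below own integrity
    raise ValueError(f"unknown op {op!r}")


def decide(model: str, subject: Level, obj: Level, op: str) -> bool:
    """Reference-monitor entry point: every access request is mediated here,
    which is the 'complete mediation' property the exam pairs with the TCB."""
    rules = {"blp": blp_allows, "biba": biba_allows}
    return rules[model](subject, obj, op)


def decision_matrix(model: str, op: str) -> dict:
    """(subject level name, object level name) -> allowed, for one operation.
    Comparing the BLP and Biba matrices shows they are transposes of each other."""
    return {(s.name, o.name): decide(model, s, o, op) for s in Level for o in Level}


if __name__ == "__main__":
    # A SECRET-cleared analyst reading an INTERNAL memo: BLP allows it (read
    # down), Biba forbids it (lower-integrity data must not contaminate the
    # analyst's higher-integrity work).
    print("BLP  read down :", decide("blp", Level.SECRET, Level.INTERNAL, "read"))
    print("Biba read down :", decide("biba", Level.SECRET, Level.INTERNAL, "read"))
    # A PUBLIC-cleared process writing into a SECRET file: BLP allows it
    # (a blind write up), Biba forbids it (low-integrity source must not
    # taint a high-integrity object).
    print("BLP  write up  :", decide("blp", Level.PUBLIC, Level.SECRET, "write"))
    print("Biba write up  :", decide("biba", Level.PUBLIC, Level.SECRET, "write"))
```

The "blind write up" that BLP permits is the classic follow-up question: it protects confidentiality but lets a low-clearance subject corrupt a high-classification object, which is exactly the gap Biba closes and why real systems layer both or add an integrity control such as Clark-Wilson on top.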

Week 4 -- Domain 3 Part 2: Cryptography

Goal: Build deep intuition for cryptographic systems.

Daily targets:

  • Monday: Symmetric encryption (AES, DES, 3DES, RC4, Blowfish). Modes of operation (ECB, CBC, CTR, GCM). Sybex Ch 7.
  • Tuesday: Asymmetric encryption (RSA, DH, ECC, DSA). Key exchange.
  • Wednesday: Hashing (MD5, SHA-1, SHA-2, SHA-3). HMAC. Digital signatures.
  • Thursday: PKI. X.509 certificates. CA, RA, CRL, OCSP.
  • Friday: TLS handshake. IPsec (AH, ESP, tunnel vs transport). Nexus Ch 32.
  • Saturday: Cryptographic attacks (brute force, birthday, rainbow, MITM, known plaintext, chosen ciphertext).
  • Sunday: Physical security. Fire classes. Review + 25 practice questions.

Nexus chapters: ch32-cryptography-applied.md.

Week 5 -- Domain 4 Part 1: Networking Foundations

Goal: Solidify OSI model and protocol security.

Daily targets:

  • Monday: OSI 7 layers. Protocols at each layer. Sybex Ch 11.
  • Tuesday: TCP/IP model, TCP handshake, UDP. IP addressing, subnetting.
  • Wednesday: DNS, DHCP, ARP. DNSSEC. DoH/DoT.
  • Thursday: Routing (OSPF, BGP, RIP). Switching (STP, VLANs).
  • Friday: Firewalls (packet filter, stateful, application, NGFW, WAF). Sybex Ch 12.
  • Saturday: IDS/IPS. Network segmentation. DMZ. Nexus Ch 31.
  • Sunday: Review + 25 practice questions.

Nexus chapters: ch31-network-security-architecture.md.

Week 6 -- Domain 4 Part 2 + Domain 5 Part 1

Goal: Wireless, VPN, converged protocols. Start IAM.

Daily targets:

  • Monday: Wireless (802.11a/b/g/n/ac/ax). WEP, WPA, WPA2, WPA3. Bluetooth security.
  • Tuesday: VPN (IPsec, SSL/TLS VPN, split tunnel vs full tunnel).
  • Wednesday: Converged protocols (iSCSI, FCoE, VoIP, SIP). SDN, NFV.
  • Thursday: Network attacks (DDoS, MITM, ARP spoofing, DNS poisoning, session hijacking).
  • Friday: Begin Domain 5. IAAA (Identification, Authentication, Authorization, Accounting). Sybex Ch 13.
  • Saturday: Authentication factors. MFA. Biometrics (FRR, FAR, CER).
  • Sunday: Review + 30 practice questions.

Week 7 -- Domain 5 Part 2: Federated Identity and Access Control

Goal: Master SSO, federation, and access control models.

Daily targets:

  • Monday: Kerberos (KDC, AS, TGS, TGT, service tickets). Full authentication flow. Sybex Ch 14.
  • Tuesday: SAML (assertions, IdP, SP). OAuth 2.0 flows. OpenID Connect.
  • Wednesday: Access control models (DAC, MAC, RBAC, ABAC, rule-based).
  • Thursday: Privileged access management (PAM). Just-in-time access.
  • Friday: Account lifecycle (JML). Identity governance.
  • Saturday: IAM attacks (pass-the-hash, Kerberoasting, credential stuffing). Nexus Ch 33.
  • Sunday: Review + 30 practice questions.

Nexus chapters: ch33-identity-access-security.md.

Week 8 -- Domain 6: Security Assessment and Testing

Goal: Understand how to test controls.

Daily targets:

  • Monday: Assessment types (vulnerability scan, pentest, red team, purple team). Sybex Ch 15.
  • Tuesday: SAST, DAST, IAST, SCA. When to use each.
  • Wednesday: Log reviews. SIEM. Audit logs. Clipping levels.
  • Thursday: Compliance audits (SOC 1/2/3, ISO 27001, PCI DSS ROC/SAQ).
  • Friday: KPIs, KRIs. Security metrics. Security awareness program metrics.
  • Saturday: Continuous monitoring (NIST SP 800-137). Nexus Ch 35.
  • Sunday: Review + 25 practice questions.

Nexus chapters: ch35-devsecops-pipeline.md, Purple Team Framework.

Week 9 -- Domain 7 Part 1: Incident Response and Forensics

Goal: Master IR lifecycle and digital forensics.

Daily targets:

  • Monday: IR lifecycle (detection, response, mitigation, reporting, recovery, remediation, lessons learned). Sybex Ch 17.
  • Tuesday: Forensics. Chain of custody. Evidence types (real, documentary, demonstrative, testimonial).
  • Wednesday: Digital evidence collection (volatile data, order of volatility).
  • Thursday: Legal investigations (criminal, civil, regulatory, administrative).
  • Friday: Logging and monitoring. SOC, SIEM, UEBA, EDR.
  • Saturday: Cloud forensics. Nexus Ch 57.
  • Sunday: Review + 25 practice questions.

Nexus chapters: ch09-incident-response-lifecycle.md, Chapter 57 -- Cloud Forensics.

Week 10 -- Domain 7 Part 2 + Domain 8 Part 1

Goal: DR/BC and start software security.

Daily targets:

  • Monday: Disaster recovery sites (hot, warm, cold, mobile, reciprocal). Sybex Ch 18.
  • Tuesday: Backup strategies (full, differential, incremental, 3-2-1 rule).
  • Wednesday: DR testing (checklist, tabletop, parallel, full interruption).
  • Thursday: BCP process. BIA revisited.
  • Friday: Begin Domain 8. SDLC models (Waterfall, Agile, DevOps).
  • Saturday: Secure coding. OWASP Top 10. Input validation.
  • Sunday: Review + 30 practice questions.

Nexus chapters: ch40-security-program-leadership.md.

Week 11 -- Domain 8 Part 2 + Review

Goal: Finish Domain 8 and begin cross-domain review.

Daily targets:

  • Monday: Database security (ACID, polyinstantiation, aggregation, inference). Sybex Ch 21.
  • Tuesday: SAST, DAST, IAST, SCA. Dependency scanning. SBOM.
  • Wednesday: DevSecOps. CI/CD security gates. Shift-left. IaC scanning.
  • Thursday: API security. OWASP API Top 10.
  • Friday: Maturity models (SAMM, BSIMM).
  • Saturday: Full-length practice exam 1 (150 questions, timed).
  • Sunday: Review errors. Focus on weakest domains.

Nexus chapters: ch35-devsecops-pipeline.md.

Week 12 -- Full Review and Practice Exams

Goal: Peak readiness.

Daily targets:

  • Monday: Full-length practice exam 2. Focus on time management.
  • Tuesday: Review all incorrect answers. Create flashcards for weak areas.
  • Wednesday: Full-length practice exam 3. Different provider.
  • Thursday: Review models, crypto, legal compliance (heavily tested).
  • Friday: Full-length practice exam 4. Target 80%+ consistently.
  • Saturday: Light review. Rest. Do NOT cram.
  • Sunday: Exam day (or rest day before if Monday exam). Sleep 8 hours. Eat well. Arrive early.

Practice Exam Sources

  • ISC2 Official Practice Tests (Sybex, 2nd ed)
  • Boson ExSim CISSP (harder than the real exam)
  • ThorTeaches CISSP practice questions
  • CCCure CISSP Quiz Engine

Practice Questions

This section contains 80 practice questions -- 10 per domain. Each question is scenario-based with 4 answer choices and a collapsible detailed explanation.

Use These Correctly

Do not just memorize answers. Read the explanation, understand why the correct answer is correct AND why the other three are wrong. CISSP exam questions often have two plausible answers; you must pick the best one.

Domain 1: Security and Risk Management -- Questions 1 to 10

Question 1

A security architect at a hospital is designing a new patient records system. Which of the following BEST represents the primary concern from a regulatory compliance perspective?

  • A. Ensuring the system uses AES-256 encryption at rest
  • B. Ensuring compliance with HIPAA and associated Privacy and Security Rules
  • C. Implementing multi-factor authentication for all clinicians
  • D. Deploying a Web Application Firewall in front of the patient portal
Answer and Explanation

Correct: B. Ensuring compliance with HIPAA and associated Privacy and Security Rules

The question asks for the primary regulatory compliance concern. HIPAA (Health Insurance Portability and Accountability Act) is the US federal law governing Protected Health Information (PHI). While A, C, and D are all good technical controls, they are means to achieve the regulatory goal -- not the goal itself. The CISSP exam frequently tests your ability to distinguish governance/compliance objectives from the technical controls that implement them.

Question 2

An organization experiences a data breach and discovers that an administrator granted a user excessive permissions 18 months ago. The permissions were never reviewed. Which security principle was MOST directly violated?

  • A. Defense in depth
  • B. Separation of duties
  • C. Least privilege
  • D. Due care
Answer and Explanation

Correct: C. Least privilege

Least privilege means users should have only the minimum access needed to perform their job. The scenario describes excessive permissions that were granted and not reviewed -- a direct violation of least privilege. Defense in depth (A) is about layered controls. Separation of duties (B) is about splitting responsibilities to prevent fraud. Due care (D) is the legal standard of reasonable action, which is related but less direct.

Question 3

Which of the following is the FIRST step in the risk management process per NIST SP 800-39?

  • A. Risk assessment
  • B. Risk framing
  • C. Risk response
  • D. Risk monitoring
Answer and Explanation

Correct: B. Risk framing

NIST SP 800-39 defines the risk management process as: Frame, Assess, Respond, Monitor. Framing establishes the context (risk tolerance, constraints, assumptions) BEFORE you can assess risks. This is a common trap question -- candidates often pick assessment (A) because it is the most visible activity, but framing precedes it.

Question 4

An asset valued at USD 200,000 has an exposure factor of 25% for a specific threat. The threat occurs on average twice per year. What is the ALE?

  • A. USD 50,000
  • B. USD 100,000
  • C. USD 25,000
  • D. USD 400,000
Answer and Explanation

Correct: B. USD 100,000

SLE = Asset Value x Exposure Factor = 200,000 x 0.25 = 50,000. ALE = SLE x ARO = 50,000 x 2 = 100,000.

Memorize this formula chain. Expect 2-3 quantitative risk questions on the actual exam.

Question 5

An employee in the finance department is also assigned to audit financial transactions. What security principle is MOST directly violated?

  • A. Least privilege
  • B. Separation of duties
  • C. Mandatory vacation
  • D. Job rotation
Answer and Explanation

Correct: B. Separation of duties

Separation of duties requires that no single person have enough control to complete a critical task (or commit fraud undetected). Having a finance employee audit their own department's transactions creates a conflict of interest. Least privilege (A) is related but less specific here -- the issue is not just excess access, it is the combination of execution and oversight roles.

Question 6

Which of the following BEST describes the purpose of a Business Impact Analysis (BIA)?

  • A. To identify security vulnerabilities in critical systems
  • B. To determine the financial and operational impact of business process disruptions
  • C. To develop a disaster recovery plan
  • D. To establish security policies and procedures
Answer and Explanation

Correct: B. To determine the financial and operational impact of business process disruptions

The BIA is the foundation of business continuity planning. It identifies critical business functions, determines RTO, RPO, and MTD values, and quantifies the cost of downtime. The BIA precedes the DR plan (C) -- you cannot build a DR plan without first understanding what must be recovered and how quickly.

Question 7

Which threat modeling methodology focuses on attacker perspective and risk-based analysis?

  • A. STRIDE
  • B. PASTA
  • C. Trike
  • D. VAST
Answer and Explanation

Correct: B. PASTA

PASTA (Process for Attack Simulation and Threat Analysis) is a 7-stage risk-centric methodology that emphasizes the attacker perspective and business impact. STRIDE is a mnemonic for threat categories (Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation of privilege). Trike is an audit-based approach. VAST (Visual, Agile, Simple Threat) is for scaling across enterprise.

Question 8

An organization is subject to GDPR. A data subject requests that their personal data be deleted. Which GDPR right is being invoked?

  • A. Right to access
  • B. Right to erasure (right to be forgotten)
  • C. Right to data portability
  • D. Right to object
Answer and Explanation

Correct: B. Right to erasure (right to be forgotten)

Article 17 of the GDPR grants data subjects the right to have their personal data erased under specific conditions. The right to access (A) lets subjects see what data is held; portability (C) lets them export it; objection (D) stops specific processing (e.g., direct marketing).

Question 9

A security policy states "All workstations must be encrypted with AES-256." This is an example of a:

  • A. Policy
  • B. Standard
  • C. Procedure
  • D. Guideline
Answer and Explanation

Correct: B. Standard

Standards specify mandatory, specific technical or operational requirements. The example specifies an exact algorithm and key length -- that is a standard. A policy is higher-level (e.g., "Protect data at rest"). A procedure is step-by-step (e.g., "How to enable BitLocker"). A guideline is an optional recommendation.

Question 10

Which of the following is the BEST indication that senior management supports the security program?

  • A. An approved security policy exists
  • B. Security spending has increased year-over-year
  • C. Management actively champions security and allocates adequate resources
  • D. A CISO role has been created
Answer and Explanation

Correct: C. Management actively champions security and allocates adequate resources

Active support (tone at the top) is the strongest indicator. An approved policy (A), budget (B), or CISO role (D) can all exist as checkbox items without genuine buy-in. CISSP emphasizes that security governance is a leadership responsibility, not a document-driven one.

Domain 2: Asset Security -- Questions 11 to 20

Question 11

Who is ULTIMATELY responsible for the protection of a specific dataset?

  • A. Data custodian
  • B. Data owner
  • C. Data steward
  • D. System administrator
Answer and Explanation

Correct: B. Data owner

The data owner (typically a senior business leader) has ultimate accountability for data protection. They set classification, decide on access, and approve controls. The custodian (A) implements those controls day-to-day. The steward (C) ensures data quality. The sysadmin (D) operates systems.

Question 12

Which of the following is the MOST secure method of destroying magnetic hard drives that previously stored classified information?

  • A. Formatting the drive multiple times
  • B. Overwriting with random data 7 times (DoD 5220.22-M)
  • C. Degaussing
  • D. Physical destruction (shredding)
Answer and Explanation

Correct: D. Physical destruction (shredding)

For classified or highly sensitive data, physical destruction is the gold standard. Degaussing (C) works for magnetic media but can fail on modern high-coercivity drives and does nothing for SSDs, which are not magnetic. Overwriting (B) can miss data in remapped or bad sectors that the drive no longer exposes to the host. Formatting (A) is trivially recoverable.

Question 13

Data in RAM is in which state?

  • A. At rest
  • B. In transit
  • C. In use
  • D. At destruction
Answer and Explanation

Correct: C. In use

Data states are:

  • At rest: Stored on disk, tape, cloud storage.
  • In transit: Moving over a network.
  • In use: Being processed in memory (RAM), CPU registers, cache.

Protecting data in use is the hardest. Techniques include memory encryption, confidential computing (Intel SGX, AMD SEV, AWS Nitro Enclaves).

Question 14

An organization classifies data as Public, Internal, Confidential, and Restricted. A user needs to share Confidential data with a third-party vendor. What should happen FIRST?

  • A. Encrypt the data with AES-256
  • B. Get approval from the data owner
  • C. Sign an NDA with the vendor
  • D. Use a secure file transfer protocol
Answer and Explanation

Correct: B. Get approval from the data owner

The data owner controls access decisions. Technical controls (A, D) and legal agreements (C) are important but follow the owner's approval. CISSP emphasizes that governance precedes implementation.

Question 15

Which of the following is MOST effective for preventing unauthorized data exfiltration via email?

  • A. Mandatory email encryption
  • B. Data Loss Prevention (DLP) with content inspection
  • C. Email spam filtering
  • D. User security awareness training
Answer and Explanation

Correct: B. Data Loss Prevention (DLP) with content inspection

DLP inspects email content against policy (e.g., SSN patterns, credit card numbers, classification tags) and blocks or alerts on violations. Encryption (A) protects confidentiality in transit but does not prevent exfiltration. Training (D) is important but not a technical control. Spam filtering (C) blocks inbound, not outbound.

Question 16

The data lifecycle stages in order are:

  • A. Create, Use, Store, Share, Archive, Destroy
  • B. Create, Store, Use, Share, Archive, Destroy
  • C. Create, Store, Share, Use, Archive, Destroy
  • D. Create, Share, Use, Store, Archive, Destroy
Answer and Explanation

Correct: B. Create, Store, Use, Share, Archive, Destroy

Mnemonic: CSUSAD. Data is created first, then stored. It can then be used (processed), shared (exchanged), archived (long-term retention), and eventually destroyed. Each stage has unique security requirements.

Question 17

Which privacy principle requires that only the minimum data needed for a specific purpose is collected?

  • A. Purpose limitation
  • B. Data minimization
  • C. Accuracy
  • D. Storage limitation
Answer and Explanation

Correct: B. Data minimization

GDPR Article 5(1)(c): "adequate, relevant, and limited to what is necessary." Purpose limitation (A) means data cannot be used for reasons beyond what was originally stated. Storage limitation (D) restricts how long data is kept. Accuracy (C) requires data to be correct.

Question 18

A tape archive of 10-year-old financial records needs to be destroyed. What is the BEST method?

  • A. Overwrite with random data
  • B. Incineration
  • C. Magnetic degaussing
  • D. Chemical dissolution
Answer and Explanation

Correct: B. Incineration

For magnetic tape, incineration (or industrial shredding) is the most reliable destruction method. Degaussing (C) works but residual magnetism can sometimes remain. Overwriting tape (A) is mechanically impractical for archival tapes. Chemical dissolution (D) is not a standard tape destruction method.

Question 19

Which role is responsible for labeling data according to classification policy?

  • A. Data subject
  • B. Data controller
  • C. Data owner
  • D. Data processor
Answer and Explanation

Correct: C. Data owner

The data owner classifies and labels data. The data subject (A) is the individual the data is about. The controller (B) determines the purpose and means of processing under GDPR. The processor (D) acts on behalf of the controller.

Question 20

Tokenization differs from encryption in that:

  • A. Tokenization uses symmetric keys; encryption uses asymmetric
  • B. Tokens are reversible; encrypted values are not
  • C. Tokens have no mathematical relationship to the original data
  • D. Tokenization is slower than encryption
Answer and Explanation

Correct: C. Tokens have no mathematical relationship to the original data

Tokenization replaces sensitive data with randomly generated tokens stored in a vault. There is no algorithm that maps token to plaintext without the vault. Encryption uses a key and algorithm that mathematically transform the data. Both are reversible -- tokenization via vault lookup, encryption via key.

Domain 3: Security Architecture and Engineering -- Questions 21 to 30

Question 21

In the Bell-LaPadula model, the simple security property (no read up) prevents a subject from:

  • A. Writing data to a higher classification level
  • B. Reading data at a higher classification level
  • C. Reading data at a lower classification level
  • D. Writing data to a lower classification level
Answer and Explanation

Correct: B. Reading data at a higher classification level

Bell-LaPadula (confidentiality):

  • Simple Security Property (ss-property): No read up.
  • Star Property (*-property): No write down.

Biba (integrity) is the OPPOSITE:

  • Simple Integrity Property: No read down.
  • Star Integrity Property: No write up.

Question 22

A CA issues a certificate with a validity period of 2 years. The private key is compromised after 6 months. What is the PRIMARY mechanism to inform relying parties?

  • A. Update the CA's trust anchor
  • B. Publish the certificate on a Certificate Revocation List (CRL)
  • C. Reissue the certificate
  • D. Disable the CA
Answer and Explanation

Correct: B. Publish the certificate on a Certificate Revocation List (CRL)

CRLs are how CAs communicate revoked certificates. OCSP is the real-time alternative. The CA remains valid; only this specific certificate is revoked.

Question 23

Which symmetric algorithm is a block cipher with a 128-bit block size and key sizes of 128, 192, or 256 bits?

  • A. DES
  • B. 3DES
  • C. AES
  • D. RC4
Answer and Explanation

Correct: C. AES

AES (Advanced Encryption Standard, FIPS 197) uses a 128-bit block and 128/192/256-bit keys. DES (A) uses 64-bit blocks and a 56-bit key (insecure). 3DES (B) uses 64-bit blocks with 112- or 168-bit keys but offers at most about 112 bits of effective security because of meet-in-the-middle attacks (deprecated by NIST). RC4 (D) is a stream cipher.

Question 24

A digital signature provides which of the following?

  • A. Confidentiality only
  • B. Integrity and authentication only
  • C. Integrity, authentication, and non-repudiation
  • D. Confidentiality and integrity only
Answer and Explanation

Correct: C. Integrity, authentication, and non-repudiation

A digital signature is created by hashing the message and applying the sender's private key to the hash (the classic exam phrasing is "encrypting the hash with the private key", which is literally true only for RSA). The recipient applies the sender's public key to the signature, recomputes the hash of the received message, and compares the two values.

  • Integrity: Any change to the message changes the hash, so verification fails.
  • Authentication: Only the sender holds the private key.
  • Non-repudiation: The sender cannot later deny signing, provided the private key was never compromised.

Signatures do NOT provide confidentiality: the message itself travels in the clear, and only the hash is transformed.
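The hash-then-sign flow above, written out as an added example (this is not code from the study guide): textbook RSA with no padding and toy keys built from Mersenne primes, so it illustrates the mechanism and nothing more. The key sizes, the message and the two key holders (Alice, Mallory) are assumptions; real systems use RSA-PSS or Ed25519 from a vetted library.

```python
"""Hash-then-sign with textbook RSA, to show the three properties a signature
gives (integrity, authentication, non-repudiation) and the one it does not
(confidentiality). Added example, not from the study guide: toy keys, no
padding, never for real use.
"""
import hashlib


def keypair(p: int, q: int, e: int = 65537):
    """Return ((e, n), (d, n)). Raises ValueError if e is not invertible mod phi(n)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (e, n), (d, n)


def _hash_as_int(message: bytes, n: int) -> int:
    """SHA-256 of the message; reduced mod n because the toy modulus is smaller than 256 bits."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sender side: only the holder of d can produce this value for the message hash."""
    d, n = private_key
    return pow(_hash_as_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient side: undo the private-key operation with e and compare with a fresh hash."""
    e, n = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == _hash_as_int(message, n)


# Constructed toy keys: 2^31-1, 2^61-1, 2^89-1 and 2^107-1 are all (Mersenne) primes.
ALICE_PUB, ALICE_PRIV = keypair(2**31 - 1, 2**61 - 1)
MALLORY_PUB, MALLORY_PRIV = keypair(2**89 - 1, 2**107 - 1)

if __name__ == "__main__":
    msg = b"transfer 100 EUR to account 42"   # sent in the clear: the signature adds no confidentiality
    sig = sign(msg, ALICE_PRIV)
    print(verify(msg, sig, ALICE_PUB))                                  # True: integrity + authentication
    print(verify(b"transfer 900 EUR to account 42", sig, ALICE_PUB))    # False: tampering detected
    print(verify(msg, sign(msg, MALLORY_PRIV), ALICE_PUB))              # False: Mallory cannot sign as Alice
```

Non-repudiation falls out of the last check: nothing but Alice's `d` yields a value that verifies under Alice's `e`, so a signature that verifies is attributable to her as long as the private key stayed private.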

Question 25

Which fire class involves energized electrical equipment?

  • A. Class A
  • B. Class B
  • C. Class C
  • D. Class D
Answer and Explanation

Correct: C. Class C

  • Class A: Ordinary combustibles (wood, paper, cloth).
  • Class B: Flammable liquids (gasoline, oil).
  • Class C: Energized electrical equipment (servers, wiring).
  • Class D: Combustible metals (magnesium, sodium).
  • Class K: Cooking oils and fats.

For Class C, use CO2 or clean agent (FM-200, Novec 1230). NEVER use water on energized equipment.

Question 26

Which evaluation level under the Common Criteria is MOST rigorous?

  • A. EAL1
  • B. EAL4
  • C. EAL7
  • D. EAL10
Answer and Explanation

Correct: C. EAL7

Common Criteria has EAL1 (functionally tested) through EAL7 (formally verified design and tested). EAL10 does not exist. Most commercial products target EAL4 (methodically designed, tested, reviewed).

Question 27

A mantrap is an example of what type of control?

  • A. Administrative preventive
  • B. Technical detective
  • C. Physical preventive
  • D. Physical compensating
Answer and Explanation

Correct: C. Physical preventive

A mantrap (now commonly called an airlock or access vestibule) physically prevents unauthorized entry. It is a physical control (tangible barrier) and preventive (stops the action before it occurs).

Question 28

The Biba security model is primarily concerned with:

  • A. Confidentiality
  • B. Integrity
  • C. Availability
  • D. Non-repudiation
Answer and Explanation

Correct: B. Integrity

Biba prevents untrusted data from corrupting trusted data. Simple integrity: no read down. Star integrity: no write up. Example: a low-integrity user cannot write to a high-integrity financial system.
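Both models as code, added here as an example rather than taken from the study guide: one label type with a rank and a compartment set, and two decision functions whose read and write rules are mirror images of each other. The compartment set goes beyond the level-only wording of Questions 21 and 28 (it is the general lattice form, where "dominates" means higher-or-equal rank AND superset of compartments); the ranks, compartment names and sample labels are assumptions.

```python
"""Bell-LaPadula vs. Biba access decisions on a label lattice.

A label is (rank, compartments). `a.dominates(b)` holds when a's rank is at
least b's AND a's compartments are a superset of b's. For BLP the rank is a
secrecy level (0 = UNCLASSIFIED ... 3 = TOP SECRET); for Biba the same class
is reused with the rank read as an integrity level (0 = LOW ... 2 = HIGH).
Added example with constructed labels; not code from the study guide.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Label:
    rank: int
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        return self.rank >= other.rank and self.compartments >= other.compartments


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read : simple security property, subject must dominate object  (no read up)
    write: *-property, object must dominate subject                 (no write down)
    """
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): the mirror image, with ranks read as integrity levels.
    read : simple integrity, object must dominate subject  (no read down)
    write: * integrity, subject must dominate object       (no write up)
    """
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    # Constructed BLP labels: rank 2 = SECRET, 3 = TOP SECRET; compartments NUC, CRYPTO.
    analyst = Label(2, frozenset({"NUC", "CRYPTO"}))
    secret_nuc = Label(2, frozenset({"NUC"}))
    ts_nuc_crypto = Label(3, frozenset({"NUC", "CRYPTO"}))
    ts_plain = Label(3)
    print(blp_allows(analyst, secret_nuc, "read"))       # True: analyst dominates the file
    print(blp_allows(analyst, ts_plain, "read"))         # False: no read up
    print(blp_allows(analyst, ts_nuc_crypto, "write"))   # True: writing up is allowed
    print(blp_allows(analyst, ts_plain, "write"))        # False: TS file lacks the NUC/CRYPTO compartments
    # Constructed Biba labels: rank 0 = LOW integrity (web form input), 2 = HIGH (ledger).
    web_form, ledger = Label(0), Label(2)
    print(biba_allows(web_form, ledger, "write"))        # False: no write up
    print(biba_allows(ledger, web_form, "read"))         # False: no read down
```

The fourth BLP check is the one the level-only rule hides: a write to a higher level is still denied when the target lacks a compartment the subject holds, because the subject's compartment data would leak into an object not cleared for it.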

Question 29

Elliptic Curve Cryptography (ECC) offers which advantage over RSA?

  • A. Larger key sizes for higher security
  • B. Equivalent security with smaller key sizes
  • C. Ability to encrypt larger messages
  • D. Perfect forward secrecy by default
Answer and Explanation

Correct: B. Equivalent security with smaller key sizes

A 256-bit ECC key provides roughly equivalent security to a 3072-bit RSA key. This makes ECC ideal for constrained devices (IoT, mobile, smart cards). Perfect forward secrecy (D) depends on the protocol, not the algorithm.

Question 30

Which attack involves pre-computing hashes for common passwords?

  • A. Brute force
  • B. Dictionary attack
  • C. Rainbow table
  • D. Birthday attack
Answer and Explanation

Correct: C. Rainbow table

Rainbow tables are pre-computed chains of hashed password candidates, optimized for storage. Salt defeats rainbow tables because each user's hash uses a unique salt. Dictionary attacks (B) iterate through a wordlist at runtime. Brute force (A) tries every combination. Birthday (D) exploits hash collisions.
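A miniature rainbow table, added here as an example (not code from the study guide), over a 4-digit PIN space: it shows the precompute-once, look-up-many split that makes the attack pay off, the per-column reduction functions that distinguish a rainbow table from a plain hash chain, and why a per-user salt moves the target hash outside anything the table covers. SHA-256 stands in for whatever fast hash the victim used; the chain length, chain count, start points and salt are constructed for the demonstration.

```python
"""A miniature rainbow table over 4-digit PINs, and what a salt does to it.
Added example, not from the study guide. Parameters are constructed.
"""
import hashlib

SPACE = 10_000        # candidate passwords "0000".."9999"
CHAIN_LEN = 60        # t: hash/reduce steps per chain
NUM_CHAINS = 300      # m: only the (start, end) pair of each chain is stored


def H(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


def reduce_to_pin(digest: bytes, column: int) -> str:
    """Reduction function R_column: any digest -> some PIN. Using a different
    function per column is what makes this a rainbow table rather than a
    plain hash chain (it limits chain merges)."""
    return f"{(int.from_bytes(digest[:8], 'big') + column) % SPACE:04d}"


def build_table() -> dict:
    """Precomputation (done once, offline): walk each chain, keep only its end point."""
    table: dict = {}
    for k in range(NUM_CHAINS):
        start = f"{(k * 7919) % SPACE:04d}"      # constructed start points; chain 0 starts at "0000"
        p = start
        for column in range(CHAIN_LEN):
            p = reduce_to_pin(H(p), column)
        table.setdefault(p, []).append(start)    # distinct chains may still merge on an end point
    return table


def lookup(table: dict, target: bytes):
    """Attack time: return the PIN whose hash is `target`, or None if no chain covered it."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target was produced at this column. Finish the chain to its end point.
        p = reduce_to_pin(target, column)
        for later in range(column + 1, CHAIN_LEN):
            p = reduce_to_pin(H(p), later)
        for start in table.get(p, ()):
            # Matching end point: regenerate that chain and look for the target itself.
            q = start
            for col in range(CHAIN_LEN):
                if H(q) == target:
                    return q
                q = reduce_to_pin(H(q), col)
            # No hit: the end point collided (false alarm); keep trying earlier columns.
    return None


def salted_hash(salt: str, password: str) -> bytes:
    """What a salted store holds: H(salt || password). The table was built for H(password)."""
    return H(salt + password)


if __name__ == "__main__":
    table = build_table()
    print(lookup(table, H("0000")))                      # 0000: recovered from the precomputed table
    print(lookup(table, salted_hash("u7Fq", "0000")))    # None: the salt moved the hash out of the table
```

The table stores 300 pairs to cover up to 18,000 hash evaluations' worth of candidates (less in practice because chains merge), which is the time/memory trade-off the attack exploits. A unique salt per user forces the attacker to rebuild the table per salt, which is no better than a dictionary attack; a slow, salted password hash (bcrypt, scrypt, Argon2) then makes even that expensive.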

Domain 4: Communication and Network Security -- Questions 31 to 40

Question 31

At which OSI layer does TLS operate?

  • A. Layer 4 (Transport)
  • B. Layer 5 (Session)
  • C. Layer 6 (Presentation)
  • D. Layer 7 (Application)
Answer and Explanation

Correct: B. Layer 5 (Session) -- with some nuance.

CISSP study materials most often map TLS to Layer 5 (Session) because it negotiates and maintains a secure session between client and server; some references place it at Layer 6 (Presentation) because it performs encryption and decryption. In the TCP/IP model, where the protocol actually lives, TLS simply sits between TCP and the application protocol (HTTP, SMTP, and so on), which is why no single OSI layer fits cleanly. For the exam, Layer 5 is the most common answer; know both views.

Question 32

Which of the following BEST describes a DMZ?

  • A. A secure internal network zone
  • B. A network segment between the internal and external networks that hosts public-facing services
  • C. A VLAN for guest users
  • D. A management network for network devices
Answer and Explanation

Correct: B. A network segment between the internal and external networks that hosts public-facing services

A DMZ (Demilitarized Zone) or screened subnet hosts services that must be accessible from the Internet (web, email, DNS) while isolating them from the internal network, so a compromised public-facing host cannot reach internal systems directly. Address examples in this guide use 203.0.113.0/24 (an RFC 5737 documentation range) for the public side and 10.50.0.0/24 (RFC 1918 private space) for the internal side.

Question 33

Which protocol provides confidentiality, integrity, and authentication at the network layer?

  • A. TLS
  • B. SSH
  • C. IPsec
  • D. HTTPS
Answer and Explanation

Correct: C. IPsec

IPsec operates at Layer 3. It provides:

  • AH (Authentication Header): Integrity and authentication.
  • ESP (Encapsulating Security Payload): Confidentiality, integrity, authentication.

IPsec can be used in transport mode (end-to-end) or tunnel mode (VPN).

Question 34

Kerberos uses which type of cryptography for ticket encryption?

  • A. Asymmetric
  • B. Symmetric
  • C. Hash-only
  • D. Steganographic
Answer and Explanation

Correct: B. Symmetric

Kerberos uses symmetric encryption (AES by default in modern implementations). Each principal shares a long-term symmetric key with the KDC, and session keys are also symmetric. Asymmetric cryptography appears only in the optional PKINIT extension (RFC 4556, used for smart-card logon) to authenticate the initial AS exchange; tickets and session keys remain symmetric.

Question 35

A network engineer wants to prevent ARP spoofing on a switched network. Which feature helps MOST?

  • A. Port security
  • B. Dynamic ARP Inspection (DAI)
  • C. Spanning Tree Protocol
  • D. VLAN tagging
Answer and Explanation

Correct: B. Dynamic ARP Inspection (DAI)

DAI validates ARP packets against a trusted DHCP snooping binding table. It rejects invalid IP-to-MAC mappings. Port security (A) limits MAC addresses per port but does not inspect ARP. STP (C) prevents Layer 2 loops. VLAN tagging (D) separates broadcast domains.

Question 36

WPA3 uses which protocol for key exchange (replacing the PSK handshake of WPA2)?

  • A. EAP-TLS
  • B. SAE (Simultaneous Authentication of Equals)
  • C. PEAP
  • D. TKIP
Answer and Explanation

Correct: B. SAE (Simultaneous Authentication of Equals)

WPA3-Personal uses SAE (a.k.a. Dragonfly) to mitigate offline dictionary attacks that plagued WPA2-PSK. It provides forward secrecy.

Question 37

Which firewall type examines the entire packet and tracks connection state?

  • A. Packet filter
  • B. Stateful inspection
  • C. Application proxy
  • D. Circuit-level gateway
Answer and Explanation

Correct: B. Stateful inspection

Stateful firewalls maintain a state table of active connections and allow return traffic for established sessions. Packet filters (A) are stateless. Application proxies (C) operate at Layer 7 and inspect application data. Circuit-level gateways (D) operate at Layer 5.

Question 38

Which network attack floods a target with SYN packets, exhausting its connection table?

  • A. Smurf attack
  • B. Ping of death
  • C. SYN flood
  • D. Teardrop
Answer and Explanation

Correct: C. SYN flood

SYN flood exploits the TCP 3-way handshake. Attacker sends SYN, target allocates a half-open connection, attacker never completes the handshake. Mitigation: SYN cookies, connection rate limits.

Question 39

In a site-to-site VPN using IPsec, which mode is typically used?

  • A. Transport mode
  • B. Tunnel mode
  • C. Anycast mode
  • D. Multicast mode
Answer and Explanation

Correct: B. Tunnel mode

Tunnel mode encrypts the entire original IP packet and adds a new outer IP header. This is standard for site-to-site VPNs where gateway-to-gateway encryption is needed. Transport mode encrypts only the payload and is used for end-to-end host-to-host.

Question 40

A penetration tester observes that hostnames like db01.example.com resolve to public IPs when queried externally. What is the risk?

  • A. DNS poisoning
  • B. Information disclosure exposing internal infrastructure
  • C. BGP hijacking
  • D. DNS amplification
Answer and Explanation

Correct: B. Information disclosure exposing internal infrastructure

External DNS should not reveal internal host naming conventions or internal IPs. Split DNS (separate external vs internal zones) prevents this. The other attacks (A, C, D) are real threats but not what this scenario describes.

Domain 5: Identity and Access Management -- Questions 41 to 50

Question 41

Which authentication factor is MOST susceptible to phishing?

  • A. Something you know (password)
  • B. Something you have (hardware token)
  • C. Something you are (biometric)
  • D. Somewhere you are (location)
Answer and Explanation

Correct: A. Something you know (password)

Passwords are trivially phished. Phishing-resistant authentication uses FIDO2/WebAuthn with hardware keys (B) that cryptographically bind the authentication to the origin domain.

Question 42

In Kerberos, the TGT (Ticket Granting Ticket) is issued by:

  • A. The client
  • B. The Ticket Granting Service (TGS)
  • C. The Authentication Server (AS)
  • D. The application server
Answer and Explanation

Correct: C. The Authentication Server (AS)

Kerberos flow:

  1. Client authenticates to the AS and receives a TGT.
  2. Client presents the TGT to the TGS and receives a service ticket.
  3. Client presents the service ticket to the application server.

The AS and TGS together make up the KDC (Key Distribution Center).

Question 43

Which access control model uses attributes like user department, resource sensitivity, and time of day?

  • A. DAC
  • B. MAC
  • C. RBAC
  • D. ABAC
Answer and Explanation

Correct: D. ABAC (Attribute-Based Access Control)

ABAC evaluates policies using attributes of the subject, resource, action, and environment. XACML is a common ABAC policy language. It is more flexible than RBAC (which uses role membership) and MAC (which uses labels).

Question 44

A biometric system has an FAR of 2% and an FRR of 5%. What does this mean?

  • A. 2% of authorized users are rejected; 5% of imposters are accepted
  • B. 5% of authorized users are rejected; 2% of imposters are accepted
  • C. The CER is 3.5%
  • D. The system is highly accurate
Answer and Explanation

Correct: B. 5% of authorized users are rejected; 2% of imposters are accepted

  • FAR (False Acceptance Rate): Imposters incorrectly accepted. Lower is better for security.
  • FRR (False Rejection Rate): Legitimate users incorrectly rejected. Lower is better for usability.
  • CER (Crossover Error Rate): The point where FAR = FRR. Lower CER means better overall system.
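The three rates above come from one decision threshold on the matcher's score, and the exam numbers (FAR 2%, FRR 5%) describe a single operating point on that curve. The following added example (not from the study guide) sweeps the threshold over a constructed set of genuine and impostor match scores, reports FAR and FRR at any threshold, finds the crossover point, and shows what a security-first tuning (FAR driven to zero) costs in FRR. Scores are made-up values on a 0 to 100 scale.

```python
"""FAR, FRR and the crossover error rate from a threshold sweep.
Added example, not from the study guide. Match scores are constructed:
genuine users mostly score high, impostors mostly low, with some overlap so
neither error rate can be driven to zero for free.
"""

GENUINE = [92, 88, 95, 71, 84, 90, 66, 97, 79, 58, 86, 93, 74, 81, 99, 62, 89, 77, 85, 91]
IMPOSTOR = [12, 35, 48, 21, 60, 9, 41, 55, 30, 18, 67, 25, 38, 14, 52, 29, 44, 7, 33, 72]


def error_rates(threshold: float, genuine=GENUINE, impostor=IMPOSTOR):
    """The matcher accepts a sample iff its score >= threshold.
    FAR = impostors accepted / impostor attempts  (security error)
    FRR = genuine users rejected / genuine attempts (usability error)"""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every observed score as a threshold; the point where FAR and FRR are
    closest is the CER (also called EER). Returns (threshold, far, frr)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(t, genuine, impostor)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def threshold_for_max_far(max_far: float, genuine=GENUINE, impostor=IMPOSTOR):
    """Security-first tuning: the lowest threshold whose FAR is at most max_far,
    returned together with the FRR that users will pay for it."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    print(crossover())                 # (66, 0.1, 0.1): CER of 10% at threshold 66
    print(threshold_for_max_far(0.0))  # (74, 0.0, 0.2): no impostors accepted, 1 in 5 genuine users rejected
    print(error_rates(50))             # (0.25, 0.0): loose threshold, high FAR and no false rejections
```

Raising the threshold lowers FAR and raises FRR; the CER is only a way to compare systems, not the point you should run at. A door to a server room is tuned to the right of the crossover (low FAR), a phone unlock to the left (low FRR).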

Question 45

Which SSO protocol is most commonly used for modern web applications with mobile clients?

  • A. Kerberos
  • B. SAML 2.0
  • C. OpenID Connect (OIDC)
  • D. RADIUS
Answer and Explanation

Correct: C. OpenID Connect (OIDC)

OIDC builds on OAuth 2.0 and is designed for modern web and mobile apps. It uses JSON Web Tokens (JWT) for identity. SAML (B) is widely used in enterprise web SSO but is verbose (XML) and not as friendly for native mobile. Kerberos (A) is typical for intranet/AD environments.

Question 46

A user is promoted from Analyst to Manager but retains Analyst permissions. This is:

  • A. Privilege creep
  • B. Least privilege violation
  • C. Both A and B
  • D. Acceptable if documented
Answer and Explanation

Correct: C. Both A and B

Privilege creep (A) is the accumulation of permissions over time as users change roles. It directly violates least privilege (B). Best practice: regular entitlement reviews, access recertification, use of roles that are revoked and re-granted rather than additively accumulated.

Question 47

A Pass-the-Hash attack succeeds because:

  • A. The attacker cracks the password offline
  • B. NTLM uses the password hash as the authentication credential itself
  • C. The attacker intercepts the password in transit
  • D. Kerberos delegation is misconfigured
Answer and Explanation

Correct: B. NTLM uses the password hash as the authentication credential itself

In NTLM the hash IS the credential: the challenge-response value is computed from the NT hash, so possessing the hash is equivalent to possessing the password and no cracking is needed. Mitigations: disable or restrict NTLM, use Kerberos with AES, enable Credential Guard, limit local admin rights and give each machine a unique local admin password (LAPS), and tier privileged accounts so a domain admin's hash is never exposed on a workstation.
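Why the hash is enough, shown in code as an added example (not from the study guide): the NTLMv2 client computation from MS-NLMP (sections 3.3.2 and 2.2.2.7) is keyed by the NT hash and never takes the password as input, so a client holding a dumped hash produces exactly the response a legitimate workstation would. The NT hash is a constructed constant here (in reality MD4 over the UTF-16LE password, omitted because many OpenSSL builds no longer ship MD4); the server challenge, timestamp and client nonce are constructed, and the AV_PAIR list in the client blob is left empty.

```python
"""Pass-the-Hash explained by the NTLMv2 response computation.
Added example, not from the study guide. NT hash, challenge and nonce are
constructed values; AV pairs are omitted (empty list).
"""
import hmac
import struct

NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")   # constructed 16-byte NT hash


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(key = NT hash, data = UTF-16LE(UPPERCASE(user) || domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def client_challenge_blob(timestamp: int, client_nonce: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE ('temp'): RespType, HiRespType, Reserved1, Reserved2,
    TimeStamp, ChallengeFromClient, Reserved3, AvPairs (here just MsvAvEOL)."""
    assert len(client_nonce) == 8
    return (struct.pack("<BBHI", 0x01, 0x01, 0, 0)
            + struct.pack("<Q", timestamp)      # FILETIME: 100 ns ticks since 1601-01-01
            + client_nonce
            + b"\x00" * 4                       # Reserved3
            + b"\x00" * 4)                      # AvPairs: only the MsvAvEOL terminator


def ntlmv2_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, temp: bytes) -> bytes:
    """NtProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp)
    NtChallengeResponse = NtProofStr || temp
    Inputs are the hash, the names and the challenges. No password anywhere."""
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, "md5").digest()
    return proof + temp


def server_accepts(stored_nt_hash: bytes, user: str, domain: str,
                   server_challenge: bytes, response: bytes) -> bool:
    """The DC holds the same NT hash and recomputes NtProofStr over the temp it was sent."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain), server_challenge + temp, "md5").digest()
    return hmac.compare_digest(proof, expected)


if __name__ == "__main__":
    challenge = bytes.fromhex("a1b2c3d4e5f60718")                          # constructed server challenge
    temp = client_challenge_blob(0x01DC8E4F1234ABCD, bytes.fromhex("1122334455667788"))
    # Legitimate workstation: LSASS derived NT_HASH from the user's password at logon.
    legit = ntlmv2_response(NT_HASH, "jsmith", "CORP", challenge, temp)
    # Attacker: dumped NT_HASH from LSASS or the SAM on another host; never saw the password.
    stolen = ntlmv2_response(NT_HASH, "jsmith", "CORP", challenge, temp)
    print(legit == stolen)                                                   # True: identical on the wire
    print(server_accepts(NT_HASH, "jsmith", "CORP", challenge, stolen))      # True: the DC cannot tell
```

Nothing in the exchange distinguishes the two clients, which is why the fix is not a stronger hash but keeping NTLM off the network and keeping privileged hashes off machines an attacker can reach.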

Question 48

Federation enables:

  • A. Users to authenticate once and access multiple services within a single organization
  • B. Users to authenticate with one identity provider and access services across multiple organizations
  • C. Automated provisioning across HR systems
  • D. Shared password stores between applications
Answer and Explanation

Correct: B. Users to authenticate with one identity provider and access services across multiple organizations

Federation extends SSO across trust boundaries. Example: a user at partner-a.example.com authenticates once and accesses resources at partner-b.example.com via SAML assertions. Option A describes internal SSO, not federation.

Question 49

Which access control mechanism is based on the military model with mandatory labels like "Top Secret" and "Confidential"?

  • A. DAC
  • B. MAC
  • C. RBAC
  • D. ABAC
Answer and Explanation

Correct: B. MAC (Mandatory Access Control)

MAC enforces system-wide rules based on labels. Users cannot override classifications. DAC (A) gives the data owner discretion. RBAC (C) uses roles. ABAC (D) uses attributes.

Question 50

Which of the following BEST describes Just-in-Time (JIT) access?

  • A. Permanent assignment of admin rights
  • B. Temporary elevation of privileges only when needed, with automatic expiration
  • C. Scheduled nightly batch permissions
  • D. Role-based access control
Answer and Explanation

Correct: B. Temporary elevation of privileges only when needed, with automatic expiration

JIT access (also called ephemeral access) reduces the attack surface by granting privileges only when needed and revoking them automatically. Common in cloud IAM and PAM tooling (Microsoft Entra PIM, formerly Azure AD PIM; AWS IAM Identity Center with temporary credentials; CyberArk).

Domain 6: Security Assessment and Testing -- Questions 51 to 60

Question 51

Which type of test evaluates running applications by sending inputs and observing outputs?

  • A. SAST
  • B. DAST
  • C. SCA
  • D. IAST
Answer and Explanation

Correct: B. DAST (Dynamic Application Security Testing)

DAST runs against a deployed application and probes it like an attacker would. SAST (A) analyzes source code statically. SCA (C) scans dependencies. IAST (D) combines both by instrumenting the running app.

Question 52

A black-box penetration test provides the tester with:

  • A. Full source code and system documentation
  • B. Partial information about the target environment
  • C. No prior information about the target
  • D. Administrative credentials
Answer and Explanation

Correct: C. No prior information about the target

Black-box simulates an external attacker with no internal knowledge. White-box (A) gives full access. Gray-box (B) provides partial info, simulating an insider or post-compromise attacker.

Question 53

A SOC 2 Type 2 report differs from Type 1 in that Type 2:

  • A. Is less rigorous
  • B. Covers a specific point in time
  • C. Covers a period of time (typically 6-12 months) and tests operating effectiveness
  • D. Is only for financial controls
Answer and Explanation

Correct: C. Covers a period of time (typically 6-12 months) and tests operating effectiveness

SOC 2 Type 1 evaluates design at a point in time. SOC 2 Type 2 evaluates operating effectiveness over a period, making it more valuable for customer assurance.

Question 54

KRIs (Key Risk Indicators) are BEST described as:

  • A. Metrics showing the current state of security posture
  • B. Forward-looking metrics that signal potential risk before it materializes
  • C. Compliance checklists
  • D. Audit findings
Answer and Explanation

Correct: B. Forward-looking metrics that signal potential risk before it materializes

KRIs are leading indicators. Example: trending up in failed login attempts may signal credential attacks. KPIs (A) are lagging indicators of performance.

Question 55

What is the PRIMARY purpose of a synthetic transaction?

  • A. To test application performance under load
  • B. To simulate user actions for availability and functionality monitoring
  • C. To test disaster recovery
  • D. To scan for vulnerabilities
Answer and Explanation

Correct: B. To simulate user actions for availability and functionality monitoring

Synthetic transactions are scripted user flows (login, search, checkout) run on a schedule. They alert when functionality breaks before real users notice. Examples: Pingdom, Datadog Synthetics.

Question 56

Which of the following is the BEST source of attacker TTP (Tactics, Techniques, Procedures) intelligence for detection engineering?

  • A. Vendor marketing materials
  • B. MITRE ATT&CK framework
  • C. OWASP Top 10
  • D. CVE database
Answer and Explanation

Correct: B. MITRE ATT&CK framework

ATT&CK catalogs real-world attacker behaviors across tactics (why) and techniques (how). Use it to map detections and identify gaps. OWASP Top 10 (C) is focused on web app vulnerabilities. CVE (D) is vulnerability identifiers, not behavioral TTPs.

Question 57

Which type of assessment engages both red (offensive) and blue (defensive) teams collaboratively?

  • A. Black-box penetration test
  • B. Red team engagement
  • C. Purple team exercise
  • D. Vulnerability scan
Answer and Explanation

Correct: C. Purple team exercise

Purple team exercises are collaborative. The red team executes TTPs, the blue team works to detect and respond in real time, and they share findings to improve controls. This is different from a traditional red team (B) which is adversarial.

Question 58

Log retention for most compliance frameworks (PCI DSS, HIPAA, SOX) is typically at least:

  • A. 30 days
  • B. 90 days
  • C. 1 year
  • D. 7 years
Answer and Explanation

Correct: C. 1 year

PCI DSS requires 12 months of audit log history with at least the most recent 3 months immediately available. HIPAA requires related documentation to be retained for 6 years. SOX financial records are retained for 7 years. For a general CISSP answer, 1 year is the common floor; check the specific framework.

Question 59

Which of the following is a code review approach where developers review each other's code before merging?

  • A. SAST
  • B. Peer review
  • C. Formal inspection
  • D. Walkthrough
Answer and Explanation

Correct: B. Peer review

Peer review (common in modern dev workflows as pull request reviews) is informal and collaborative. Formal inspection (C) is a structured, documented review with defined roles. Walkthroughs (D) are author-led demonstrations. SAST (A) is automated.

Question 60

What is the primary output of a penetration test?

  • A. A list of CVEs
  • B. A detailed report with findings, exploitation evidence, risk ratings, and remediation recommendations
  • C. A compliance certificate
  • D. Source code
Answer and Explanation

Correct: B. A detailed report with findings, exploitation evidence, risk ratings, and remediation recommendations

A pentest report includes executive summary, technical findings, proof-of-concept evidence, risk ratings (often CVSS), and actionable remediation. A CVE list (A) is a vuln scan output. Compliance certs (C) come from audits, not pentests.

Domain 7: Security Operations -- Questions 61 to 70

Question 61

The correct order of the incident response lifecycle is:

  • A. Detect, Respond, Recover, Lessons Learned
  • B. Prepare, Detect and Analyze, Contain/Eradicate/Recover, Post-Incident
  • C. Identify, Protect, Detect, Respond, Recover
  • D. Plan, Do, Check, Act
Answer and Explanation

Correct: B. Prepare, Detect and Analyze, Contain/Eradicate/Recover, Post-Incident

NIST SP 800-61r2 defines the IR lifecycle as:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity (lessons learned)

Option C is the NIST CSF functions (different framework). Option D is PDCA.

Question 62

The order of volatility (most volatile to least) is:

  • A. Hard disk, RAM, registers, swap
  • B. Registers/cache, RAM, swap, hard disk, archival media
  • C. Network traffic, hard disk, registers, RAM
  • D. RAM, registers, swap, hard disk
Answer and Explanation

Correct: B. Registers/cache, RAM, swap, hard disk, archival media

RFC 3227 defines the order. Collect the most volatile first because it disappears on power-off or reboot. Registers and CPU cache are the most ephemeral.

Question 63

Which DR site offers the FASTEST recovery time but the HIGHEST cost?

  • A. Hot site
  • B. Warm site
  • C. Cold site
  • D. Reciprocal agreement
Answer and Explanation

Correct: A. Hot site

Hot site: fully operational, real-time data replication, can fail over in minutes. Warm site: hardware in place, data needs loading (hours). Cold site: empty facility (days-weeks). Reciprocal: informal partner agreement (risky).

Question 64

Which backup strategy requires the fewest backup tapes to restore?

  • A. Full only
  • B. Full + incremental
  • C. Full + differential
  • D. Snapshots
Answer and Explanation

Correct: A. Full only

Full-only: restore 1 tape. Full + differential: restore 2 (last full + last differential). Full + incremental: restore full plus every incremental since. Snapshots (D) are point-in-time and can vary.

Question 65

Chain of custody MUST include:

  • A. Only the initial collector's name
  • B. Every person who handled the evidence, the date, time, and purpose
  • C. Only digital signatures
  • D. Only the final disposition
Answer and Explanation

Correct: B. Every person who handled the evidence, the date, time, and purpose

Chain of custody is a documented record of who possessed evidence, when, and why. Gaps in the chain can make evidence inadmissible in court.

Question 66

A privileged user account was used at 3 AM to access a file server from an IP 203.0.113.45 (external, unusual). The SOC should FIRST:

  • A. Disable the account
  • B. Investigate to determine if the activity is legitimate or malicious
  • C. Reformat the file server
  • D. Notify law enforcement
Answer and Explanation

Correct: B. Investigate to determine if the activity is legitimate or malicious

Disabling the account (A) may alert an attacker if compromised, or disrupt legitimate work. Investigation first -- check logs, contact the user via a trusted channel, review file access. Law enforcement (D) is premature without confirmed criminal activity.
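How a SOC would catch the scenario in this question before an analyst ever reads the raw log: a small correlation rule run over constructed log lines. This is an added example for this study guide, not any SIEM's real rule syntax; the key=value log format, the privileged-account list, the internal network ranges, the off-hours window and the scoring thresholds are all assumptions.

```python
"""Correlation rule for the scenario above: privileged account, off-hours,
external source. Added example for this study guide; the log format,
account names, networks and thresholds are constructed assumptions."""
import ipaddress
import re
from datetime import datetime
from typing import Optional

# Constructed policy for the example organisation.
PRIVILEGED_ACCOUNTS = {"svc_backup_admin", "domain_admin", "root"}
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OFF_HOURS_UTC = range(0, 6)       # 00:00 to 05:59 UTC
ALERT_THRESHOLD = 3               # score at which an event becomes an alert

# Constructed sample log: one key=value event per line. The first line is the
# question's scenario; 203.0.113.45 is documentation address space.
SAMPLE_LOG = """\
2026-04-12T03:14:07Z user=svc_backup_admin src=203.0.113.45 host=fs01 action=login result=success
2026-04-12T10:02:11Z user=svc_backup_admin src=10.20.30.40 host=fs01 action=login result=success
2026-04-12T03:20:55Z user=jsmith src=198.51.100.7 host=fs01 action=login result=success
2026-04-12T03:21:03Z user=jsmith src=198.51.100.7 host=fs01 action=login result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$")


def parse_event(line: str) -> Optional[dict]:
    """Turn one log line into a dict; unparseable lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def is_external(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def score_event(ev: dict) -> tuple:
    """Return (score, reasons). Only successful logins are scored here;
    failures belong to a separate brute-force rule."""
    if ev["action"] != "login" or ev["result"] != "success":
        return 0, []
    score, reasons = 0, []
    if ev["user"] in PRIVILEGED_ACCOUNTS:
        score += 2
        reasons.append("privileged account")
    if ev["ts"].hour in OFF_HOURS_UTC:
        score += 1
        reasons.append("off-hours")
    if is_external(ev["src"]):
        score += 2
        reasons.append("external source IP")
    return score, reasons


def triage(lines) -> list:
    """Events over the threshold become alerts whose first action is
    investigation, not containment, which is the point of the question."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({
                "user": ev["user"], "src": ev["src"], "host": ev["host"],
                "severity": "high" if score >= 5 else "medium",
                "reasons": reasons,
                "first_action": "investigate: pull file-access events for the "
                                "session, confirm with the account owner over a "
                                "trusted channel, then decide on containment",
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(alert["severity"].upper(), alert["user"], alert["src"], alert["reasons"])
```

The scenario line scores 5 (privileged, off-hours, external) and becomes a high-severity alert; the same account's daytime login from an internal address scores 2 and stays quiet; the non-privileged off-hours external login lands in the middle as medium, which is what a tiered queue wants.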

Question 67

Which RAID level provides striping WITHOUT redundancy?

  • A. RAID 0
  • B. RAID 1
  • C. RAID 5
  • D. RAID 10
Answer and Explanation

Correct: A. RAID 0

RAID 0 stripes for performance, no redundancy. RAID 1 mirrors. RAID 5 uses striped parity (single disk tolerance). RAID 10 mirrors then stripes.

Question 68

MTD (Maximum Tolerable Downtime) is:

  • A. The maximum time a system can be down before the business suffers unacceptable damage
  • B. The time it takes to restore from backup
  • C. The age of the oldest data loss acceptable
  • D. The time between backups
Answer and Explanation

Correct: A. The maximum time a system can be down before the business suffers unacceptable damage

MTD is the business-defined threshold from the business impact analysis. RTO (recovery time objective) is the technical target for getting the system running again, and WRT (work recovery time) is the time after that to verify data and resume normal processing; together they must fit inside MTD (RTO + WRT <= MTD), which is why RTO is always set LESS THAN MTD. RPO (recovery point objective) is about acceptable data loss (C), not downtime.

Question 69

Which type of evidence is a witness's verbal account of events?

  • A. Real evidence
  • B. Documentary evidence
  • C. Testimonial evidence
  • D. Demonstrative evidence
Answer and Explanation

Correct: C. Testimonial evidence

  • Real: physical objects (seized laptop).
  • Documentary: records (logs, emails).
  • Testimonial: witness accounts.
  • Demonstrative: aids to help explain (charts, animations).

Question 70

A critical vulnerability (CVSS 9.8) is announced in production software. The company's change management process requires a 14-day review. What should happen?

  • A. Wait the full 14 days regardless
  • B. Invoke the emergency change process to patch immediately
  • C. Ignore the change process and patch anyway without approval
  • D. Disable the affected system indefinitely
Answer and Explanation

Correct: B. Invoke the emergency change process to patch immediately

Every mature change management process includes an emergency change pathway with expedited approval. Bypassing the process entirely (C) is a governance violation even if the patch is correct. Indefinite outages (D) are usually unacceptable.

Domain 8: Software Development Security -- Questions 71 to 80

Question 71

The OWASP Top 10 category "Injection" includes which of the following?

  • A. SQL injection only
  • B. SQL, LDAP, OS command, XPath injection
  • C. XSS attacks
  • D. Buffer overflows
Answer and Explanation

Correct: B. SQL, LDAP, OS command, XPath injection

Injection is a broad category covering any attack in which untrusted input reaches an interpreter (SQL, LDAP, the OS shell, XPath, NoSQL, an ORM query builder) and is parsed as code rather than data. XSS (C) was its own category (A7) in the 2017 list; the 2021 list folded it into A03:2021 Injection, since it is injection into the browser's HTML and JavaScript interpreter. Option B remains the best answer because it lists the server-side interpreter injections the exam means by the term, while XSS is defended differently (output encoding). Buffer overflows (D) are memory-safety defects in native code, not an OWASP Top 10 web category.

Question 72

The BEST defense against SQL injection is:

  • A. Input filtering (reject single quotes)
  • B. Parameterized queries / prepared statements
  • C. Web Application Firewall
  • D. Output encoding
Answer and Explanation

Correct: B. Parameterized queries / prepared statements

Parameterized queries send SQL and data separately, so user input cannot change query structure. Filtering (A) can be bypassed. WAFs (C) are a layer but not a cure. Output encoding (D) helps against XSS, not SQLi.

Question 73

In a DevSecOps CI/CD pipeline, which scan typically runs EARLIEST (shift-left)?

  • A. DAST
  • B. SAST
  • C. Penetration test
  • D. Compliance audit
Answer and Explanation

Correct: B. SAST

SAST can run as part of the IDE, pre-commit hooks, or pull request checks -- the earliest possible points. DAST requires a deployed app. Pentests and audits are late-stage.

Question 74

Which database concept prevents an unauthorized user from inferring classified information from aggregated queries?

  • A. Polyinstantiation
  • B. Inference control
  • C. Referential integrity
  • D. Normalization
Answer and Explanation

Correct: B. Inference control

Inference occurs when a user combines individually permitted, non-sensitive query results to deduce a sensitive fact, classically by subtracting one aggregate from another to isolate a single record. Controls include query-set-size restrictions (reject results over too few or too many rows), limits on overlapping queries, and differential privacy, which adds calibrated noise so that no single record changes an answer reliably. Polyinstantiation (A) is creating multiple versions of the same row at different classification levels to maintain cover stories; it is a confidentiality control, not an inference control.
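The difference attack and two of the controls above, worked through on a small table. This is an added example for this study guide, not code from any database product; the employee table, the value of k, epsilon and the salary bound used as the sensitivity are constructed assumptions.

```python
"""Inference through aggregate queries, and the controls that do and do not
stop it. Added example for this study guide; the employee table, k, epsilon
and MAX_SALARY are constructed."""
import math
import random

# Constructed table: (name, dept, team, seniority, salary).
EMPLOYEES = [
    ("alice", "eng",   "platform", "senior", 150_000),
    ("bob",   "eng",   "platform", "junior",  90_000),
    ("carol", "eng",   "platform", "junior",  95_000),
    ("dave",  "eng",   "infra",    "senior", 140_000),
    ("erin",  "eng",   "infra",    "junior",  92_000),
    ("frank", "eng",   "infra",    "senior", 145_000),
    ("grace", "eng",   "infra",    "junior",  88_000),
    ("henry", "legal", "legal",    "senior", 200_000),
]
MAX_SALARY = 250_000   # assumed bound on one row's contribution (the sensitivity)


class StatisticalDB:
    """Answers SUM(salary) over a predicate.

    Query-set-size control: reject when the matching set has fewer than k rows
    or more than N - k rows (otherwise the complement query leaks).
    Optional Laplace noise with scale sensitivity/epsilon is the basic
    differential-privacy mechanism."""

    def __init__(self, rows, k=2, epsilon=None, seed=7):
        self.rows, self.k, self.epsilon = rows, k, epsilon
        self.rng = random.Random(seed)

    def sum_salary(self, predicate) -> float:
        matched = [r[-1] for r in self.rows if predicate(*r[:-1])]
        n = len(self.rows)
        if len(matched) < self.k or len(matched) > n - self.k:
            raise PermissionError(f"query set of size {len(matched)} rejected")
        total = float(sum(matched))
        if self.epsilon is not None:
            total += self._laplace(MAX_SALARY / self.epsilon)
        return total

    def _laplace(self, scale: float) -> float:
        # Inverse-CDF sampling of Laplace(0, scale).
        u = self.rng.random() - 0.5
        return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def direct_query(db: StatisticalDB) -> float:
    """Asks for the single senior engineer on the platform team (set size 1):
    this is what the size control is designed to refuse."""
    return db.sum_salary(lambda name, dept, team, sen: team == "platform" and sen == "senior")


def difference_attack(db: StatisticalDB) -> float:
    """Two individually permitted queries whose difference isolates alice's
    salary. Neither names her, so size control alone does not stop it."""
    platform = db.sum_salary(lambda name, dept, team, sen: team == "platform")
    juniors = db.sum_salary(lambda name, dept, team, sen: team == "platform" and sen == "junior")
    return platform - juniors


if __name__ == "__main__":
    plain = StatisticalDB(EMPLOYEES, k=2)
    try:
        direct_query(plain)
    except PermissionError as exc:
        print("direct query blocked:", exc)
    print("difference attack, size control only:", difference_attack(plain))
    noisy = StatisticalDB(EMPLOYEES, k=2, epsilon=1.0)
    print("difference attack with Laplace noise:", round(difference_attack(noisy)))
```

With size control only, the two allowed queries subtract to exactly 150000, alice's salary. With noise at epsilon 1.0 the same subtraction returns a number that is off by an amount comparable to a whole salary, which is the point: the control has to change the answers, not just refuse small sets.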

Question 75

The Agile principle that benefits security MOST is:

  • A. Comprehensive documentation over working software
  • B. Following a plan over responding to change
  • C. Individuals and interactions, working software, customer collaboration, responding to change
  • D. Big Design Up Front (BDUF)
Answer and Explanation

Correct: C. Individuals and interactions, working software, customer collaboration, responding to change

These are the Agile Manifesto values. Security benefits from short iterations (rapid patching), continuous feedback, and embedded security stories. BDUF (D) is a waterfall trait. Option A is the opposite of Agile.

Question 76

Which SDLC phase should include threat modeling?

  • A. Requirements
  • B. Design
  • C. Implementation
  • D. Deployment
Answer and Explanation

Correct: B. Design

Threat modeling is most impactful during design, when architectural changes are still cheap. Some threat modeling also happens in requirements (A) to set security objectives. Adding it later (C, D) means any architectural flaws are expensive to fix.

Question 77

Which of the following BEST describes Software Composition Analysis (SCA)?

  • A. Scanning source code for vulnerabilities
  • B. Scanning a running application for vulnerabilities
  • C. Identifying and analyzing open-source dependencies for known CVEs and license issues
  • D. Reviewing code for business logic flaws
Answer and Explanation

Correct: C. Identifying and analyzing open-source dependencies for known CVEs and license issues

SCA tools (e.g., Snyk, Dependabot, OWASP Dependency-Check) inspect package manifests and lock files, and increasingly SBOMs, and compare the pinned versions against vulnerability databases and licence policies. It is critical for supply-chain security: the Log4Shell response in December 2021 was largely a question of which builds contained a vulnerable log4j-core, exactly what an SBOM plus SCA answers. SAST (A) and DAST (B) scan your own code and your running application; SCA scans what you depend on.
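The core of what an SCA tool does, reduced to its essentials: parse a manifest, compare each pinned version against advisory ranges, and flag licence policy violations. This is an added example for this study guide, not the logic of Snyk, Dependabot or Dependency-Check; the manifest, the advisory feed, the licence map and the policy are constructed, and the advisory identifiers are placeholders, not real CVE numbers.

```python
"""Minimal software composition analysis over a constructed manifest.
Added example for this study guide. The packages, versions, advisories
(placeholder IDs, not real CVEs), licences and the denied-licence policy
are all constructed."""
import re
from typing import NamedTuple

MANIFEST = """\
# constructed requirements-style manifest
webframework==2.3.1
logkit==2.14.0
crypto-utils==1.0.9
reporting==0.8.2   # pulled in for PDF export
"""


class Advisory(NamedTuple):
    id: str
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    severity: str


# Constructed advisory feed, shaped like the OSV "introduced/fixed" ranges.
ADVISORIES = [
    Advisory("EXAMPLE-2024-0001", "logkit", "2.0.0", "2.15.0", "critical"),
    Advisory("EXAMPLE-2024-0002", "crypto-utils", "1.0.0", "1.1.0", "high"),
    Advisory("EXAMPLE-2024-0003", "webframework", "2.0.0", "2.1.0", "medium"),
]
# Constructed licence metadata and an assumed policy for a proprietary product.
LICENSES = {"webframework": "MIT", "logkit": "Apache-2.0",
            "crypto-utils": "BSD-3-Clause", "reporting": "AGPL-3.0"}
DENIED_LICENSES = {"AGPL-3.0"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "policy": 4}

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)$")


def parse_version(v: str) -> tuple:
    """'2.14.0' -> (2, 14, 0); tuples compare component-wise."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text: str) -> dict:
    """Map package name to pinned version, ignoring comments and blanks."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {raw!r}")
        pins[m.group(1)] = m.group(2)
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def scan(manifest_text: str) -> list:
    """Return findings sorted by severity, each with the remediation target."""
    findings = []
    for package, version in parse_manifest(manifest_text).items():
        for adv in ADVISORIES:
            if adv.package == package and is_affected(version, adv):
                findings.append({"type": "vulnerability", "package": package,
                                 "version": version, "id": adv.id,
                                 "severity": adv.severity, "fix": adv.fixed})
        licence = LICENSES.get(package, "unknown")
        if licence in DENIED_LICENSES:
            findings.append({"type": "license", "package": package,
                             "version": version, "id": licence,
                             "severity": "policy", "fix": "replace or obtain exception"})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for f in scan(MANIFEST):
        print(f"{f['severity']:8s} {f['package']}=={f['version']}  {f['id']}  -> {f['fix']}")
```

The scan flags logkit (in the affected range, fix at 2.15.0) and crypto-utils, clears webframework because 2.3.1 is past the fixed version, and raises a policy finding for the AGPL dependency. A real tool adds transitive resolution, reachability analysis and a much larger feed, but the comparison at its heart is this one.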

Question 78

A SQL stored procedure parameterized properly still suffers SQL injection if:

  • A. The procedure concatenates input into a dynamic SQL EXECUTE statement
  • B. The database uses Microsoft SQL Server
  • C. The procedure runs as sa
  • D. The user has SELECT privileges
Answer and Explanation

Correct: A. The procedure concatenates input into a dynamic SQL EXECUTE statement

Parameterized procedures prevent injection only when the parameters are used as values. If the procedure builds a statement by concatenation, for example EXEC('SELECT * FROM ' + @table), the input is once again parsed as code and the procedure is injectable. Identifiers (table and column names, ORDER BY targets) cannot be bound as parameters in any SQL dialect, so the only defense for them is a strict allowlist, checked before the name goes anywhere near a string. Running as sa (C) does not cause injection but makes a successful one far worse.
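Questions 72 and 78 together, run against an in-memory database: the string-built query beside its parameterized form, then the dynamic-SQL identifier trap and its allowlist fix. This is an added example for this study guide using Python's standard sqlite3 module (SQLite has no stored procedures, but the concatenation pattern is the same); the schema, rows and the table allowlist are constructed.

```python
"""String-built SQL beside its parameterised form, plus the dynamic-SQL
identifier trap. Added example for this study guide using sqlite3; the
schema, the rows and ALLOWED_TABLES are constructed."""
import sqlite3

ALLOWED_TABLES = {"users", "audit_log"}   # assumption: the only tables callers may name


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database with a public table and a secret one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT);
        INSERT INTO users VALUES (1,'alice'),(2,'bob'),(3,'carol');
        CREATE TABLE audit_log(id INTEGER, entry TEXT);
        CREATE TABLE secrets(id INTEGER, value TEXT);
        INSERT INTO secrets VALUES (1,'api-key-REDACTED'),(2,'db-password-REDACTED');
    """)
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """Untrusted input is spliced into the statement text, so it can change
    the query's structure."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str) -> list:
    """The driver sends the statement and the value separately; whatever the
    value contains, it is only ever compared as data."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def list_table_vulnerable(conn, table: str) -> list:
    """Equivalent of EXEC('SELECT * FROM ' + @table): the identifier is
    concatenated, so parameterisation elsewhere does not help."""
    return conn.execute(f"SELECT * FROM {table}").fetchall()


def list_table_safe(conn, table: str) -> list:
    """Identifiers cannot be bound, so validate against an allowlist first,
    then quote the validated name."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not permitted: {table!r}")
    quoted = '"' + table.replace('"', '""') + '"'
    return conn.execute(f"SELECT * FROM {quoted}").fetchall()


def bind_identifier_fails(conn) -> bool:
    """Why Question 78 matters: a placeholder is not accepted where a table
    name belongs, so developers fall back to concatenation."""
    try:
        conn.execute("SELECT * FROM ?", ("users",))
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(db, payload))   # every user
    print("safe lookup      :", lookup_safe(db, payload))         # no rows
    exfil = "users WHERE 1=0 UNION SELECT id, value FROM secrets"
    print("dynamic SQL      :", list_table_vulnerable(db, exfil))  # the secrets table
    try:
        list_table_safe(db, exfil)
    except ValueError as exc:
        print("allowlisted      :", exc)
```

The classic `' OR '1'='1` returns all three users from the concatenated query and nothing from the parameterized one. The identifier case is the instructive part: the same payload style turns a "list this table" helper into a read of the secrets table, and because `SELECT * FROM ?` is a syntax error, only the allowlist closes it.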

Question 79

The OWASP API Top 10 includes a category about:

  • A. Buffer overflows
  • B. Broken Object Level Authorization (BOLA / IDOR)
  • C. Social engineering
  • D. Physical attacks
Answer and Explanation

Correct: B. Broken Object Level Authorization (BOLA / IDOR)

BOLA is API1:2023, the top entry in the OWASP API Security Top 10. It occurs when an API authenticates the caller but never checks whether that caller may reach the specific object requested, so a user changes an identifier (GET /api/accounts/12345 to /api/accounts/12346) and reads someone else's record. The mitigation is an object-level authorization check on every request that references an object, evaluated server-side against the session's identity and roles, never against anything the client supplies.
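The vulnerable handler beside the fixed one, using the two account IDs from the explanation. This is an added example for this study guide and not code from any real API; the session model, the account store, the support role and the handler names are constructed.

```python
"""Broken Object Level Authorization beside the corrected handler.
Added example for this study guide; the session model, the account store
and the 'support' role are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset


@dataclass(frozen=True)
class Account:
    id: int
    owner: str
    balance: int


class NotFound(Exception):
    pass


# Constructed store holding the two IDs from the explanation above.
ACCOUNTS = {
    12345: Account(12345, "alice", 500),
    12346: Account(12346, "bob", 9_000),
}


def get_account_bola(session, account_id: int) -> Account:
    """Checks that a session exists (authentication) but never asks whether
    this user may see this object: any logged-in user can read any account."""
    if session is None:
        raise PermissionError("login required")
    try:
        return ACCOUNTS[account_id]
    except KeyError:
        raise NotFound(account_id)


def can_read(session: Session, account: Account) -> bool:
    """Object-level rule: the owner, or a role explicitly granted cross-account
    read. Derived from the server-side session, never from request fields."""
    return account.owner == session.user or "support" in session.roles


def get_account_fixed(session, account_id: int) -> Account:
    """Object-level check on every request. 'Denied' and 'does not exist'
    produce the same response so IDs cannot be enumerated by the difference."""
    if session is None:
        raise PermissionError("login required")
    account = ACCOUNTS.get(account_id)
    if account is None or not can_read(session, account):
        raise NotFound(account_id)
    return account


def visible_ids(session: Session, candidate_ids) -> list:
    """What an ID-walking client sees through the fixed handler."""
    seen = []
    for account_id in candidate_ids:
        try:
            get_account_fixed(session, account_id)
            seen.append(account_id)
        except NotFound:
            pass
    return seen


if __name__ == "__main__":
    alice = Session("alice", frozenset())
    print("BOLA  :", get_account_bola(alice, 12346))        # bob's account leaks
    print("fixed :", visible_ids(alice, [12345, 12346, 12347]))   # only 12345
```

Collapsing "forbidden" and "not found" into one response is a deliberate design choice: returning 403 for existing objects and 404 for missing ones lets an attacker map the ID space even when every read is denied.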

Question 80

BSIMM and SAMM are examples of:

  • A. Compliance frameworks
  • B. Software security maturity models
  • C. Coding standards
  • D. Testing tools
Answer and Explanation

Correct: B. Software security maturity models

BSIMM (Building Security In Maturity Model) is a descriptive model based on observed practices. SAMM (OWASP Software Assurance Maturity Model) is a prescriptive model with 5 business functions and 3 maturity levels. Both help organizations benchmark and grow their software security programs.


Exam Day Tips

The Day Before

  • Do NOT cram. Your brain needs to consolidate.
  • Review a 1-page cheat sheet: models (Bell-LaPadula, Biba), formulas (SLE, ALE), OSI layers, fire classes, incident response steps.
  • Lay out the required ID: a primary government-issued photo ID bearing your signature, plus a secondary ID with your name and signature (check the current ISC2 / Pearson VUE ID policy for your region). Confirm the test center booking or the online proctor setup.
  • Get 8 hours of sleep. Eat a balanced dinner.

On Exam Day

Arrive 30 Minutes Early

For test center exams, arrive 30 minutes before the appointment. Late arrival can forfeit your exam. For online proctored exams, test your webcam, internet, and room scan the day before.

CAT Strategy

  1. Read every question twice. CISSP questions often hinge on one qualifying word (MOST, FIRST, BEST, PRIMARY, LEAST). Miss the qualifier and you miss the question.
  2. Identify the domain. Before answering, ask yourself "What domain is this from?" and "What concept is being tested?"
  3. Eliminate clearly wrong answers. Most CISSP questions have at least one obviously wrong option. Cross it out in your head.
  4. Pick the BEST answer, not the first correct one. Two answers may be technically correct; you must choose the one that best fits the scenario.
  5. Think like a manager. When stuck between a technical and managerial answer, the managerial answer is usually correct on CISSP.

You CANNOT Go Back

In CAT format, you cannot review or change previous answers. Commit and move on. Do NOT linger on one question -- if you spend more than 2 minutes, make your best guess and continue.

Time Management

  • Three hours for up to 150 questions is about 72 seconds per question on average, so budget roughly 60 to 90 seconds each.
  • If a question is taking more than 2 minutes, pick the best option and move on.
  • Check your pace at question 50 (about 60 minutes in) and question 100 (about 120 minutes in). If the exam runs to 150 questions, you need to be at question 75 by the 90-minute mark.

Breaks

  • You can take unscheduled breaks, but the clock keeps running (except when a proctor pauses for administrative reasons).
  • Plan for one 5-minute restroom break around the halfway point if needed.
  • Bring water and a snack if allowed by the test center.

Managing Test Anxiety

  1. Breathing: Before the exam, do 4-7-8 breathing (inhale 4 sec, hold 7, exhale 8).
  2. Reframing: If you blank on a question, skip the panic loop -- say "this is just data, I've seen harder."
  3. Anchor: Remember a successful practice exam moment. You prepared. You know this.

Handling a Hard Question

If you get a hard question, it likely means you're doing well (CAT algorithm gives harder questions when you answer correctly). Do NOT panic. Apply your process:

  1. Identify the domain and core concept.
  2. Eliminate 2 answers confidently.
  3. Choose between the remaining 2 based on "BEST" / "MOST" / "FIRST".
  4. Commit and move on.

What to Do If You Fail

If you don't pass:

  1. Don't panic. Many excellent professionals fail on their first attempt. The ISC2 retake policy allows a retest 30 days after a first failed attempt, 60 days after a second, and 90 days after a third or later attempt, with a maximum of four attempts in any 12-month period (confirm the current policy on the ISC2 site before booking).
  2. Review your score report. ISC2 provides a feedback report showing weak domains.
  3. Adjust your study plan to focus on weak areas.
  4. Take more practice exams (Boson ExSim is closest to the real thing).
  5. Consider a bootcamp if self-study isn't working.

Post-Exam

Receiving the Result

You see pass/fail on the screen at the test center. You'll receive an official email from ISC2 within 6 weeks confirming your status.

The Endorsement Process

  1. Log in to your ISC2 account.
  2. Complete the endorsement application with:
    • Work history (employers, titles, dates, job descriptions).
    • Domains you worked in.
    • Endorser information (an active CISSP who can verify your experience).
  3. Submit within 9 months of passing.
  4. Endorser reviews and submits.
  5. ISC2 reviews (typically 4-6 weeks).

If You Don't Have an Endorser

You can request ISC2 as your endorser. You'll need to provide additional documentation (offer letters, org charts, direct manager verification).

Continuing Professional Education (CPE)

You must earn 40 CPEs per year (120 over a 3-year cycle). CPE activities:

| Activity | Credits |
| --- | --- |
| 1 hour at a security conference | 1 CPE (Group A) |
| Reading a security book | 5 CPE per book (Group A) |
| Writing an article or blog | 5-15 CPE depending on depth (Group A) |
| Teaching/presenting | Preparation + delivery time (Group A) |
| Vendor security training | Hourly credit (Group A) |
| Non-security professional development | Limited Group B credits |

  • Group A (Domain-related): Required 30 per year minimum.
  • Group B (Professional development): Up to 10 per year, e.g., project management training.

Annual Maintenance Fee

  • USD 135 per year, due on your anniversary date.
  • Pay via ISC2 member portal.

Code of Ethics

All CISSPs must adhere to the ISC2 Code of Ethics:

  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  2. Act honorably, honestly, justly, responsibly, and legally.
  3. Provide diligent and competent service to principals.
  4. Advance and protect the profession.

Violations can result in certification revocation.

CISSP Concentrations

After CISSP, you can pursue concentration certifications:

| Concentration | Focus | Experience Required |
| --- | --- | --- |
| CISSP-ISSAP | Information Systems Security Architecture Professional | 2 years in security architecture |
| CISSP-ISSEP | Information Systems Security Engineering Professional | 2 years in security engineering |
| CISSP-ISSMP | Information Systems Security Management Professional | 2 years in security management |

```mermaid
graph LR
    CISSP[CISSP Base] --> ISSAP[ISSAP: Architecture]
    CISSP --> ISSEP[ISSEP: Engineering]
    CISSP --> ISSMP[ISSMP: Management]

    ISSAP --> Skills1[Architecture Frameworks<br/>Enterprise Security Arch<br/>Technology Integration]
    ISSEP --> Skills2[System Engineering<br/>NIST RMF<br/>DoD Security]
    ISSMP --> Skills3[Leadership<br/>Program Management<br/>Risk Management]

    style CISSP fill:#2d3748,color:#fff
    style ISSAP fill:#4a5568,color:#fff
    style ISSEP fill:#4a5568,color:#fff
    style ISSMP fill:#4a5568,color:#fff
```

CISSP vs Concentrations Comparison

| Aspect | CISSP | ISSAP | ISSEP | ISSMP |
| --- | --- | --- | --- | --- |
| Scope | Broad, all 8 domains | Architecture depth | Engineering depth | Management depth |
| Domains | 8 | 6 architecture-focused | 5 engineering-focused | 6 management-focused |
| Experience | 5 years | 2 years in arch + CISSP | 2 years in eng + CISSP | 2 years in mgmt + CISSP |
| Target Role | Senior practitioner | Security architect | Security engineer (often DoD) | Security manager / CISO |
| Exam length | 3 hours (CAT) | 3 hours | 3 hours | 3 hours |

Resources and References

Official ISC2 Resources

  • ISC2 Official Website
  • Official Study Guide (Sybex, 9th edition) -- Mike Chapple et al.
  • Official Practice Tests (Sybex) -- Mike Chapple
  • ISC2 CBK Reference -- John Warsinske et al.

Third-Party Study Resources

  • CISSP All-in-One Exam Guide (Shon Harris legacy, Fernando Maymi co-author)
  • 11th Hour CISSP Study Guide (Eric Conrad) -- short, intense refresh
  • Destination Certification (Rob Witcher) -- free YouTube / podcast series, highly rated
  • Kelly Handerhan's "Why You Will Pass the CISSP" -- motivational video
  • Pete Zerger's CISSP Exam Cram (YouTube)
  • Luke Ahmed's "Study Notes and Theory" -- scenario-based question practice
  • Thor Pedersen's CISSP Courses (Udemy)

Practice Exam Platforms

  • Boson ExSim CISSP -- Considered harder than the real exam; excellent final prep.
  • CCCure CISSP Quiz Engine -- Large question bank.
  • Learnzapp CISSP -- Mobile-friendly.

Nexus SecOps Internal Resources

Use these Nexus chapters in order with your CISSP study schedule:

Community and Forums

  • r/cissp (Reddit) -- Candidate experiences and study tips
  • ISC2 Community Forums -- Official community
  • Discord: Certification Station -- Active study groups
  • LinkedIn CISSP Study Group -- Networking with current candidates

Standards and Frameworks

  • NIST SP 800-30 -- Risk Assessment
  • NIST SP 800-37 -- Risk Management Framework
  • NIST SP 800-53 -- Security Controls
  • NIST SP 800-61 -- Incident Response (Rev. 3, 2025, superseded the widely cited Rev. 2)
  • NIST SP 800-137 -- Continuous Monitoring
  • NIST Cybersecurity Framework (CSF) 2.0
  • ISO/IEC 27001:2022 -- ISMS Requirements
  • ISO/IEC 27002:2022 -- Security Controls Code of Practice
  • OWASP Top 10 (2021)
  • OWASP API Security Top 10 (2023)
  • MITRE ATT&CK

Podcasts to Subscribe To

  • Destination Certification -- CISSP-specific
  • SANS Internet Storm Center Daily Podcast
  • Risky Business
  • Security Now (Steve Gibson)
  • Darknet Diaries

Final Checklist -- One Week Before Exam

T-minus 7 Days

  • [ ] Schedule your exam slot (or confirm existing booking)
  • [ ] Take one final full-length practice exam, targeting 80%+
  • [ ] Review your weakest domain one more time
  • [ ] Prepare a 1-page "brain dump" cheat sheet (review, do NOT memorize)
  • [ ] Review the ISC2 Code of Ethics
  • [ ] Confirm IDs, test center location, or online proctor setup
  • [ ] Plan your commute or test your online environment
  • [ ] Arrange logistics (work off, childcare, meals)

T-minus 1 Day

  • [ ] Light review only. No new material.
  • [ ] Eat well, hydrate, get 8 hours of sleep.
  • [ ] Lay out IDs, comfortable clothes.
  • [ ] For online: test webcam, internet, room scan.
  • [ ] For test center: print confirmation, plan parking.

Exam Day

  • [ ] Wake early, eat a balanced breakfast.
  • [ ] Arrive 30 minutes before appointment (or log in 30 minutes early).
  • [ ] Bring required IDs.
  • [ ] Breathe. Commit. Execute your process.
  • [ ] You've got this.

Study Path Completion

Once you pass, update your Nexus SecOps profile, share your success (if you choose), and consider:

  1. Becoming a Nexus SecOps contributor -- submit content improvements via GitHub.
  2. Mentoring future CISSP candidates -- pay it forward.
  3. Pursuing a concentration (ISSAP, ISSEP, ISSMP).
  4. Exploring other certifications -- CCSP (cloud), CSSLP (software), SABSA, TOGAF.

You Are Now a CISSP

The CISSP is not the end of your journey -- it is a milestone. The real value is the mindset: a systems-level, governance-first, risk-informed, and ethically grounded approach to security. Carry it into every decision you make.


Last updated: 2026-04-16 Maintained by: Nexus SecOps community Feedback and corrections: GitHub Issues