Cissp-Exam-Outline Guidelines

Certification Exam Outline
About CISSP
e Certifie In ormation S tem Securit Pro e ional CISSP i t e mo t lo all reco ni e certification
in t e in ormation ecurit mar et CISSP ali ate an in ormation ecurit ro e ional ee tec nical
an mana erial no le e an ex erience to e ecti el e i n en ineer an mana e t e o erall ecurit
o ture o an or ani ation
e roa ectrum o to ic inclu e in t e CISSP Common o o no le e C en ure it rele anc

acro all i ci line in t e fiel o in ormation ecurit Succe ul can i ate are com etent in t e ollo in
omain
• Securit an i ana ement

• et Securit
• Securit En ineerin
• Communication an et or Securit
• I entit an cce ana ement
• Securit e ment an e tin
• Securit O eration
• So t are e elo ment Securit
Experience Requirements
Can i ate mu t a e a minimum o ear cumulati e ai ull time or ex erience in or more o t e
omain o t e ISC C Can i ate ma recei e a ear ex erience ai er it a ear colle e e ree
or re ional e ui alent or a itional cre ential rom t e ISC a ro e li t t u re uirin ear o irect
ull time ro e ional ecurit or ex erience in or more o t e omain o t e CISSP C
can i ate t at oe n t a e t e re uire ex erience to ecome a CISSP ma ecome an ociate o ISC

ucce ull a in t e CISSP examination e ociate o ISC ill t en a e ear to earn t e
ear re uire ex erience
Accreditation
CISSP a t e fir t cre ential in t e fiel o in ormation ecurit to meet t e trin ent re uirement o SI
ISO IEC Stan ar
Job Task Analysis (JTA)

ISC a an o li ation to it mem er i to maintain t e rele anc o t e CISSP Con ucte at re ular
inter al t e o a nal i i a met o ical an critical roce o eterminin t e ta t at are
er orme ecurit ro e ional o are en a e in t e ro e ion efine t e CISSP e re ult o
t e are u e to u ate t e examination i roce en ure t at can i ate are te te on t e to ic
area rele ant to t e role an re on i ilitie o to a racticin in ormation ecurit ro e ional
CISSP Certification Exam Outline 2

CISSP Examination Information
Length of exam our
Number of questions
Question format ulti le c oice an a ance inno ati e ue tion

Passing grade out o oint
Exam availability En li renc erman ra ilian Portu ue e S ani

a ane e Sim lifie C ine e orean i uall im aire
Testing center Pear on E e tin Center
CISSP Examination Weights

Domains Weight
Securit an i ana ement
et Securit
Securit En ineerin
Communication an et or Securit
I entit an cce ana ement
Securit e ment an e tin
Securit O eration
So t are e elo ment Securit
Total: 100%

Domain 1:
Security and Risk Management
1.1 Understand and apply concepts of confidentiality, integrity and availability
1.2 Apply security governance principles through:

» li nment o ecurit unction to trate oal » Securit role an re on i ilitie
mi ion an o ecti e e u ine ca e » Control rame or
u et an re ource
» ue care
» Or ani ational roce e e ac ui ition
i e titure o ernance committee » ue ili ence
1.3 Compliance
» e i lati e an re ulator com liance

» Pri ac re uirement com liance
1.4 Understand legal and regulatory issues that pertain to information security in a global
context
» Com uter crime » ran or er ata o
» icen in an intellectual ro ert e » Pri ac
co ri t tra emar i ital ri t mana ement » ata reac e
» Im ort ex ort control
1.5 Understand professional ethics
» Exerci e ISC Co e o Pro e ional Et ic

» Su ort or ani ation co e o et ic
1.6 Develop and implement documented security policy, standards, procedures, and
guidelines
1.7 Understand business continuity requirements
» e elo an ocument ro ect co e an lan

» Con uct u ine im act anal i

1.8 Contribute to personnel security policies
» Em lo ment can i ate creenin e re erence » en or con ultant an contractor control
c ec e ucation erification » Com liance
» Em lo ment a reement an olicie » Pri ac
» Em lo ment termination roce e
1.9 Understand and apply risk management concepts

» I enti t reat an ulnera ilitie » Control a e ment
» i a e ment anal i ualitati e uantitati e » onitorin an mea urement
ri » et aluation
» i a i nment acce tance e tem » e ortin
aut ori ation
» Continuou im ro ement
» Countermea ure election
» i rame or
» Im lementation
» e o control re enti e etecti e
correcti e etc
1.10 Understand and apply threat modeling

» I enti in t reat e a er arie contractor » Per ormin re uction anal i
em lo ee tru te artner » ec nolo ie an roce e to reme iate t reat
» eterminin an ia rammin otential attac e o t are arc itecture an o eration
e ocial en ineerin oofin
1.11 Integrate security risk considerations into acquisition strategy and practice
» ar are o t are an er ice » inimum ecurit re uirement

» ir art a e ment an monitorin e on » Ser ice le el re uirement
ite a e ment ocument exc an e an re ie
roce olic re ie
1.12 Establish and manage information security education, training, and awareness
» ro riate le el o a arene trainin an e ucation re uire it in or ani ation

» Perio ic re ie or content rele anc

Domain 2:
Asset Security
2.1 Classify information and supporting assets (e.g., sensitivity, criticality)
2.2 Determine and maintain ownership (e.g., data owners, system owners, business/mission
owners)
2.3 Protect privacy

» ata o ner » ata remanence
» ata roce er » Collection limitation
2.4 Ensure appropriate retention (e.g., media, hardware, personnel)
2.5 Determine data security controls (e.g., data at rest, data in transit)
» a eline » Stan ar election
» Sco in an tailorin » Cr to ra
2.6 Establish handling requirements (markings, labels, storage, destruction of sensitive

information)

Domain 3:
Security Engineering
3.1 Implement and manage engineering processes using secure design principles
3.2 Understand the fundamental concepts of security models (e.g., Confidentiality,

Integrity, and Multi-level Models)
3.3 Select controls and countermeasures based upon systems security evaluation models
3.4 Understand security capabilities of information systems (e.g., memory protection,

virtualization, trusted platform module, interfaces, fault tolerance)
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution
elements
» Client a e e a let local cac e » i tri ute tem e clou com utin ri
com utin eer to eer
» Ser er a e e ata o control
» Cr to ra ic tem
» ata a e ecurit e in erence a re ation
ata minin ata anal tic are ou in » In u trial control tem e SC
» ar e cale arallel ata tem
3.6 Assess and mitigate vulnerabilities in web-based systems (e.g., XML, OWASP)
3.7 Assess and mitigate vulnerabilities in mobile systems
3.8 Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems (e.g.,
network-enabled devices, Internet of things (loT))
3.9 Apply cryptography
» Cr to ra ic li e c cle e cr to ra ic » i ital i nature

limitation al orit m rotocol o ernance » i ital ri t mana ement
» Cr to ra ic t e e mmetric a mmetric » on re u iation
elli tic cur e
» Inte rit a in an altin
» Pu lic e In ra tructure P I
» et o o cr tanal tic attac e rute orce
» e mana ement ractice ci er text onl no n laintext

3.10 Apply secure principles to site and facility design
3.11 Design and implement physical security
» irin clo et » ata center ecurit

» Ser er room » tilitie an C con i eration
» e ia tora e acilitie » ater i ue e lea a e oo in
» E i ence tora e » ire re ention etection an u re ion
» e tricte an or area ecurit e o eration
center

Domain 4:
Communication and Network Security
4.1 Apply secure design principles to network architecture (e.g., IP & non-IP protocols,
segmentation)
» OSI an CP IP mo el » So t are efine net or
» IP net or in » irele net or
» Im lication o multila er rotocol e P » Cr to ra u e to maintain communication
ecurit
» Con er e rotocol e CoE P S oIP
iSCSI
4.2 Secure network components
» O eration o ar are e mo em itc e » En oint ecurit

router irele acce oint mo ile e ice » Content i tri ution net or
» ran mi ion me ia e ire irele fi er » P ical e ice
» et or acce control e ice e
fire all roxie
4.3 Design and establish secure communication channels
» oice » ata communication e S SS

» ultime ia colla oration e remote meetin » irtuali e net or e S irtual S ue t
tec nolo in tant me a in o eratin tem ort i olation
» emote acce e P creen cra er irtual
a lication e to telecommutin
4.4 Prevent or mitigate network attacks

Domain 5:
Identity and Access Management
5.1 Control physical and logical access to assets
» In ormation
» S tem
» e ice
» acilitie
5.2 Manage identification and authentication of people and devices

» I entit mana ement im lementation e SSO » Se ion mana ement e timeout
P creen a er
» Sin le multi actor aut entication e actor » e i tration an roofin o i entit
tren t error » e erate i entit mana ement e S
» ccounta ilit » Cre ential mana ement tem
5.3 Integrate identity as a service (e.g., cloud identity)
5.4 Integrate third-party identity services (e.g., on-premise)
5.5 Implement and manage authorization mechanisms
» ole a e cce Control C met o

» ule a e acce control met o
» an ator cce Control C
» i cretionar cce Control C
5.6 Prevent or mitigate access control attacks
5.7 Manage the identity and access provisioning lifecycle (e.g., provisioning, review)

Domain 6:
Security Assessment and Testing
6.1 Design and validate assessment and test strategies
6.2 Conduct security control testing

» ulnera ilit a e ment » i u e ca e te tin
» Penetration te tin » e t co era e anal i
» o re ie » Inter ace te tin e PI I ical
» S nt etic tran action
» Co e re ie an te tin e manual namic
tatic u
6.3 Collect security process data (e.g., management and operational controls)
» ccount mana ement e e calation » ac u erification ata
re ocation » rainin an a arene
» ana ement re ie » i a ter reco er an u ine continuit
» e er ormance an ri in icator
6.4 Analyze and report test outputs (e.g., automated, manual)
6.5 Conduct or facilitate internal and third party audits

Domain 7:
Security Operations
7.1 Understand and support investigations
» E i ence collection an an lin e c ain o » In e ti ati e tec ni ue e root cau e anal i
cu to inter ie in inci ent an lin
» e ortin an ocumentin » i ital oren ic e me ia net or o t are
an em e e e ice
7.2 Understand requirements for investigation types

» O erational » e ulator
» Criminal » Electronic i co er e i co er
» Ci il
7.3 Conduct logging and monitoring activities

» Intru ion etection an re ention » E re monitorin e ata lo re ention
te ano ra atermar in
» Securit in ormation an e ent mana ement
» Continuou monitorin
7.4 Secure the provisioning of resources

» et in entor e ar are o t are » Clou a et e er ice tora e
net or
» Confi uration mana ement
» lication e or loa or ri ate clou
» P ical a et
e er ice o t are a a er ice
» irtual a et e o t are efine net or
irtual S ue t o eratin tem
7.5 Understand and apply foundational security operations concepts

» ee to no lea t ri ile e e entitlement » o rotation
a re ation tran iti e tru t » In ormation li ec cle
» Se aration o utie an re on i ilitie » Ser ice le el a reement
» onitor ecial ri ile e e o erator
a mini trator
7.6 Employ resource protection techniques

» e ia mana ement
» ar are an o t are a et mana ement

7.7 Conduct incident management
» etection » eco er
» e on e » eme iation
» iti ation » e on learne
» e ortin
7.8 Operate and maintain preventative measures
» ire all » San oxin

» Intru ion etection an re ention tem » one ot one net
» iteli tin lac li tin » nti mal are
» ir art ecurit er ice
7.9 Implement and support patch and vulnerability management
7.10 Participate in and understand change management processes (e.g., versioning, baselining,
security impact analysis)
7.11 Implement recovery strategies

» ac u tora e trate ie e o ite tora e » ulti le roce in ite e o erationall
electronic aultin ta e rotation re un ant tem
» eco er ite trate ie » S tem re ilience i a aila ilit ualit o
er ice an ault tolerance
7.12 Implement disaster recovery processes

» e on e » e ment
» Per onnel » e toration
» Communication » rainin an a arene
7.13 Test disaster recovery plans

» ea t rou » Parallel
» al t rou » ull interru tion
» Simulation
7.14 Participate in business continuity planning and exercises
7.15 Implement and manage physical security
» Perimeter e acce control an monitorin

» Internal ecurit e e cort re uirement i itor control e an loc
7.16 Participate in addressing personnel safety concerns (e.g., duress, travel, monitoring)

Domain 8:
Software Development Security
8.1 Understand and apply security in the software development lifecycle

» e elo ment met o olo ie e ile » O eration an maintenance
ater all » C an e mana ement
» aturit mo el » Inte rate ro uct team e e O
8.2 Enforce security controls in development environments

» Securit o t e o t are en ironment » Confi uration mana ement a an a ect o
ecure co in
» Securit ea ne e an ulnera ilitie at
t e ource co e le el e u er o er o » Securit o co e re o itorie
e calation o ri ile e in ut out ut ali ation » Securit o a lication ro rammin inter ace
8.3 Assess the effectiveness of software security
» u itin an lo in o c an e
» i anal i an miti ation
» cce tance te tin
8.4 Assess security impact of acquired software

Additional Examination Information
Supplementary References
Can i ate are encoura e to u lement t eir e ucation an ex erience re ie in
rele ant re ource t at ertain to t e C an i enti in area o tu t at ma nee
a itional attention
ie t e ull li t o u lementar re erence at i c or ci c re erence
Examination Policies and Procedures

ISC recommen t at CISSP can i ate re ie exam olicie an roce ure rior to
re i terin or t e examination ea t e com re en i e rea o n o t i im ortant
in ormation at i c or exam olicie roce ure
Legal Info
or an ue tion relate to ISC le al olicie lea e contact t e ISC e al
e artment at le al i c or
Any Questions?
ISC Can i ate Ser ice
Par Place l Suite
Clear ater
ISC merica
el
Email in o i c or
ISC ia Pacific
el
Email i c a ia i c or
ISC E E
el
Email in o emea i c or

Cissp-Exam-Outline Guidelines

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cissp-Exam-Outline Guidelines

Uploaded by

Copyright:

Available Formats

Certification Exam Outline

e roa ectrum o to ic inclu e in t e CISSP Common o o no le e C en ure it rele anc

• Securit an i ana ement

can i ate t at oe n t a e t e re uire ex erience to ecome a CISSP ma ecome an ociate o ISC

Job Task Analysis (JTA)

CISSP Certification Exam Outline 2

Question format ulti le c oice an a ance inno ati e ue tion

Exam availability En li renc erman ra ilian Portu ue e S ani

CISSP Examination Weights

Securit an i ana ement

I entit an cce ana ement

Securit e ment an e tin

So t are e elo ment Securit

CISSP Certification Exam Outline 3

1.2 Apply security governance principles through:

» e i lati e an re ulator com liance

1.5 Understand professional ethics

» Exerci e ISC Co e o Pro e ional Et ic

1.7 Understand business continuity requirements

» e elo an ocument ro ect co e an lan

CISSP Certification Exam Outline 4

1.9 Understand and apply risk management concepts

1.10 Understand and apply threat modeling

» ar are o t are an er ice » inimum ecurit re uirement

» ro riate le el o a arene trainin an e ucation re uire it in or ani ation

CISSP Certification Exam Outline 5

2.3 Protect privacy

2.4 Ensure appropriate retention (e.g., media, hardware, personnel)

2.6 Establish handling requirements (markings, labels, storage, destruction of sensitive

CISSP Certification Exam Outline 6

3.2 Understand the fundamental concepts of security models (e.g., Confidentiality,

3.4 Understand security capabilities of information systems (e.g., memory protection,

3.7 Assess and mitigate vulnerabilities in mobile systems

3.9 Apply cryptography

» Cr to ra ic li e c cle e cr to ra ic » i ital i nature

CISSP Certification Exam Outline 7

3.11 Design and implement physical security

» irin clo et » ata center ecurit

CISSP Certification Exam Outline 8

4.2 Secure network components

» O eration o ar are e mo em itc e » En oint ecurit

4.3 Design and establish secure communication channels

» oice » ata communication e S SS

4.4 Prevent or mitigate network attacks

CISSP Certification Exam Outline 9

5.2 Manage identification and authentication of people and devices

5.3 Integrate identity as a service (e.g., cloud identity)

5.4 Integrate third-party identity services (e.g., on-premise)

5.5 Implement and manage authorization mechanisms

» ole a e cce Control C met o

5.6 Prevent or mitigate access control attacks

CISSP Certification Exam Outline 10

6.2 Conduct security control testing

6.4 Analyze and report test outputs (e.g., automated, manual)

6.5 Conduct or facilitate internal and third party audits

CISSP Certification Exam Outline 11

7.2 Understand requirements for investigation types

7.3 Conduct logging and monitoring activities

7.4 Secure the provisioning of resources

7.5 Understand and apply foundational security operations concepts

7.6 Employ resource protection techniques

CISSP Certification Exam Outline 12