The 8 CISSP Domains Explained (As Defined In The CBK)


The CBK is the collection of all relevant topics – a framework that defines the terms and principles of cybersecurity that the certification tests – organized by (ISC)2 and reviewed and updated periodically as the field changes.

CISSP training and certification isn’t for everyone, but if you think you might be an eligible candidate, take a moment to learn about the 8 CISSP domains as defined in the CBK.

What Are The 8 CISSP Domains According To Common Body Of Knowledge?

Security and Risk Management

The Security and Risk Management domain covers general concepts in information security. It provides a comprehensive overview of topics related to information systems, different aspects of risk, security awareness, and risk management.

The topics include:

  • Confidentiality, integrity, and availability
  • Security governance principles
  • Risk management concepts
  • Security policies and procedures
  • Legal and regulatory compliance
  • Information security legal issues
  • Threat modeling

The domain comprises roughly 15 percent of the CISSP exam.

Asset Security

This domain addresses the identification, classification, ownership, and handling of information and the assets that store or process it. It covers the concepts, structures, principles, and standards for monitoring and securing assets throughout their lifecycle, and deals with the general idea of information ownership, among other things.

The topics tested on the CISSP exam include:

  • Data management
  • Longevity and use
  • Data standards
  • Appropriate data retention
  • Data security controls

The domain comprises roughly 10 percent of the CISSP exam.

Security Engineering

This domain covers the application of secure design principles to information security architecture, spanning several essential information security concepts from security models to cryptography and physical security.

The candidates are tested on matters of security engineering processes, models, and design principles, including the following topics:

  • Engineering processes using secure design principles
  • Security capabilities of information systems
  • Fundamental concepts of security models
  • Assessing and mitigating vulnerabilities in systems
  • Cryptography
  • Designing and implementing physical security

The domain comprises roughly 13 percent of the CISSP exam.

Communications and Network Security

This domain deals with the design and protection of an organization’s networks, focusing on the ability to build secure network architectures and secure communication channels, and on recognizing and countering network attacks.

The topics covered by the Communications and Network Security domain include:

  • Secure network architecture design principles
  • Secure network components
  • Secure communication channels
  • Network attacks and countermeasures

The domain comprises roughly 14 percent of the CISSP exam.

Identity and Access Management

This domain helps information security professionals understand how users and systems are identified and authenticated, how their access to data and servers is authorized, and how that access is provisioned, reviewed, and revoked over time.

The domain’s primary topics include:

  • Identification and authentication
  • Access control categories
  • Identity as a service
  • Third-party identity services
  • Authorization
  • Access and identity provisioning lifecycle
  • Access control attacks

The domain comprises roughly 13 percent of the CISSP exam.

Security Assessment and Testing

The focus of this domain is on designing, performing, and analyzing security testing.

It provides tools and techniques for assessing system security: finding vulnerabilities, errors in code or system design, and other areas of concern, and verifying that security controls actually work as intended.

The topics include:

  • Assessment and test strategies
  • Security process data
  • Security control testing
  • Test outputs
  • Vulnerabilities in security architectures

The domain comprises roughly 12 percent of the CISSP exam.

Security Operations

This domain is extremely hands-on and practical. It focuses on foundational security operations concepts, digital forensics and investigations, logging and monitoring, incident management, disaster recovery and business continuity, as well as detection and prevention tools such as firewalls and intrusion detection systems.

The topics include:

  • Foundational security operations concepts
  • Investigations support and requirements
  • Logging and monitoring activities
  • Provisioning of resources
  • Resource protection techniques
  • Incident management
  • Recovery strategies
  • Disaster recovery processes and plans
  • Business continuity
  • Physical security

The domain comprises roughly 13 percent of the CISSP exam.

Software Development Security

The Software Development Security domain helps information security professionals understand, apply, and enforce software security. It provides these experts with the skill set needed to implement security controls on software within their designated environment.

The topics covered in this section include:

  • Security in the software development lifecycle
  • Development environment security controls
  • Software security effectiveness
  • Acquired software security impact
  • Software development models
  • Secure coding guidelines and standards

The domain comprises roughly 10 percent of the CISSP exam.


The 8 CISSP domains covered by the exam are compiled from the topics established in the (ISC)2 Common Body of Knowledge and are revised periodically to reflect the latest, most relevant cybersecurity topics. Domain names and exam weightings change between revisions of the exam outline, so check the current (ISC)2 outline before planning your study.

Now that you’ve read our overview, and have a basic understanding of what they are, you’re ready to start your official CISSP training!
