Certified Information Systems Security Professional (CISSP) cheat sheet
(ISC)2
Free to share. Examworthy is not affiliated with or endorsed by (ISC)2; CISSP and related marks belong to their respective owners.
At a glance
Format: Computerised Adaptive Testing (CAT), multiple choice and advanced item types, at ISC2 Authorized Pearson VUE Testing Centers (PPC and PVTC Select)
Domain weight map
Heaviest first - spend your time here
How this exam thinks
CISSP rewards the manager's judgement - the answer that manages risk, follows due process, and protects people first - not the technician's reflex, so train on scenarios where several options look correct and only one is best.
Spot the trap
Tempting wrong answers, and why they fail
Tempting but wrong
The employer's code of conduct overrides the ISC2 canons whenever the two appear to conflict in the workplace.
Why it fails
Tempting because employees normally follow employer policy, but a CISSP holder agreed to uphold the ISC2 canons as a condition of certification, so the canons are not displaced by internal policy.
Security and Risk Management
Tempting but wrong
Defence in depth replaces perimeter firewalls with identity-aware proxies, while zero trust focuses on encrypting data at rest and in transit.
Why it fails
This inverts the two concepts. Identity-aware proxies are a typical zero trust enforcement point, and ubiquitous encryption is a cryptographic control rather than the essence of either principle. Defence in depth is about layered, independent controls so that no single control failure exposes the asset.
Security Architecture and Engineering
Tempting but wrong
TLS operates at the application layer and IPsec at the transport layer.
Why it fails
TLS is not an application protocol; it protects application payload but sits above transport (commonly framed as the session or presentation layer). IPsec wraps whole IP packets at layer 3, not at the transport layer, and 802.1X is a layer 2 port-based access control rather than a network layer protocol. Memorising TLS as "application" because HTTPS uses it leads to choosing the wrong enforcement point when a question asks where a control should sit.
Communication and Network Security
Tempting but wrong
Physical controls protect the perimeter while logical controls protect only internal network segments.
Why it fails
This conflates network segmentation with the broader logical access category. Logical controls cover applications, databases, files, endpoints, and accounts, not just internal network zones, so confining them to internal segments is too narrow a definition.
Identity and Access Management (IAM)
Tempting but wrong
Pulling the network cable first is the safest containment move when litigation is anticipated.
Why it fails
Unilaterally pulling the cable can trigger malware that wipes artefacts, destroys volatile state (memory, live connections) needed for litigation, and bypasses the documented incident response and legal hold workflow that counsel must drive. The containment instinct is reasonable, but once litigation is anticipated, preservation comes first.
Security Operations
Tempting but wrong
Assessments are always external and audits are always internal.
Why it fails
Independence and source are separate from the assessment-versus-audit distinction. Assessments can be performed internally and audits can be performed externally. The defining difference is purpose and the form of evidence produced, not who carries out the engagement.
Security Assessment and Testing
Tempting but wrong
Sensitivity and criticality are interchangeable terms that both express the harm caused by unauthorised disclosure.
Why it fails
This conflates the two concepts. Many candidates treat the words as synonyms because both relate to impact, but sensitivity speaks to disclosure harm while criticality speaks to availability and operational impact.
Asset Security
Tempting but wrong
Concentrating security review at the release gate is preferable because defects can be triaged once the system is feature-complete and behaviour is stable.
Why it fails
This describes the legacy waterfall posture that shift-left is moving away from. Late discovery raises remediation cost and forces risk-based exceptions to meet release dates, which is exactly the failure shift-left is meant to address.
Software Development Security
Key terms
Exam-day rules
- Answer as the risk manager, not the engineer. When one option fixes the device and another assesses the risk or follows the policy, the management answer is usually the one the exam wants.
- Choose the best option, not merely a correct one. Two or three answers are often defensible; the wrong ones are premature, partial, or out of order rather than false.
- Respect the sequence. Policy before technology, risk assessment before control selection, business impact analysis before a continuity plan - an answer that skips a step that comes first is the distractor.
- Put people first. Any option that protects human life or safety outranks one that protects an asset, every time, with no exceptions.
- Distrust absolutes. Options that say always, never, or shut everything down are usually wrong, because real security is a proportionate response to risk.
Revision schedule
- Week 1: Map the eight domains and book a date
- Weeks 1 to 2: Build the risk and governance foundation (Domain 1)
- Weeks 2 to 5: Work the technical core (Domains 3, 4, and 5)
- Weeks 5 to 7: Cover assets, assessment, and software (Domains 2, 6, and 8)
- Weeks 7 to 8: Drill operations and recovery (Domain 7)