(ISC)2 study guide

How to pass Certified Information Systems Security Professional (CISSP)


CISSP is a management-level security certification, and it tests breadth across the whole discipline rather than depth in any one tool. The eight domains span governance and risk, asset and data protection, architecture, networks, identity, assessment, operations, and software security. You are not asked to configure a firewall; you are asked what a security leader should decide when a firewall, a policy, and a budget all point in different directions. The role it certifies is the person accountable for the programme, not the person at the keyboard.

It suits experienced practitioners moving into senior, lead, or management roles: security analysts and engineers with several years behind them, architects, consultants, and managers who own risk for an organisation. The exam is delivered as Computerised Adaptive Testing (CAT), 100 to 150 questions in up to three hours, and the questions are scenarios where two or three options are all defensible and only one is best. There is a five-year experience requirement across two or more domains to earn the certification, though you can sit the exam first and become an Associate of ISC2 while you accrue it.

The exam rewards judgement under ambiguity. Most questions describe a situation and ask what you should do first, or what matters most, and the wrong answers are wrong by degree rather than by fact. The skill being tested is choosing the response a thoughtful risk manager would choose, which is why practising on scenario questions with a worked explanation, and a reason every distractor is wrong, beats memorising definitions.

CISSP rewards the manager's judgement - the answer that manages risk, follows due process, and protects people first - not the technician's reflex, so train on scenarios where several options look correct and only one is best.

Difficulty: Advanced

Best for: Experienced security practitioners stepping into senior, lead, or management roles: analysts and engineers with several years behind them, security architects, consultants, and managers who own organisational risk.

Prerequisites: Five years of cumulative paid work experience across two or more of the eight domains to certify (a relevant degree or approved credential waives one year). You can sit the exam first and become an Associate of ISC2 while you accrue the experience.

Questions: 100-150 (CAT)
Time allowed: 180 min
Pass mark: 700 / 1000
Exam cost (USD): $749
Practice questions: 298

How this exam thinks

CISSP is written from the chair of a risk manager, not a system administrator, and that single shift explains most of the answers. The best option is usually the one that manages risk, follows governance and due process, and protects human life first. It is frequently the least hands-on choice on the screen. When one answer is to reconfigure the device and another is to assess the risk or consult the policy, the management answer is the one the exam wants, because the certification is for the person accountable for the programme rather than the person executing the task.

The core difficulty is that several options are correct and you must pick the best. The wrong answers are rarely false; they are premature, partial, or out of order. Address the root cause rather than the symptom: stopping the alert is not the same as fixing what caused it. Respect the sequence the discipline insists on - policy before technology, risk assessment before control selection, business impact analysis before a continuity plan. An answer that is technically excellent but skips a step that should come first is the distractor, not the key. When two answers survive that test, choose the one a measured professional following process would choose, and treat absolutes such as always, never, or shut it all down with suspicion, because real security is proportionate.

One format note. The exam is adaptive, so it tailors difficulty to your performance and can end anywhere between 100 and 150 questions; you cannot flag and return to earlier items, and harder questions are a signal you are doing well, not a trap. Read each question on its own terms, commit, and move on. There is no skipping back, so first-pass discipline matters more here than on a linear exam.

What each domain tests and how to study it

The CISSP blueprint is split across 8 domains. Weights are the official share of the exam; see the official exam guide for the authoritative breakdown.

  1. Security and Risk Management

    16% of exam

    What you must be able to do. Read a governance, risk, legal, or ethics scenario and choose the action a security leader should take, in the order due process demands, with the risk numbers to back it.

    In one sentence: The largest and most conceptual domain: ethics, the CIA pillars, governance and policy, law and privacy, the full risk-management lifecycle, threat modelling, and business continuity requirements.

    Recall check: answer these from memory first
    • Write the SLE and ALE formulae, then compute the ALE for an asset worth 500,000 with a 0.2 exposure factor that you expect to be hit three times a year.
    • State the difference between due care and due diligence in one line each, and give an example of each.
    • Name the four risk-treatment responses and give a one-line example of transferring risk.

    What it tests. Security as a governed, risk-managed programme. The ISC2 Code of Ethics and its canons; core concepts (confidentiality, integrity, availability, plus authenticity and non-repudiation); governance aligned to business strategy and the difference between due care and due diligence; legal and regulatory issues across cybercrime, privacy, intellectual property, and transborder data flow; investigation types (administrative, criminal, civil, regulatory); the policy hierarchy (policy, standard, baseline, procedure, guideline); the risk-management lifecycle from identification through assessment, response, and continuous monitoring, with the quantitative measures SLE, ARO, and ALE; threat modelling methods such as STRIDE; supply-chain risk; and security awareness.

    How to study it. This domain is 16 percent of the exam and sets the mindset for the other seven, so study it first and study it deepest. Memorise the risk formulae and compute them by hand: single loss expectancy is asset value times exposure factor, and annual loss expectancy is single loss expectancy times the annualised rate of occurrence. Learn the four risk responses (accept, avoid, transfer, mitigate) and match a business decision to each. Get due care versus due diligence exact, because the exam leans on it: diligence is the ongoing investigation and care is the action a prudent person then takes. Treat ethics questions as testing whether you protect society and act honourably, not whether you protect your employer at any cost.

    Easy to confuse

    • Due care versus due diligence. Due diligence is doing the homework - investigating, assessing, gathering the facts; due care is taking the prudent action that homework points to. Diligence is knowing, care is doing; the exam asks which one a given activity is.
    • Policy versus standard versus procedure. A policy is high-level management intent (we protect customer data), a standard is the mandatory specific (use AES-256), a procedure is the step-by-step how. The exam tests which document a given statement belongs in.
    • Quantitative versus qualitative risk analysis. Quantitative assigns hard numbers (SLE, ARO, ALE in currency); qualitative ranks risk by judgement (high, medium, low) when data is scarce. If the question gives you dollar figures it wants quantitative; if it gives you a severity matrix it wants qualitative.
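
The risk arithmetic above, worked in code as an added illustration (not part of the guide or the exam body's material): SLE and ALE with the recall-check figures, and the quantitative-versus-qualitative routing the list describes. The severity matrix, asset figures and risk names are constructed.

```python
"""Quantitative and qualitative risk analysis as domain 1 describes it.

Constructed illustration for this guide, not code from the exam body or any
product. SLE = asset value x exposure factor; ALE = SLE x annualised rate of
occurrence. Risks without hard numbers fall back to a severity matrix, which
is the qualitative path. All asset values and ratings below are made up.
"""
from dataclasses import dataclass
from typing import Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, where EF is the fraction of value lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is expected events per year (may be < 1)."""
    if aro < 0:
        raise ValueError("annualised rate of occurrence cannot be negative")
    return sle * aro


# Three-point scale for the qualitative path (judgement, not currency).
RATING = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """3x3 severity matrix: multiply the two ratings and bucket the product."""
    score = RATING[likelihood.lower()] * RATING[impact.lower()]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    asset_value: Optional[float] = None
    exposure_factor: Optional[float] = None
    aro: Optional[float] = None
    likelihood: Optional[str] = None  # used only when the numbers are missing
    impact: Optional[str] = None

    def is_quantitative(self) -> bool:
        return None not in (self.asset_value, self.exposure_factor, self.aro)


def assess(risk: Risk) -> dict:
    """Route each risk to the analysis its data supports, as the exam expects:
    currency figures mean quantitative, a severity matrix means qualitative."""
    if risk.is_quantitative():
        sle = single_loss_expectancy(risk.asset_value, risk.exposure_factor)
        return {"name": risk.name, "method": "quantitative",
                "sle": sle, "ale": annual_loss_expectancy(sle, risk.aro)}
    if risk.likelihood is None or risk.impact is None:
        raise ValueError(f"{risk.name}: supply AV/EF/ARO or likelihood/impact")
    return {"name": risk.name, "method": "qualitative",
            "rating": qualitative_rating(risk.likelihood, risk.impact)}


def rank_by_ale(risks: list) -> list:
    """Order the quantitative risks highest ALE first; qualitative ones are
    appended unranked because a rating is not comparable with a currency figure."""
    results = [assess(r) for r in risks]
    quant = sorted((r for r in results if r["method"] == "quantitative"),
                   key=lambda r: r["ale"], reverse=True)
    qual = [r for r in results if r["method"] == "qualitative"]
    return quant + qual


if __name__ == "__main__":
    # Recall-check figures: AV 500,000, EF 0.2, ARO 3 -> SLE 100,000, ALE 300,000.
    register = [
        Risk("ransomware on file server", 500_000, 0.2, 3),
        Risk("fire in data hall", 2_000_000, 0.5, 0.05),  # rare but expensive
        Risk("reputational harm", likelihood="medium", impact="high"),
    ]
    for row in rank_by_ale(register):
        print(row)
```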

    Worked example from the CISSP bank

    Free sample: Security and Risk Management, easy

    Which statement BEST describes the relationship between the ISC2 Code of Professional Ethics canons and an employer's internal code of conduct for a CISSP-certified employee?

    • A. The ISC2 canons apply to certified professionals at all times and complement, rather than replace, lawful employer codes of conduct. (Correct)
    • B. The employer's code of conduct overrides the ISC2 canons whenever the two appear to conflict in the workplace.
    • C. The ISC2 canons only apply when the CISSP is performing security work outside of normal employment duties.
    • D. Either code can be ignored provided the professional acts in line with applicable national law and contractual obligations.

    Recognise that the ISC2 Code of Ethics binds the certified professional continuously and operates alongside, not in place of, lawful organisational codes. Holding the CISSP is a personal undertaking to abide by the ISC2 canons in every professional act, while an employer's code defines workplace duties owed to a principal. Both apply concurrently, and where a lawful employer rule and a canon point the same way the professional follows both; the canons set the floor and an organisational code can add stricter expectations on top.

    Why A is correct: The canons bind the certificant personally and continuously, while a lawful employer code governs workplace duties; the two are designed to coexist, with the canons providing the professional baseline.

    Why B is wrong: Tempting because employees normally follow employer policy, but a CISSP holder agreed to uphold the ISC2 canons as a condition of certification, so the canons are not displaced by internal policy.

    Why C is wrong: Plausible to a candidate who thinks ethics codes only cover voluntary or external activity, but the canons attach to the certificant in every professional context, not only off-hours engagements.

    Why D is wrong: Compliance with law is necessary but not sufficient; the ISC2 canons impose duties beyond legal minimums, and ignoring an employer's lawful code breaches duty owed to principals.

  2. Asset Security

    10% of exam

    What you must be able to do. Given data of a stated sensitivity, choose the right classification, owner, handling rule, and protection for its lifecycle state, and dispose of it so nothing recoverable remains.

    In one sentence: Protecting information by its value across its whole life: classification, the data roles, handling and labelling, retention, remanence, and the controls that fit each data state.

    Recall check: answer these from memory first
    • Name the data owner, data custodian, and data processor, and state who is accountable for setting classification.
    • List the three states of data and one protection that fits each.
    • Why does degaussing fail on an SSD, and what reliably renders its data unrecoverable?

    What it tests. Security organised around the asset, not the attack. Identifying and classifying information and assets by sensitivity and criticality; the data roles and who is accountable (owner, controller, processor, custodian, steward); handling requirements covering marking, labelling, storage, and secure destruction; the data lifecycle from collection to destruction, including data remanence and the methods that defeat it; asset retention with end-of-life and end-of-support; and determining data security controls for the three data states, with scoping and tailoring of a control baseline and tools such as DLP, DRM, and CASB.

    How to study it. Anchor this domain on two things: the data roles and the data states. Learn the roles by their accountability, because the exam loves making you separate them: the data owner is a senior business person who is accountable and sets classification, the custodian implements the controls day to day, the processor acts on the controller's instructions under privacy law. Learn the three data states - at rest, in transit, in use - and the protection that fits each, because that mapping recurs across domains. For destruction, rank the methods by assurance: clearing, then purging, then physical destruction, and know that degaussing does nothing to a solid-state drive.

    Easy to confuse

    • Data owner versus data custodian. The owner is a senior businessperson accountable for the data who sets its classification and approves access; the custodian is the technical role that implements and maintains the controls. Owner decides, custodian does; accountability never leaves the owner.
    • Data controller versus data processor. Under privacy law the controller determines why and how data is processed; the processor acts only on the controller's documented instructions. The cloud provider is usually the processor; the customer is usually the controller.
    • Clearing versus purging versus destruction. Clearing overwrites so the data resists normal recovery; purging removes it against laboratory attack (degauss, cryptographic erase); destruction physically ends the media. Match the method to the data's sensitivity and the media type, not habit.

    Worked example from the CISSP bank

    Free sample: Asset Security, medium

    A multinational manufacturer is establishing a data classification scheme and is debating the difference between data sensitivity and data criticality. Which statement best describes how these two attributes drive different control choices?

    • A. Sensitivity and criticality are interchangeable terms that both express the harm caused by unauthorised disclosure of the data.
    • B. Sensitivity is assigned by the data custodian based on storage cost, while criticality is assigned by the data owner based on regulatory class.
    • C. Sensitivity applies only to structured data in databases, while criticality applies only to unstructured data such as documents and media files.
    • D. Sensitivity reflects the impact if confidentiality is lost, while criticality reflects the impact on the business if the asset becomes unavailable or corrupted. (Correct)

    Distinguish data sensitivity from data criticality and recognise that each attribute drives different security and resilience controls. Sensitivity expresses the harm caused if confidentiality is compromised and feeds into labelling, access control, and handling rules. Criticality expresses the harm to the business if the data or asset is unavailable or its integrity is lost, and feeds into recovery objectives and resilience planning. A payroll file may be highly sensitive but only moderately critical, while a real-time control signal may be low sensitivity yet highly critical, which is why the two attributes are tracked separately in a mature classification scheme.

    Why A is wrong: This conflates the two concepts. Many candidates treat the words as synonyms because both relate to impact, but sensitivity speaks to disclosure harm while criticality speaks to availability and operational impact.

    Why B is wrong: Both attributes are owner-led judgements aligned to business impact, not storage cost or regulatory class alone. Candidates may confuse this with role responsibilities, but classification ownership rests with the data owner in both cases.

    Why C is wrong: Both attributes apply to any information asset regardless of structure. The structured or unstructured nature affects discovery and tagging mechanisms, not the attribute itself.

    Why D is correct: Sensitivity is a confidentiality concept used to determine handling and labelling controls, whereas criticality is an availability and integrity concept used to drive recovery objectives and resilience controls. The two attributes can differ for the same asset.

  3. Security Architecture and Engineering

    13% of exam

    What you must be able to do. Apply a secure design principle or formal model to a system, pick the cryptographic primitive a stated goal needs, and find the architectural weakness before it is exploited.

    In one sentence: Security built into the design: secure principles, the formal models, control selection, system security capabilities, cryptography and PKI, cryptanalytic attacks, and physical site design.

    Recall check: answer these from memory first
    • State the Bell-LaPadula and Biba rules in one line each, and name the security property each one protects.
    • Which cryptographic property does a digital signature provide that encryption alone does not, and how?
    • Why does a hybrid cryptosystem use asymmetric keys to exchange a symmetric key rather than encrypting the whole message asymmetrically?

    What it tests. Security as an engineering property. Secure design principles (least privilege, defence in depth, zero trust, secure defaults, privacy by design); the formal security models and what each enforces (Bell-LaPadula for confidentiality, Biba for integrity, Clark-Wilson for well-formed transactions); selecting controls against security requirements, including Common Criteria and assurance levels; system security capabilities (TPM, memory protection, trusted execution); assessing and mitigating vulnerabilities across cloud, IoT, embedded, virtualised, and high-performance systems; cryptographic solutions across the lifecycle, symmetric and asymmetric methods, key management, and PKI; cryptanalytic attacks (brute force, side-channel, fault injection, pass the hash); and applying security to site and facility design, including CPTED and environmental controls.

    How to study it. Two areas carry this domain: the formal models and cryptography. For the models, learn them as one-line rules about direction of flow: Bell-LaPadula protects confidentiality (no read up, no write down), Biba protects integrity (no read down, no write up). Say the property out loud with each rule so you never swap them. For cryptography, learn by purpose, not algorithm trivia: which primitive gives confidentiality, which gives integrity, which gives non-repudiation. Know that asymmetric crypto solves key distribution but is slow, so the real world uses it to exchange a fast symmetric key. Get the simple physical facts too, because they are reliable marks - the right fire suppression for a server room, why CPTED designs out crime before it adds guards.

    Easy to confuse

    • Bell-LaPadula versus Biba. Bell-LaPadula protects confidentiality (no read up, no write down); Biba protects integrity (no read down, no write up). One keeps secrets from leaking, the other keeps bad data from rising; name the property and the rule follows.
    • Symmetric versus asymmetric cryptography. Symmetric uses one shared key and is fast but cannot solve key distribution at scale; asymmetric uses a key pair, solves distribution and enables signatures, but is slow. The exam pairs them: asymmetric to exchange the key, symmetric to move the data.
    • Encryption versus hashing. Encryption is reversible with a key and provides confidentiality; hashing is one-way and provides integrity. If the question needs the data back it is encryption; if it needs to prove the data is unchanged it is hashing.
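
The two models as direction-of-flow rules, in a toy reference monitor added here as an illustration (not code from the guide or any real system): the same request is run through Bell-LaPadula and Biba side by side so the mirror image is visible. The label ordering is constructed and is reused as clearance for one model and trust level for the other.

```python
"""Bell-LaPadula and Biba as direction-of-flow rules in a toy reference monitor.

Constructed illustration for this guide, not from any real system. One
ordered set of labels is reused as clearance (Bell-LaPadula) and as trust
level (Biba); each check returns the decision and the rule that produced it,
so the mirror image between the two models is visible.
"""
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


def bell_lapadula(subject: Level, obj: Level, op: str) -> tuple:
    """Confidentiality: simple security (no read up), *-property (no write down)."""
    if op == "read":
        if subject >= obj:
            return True, "BLP simple security: reading at or below clearance"
        return False, "BLP simple security: no read up"
    if op == "write":
        if subject <= obj:
            return True, "BLP *-property: writing at or above clearance"
        return False, "BLP *-property: no write down"
    raise ValueError(f"unknown operation {op!r}")


def biba(subject: Level, obj: Level, op: str) -> tuple:
    """Integrity: simple integrity (no read down), integrity *-property (no write up)."""
    if op == "read":
        if subject <= obj:
            return True, "Biba simple integrity: reading at or above own level"
        return False, "Biba simple integrity: no read down"
    if op == "write":
        if subject >= obj:
            return True, "Biba integrity *-property: writing at or below own level"
        return False, "Biba integrity *-property: no write up"
    raise ValueError(f"unknown operation {op!r}")


def compare(subject: Level, obj: Level, op: str) -> dict:
    """Run the same request through both models side by side."""
    blp_ok, blp_why = bell_lapadula(subject, obj, op)
    biba_ok, biba_why = biba(subject, obj, op)
    return {"op": op, "subject": subject.name, "object": obj.name,
            "blp": blp_ok, "blp_rule": blp_why,
            "biba": biba_ok, "biba_rule": biba_why}


def models_disagree(subject: Level, obj: Level, op: str) -> bool:
    """Whenever subject and object differ in level the two models give
    opposite answers: what BLP allows, Biba forbids, and vice versa."""
    return bell_lapadula(subject, obj, op)[0] != biba(subject, obj, op)[0]


if __name__ == "__main__":
    # A high subject touching a low object, then a low subject touching a high one.
    for sub, ob in ((Level.SECRET, Level.PUBLIC), (Level.INTERNAL, Level.SECRET)):
        for op in ("read", "write"):
            row = compare(sub, ob, op)
            print(f"{op:5} {row['subject']:>8} -> {row['object']:<12}"
                  f" BLP={row['blp']!s:5} ({row['blp_rule']})"
                  f" Biba={row['biba']!s:5} ({row['biba_rule']})")
```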

    Worked example from the CISSP bank

    Free sample: Security Architecture and Engineering, medium

    A security architect is briefing a board on the difference between defence in depth and zero trust as guiding design principles for a new corporate platform. Which statement BEST captures the conceptual distinction between the two?

    • A. Defence in depth layers independent controls so that the failure of any single control does not breach the asset, whereas zero trust removes implicit trust based on network location and continuously verifies each subject, device, and request. (Correct)
    • B. Defence in depth is a network segmentation technique that encrypts traffic between tiers, while zero trust is a procurement requirement that all suppliers attest to their secure software development practices.
    • C. Defence in depth replaces perimeter firewalls with identity-aware proxies, while zero trust focuses on encrypting data at rest and in transit at every storage tier.
    • D. Defence in depth and zero trust are interchangeable terms describing layered authentication, with defence in depth being the older vendor label and zero trust being the modern one.

    Distinguish defence in depth as a layered-controls strategy from zero trust as a per-request verification model that removes implicit network trust. Defence in depth assumes individual controls will fail and builds redundancy so that compromise of one layer does not breach the asset. Zero trust is a trust model that abandons the assumption that traffic from inside the network can be trusted, requiring identity, device, and context to be verified on every request. The two are complementary but conceptually distinct: one is about layering, the other is about not granting trust by location.

    Why A is correct: This correctly frames defence in depth as a layered-controls strategy whose value is failure tolerance, while zero trust is a trust model that replaces network-perimeter assumptions with per-request verification of identity, device posture, and context.

    Why B is wrong: This is tempting because both ideas are often discussed alongside segmentation and supply-chain trust, but defence in depth is a broader layered-controls strategy not limited to network segmentation, and zero trust is a security model rather than a procurement clause.

    Why C is wrong: This inverts the two concepts: identity-aware proxies are typical of zero trust enforcement, and ubiquitous encryption is a cryptographic control rather than the essence of either principle.

    Why D is wrong: Candidates sometimes treat the terms as synonyms because both involve multiple checks, but they describe different ideas: layered independent controls versus an architectural trust model with no implicit network trust.

  4. Communication and Network Security

    13% of exam

    What you must be able to do. Place a protocol, attack, or control at the right OSI layer, and choose the network design or secure channel that contains a threat without breaking the business.

    In one sentence: Designing and defending the network: the OSI and TCP/IP models, secure protocols, segmentation and micro-segmentation, SDN, the network components, and secure communication channels.

    Recall check: answer these from memory first
    • List the seven OSI layers in order, and place a switch, a router, and TLS on the correct layer.
    • Name the secure replacement for Telnet, for FTP, and for HTTP, and say what each one protects.
    • Distinguish IPsec transport mode from tunnel mode, and say which one a site-to-site VPN uses.

    What it tests. Security applied to how systems talk. Secure network architecture using the OSI and TCP/IP models, IP networking, secure protocols, segmentation, micro-segmentation, and software-defined networking; securing network components including infrastructure operation, transmission media, network access control, and endpoint security; and implementing secure communication channels for voice, multimedia collaboration, remote access, data communications, and virtualised networks, including VoIP, VPNs, and third-party connectivity.

    How to study it. Make the OSI model your spine. Know all seven layers in order and learn to place protocols, devices, and attacks on the right one, because the exam constantly tests it: a switch and ARP poisoning are Layer 2, a router and IP are Layer 3, TLS sits around the session and presentation layers. Learn which secure protocol replaces which insecure one and why - SSH for Telnet, SFTP or FTPS for FTP, TLS for cleartext - and what each protects. For VPNs, know IPsec's two modes: transport encrypts the payload, tunnel encrypts the whole packet and is what site-to-site uses. Treat segmentation as the recurring answer to limiting blast radius, and micro-segmentation as its zero-trust, per-workload form.

    Easy to confuse

    • OSI Layer 2 versus Layer 3. Layer 2 is the data link layer - MAC addresses, switches, ARP, VLANs; Layer 3 is the network layer - IP addresses, routers, routing. A question about MAC or ARP is Layer 2; one about IP or routing is Layer 3.
    • IPsec transport mode versus tunnel mode. Transport mode encrypts only the packet payload and leaves the original IP header; tunnel mode encrypts the entire original packet and wraps it in a new header. Site-to-site VPNs use tunnel mode; host-to-host can use transport.
    • Segmentation versus micro-segmentation. Segmentation splits the network into broad zones (a DMZ, a user VLAN); micro-segmentation isolates down to the individual workload with per-host policy, the zero-trust form. Both limit blast radius, but micro-segmentation does it at far finer grain.

    Worked example from the CISSP bank

    Free sample: Communication and Network Security, hard

    A security architect is documenting where TLS termination, IPsec encapsulation, and IEEE 802.1X authentication operate so that engineering teams can map controls to the OSI reference model consistently. Which statement correctly attributes these controls to OSI layers?

    • A. TLS operates at the application layer, IPsec at the transport layer, and 802.1X at the network layer.
    • B. TLS operates at the transport layer, IPsec at the data link layer, and 802.1X at the physical layer.
    • C. TLS operates at the presentation layer, IPsec at the session layer, and 802.1X at the network layer.
    • D. TLS operates between the transport and application layers, IPsec at the network layer, and 802.1X at the data link layer. (Correct)

    Map common cryptographic and access controls to the correct OSI layers to support consistent architecture documentation. The OSI mapping is grounded in what each control encapsulates or authenticates: 802.1X gates a layer 2 port before frames are accepted, IPsec protects whole IP packets at layer 3 using AH or ESP, and TLS protects application data above transport without being the transport itself. Misplacing any one of these leads architects to apply controls at the wrong choke point.

    Why A is wrong: This is the most common confusion: candidates remember that TLS protects HTTPS and treat it as application, place IPsec near TCP because of port-style policies, and lift 802.1X from layer 2. Each attribution is wrong because TLS is not an application protocol, IPsec wraps IP packets at layer 3, and 802.1X is a data-link port control.

    Why B is wrong: TLS riding directly on TCP makes the transport label tempting, but TLS is not the transport protocol itself. IPsec does not run at layer 2 because it operates on IP packets, and 802.1X authenticates at the port (data link), not at the physical layer where only signalling occurs.

    Why C is wrong: Some texts loosely place TLS at presentation, which makes the option look authoritative, but IPsec is never a session-layer protocol because it encapsulates network packets, and 802.1X is a layer 2 control, not a layer 3 one, so the overall mapping is incorrect.

    Why D is correct: TLS sits above transport (commonly framed as session or presentation in OSI terms) and shields application payload, IPsec encapsulates at layer 3 and protects IP packets, and 802.1X is a port-based access control at layer 2, which matches how the controls are designed and deployed in practice.

  5. Identity and Access Management (IAM)

    13% of exam

    What you must be able to do. Choose the authentication, federation, and authorisation mechanism a scenario calls for, and manage the access lifecycle so privilege is granted, reviewed, and revoked correctly.

    In one sentence: Who gets in and what they can do: physical and logical access, authentication strategy and MFA, federated identity, the authorisation models, the provisioning lifecycle, and the protocols behind it.

    Recall check: answer these from memory first
    • State the one-line rule for DAC, MAC, RBAC, and ABAC, and name the one that uses labels a user cannot change.
    • Name the three authentication factor types and explain why two passwords are not multifactor.
    • Distinguish SAML from OAuth in one line each by what each is actually for.

    What it tests. Identity as the new perimeter. Controlling physical and logical access to assets; designing an identification and authentication strategy for people, devices, and services, including the authentication factors, MFA, accountability, and session management; implementing federated identity on-premises, in the cloud, or hybrid; the authorisation models (RBAC, rule-based, MAC, DAC, ABAC, and risk-based); managing the access-provisioning lifecycle from provisioning through access review, role definition, and deprovisioning, including privilege escalation; and the authentication systems themselves (OpenID Connect, OAuth, SAML, Kerberos, RADIUS, TACACS+).

    How to study it. Two distinctions earn most of the marks here. First, separate the authorisation models by their one-line rule: DAC lets the data owner grant access at discretion, MAC enforces access by labels no user can override, RBAC assigns by job role, ABAC decides by attributes and conditions. Second, separate authentication (proving who you are) from authorisation (deciding what you may do), because the exam mixes them deliberately - MFA strengthens authentication, least privilege governs authorisation. Learn the factors as something you know, have, and are, and know that two instances of the same factor are not multifactor. For the protocols, learn what each is for: SAML for browser SSO and federation, OAuth for delegated authorisation, Kerberos for on-network tickets, RADIUS and TACACS+ for network device access.

    Easy to confuse

    • DAC versus MAC. Discretionary access control lets the data owner decide who gets access; mandatory access control enforces access through system-assigned labels (classifications and clearances) that no user can override. If the owner grants it, DAC; if labels and a policy decide, MAC.
    • Authentication versus authorisation. Authentication proves who you are; authorisation decides what you may do once proven. MFA and biometrics strengthen authentication; least privilege and the access models govern authorisation. The exam swaps the two to bait you.
    • SAML versus OAuth. SAML carries authentication assertions for browser single sign-on and federation between enterprises; OAuth is an authorisation framework that grants an app limited access to a resource without sharing credentials. SAML says who you are, OAuth says what an app may do on your behalf.
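
An added illustration (not the guide's own material) of the distinctions above: authentication counts factor types, so two knowledge credentials are not MFA, and the same request is then checked under DAC, RBAC and ABAC, each deciding on different grounds. All subjects, roles, attributes, the credential-to-factor mapping and the ABAC policy are constructed.

```python
"""Authentication versus authorisation, with the domain 5 one-line rules.

Constructed illustration for this guide, not from any identity product.
Authentication counts distinct factor types (know, have, are), so two
knowledge credentials never make MFA. Authorisation then runs the same
request through DAC, RBAC and ABAC rules to show that each model decides on
different grounds. All names, roles and attributes are made up.
"""
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Constructed mapping of credential kinds to the factor type they belong to.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWLEDGE, "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "totp_app": Factor.POSSESSION, "hardware_token": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE, "face_scan": Factor.INHERENCE,
}


def factor_types(credentials) -> set:
    """Distinct factor types presented; unknown credential kinds are rejected."""
    try:
        return {CREDENTIAL_FACTOR[c] for c in credentials}
    except KeyError as exc:
        raise ValueError(f"unknown credential kind {exc.args[0]!r}") from None


def is_multifactor(credentials) -> bool:
    """MFA needs two or more factor *types*, not two credentials of one type."""
    return len(factor_types(credentials)) >= 2


@dataclass
class Subject:
    name: str
    roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)


@dataclass
class Resource:
    name: str
    owner: str                                # DAC: the owner grants at discretion
    acl: dict = field(default_factory=dict)   # subject name -> set of actions
    attributes: dict = field(default_factory=dict)


def dac(subject: Subject, resource: Resource, action: str) -> bool:
    """DAC: the owner, or anyone the owner has listed, may perform the action."""
    if subject.name == resource.owner:
        return True
    return action in resource.acl.get(subject.name, set())


# RBAC: permissions hang off job roles, never off individuals.
ROLE_PERMISSIONS = {
    "payroll_clerk": {"payroll:read"},
    "payroll_manager": {"payroll:read", "payroll:approve"},
}


def rbac(subject: Subject, permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)


def abac(subject: Subject, resource: Resource, action: str, context: dict) -> bool:
    """ABAC: a policy over subject, resource and environment attributes.
    Constructed policy: same department and a managed device for any action,
    and approvals additionally only inside business hours."""
    same_department = (subject.attributes.get("department")
                       == resource.attributes.get("department"))
    managed_device = context.get("device_managed", False)
    in_hours = 8 <= context.get("hour", -1) < 18
    if action == "payroll:approve":
        return same_department and managed_device and in_hours
    return same_department and managed_device


def decide(subject: Subject, resource: Resource, action: str,
           credentials, context: dict) -> dict:
    """Authenticate first, then authorise: a failed login never reaches the models."""
    if not is_multifactor(credentials):
        return {"authenticated": False, "reason": "MFA required: two factor types"}
    return {"authenticated": True,
            "dac": dac(subject, resource, action),
            "rbac": rbac(subject, action),
            "abac": abac(subject, resource, action, context)}


if __name__ == "__main__":
    alice = Subject("alice", roles={"payroll_clerk"}, attributes={"department": "finance"})
    payroll = Resource("payroll_q3", owner="bob", acl={"alice": {"payroll:approve"}},
                       attributes={"department": "finance"})
    print(decide(alice, payroll, "payroll:approve", ["password", "pin"], {}))
    print(decide(alice, payroll, "payroll:approve", ["password", "totp_app"],
                 {"device_managed": True, "hour": 10}))
```

The second call shows the models disagreeing on one request: the owner's grant allows it (DAC), the clerk role does not (RBAC), and the attribute policy does (ABAC).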

    Worked example from the CISSP bank

    Free sample: Identity and Access Management (IAM), easy

    A facilities team is documenting the difference between physical and logical access controls before drafting a new asset protection policy. Which statement best characterises the distinction a CISSP candidate should rely on?

    • A. Physical controls protect the perimeter of a site, while logical controls protect only the internal network segments behind that perimeter.
    • B. Physical controls are preventive in nature, while logical controls are detective in nature and used mainly to support investigations.
    • C. Physical controls govern tangible barriers and environmental measures, while logical controls govern software-enforced restrictions on data, systems, and accounts. (Correct)
    • D. Physical controls are mandatory for regulatory compliance, while logical controls are discretionary measures chosen by data owners.

    Distinguish physical from logical access controls by what they protect and the medium through which they enforce restriction. CISSP treats access control as a two-pronged discipline. Physical controls reduce or prevent unauthorised contact with tangible assets and the spaces holding them, using barriers, locks, guards, lighting, and environmental measures. Logical controls operate inside information systems, using identification, authentication, authorisation, and accounting mechanisms to mediate access to data, applications, devices, and configurations. Both work together so that defeating one layer does not automatically defeat the other.

    Why A is wrong: This conflates network segmentation with the broader logical access category. Logical controls cover applications, databases, files, and endpoints, not just internal network zones, so the definition is too narrow.

    Why B is wrong: Both categories include preventive, detective, deterrent, and corrective examples. Treating physical as purely preventive and logical as purely detective misrepresents how control functions are classified.

    Why C is correct: This captures the canonical CISSP distinction: physical controls (fences, guards, mantraps, locks) protect tangible assets and the environment, while logical controls (permissions, ACLs, MFA, encryption) enforce access in software.

    Why D is wrong: Regulatory regimes mandate both categories where appropriate, and discretionary access control is a specific logical model, not a description of the whole category, so this framing is incorrect.

  6. Security Assessment and Testing

    12% of exam

    What you must be able to do. Design the right assessment for the question being asked, pick the test that actually validates a control, and read the output to drive remediation through the proper channel.

    In one sentence. Checking that controls work: assessment and audit strategies, the testing techniques from vulnerability scans to penetration tests and code review, the process data to collect, and reporting.

    Recall check: answer these from memory first
    • State the difference between a vulnerability assessment and a penetration test in one line.
    • Distinguish static (SAST) from dynamic (DAST) application testing by what each one needs to run.
    • What separates a KPI from a KRI, and give one example of each in security.

    What it tests. Security as something you verify, not assume. Designing and validating assessment, test, and audit strategies that are internal, external, and third-party; conducting security control testing including vulnerability assessment, penetration testing, log reviews, code review, and breach attack simulation; collecting security process data such as account-management records, management review, KPIs and KRIs, backup verification, and disaster-recovery results; analysing test output and generating reports covering remediation, exception handling, and ethical disclosure; and conducting or facilitating internal, external, and third-party audits.

    How to study it. Get the testing techniques crisply separated, because the exam contrasts them constantly. A vulnerability assessment finds and lists weaknesses; a penetration test exploits them to prove real-world impact - scanning is not pentesting. Learn the code-testing pair: static analysis (SAST) reads source code without running it, dynamic analysis (DAST) tests the running application from outside. Know who should perform an assessment for it to be credible: a third party for independence, internal teams for routine coverage. Learn KPIs versus KRIs - a key performance indicator looks at how well a control works, a key risk indicator warns that risk is rising. And know that an audit measures against a defined standard, which is what separates it from an informal assessment.

    Easy to confuse

    • Vulnerability assessment versus penetration test. A vulnerability assessment identifies and ranks weaknesses without exploiting them; a penetration test actively exploits them to demonstrate real impact and chained risk. Breadth and listing is the assessment; depth and proof is the pentest.
    • Static (SAST) versus dynamic (DAST) testing. Static analysis examines source code without executing it and finds flaws early; dynamic analysis tests the running application from the outside and finds runtime and configuration flaws. One needs the code, the other needs the app running.
    • KPI versus KRI. A key performance indicator measures how well a control or process is performing now; a key risk indicator is forward-looking and signals that exposure is increasing. Performance is the rear-view mirror, risk is the warning light.

    Worked example from the CISSP bank

    Free sample | Security Assessment and Testing | medium

    An organisation is drafting its annual security assessment strategy and wants to distinguish a security assessment from a security audit so the right activity is scoped for each engagement. Which statement BEST captures the conceptual difference between these two activities?

    • A. An assessment is always performed by external parties for regulatory reasons, whereas an audit is always performed internally by the security function for management oversight.
    • B. An assessment evaluates the overall effectiveness of controls against stated objectives, whereas an audit verifies conformance to a defined standard or policy and produces formal evidence of compliance. (Correct)
    • C. An assessment uses automated scanning tools while an audit relies exclusively on interviews and document review, with no overlap in technique.
    • D. An assessment is concerned with detecting vulnerabilities and an audit is concerned with detecting fraud, so the two engagements rarely share scope or stakeholders.

    Distinguish a security assessment from a security audit by purpose, rigour, and the form of evidence produced. Assessments judge whether the control set is effective at meeting risk and business objectives and tend to be advisory in tone. Audits test conformance to a defined criterion, such as a standard, regulation, or internal policy, and produce formal evidence supporting an opinion or attestation. Scoping each activity correctly avoids paying for an audit when an advisory assessment was needed, or vice versa.

    Why A is wrong: Tempting because external assessors and internal auditors are common patterns, but the distinction is incorrect: assessments can be internal and audits can be external. Independence and scope are separate from the assessment-versus-audit distinction.

    Why B is correct: Assessments are broader, advisory engagements that judge whether controls achieve risk-management goals, while audits are evidence-driven exercises that test conformance to a specific baseline such as ISO 27001 or an internal policy and yield an attestation.

    Why C is wrong: Plausible because assessments often involve scanners and audits often involve interviews, but both activities can use a mix of automated and manual techniques. The defining difference is purpose and evidentiary rigour, not toolset.

    Why D is wrong: Conflates security assessment with vulnerability assessment and audit with financial fraud detection. Security audits cover control conformance broadly, and assessments examine more than vulnerabilities; the framing is too narrow.

  7. Security Operations

    13% of exam

    What you must be able to do. Given a live operational or incident scenario, take the next correct step in the right order - protecting people first, containing before eradicating, preserving evidence - and choose the recovery strategy the business impact analysis justifies.

    In one sentence. The biggest operational domain: investigations and forensics, logging and monitoring, the foundational operations principles, incident management, detective and preventative controls, and disaster recovery.

    Recall check: answer these from memory first
    • List the incident-management phases in order, and name the phase that isolating an infected host belongs to.
    • Rank hot, warm, and cold recovery sites by cost and recovery speed, and say which one a tight RTO demands.
    • State the difference between separation of duties and job rotation, and what each one is meant to catch.

    What it tests. Security run day to day. Conducting investigations with proper evidence handling, chain of custody, and digital forensics; logging and monitoring with IDS and IPS, SIEM, SOAR, threat intelligence, and UEBA; configuration management with baselining and automation; the foundational concepts (need-to-know, least privilege, separation of duties, privileged account management, job rotation); resource and media protection; incident management through detection, response, mitigation, reporting, recovery, remediation, and lessons learned; operating detective and preventative measures (firewalls, sandboxing, honeypots, anti-malware); patch and vulnerability management; change management; recovery strategies and recovery sites; the disaster-recovery process and how to test a DR plan; business continuity exercises; physical security; and personnel safety, including duress.

    How to study it. This domain is broad and heavily procedural, so drill the sequences. Learn the incident-response phases in order (detection, response, mitigation or containment, reporting, recovery, remediation, lessons learned) and be ready to place a scenario at the right phase, because the exam asks what to do next far more than what something is. Learn the recovery sites by trade-off: hot is fast and expensive, cold is cheap and slow, warm sits between. Match RTO and RPO to a strategy - tight RTO needs a hot site, tight RPO needs frequent replication. Get the separation-of-duties family straight (separation of duties, job rotation, mandatory vacation) and remember the rule that runs through the whole domain: human safety always outranks asset protection.

    Easy to confuse

    • Containment versus eradication. Containment stops the incident spreading (isolate the host, cut the connection); eradication removes the cause (delete the malware, close the vulnerability). Containment comes first - you stop the bleeding before you treat the wound.
    • Hot site versus warm site versus cold site. A hot site is fully equipped and running for near-immediate failover at high cost; a cold site is just space and power, cheapest but slowest; a warm site has hardware and connectivity but needs data and configuration. Cost and recovery speed move together.
    • Separation of duties versus job rotation. Separation of duties splits a sensitive task so no one person can complete it alone, preventing fraud; job rotation moves people through roles so collusion and hidden errors surface. One blocks fraud, the other detects it.

    Worked example from the CISSP bank

    Free sample | Security Operations | hard

    A security analyst at a financial services firm receives an alert that a senior trader's workstation has been communicating with a known command-and-control domain. Counsel has indicated that the matter is likely to result in civil litigation against a former employee. The workstation is still powered on and the user is at lunch. What should the analyst do FIRST?

    • A. Pull the network cable to contain the threat and then image the disk using a write-blocker before counsel arrives on site.
    • B. Notify the incident commander and legal counsel, then acquire volatile data and a forensic image under documented chain of custody following the firm's incident response plan. (Correct)
    • C. Log on to the workstation with the trader's account to triage running processes and copy suspicious files to a network share for the forensic team.
    • D. Reimage the workstation from the gold build to eradicate the malware and restore productivity, then escalate the indicators of compromise to the threat intelligence team.

    Recognise that anticipated litigation triggers a legal-hold and evidence-preservation workflow before any containment or remediation action is taken. Once litigation is reasonably anticipated, the duty to preserve evidence attaches. The defensible sequence is to engage the incident commander and counsel so a legal hold is documented, then collect volatile data in order of volatility and a bit-for-bit image with hashes and chain of custody. Containment, eradication and recovery follow only after preservation, otherwise the resulting evidence is open to spoliation challenges and may be excluded.

    Why A is wrong: Containment instinct is reasonable, but unilaterally yanking the cable can alert malware to wipe artefacts, destroys volatile state needed for litigation, and bypasses the documented incident response and legal hold workflow that counsel must drive.

    Why B is correct: The correct manager-led action is to engage the incident commander and counsel so a legal hold can be invoked, then capture volatile evidence and a forensic image with chain of custody intact, preserving admissibility for the anticipated litigation.

    Why C is wrong: Logging in as the user contaminates the evidence by writing new timestamps, swapping memory pages and modifying registry hives, and copying files over SMB destroys metadata that a defensible image would have preserved.

    Why D is wrong: Reimaging is an eradication step that must come after evidence preservation; doing it first destroys the disk artefacts and volatile memory that counsel and any subsequent civil action depend on.
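    The preservation-first sequence this worked example describes, written out as an added runnable example (it is not code from the study guide or from ISC2). It refuses to start collection until a legal-hold reference is on record, collects sources in order of volatility (tiers adapted from RFC 3227), takes a bit-for-bit copy, hashes it, and keeps a chain-of-custody log that re-hashes the image at every hand-off so later tampering is detectable. The memory and disk "sources", the analyst and counsel names, and the legal-hold reference are all constructed placeholders.

```python
"""Evidence preservation with order of volatility and chain of custody.

Added example for the CISSP Security Operations worked question; the byte
strings standing in for memory and disk are constructed, not real captures.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Collection tiers, most volatile first (adapted from RFC 3227). Labels not in
# this list are treated as least volatile and collected last.
ORDER_OF_VOLATILITY = [
    "registers_cache",
    "memory_and_process_state",   # routing/ARP tables, process list, RAM
    "temp_filesystems",
    "disk",
    "remote_logs",
    "physical_config",
    "archival_media",
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str
    handler: str
    action: str
    sha256: str            # hash observed at this hand-off


@dataclass
class EvidenceItem:
    label: str
    image: bytes           # bit-for-bit copy of the source
    acquisition_hash: str  # hash taken at the moment of acquisition
    custody: list = field(default_factory=list)

    def record(self, handler: str, action: str) -> None:
        """Append a chain-of-custody entry, re-hashing the image at the hand-off."""
        self.custody.append(CustodyEntry(
            datetime.now(timezone.utc).isoformat(), handler, action,
            sha256_hex(self.image)))

    def verify(self) -> bool:
        """Integrity holds only if the image still matches the acquisition hash
        and every hand-off observed that same hash."""
        return (sha256_hex(self.image) == self.acquisition_hash
                and all(e.sha256 == self.acquisition_hash for e in self.custody))


def volatility_rank(label: str) -> int:
    if label in ORDER_OF_VOLATILITY:
        return ORDER_OF_VOLATILITY.index(label)
    return len(ORDER_OF_VOLATILITY)


def acquire(label: str, source: bytes, handler: str) -> EvidenceItem:
    """Take a bit-for-bit copy, hash it, and open the custody log."""
    image = bytes(source)
    item = EvidenceItem(label, image, sha256_hex(image))
    item.record(handler, f"acquired {label} ({len(image)} bytes)")
    return item


def preserve(sources: dict, handler: str, legal_hold_ref: str) -> list:
    """Collect every source in volatility order. Refuses to start until a
    legal-hold reference exists, mirroring 'engage counsel first'."""
    if not legal_hold_ref:
        raise ValueError("legal hold must be documented before collection begins")
    ordered = sorted(sources, key=volatility_rank)
    return [acquire(label, sources[label], handler) for label in ordered]


if __name__ == "__main__":
    # Constructed sample sources and a hypothetical legal-hold reference.
    sources = {"disk": b"\x55\xaa" * 512,
               "memory_and_process_state": b"process list: trader-ws"}
    items = preserve(sources, "analyst", "LH-EXAMPLE-0001")
    items[1].record("counsel", "received sealed drive")
    print([(i.label, i.verify()) for i in items])   # memory first, then disk
```

    The ordering is the point a question in this domain tests: `preserve` returns memory-tier items before disk regardless of how the caller listed them, and `verify` fails the moment an image byte changes, which is the property that keeps the evidence defensible against a spoliation challenge.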

  8. Software Development Security

    10% of exam

    What you must be able to do. Build security into each phase of the development lifecycle, judge the risk of code and dependencies you did not write, and pick the secure-coding control that closes a named weakness.

    In one sentence. Security in how software is built and bought: the SDLC and its methodologies, controls across the development ecosystem, assessing software effectiveness, vetting acquired software, and secure coding.

    Recall check: answer these from memory first
    • Why is a vulnerability cheaper to fix in design than in production, and what does that imply for where security testing belongs?
    • Name the conceptual fix for SQL injection and the conceptual fix for cross-site scripting.
    • What is the core security concern with open-source and third-party libraries, and one control that addresses it?

    What it tests. Security shifted left into the build. Integrating security through the Software Development Life Cycle across methodologies (waterfall, Agile, DevSecOps) and maturity models; applying security controls in the development ecosystem - languages, libraries, tool sets, the IDE, runtime, CI/CD, and SOAR; assessing software security effectiveness through auditing, change logging, and risk analysis; assessing the security impact of acquired software, whether commercial off-the-shelf, open source, third-party, or managed services; and defining secure coding guidelines, including identifying weaknesses, securing APIs, and the OWASP categories.

    How to study it. Anchor on the principle that fixing a flaw is cheaper the earlier you catch it, which is why security belongs in every SDLC phase, not a test at the end. Learn the methodologies by shape: waterfall is sequential and rigid, Agile is iterative, DevSecOps builds security into the pipeline. Know the common weaknesses and their fix at a conceptual level - injection is stopped by parameterised queries and input validation, cross-site scripting by output encoding - and recognise the OWASP families rather than memorising the full list. For acquired software, treat third-party and open-source code as inherited risk you must assess (review, scan, track dependencies), because you own the risk even when you did not write the code.

    Easy to confuse

    • Waterfall versus Agile versus DevSecOps. Waterfall is sequential with security gated late; Agile is iterative with security folded into each sprint; DevSecOps automates security into the CI/CD pipeline so it runs continuously. The later the model, the earlier and more continuous the security.
    • SQL injection versus cross-site scripting. SQL injection targets the database through unvalidated input and is fixed by parameterised queries; cross-site scripting targets other users' browsers with injected script and is fixed by output encoding. One attacks your data, the other attacks your users.
    • Security testing versus code review. Security testing exercises the software for vulnerabilities (scanning, fuzzing, pentest); code review reads the source for flawed logic and insecure patterns a test might miss. One probes behaviour, the other inspects construction; mature programmes do both.
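    The two weaknesses and their conceptual fixes from the list above, together with the domain 6 point that static analysis reads the source without running it, as one added example that is not the guide's or ISC2's own code. It uses Python's built-in sqlite3 in-memory database with a constructed user table; `sast_sql_rule` is a toy rule written for this example, not a real scanner, and the inputs are constructed test strings.

```python
"""SQL injection and XSS beside their fixes, plus a toy SAST rule.

Added example for the CISSP Software Development Security domain. The user
table, comment text and probe inputs are constructed sample data.
"""
import ast
import html
import inspect
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table standing in for a user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "trader"), ("bob", "analyst"), ("carol", "admin")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately flawed: the input is spliced into the SQL text, so the
    database parses it as part of the statement rather than as a value."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """Fixed: the statement is fixed text and the driver binds the value
    separately, so whatever the input contains is compared as data."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


def render_comment_vulnerable(comment: str) -> str:
    """Deliberately flawed: untrusted text is placed straight into HTML."""
    return f"<p>{comment}</p>"


def render_comment_encoded(comment: str) -> str:
    """Fixed: output encoding turns markup characters into literal text, so
    the browser displays the comment instead of interpreting it."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def sast_sql_rule(source: str) -> list:
    """Toy static-analysis rule: report line numbers of .execute() calls whose
    statement was built with an f-string or concatenation, directly or via a
    local variable. It only reads the source; nothing is executed."""
    tainted = set()      # names assigned from an f-string or concatenation
    findings = []
    for node in ast.walk(ast.parse(source)):   # breadth-first, so assignments precede uses
        if isinstance(node, ast.Assign) and isinstance(node.value, (ast.JoinedStr, ast.BinOp)):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "execute" and node.args):
            arg = node.args[0]
            if isinstance(arg, (ast.JoinedStr, ast.BinOp)) or \
                    (isinstance(arg, ast.Name) and arg.id in tainted):
                findings.append(node.lineno)
    return findings


if __name__ == "__main__":
    conn = build_db()
    probe = "x' OR 'a'='a"   # constructed probe: a quote that breaks out of the literal
    print("vulnerable  :", find_user_vulnerable(conn, probe))      # every row
    print("parameterised:", find_user_parameterised(conn, probe))  # no rows
    print(render_comment_encoded("<script>alert(1)</script>"))      # rendered inert
    # The static rule needs the code, not a running database.
    print("SAST flags:", sast_sql_rule(inspect.getsource(find_user_vulnerable)))
    print("SAST clean:", sast_sql_rule(inspect.getsource(find_user_parameterised)))
```

    Two things the list above states are visible here: the parameterised query returns nothing for the probe because the quote is just data, and `sast_sql_rule` finds the flaw without a database or a running application, which is the practical difference between SAST and DAST.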

    Worked example from the CISSP bank

    Free sample | Software Development Security | hard

    A security architect is explaining to a delivery manager why the organisation is moving from a quality gate at the end of the release pipeline to embedding security activities throughout each SDLC phase. Which statement BEST captures the underlying principle of this shift-left approach?

    • A. Identifying security defects in the phase that introduced them lowers remediation cost and prevents flawed assumptions from propagating into later phases. (Correct)
    • B. Concentrating security review at the release gate is preferable because defects can be triaged once the system is feature-complete and behaviour is stable.
    • C. Running automated penetration testing against production replicas is the most efficient way to remove vulnerabilities before customers see them.
    • D. Outsourcing security testing to an independent third party removes bias and provides a defensible assurance artefact for auditors.

    Explain why integrating security activities across every SDLC phase reduces remediation cost compared with late-stage gates. The economics of defect removal are central to secure SDLC thinking: a flaw introduced in requirements that survives into production can cost orders of magnitude more to fix than one caught in the phase that produced it. Shift-left embeds threat modelling, secure design review, secure coding standards, and unit-level security tests in the phase that owns the artefact, so flawed assumptions do not propagate.

    Why A is correct: This is the canonical rationale for shift-left: defect-removal economics worsen the further a flaw travels, and design-level errors found in coding or testing are expensive to unwind. Embedding requirements, threat modelling, and secure coding reviews in each phase contains that cost.

    Why B is wrong: This describes the legacy waterfall posture the team is moving away from. Late discovery raises remediation cost and forces risk-based exceptions to meet release dates, which is exactly the failure shift-left is meant to address.

    Why C is wrong: Pen testing against a production-like environment is valuable, but it happens late and finds only what survives earlier phases. It is a verification activity, not the principle that drives integrating security across the SDLC.

    Why D is wrong: Independent assessment supports assurance but does not address when in the lifecycle security is considered. A late third-party test still inherits the cost curve that shift-left is intended to flatten.

A study plan that works

  1. Map the eight domains and book a date

    Week 1

    Read the official exam outline and the eight domains with their weights. Book a provisional date now: a fixed date turns open-ended study into a plan and is the strongest predictor of actually sitting. Note that Security and Risk Management (16 percent) is the heaviest single domain and sets the mindset for the rest.

  2. Build the risk and governance foundation (Domain 1)

    Weeks 1 to 2

    Start here because every other domain assumes this mindset. Get the risk lifecycle, the SLE and ALE arithmetic, the four risk responses, and due care versus due diligence exact. Use the recall checks in this guide: cover the summary, answer from memory, then reveal. If you cannot state a concept in one sentence, you do not own it yet.

  3. Work the technical core (Domains 3, 4, and 5)

    Weeks 2 to 5

    Architecture, networks, and identity are 39 percent of the exam between them and the most detail-dense. Drill the security models, the OSI layer placements, the crypto-by-purpose mapping, and the access-control rules. Practise on scenario questions and read the worked explanation on every one, including the questions you got right.

  4. Cover assets, assessment, and software (Domains 2, 6, and 8)

    Weeks 5 to 7

    These reward clean distinctions: the data roles and states, the testing techniques, the secure-development lifecycle. They are learnable, reliable marks. Build the data-role table and the assessment-versus-pentest contrast until they are automatic.

  5. Drill operations and recovery (Domain 7)

    Weeks 7 to 8

    The broadest operational domain is heavily procedural, so rehearse the sequences: the incident-response phases, the recovery-site trade-offs, the DR test types. Be ready to answer what to do next from a scenario, and remember the rule that human safety outranks asset protection every time.

  6. Drill weak domains, then space the review

    Weeks 8 to 10

    Use your per-domain accuracy to attack the two or three domains dragging you down, not to re-read what you already know. Then space it: revisit each domain's recall prompts after a few days and again a week later. Spacing roughly doubles what sticks compared with cramming.

  7. Sit timed mocks and calibrate to the CAT format

    Weeks 10 to 12

    Take full timed mocks to rehearse the manager's-mindset judgement and first-pass discipline, because the adaptive format gives you no way back to earlier questions. Treat the score as a per-domain readiness signal, not a single number, and review every missed question before you book or sit.

Know when you're ready

Readiness for CISSP is a measured score on questions you have not seen before, not a feeling that the material is familiar. Those are different things, and the gap between them is where people fail. Re-reading notes builds fluency, and fluency feels like knowledge, so confidence rises while real recall does not. The fix is to test yourself on fresh scenarios: if you can read a new situation, pick the best of several defensible options, and explain why each wrong one is premature, partial, or out of order, you know it. If you can only nod along to an explanation, you do not yet.

Be especially wary of the breadth. CISSP spans eight domains, and most people are strong in three or four from their day job and weak in the rest. The danger is letting your strong domains carry your confidence while a neglected domain quietly fails you. Trust your measured per-domain accuracy over your gut, and set the bar at clearing every domain comfortably on unseen questions across more than one session, with particular attention to the management-mindset questions where the least hands-on answer is the right one.

This guide gives you the map. The practice bank is where you find out whether you can navigate it, with a worked explanation and a reason every distractor is wrong on every question. Readiness scoring tells you when you are there. Not before.

Exam-day tips

  • Answer as the risk manager, not the engineer. When one option fixes the device and another assesses the risk or follows the policy, the management answer is usually the one the exam wants.
  • Choose the best option, not merely a correct one. Two or three answers are often defensible; the wrong ones are premature, partial, or out of order rather than false.
  • Respect the sequence. Policy before technology, risk assessment before control selection, business impact analysis before a continuity plan - an answer that skips a step that comes first is the distractor.
  • Put people first. Any option that protects human life or safety outranks one that protects an asset, every time, with no exceptions.
  • Distrust absolutes. Options that say always, never, or shut everything down are usually wrong, because real security is a proportionate response to risk.
  • Commit on the first pass. The exam is adaptive and you cannot return to earlier questions, so read each one carefully, choose the best answer, and move on without second-guessing the whole paper.

Frequently asked questions

Is CISSP hard?

It is genuinely demanding, but less because the facts are obscure and more because the questions ask for the best of several defensible answers from a manager's perspective. The breadth across eight domains and the judgement under ambiguity are the real challenge, which is why scenario practice with worked explanations matters far more than memorising terms.

How long should I study for CISSP?

Most candidates with several years of security experience need three to four months of steady study. The right amount depends on how many of the eight domains your day job already covers; budget the most time for the domains furthest from your daily work, not the ones you already know.

What is the pass mark for CISSP?

700 out of 1000 on a scaled score, shown in the facts panel above. The scale is not a percentage, so aim to clear every domain comfortably on unseen practice questions rather than targeting a raw figure.

Do I need five years of experience before I can take the exam?

No. You can sit the exam first and, on passing, become an Associate of ISC2 while you accrue the required experience: five years of cumulative paid work across two or more of the eight domains, with one year waived by a relevant degree or an approved credential.

What is the CAT format, and how is it different?

Computerised Adaptive Testing tailors question difficulty to your performance, so the exam can end anywhere between 100 and 150 questions within the three hours. You cannot skip or return to earlier questions, so first-pass discipline matters, and harder questions are a sign you are doing well rather than a trap.

Which domains should I focus on?

Security and Risk Management is the heaviest at 16 percent and sets the mindset for everything else, so start there. Architecture, networks, and identity are 13 percent each and the most detail-dense. That said, your weakest domain matters more than the heaviest, so let your per-domain accuracy guide where the time goes.

How many practice questions should I do before booking?

Enough that every domain clears the pass line with margin on questions you have not seen, and a full timed mock feels comfortable on judgement and pacing. Quality of review beats raw volume: read the explanation on every question, including the ones you got right, and focus on why the wrong options are wrong.

Is CISSP worth it?

It is widely recognised as the senior security credential across industries and suits experienced practitioners who own or advise on organisational risk across a broad range of domains. The five-year experience requirement means it signals both depth and professional track record; CISM is a common companion for those who want to sharpen the governance and programme management angle.

Examworthy is not affiliated with or endorsed by (ISC)2. This guide is original study material based on the public exam blueprint. We never reproduce live exam items. CISSP and related marks belong to their respective owners.