CISSP domain - 13% of the exam

Identity and Access Management (IAM)

Identity and Access Management (IAM) makes up 13% of the Certified Information Systems Security Professional (CISSP) exam. Below are the objectives it covers, each with practice questions and worked explanations.

Sample question from this domain

Free sample · Identity and Access Management (IAM) · Difficulty: easy

A facilities team is documenting the difference between physical and logical access controls before drafting a new asset protection policy. Which statement best characterises the distinction a CISSP candidate should rely on?

  • A. Physical controls protect the perimeter of a site, while logical controls protect only the internal network segments behind that perimeter.
  • B. Physical controls are preventive in nature, while logical controls are detective in nature and used mainly to support investigations.
  • C. Physical controls govern tangible barriers and environmental measures, while logical controls govern software-enforced restrictions on data, systems, and accounts. (Correct)
  • D. Physical controls are mandatory for regulatory compliance, while logical controls are discretionary measures chosen by data owners.

Distinguish physical from logical access controls by what they protect and the medium through which they enforce restriction. CISSP treats access control as a two-pronged discipline. Physical controls reduce or prevent unauthorised contact with tangible assets and the spaces holding them, using barriers, locks, guards, lighting, and environmental measures. Logical controls operate inside information systems, using identification, authentication, authorisation, and accounting mechanisms to mediate access to data, applications, devices, and configurations. Both work together so that defeating one layer does not automatically defeat the other.

Why A is wrong: This conflates network segmentation with the broader logical access category. Logical controls cover applications, databases, files, and endpoints, not just internal network zones, so the definition is too narrow.

Why B is wrong: Both categories include preventive, detective, deterrent, and corrective examples. Treating physical as purely preventive and logical as purely detective misrepresents how control functions are classified.

Why C is correct: This captures the canonical CISSP distinction: physical controls (fences, guards, mantraps, locks) protect tangible assets and the environment, while logical controls (permissions, ACLs, MFA, encryption) enforce access in software.

Why D is wrong: Regulatory regimes mandate both categories where appropriate, and discretionary access control is a specific logical model, not a description of the whole category, so this framing is incorrect.

Examworthy is not affiliated with or endorsed by (ISC)2. Original, blueprint-aligned practice material only.