CISSP domains overview (2024): Your complete preparation guide
The Certified Information Systems Security Professional (CISSP) certification plays a significant role in the cybersecurity industry as one of the most prestigious and difficult certifications. Offered by ISC2 (International Information System Security Certification Consortium), this rigorous exam was launched in 1994 but has remained one of the most well-known and valuable certifications over the last three decades.
The four-hour, rigorous 100- to 150-question exam remains popular as it leads to the most requested certification by hiring managers in the U.S.
Earn your CISSP, guaranteed!
The CISSP domains: An overview
The CISSP comprises eight domains to assess your competence and knowledge of advanced information security knowledge. Thanks to its robust exam content, the certification is crucial for career progression and is one of the most in-demand certifications from cybersecurity employers.
Security trends and threat vectors are always becoming more sophisticated, and exam content can quickly become outdated. The CISSP is extremely thorough and detailed, and it’s also updated roughly every three years to ensure professionals are tested on the latest knowledge in this fast-changing landscape. Check out the CISSP exam overview for an in-depth look at the exam, prerequisites, scoring, duration, study tips and more.
Detailed exploration of CISSP domains
The CISSP is an extensive test of everything in information security, including designing, implementing and managing security programs in uniquely complex environments. Now, let’s dive into the individual domains in detail.
Domain 1: Security and Risk Management (16% of scored content)
Focusing on general concepts in information security, candidates are assessed on standard security and risk management procedures. A thorough understanding of this section’s concepts lays the groundwork for advanced cybersecurity knowledge and practices.
It covers topics like professional ethics, security governance principles, different investigation types, business continuity requirements and threat modeling concepts and methodologies. In the April 2024 exam update, this domain weight grew from 15% to 16%.
Domain 2: Asset Security (10% of scored content)
Assets are one of an organization’s most valuable items, and this domain covers issues related to the collection, storage, maintenance, retention and destruction of data.
It covers classifying information, asset handling requirements, managing the data lifecycle and ensuring appropriate end-of-life and end-of-support.
Domain 3: Security Architecture and Engineering (13% of scored content)
The third domain covers important security engineering topics that use plans, designs and principles. Candidates are thoroughly assessed on their ability to create, test and deploy secure architecture design. This section includes newer concepts like threat modeling, least privilege, failing securely, separation of duties, trust and verification and more secure design principles.
Domain 4: Communication and Network Security (13% of scored content)
Secure communication and network infrastructure are mission-critical for modern organizations. This section covers the importance of secure and converged protocols, wireless networks, cellular networks, hardware operation and third-party connectivity.
Domain 5: Identity and Access Management (IAM) (13% of scored content)
Covering basic identity and access management (IAM) principles, candidates are thoroughly tested on controlling physical and logical assets to assets, user authentication through single sign-on and just-in-time and managing the identity and access provisioning lifecycle.
Domain 6: Security Assessment and Testing (12% of scored content)
The six domain tests candidates on their knowledge of maintaining and enhancing security posture through validation strategies, security control testing, security audits and different data collection processes.
Domain 7: Security Operations (13% of scored content)
In another practical but broad section, candidates must demonstrate a thorough knowledge of operational security and the importance of incident management, disaster recovery and business continuity. This includes logging and monitoring activities, configuration management, resource protection, detective and preventative measures, vulnerability management and disaster recovery plans.
Domain 8: Software Development Security (10% of scored content)
The final domain of the CISSP exam focuses on the importance of integrating security practices into the software development life cycle (SDLC). CISSP candidates need extensive knowledge of security controls like programming languages, runtime, continuous delivery automation and response, application security testing and more.
This domain weight was lowered in the April 2024 update from 11% to 10%.
Earn your CISSP, guaranteed!
Preparing for the CISSP exam
The CISSP is a challenging and rigorous exam that requires five years of experience. It’s recommended to prepare thoroughly for the CISSP to maximize your chances of passing.
Start your studying with the domain most aligned with your background and experience. Create a custom study plan for yourself that involves a mix of practice questions, self-study and certification preparation courses.
Plus, depending on your unique learning style, explore CISSP resources like books, practice exams, exam guides, online study materials, on-demand training and more. If you want live training, Infosec’s CISSP Certification Boot Camp is a six-day immersive training experience in the format of your choice — live online, in-person or team onsite.
The CISSP certification hub also lists specific study guides and books if you’re interested in materials from different subject matter experts.
CISSP’s impact on cybersecurity careers in 2024 and beyond
With the demand for CISSP certifications at an all-time high, it’s a highly valuable resume builder for senior career movement. Not only is it helpful in demonstrating a commitment to ongoing learning and education, but many advanced cybersecurity positions and senior leadership roles now require the CISSP certification.
The talent shortage of cybersecurity workers hit 4 million in 2023 and will continue to grow, highlighting the need for CISSP-skilled workers. Especially as organizations and infrastructure become more sophisticated, a next-level advanced certification like the CISSP becomes even more critical to defend against complex data breaches.
CISSP and other cybersecurity certifications
Many professionals have a mix of cybersecurity manager certifications that build upon their professional experience and knowledge. The CISSP is ideal for more advanced professionals with at least five years of paid work experience in two or more of the eight domains, and it’s often taken after a more entry-level certification like CompTIA Security+.
Since the CISSP is broad, it’s often paired with more specialized certifications depending on your career goals:
- Certified Cloud Security Professional (CCSP) for those working in cloud environments
- Certified in Governance Risk and Compliance (CGRC) exam those in governance and security risk management
- CompTIA CASP+ for advanced technical professionals like security architects and security engineers
Also, some security professionals choose to specialize in specific, popular vendors like Amazon Web Services (AWS), Microsoft Azure and Cisco. These show in-depth knowledge of the most in-demand platforms and technologies and offer even more room for specialization, such as the AWS Certified Solutions Architect – Professional certification or the Azure Fundamentals Microsoft certification.
Other certification bodies like the Information Systems Audit and Control Association (ISACA) and the International Association of Privacy Professionals (IAPP) offer more opportunities for furthering your networking and professional skills.
Take the 2024 CISSP
While a challenging exam with comprehensive subject matter, the eight CISSP domains are foundational knowledge for aspiring and current cybersecurity professionals. The CISSP exam is one of the most widely recognized and prestigious certifications, demonstrating mastery of broad, technical and emerging exam content and technology.
For 2024 and beyond, continuous learning and growth in cybersecurity are key to maintaining cutting-edge skills, commanding higher salaries and obtaining valuable promotions and advancements. It’s one of the best certifications to add to your professional resume and well worth the time and energy investment.
Earn your CISSP, guaranteed!
CISSP FAQs
Take a look at a few frequently asked questions about the CISSP certification.
What is the best strategy for studying the CISSP domains?
First, give yourself adequate time to thoroughly prep for the CISSP exam, which often means several months. Start by assessing your strengths and weaknesses within the eight CISSP domains and create a custom plan to focus on your less knowledgeable areas. Break down larger domains into smaller chunks, and utilize a mix of self-study, on-demand and live training materials.
How does CISSP certification impact salary and job prospects in cybersecurity?
The average salary for a mid-level CISSP certification holder is $151,860 in 2024, and pay continues to increase with experience. Career advancement is a crucial requirement for the highest levels of leadership, such as a Chief Information Security Officer (CISO).
Can CISSP certification help in transitioning to a cybersecurity career from another field?
Yes, absolutely. No matter your background, a CISSP certification shows a mastery of advanced security topics. Coming from a complementary field helps establish credibility and knowledge and shows you’ve thoroughly bridged any potential knowledge gaps.
- Exam Pass Guarantee
- Live expert CISSP instruction
- CISSP exam voucher
In this Series
- CISSP domains overview (2024): Your complete preparation guide
- CISSP certification - The ultimate guide [updated 2021]
- CISSP certification salary: A comprehensive 2024 salary guide
- Definition & types of access control models & methods (updated 2023)
- CISSP domain 4: Communications and network security — What you need to know for the exam [2022 update]
- CISSP domain 5: Identity and access management — What you need to know for the exam [Updated 2022]
- CISSP domain 7: Security operations — What you need to know for the exam [Updated 2022]
- CISSP domain 6: Security assessment and testing — What you need to know for the exam [Updated 2022]
- CISSP domain 8 overview: Software development security — What you need to know for the exam [Updated 2022]
- CISSP and DoD 8570/8140: What you need to know [Updated 2022]
- Top 10 CISSP interview questions [Updated 2022]
- CISSP domain 1: Security and risk management — What you need to know for the exam
- The ISC2 code of ethics: A binding requirement for certification
- The CISSP experience waiver [updated 2022]
- Earning CPE credits to maintain the CISSP
- Renewal requirements for the CISSP [updated 2022]
- CISSP computerized adaptive testing (CAT): 25 of your questions answered
- CISSP job outlook [updated 2022]
- CISSP resources: Books, practice exams and other study tools [updated 2022]
- CISSP exam questions: 5 drag & drop and hotspot questions
- Risk management concepts and the CISSP (Part 2) [Updated 2022]
- What is the CISSP-ISSAP? Information Systems Security Architecture Professional [updated 2021]
- Average ISSEP Salary in 2021
- Average ISSMP Salary [updated 2021]
- CISSP domain 3: Security engineering CISSP - What you need to know for the exam [2022 update]
- Understanding the CISSP exam schedule: Duration, format, scheduling and scoring [updated 2021]
- What is the CISSP-ISSEP? Information Systems Security Engineering Professional [updated 2021]
- Information and asset classification in the CISSP exam
- CISSP domain 2: Asset security - What you need to know for the Exam [updated 2021]
- 8 tips for CISSP exam success [updated 2021]
- Risk management concepts and the CISSP (part 1) [updated 2021]
- Average ISSAP Salary in 2021
- What is the CISSP-ISSMP? Information Security System Management Professional [updated 2021]
- CISSP concentrations (ISSAP, ISSMP & ISSEP) [updated 2021]
- Due care vs. due diligence and the CISSP
- CISSP prep: Security policies, standards, procedures and guidelines
- Vulnerability and patch management in the CISSP exam
- Data security controls and the CISSP exam
- Logging and monitoring: What you need to know for the CISSP
- Data and system ownership in the CISSP exam
- CISSP Prep: Mitigating access control attacks
- CISSP Domain 5 Refresh: Identity and Access Management
- Identity Governance and Administration (IGA) in IT Infrastructure of Today
- CISSP CAT Exam Deep Dive: Study Tips from InfoSec Institute Alum Joe Wauson
- CISSP: Incident management
- CISSP: Business continuity planning and exercises
- CISSP: Perimeter defenses
- CISSP: Secure communication channels
- Environmental controls and the CISSP
- CISSP: Disaster recovery processes and plans
- Change management and the CISSP
