Domains 1-3: Security & Risk, Asset Security, Architecture
The first three domains set up the foundation for everything else on the CISSP. Risk management and governance frame how the profession thinks. Asset and architecture topics apply those frames to data and systems.
Core Security Principles
Start with the CIA Triad: Confidentiality (prevent unauthorized disclosure), Integrity (prevent unauthorized modification), Availability (ensure authorized access when needed). This foundation drives every security control decision.
Next, understand the AAA Framework: Authentication (verify identity), Authorization (grant access rights), Accounting or Auditing (log actions). This core access control model is often extended to Identification → AAA.
Risk Management Essentials
Learn the risk formula: Risk = Threat × Vulnerability × Impact. Treat it as qualitative shorthand rather than arithmetic: a risk needs all three, and removing any one removes the risk. The quantitative variant uses ALE (Annualized Loss Expectancy). Calculate it as ALE = SLE × ARO, where SLE (Single Loss Expectancy) = Asset Value × Exposure Factor and ARO is the expected number of occurrences per year.
Understand your four risk treatment options. Accept the risk and document it. Avoid the activity entirely. Transfer (share) risk via insurance or contracts. Mitigate by implementing controls. ISC2 expects you to choose on cost-benefit: a safeguard is justified when the ALE it removes exceeds its annual cost, and whatever residual risk remains after treatment still has to be formally accepted by someone with the authority to do so.
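The following is an added worked example, not code from the original page. It carries the SLE/ALE arithmetic above through to the cost-benefit decision between accept, mitigate and transfer; every number in the scenario (asset value, exposure factor, incident rates, control cost, insurance premium) is constructed for illustration.

```python
"""Quantitative risk arithmetic and the cost-benefit choice between treatments.

Added worked example; it is not code from the original page. Every number in
the scenario below (asset value, exposure factor, incident rates, control cost,
insurance premium) is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # AV: value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0-1.0
    aro: float              # ARO: expected incidents per year


def sle(s: Scenario) -> float:
    """Single Loss Expectancy = AV x EF (loss from one incident)."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy = SLE x ARO (expected loss per year)."""
    return sle(s) * s.aro


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual value of a control = (ALE before) - (ALE after) - annual cost.

    Positive: the control pays for itself. Negative: mitigation costs more
    than the risk it removes, so accept or transfer instead."""
    return ale(before) - ale(after) - annual_cost


def cheapest_treatment(before: Scenario, after: Scenario, annual_cost: float,
                       premium: float):
    """Compare the expected annual cost of each treatment.

    accept   = live with ALE as it is
    mitigate = residual ALE plus the control's annual cost
    transfer = insurance premium (assumes the policy covers the loss in full)
    Avoidance is not priced here: it means giving up the activity, which is a
    business decision rather than a cost comparison."""
    costs = {
        "accept": ale(before),
        "mitigate": ale(after) + annual_cost,
        "transfer": premium,
    }
    best = min(costs, key=costs.get)
    return best, costs


if __name__ == "__main__":
    # Constructed scenario: a customer database worth 500,000; a breach
    # exposes 25% of that value and is expected once every five years.
    before = Scenario(asset_value=500_000, exposure_factor=0.25, aro=0.2)
    # A monitoring-and-patching control cuts the rate to once in 50 years.
    after = Scenario(asset_value=500_000, exposure_factor=0.25, aro=0.02)
    print(f"SLE before: {sle(before):,.0f}   ALE before: {ale(before):,.0f}")
    print(f"ALE after:  {ale(after):,.0f}")
    print(f"Safeguard value at 10,000/yr: {safeguard_value(before, after, 10_000):,.0f}")
    choice, costs = cheapest_treatment(before, after, annual_cost=10_000, premium=15_000)
    print(f"Cheapest treatment: {choice}  {costs}")
```

With the constructed numbers the control is worth 12,500 a year net and mitigation is the cheapest option; raise its annual cost to 30,000 and the same function picks transfer, which is the exam's point: the treatment follows the arithmetic, not the instinct to "fix it".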
Grasp the difference between governance and management. Governance sets direction, policies, and oversight (board and executive level). Management executes and administers. CISSP expects you to think at the governance level, not hands-on.
Remember due care versus due diligence. Due diligence is the investigation and verification: understanding the risks before acting and continuously checking, through audits and reviews, that controls actually work. Due care is acting on that knowledge: implementing and maintaining the controls a prudent person would. Both are required; failing either exposes the organization and its officers to liability for negligence.
Data Protection and Lifecycle
Know data classification systems. Government uses Top Secret, Secret, Confidential, Unclassified. Commercial systems use Confidential/Proprietary, Private, Sensitive, Public. Classification drives handling, labeling, and disposal.
Understand the data lifecycle: Create, Store, Use, Share, Archive, Destroy. Each stage has control requirements. The data owner sets classification. The data custodian enforces controls. The data user follows policy.
Security Models
Learn Bell-LaPadula, the confidentiality model. It enforces "no read up" (simple security property: a subject may not read an object above its clearance) plus "no write down" (star, or *, property: a subject may not write to an object below its level). Together they stop a highly cleared subject from copying secrets into a lower-classified object. Focus: government and military environments.
Study Biba, the integrity model. It enforces "no read down" (simple integrity axiom) plus "no write up" (* integrity axiom). This stops a trusted process from consuming untrustworthy input and stops a low-integrity subject from modifying high-integrity data. The inequalities run the opposite direction from Bell-LaPadula: for any two unequal labels, one model allows exactly what the other forbids.
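The two models side by side, as an added example rather than code from the original page. It implements a toy reference monitor with the two properties of each model and enumerates every label combination so the mirror-image relationship is visible; the three-level lattice and the subject/object pairs are constructed for illustration.

```python
"""A toy reference monitor enforcing Bell-LaPadula and Biba.

Added illustrative code, not from the original page. The levels and the
example subjects/objects are constructed; a real security kernel would read
labels from its label store and mediate every access, not just these calls.
"""
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    """A totally ordered lattice of labels. Read it as sensitivity for
    Bell-LaPadula and as integrity for Biba; only the ordering matters."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    simple security property: no read up    -> subject must dominate object
    *-property:               no write down -> object must dominate subject
    Together they stop a high subject copying secrets into a low object."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity): the same two rules with the inequalities flipped.
    simple integrity: no read down -> object must be at least as trustworthy
    *-integrity:      no write up  -> subject must be at least as trustworthy
    Together they stop low-integrity input polluting high-integrity data."""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


MODELS = {"bell-lapadula": blp_allows, "biba": biba_allows}


def reference_monitor(model: str, subject: Level, obj: Level, op: str) -> bool:
    """Single choke point every access goes through (the 'always invoked'
    property). It is deliberately tiny: small enough to verify."""
    return MODELS[model](subject, obj, op)


def decision_matrix(model: str) -> dict:
    """Enumerate every (subject, object, op) so the two models' asymmetry is
    visible side by side."""
    return {
        (s.name, o.name, op): reference_monitor(model, s, o, op)
        for s, o, op in product(Level, Level, ("read", "write"))
    }


if __name__ == "__main__":
    for model in MODELS:
        print(model)
        for (s, o, op), ok in decision_matrix(model).items():
            print(f"  {s:6} {op:5} {o:6} -> {'allow' if ok else 'DENY'}")
```

Running it prints both matrices; the exam-relevant observation is that wherever the subject and object labels differ, the Bell-LaPadula and Biba decisions are exact opposites, and a system that needs both confidentiality and integrity has to label each separately.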
Examine the Clark-Wilson Model, a commercial integrity model. Access happens via well-formed transactions and separation of duties. Key concepts include CDI (constrained data items), TP (transformation procedures), and IVP (integrity verification).
Review TCSEC and Common Criteria. TCSEC (the Orange Book, 1983, revised 1985) uses ratings D (minimal protection), C1, C2, B1, B2, B3, A1 (verified design), with protection increasing from D to A1. Common Criteria (ISO/IEC 15408) replaced it internationally: a Protection Profile (PP) states the security requirements for a class of product, a Security Target (ST) states what a specific product claims, and Evaluation Assurance Levels (EAL1 through EAL7) express how rigorously those claims were evaluated, not how secure the product is.
Architecture and Infrastructure
Understand defense in depth across layers: physical, perimeter, network, host, application, data. Each layer provides independent controls. An attacker must defeat all to reach assets.
Grasp the Trusted Computing Base (TCB). It's the set of hardware, firmware, and software components critical to security. The security kernel mediates all access using a reference monitor concept. The TCB must be tamperproof, always-invoked, and small enough to verify.
Learn memory protection techniques: segmentation, paging, and hardware ring protection (rings 0-3 on x86, with the kernel in ring 0 and user processes in ring 3). These protect processes from each other and the kernel from user space. They bound what code is allowed to touch; they do not by themselves stop a process from corrupting its own memory, which is what the memory-safety mitigations in Domain 8 address.
Cloud and Modern Infrastructure
Know the cloud service models. IaaS means the provider handles physical and network; you handle OS, app, and data. PaaS means the provider adds OS and runtime; you handle app and data. SaaS means the provider handles almost all; you handle data and configuration.
Understand the shared responsibility model. The cloud provider secures infrastructure. You secure what you put in it. Details vary by service model. CISSP expects you to delineate responsibilities precisely.
| Term | Meaning |
|---|---|
| CIA Triad | Confidentiality (prevent unauthorized disclosure), Integrity (prevent unauthorized modification), Availability (ensure authorized access when needed). Foundation of every security control decision. |
| AAA Framework | Authentication (verify identity), Authorization (grant access rights), Accounting/Auditing (log actions). Core access control model; often extended to Identification → AAA. |
| Risk Formula | Risk = Threat × Vulnerability × Impact. Quantitative variant: ALE = SLE × ARO (Annualized Loss Expectancy = Single Loss Expectancy × Annualized Rate of Occurrence). SLE = Asset Value × Exposure Factor. |
| Risk Treatment Options | Accept (document and retain risk), Avoid (eliminate the activity), Transfer (insurance, contracts), Mitigate (reduce via controls). ISC2 order of preference varies by cost-benefit analysis. |
| Governance vs. Management | Governance sets direction, policies, and oversight (board/executive). Management executes and administers. Tested repeatedly, CISSP wants you to think at the governance level, not hands-on. |
| Due Care vs. Due Diligence | Due diligence: investigating and verifying (understanding risks before acting; audits and reviews confirming controls work). Due care: acting on it (implementing and maintaining controls a prudent person would). Both required; failing either exposes organization and officers to negligence liability. |
| Data Classification | Gov: Top Secret > Secret > Confidential > Unclassified. Commercial: Confidential/Proprietary > Private > Sensitive > Public. Classification drives handling, labeling, and disposal requirements. |
| Data Lifecycle | Create → Store → Use → Share → Archive → Destroy. Each stage has control requirements. Data owner sets classification; data custodian enforces controls; data user follows policy. |
| Security Models, Bell-LaPadula | Confidentiality model. 'No read up' (simple security property) + 'no write down' (* property). Protects secrets from leaking downward. Focus: government/military. |
| Security Models, Biba | Integrity model. 'No read down' + 'no write up.' Prevents lower-integrity data from corrupting higher-integrity systems. Opposite direction from Bell-LaPadula. |
| Clark-Wilson Model | Commercial integrity model. Access via well-formed transactions and separation of duties. Concepts: CDI (constrained data items), TP (transformation procedures), IVP (integrity verification). |
| TCSEC & Common Criteria | TCSEC (Orange Book, 1983/1985): D/C1/C2/B1/B2/B3/A1 ratings, protection rising from D to A1. Common Criteria (ISO/IEC 15408): Protection Profiles (PP, requirements for a product class), Security Targets (ST, a product's claims), Evaluation Assurance Levels EAL1-EAL7 (rigor of evaluation, not degree of security). |
| Security Architecture Layers | Defense in depth: physical → perimeter → network → host → application → data. Each layer provides independent controls; attacker must defeat all to reach assets. |
| Trusted Computing Base (TCB) | Set of hardware, firmware, and software components critical to security. Security kernel mediates all access (reference monitor concept). Must be tamperproof, always-invoked, small enough to verify. |
| Memory Protection | Segmentation, paging, and hardware ring protection (rings 0-3 on x86; kernel in ring 0, user processes in ring 3). Protects processes from each other and the kernel from user space. Bounds what code may touch; does not by itself stop a process corrupting its own memory. |
| Cloud Service Models | IaaS (provider handles physical/network; customer handles OS+app+data), PaaS (provider adds OS/runtime; customer handles app+data), SaaS (provider handles almost all; customer handles data and configuration). |
| Shared Responsibility Model | Cloud: provider secures infrastructure, customer secures what they put in it. Details vary by service model. Tested frequently, CISSP expects you to delineate responsibilities precisely. |
Domains 4-6: Comms Security, IAM, Security Assessment
These three domains cover the technical controls that most security engineers touch daily. Expect heavy coverage of cryptography, access control models, and assessment methodologies.
Networking and Communications
Memorize the OSI Model: Physical, Data Link, Network, Transport, Session, Presentation, Application. Learn layer functions, protocols at each layer, and attack types. Use the mnemonic: Please Do Not Throw Sausage Pizza Away.
Understand TCP/IP versus OSI. TCP/IP has 4 layers: Link (OSI 1-2), Internet (OSI 3), Transport (OSI 4), Application (OSI 5-7). CISSP uses both models depending on question context.
Cryptography Fundamentals
Distinguish symmetric versus asymmetric crypto. Symmetric uses one shared key, is fast, but has a key distribution challenge (AES; 3DES is deprecated and should only be found in legacy systems). Asymmetric uses a public/private keypair, is slow, and solves key distribution (RSA, ECC). Hybrid schemes use asymmetric for key exchange and symmetric for bulk data; TLS is the everyday example.
Study AES (Advanced Encryption Standard). It's a symmetric block cipher with 128-bit blocks and 128/192/256-bit keys. It replaced DES and 3DES. Know its modes: ECB (avoid, shows patterns), CBC, CTR, GCM (authenticated encryption).
Understand RSA. It's asymmetric, based on the difficulty of factoring a modulus that is the product of two large primes. It's used for key transport (encrypting a symmetric key), digital signatures, and small-data encryption. Typical key sizes are 2048-4096 bits; 1024-bit keys are no longer acceptable. It's far slower than symmetric ciphers, so use hybrid schemes.
Learn hashing with SHA-2 and SHA-3. These are one-way functions producing fixed-length digests; SHA-256 and SHA-512 are the common choices. MD5 and SHA-1 have practical collision attacks, so never use them for integrity or signatures. For passwords, hashing alone is not enough: use a random per-password salt plus a deliberately slow KDF (bcrypt, scrypt, Argon2, or PBKDF2) so that guessing costs the attacker time.
Grasp digital signatures. The signer hashes the message and signs the digest with their private key (in the textbook RSA description, "encrypts the hash"). The recipient recovers the digest with the sender's public key and compares it with a hash they compute themselves. This provides integrity, authentication, and non-repudiation; encrypting with the recipient's public key, by contrast, provides only confidentiality.
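The second added example makes the RSA and signature paragraphs concrete: it generates a textbook RSA keypair, signs a SHA-256 digest by raising it to the private exponent, and verifies by raising the signature to the public exponent and comparing digests. The primes are deliberately tiny and there is no padding, so it is insecure toy code for illustration only and not anything a real library does verbatim.

```python
"""Textbook RSA signature over a SHA-256 digest, showing the CISSP description
'hash the message, sign the hash with the private key, verify with the public key'.

Added example, not from the original page. The primes are deliberately tiny
and there is no padding (no PSS or PKCS#1 v1.5), so this is insecure toy code
for illustration only; use a vetted library for real signatures.
"""
import hashlib

# Constructed toy key material. Real keys use 2048-4096 bit moduli.
P, Q = 61, 53   # n = 3233 factors in a millisecond
E = 17          # public exponent


def keygen(p: int, q: int, e: int):
    """Return ((e, n), (d, n)). d is the modular inverse of e mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # raises ValueError if gcd(e, phi) != 1
    return (e, n), (d, n)


def digest_int(message: bytes, n: int) -> int:
    """Hash first: the signature covers a fixed-size digest, not the message.
    Reducing mod n is a toy shortcut; real schemes pad the digest out to the
    modulus size instead."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_digest(h: int, priv) -> int:
    """'Encrypt' the hash with the private exponent."""
    d, n = priv
    return pow(h, d, n)


def verify_digest(h: int, sig: int, pub) -> bool:
    """'Decrypt' the signature with the public exponent and compare hashes."""
    e, n = pub
    return pow(sig, e, n) == h


def sign(message: bytes, priv) -> int:
    return sign_digest(digest_int(message, priv[1]), priv)


def verify(message: bytes, sig: int, pub) -> bool:
    return verify_digest(digest_int(message, pub[1]), sig, pub)


if __name__ == "__main__":
    pub, priv = keygen(P, Q, E)
    msg = b"transfer 100 to account 42"
    sig = sign(msg, priv)
    print("signature:", sig, "verifies:", verify(msg, sig, pub))
    # Any change to the message changes the digest, so the check fails
    # (with a 3233-element toy group an accidental match has odds of 1/3233;
    # with a real modulus they are negligible).
    print("tampered verifies:", verify(b"transfer 900 to account 42", sig, pub))
    # Non-repudiation: only the holder of d could have produced sig, and
    # anyone holding (e, n) can check it.
```

The verification step never uses the private key, which is why a signature proves origin to third parties; the same exponentiation with the keys swapped is encryption, which proves nothing about origin.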
PKI and Certificate Management
Know PKI components: CA (Certificate Authority), RA (Registration Authority, which verifies identity before the CA issues), CRL/OCSP (revocation), CPS (Certification Practice Statement), subscribers, and relying parties. Trust is anchored in root CA certificates distributed out of band, for example in operating system and browser trust stores.
Access Control and IAM
Learn access control models:
- DAC (discretionary, owner-defined, Windows NTFS)
- MAC (mandatory, labels and clearances, SELinux)
- RBAC (role-based)
- ABAC (attribute-based, policy-driven)
- RuBAC (rule-based, firewalls)
Match the model to your environment.
Understand authentication factors. Type 1 is something you know (password, PIN). Type 2 is something you have (token, smart card). Type 3 is something you are (biometric). MFA combines two or more factor types, not two of the same.
Study SSO protocols. SAML uses XML-based assertions for enterprise SSO. OAuth 2.0 provides authorization delegation via tokens; it is not an authentication protocol on its own. OpenID Connect (OIDC) adds an authentication layer on top of OAuth 2.0. Kerberos uses ticket-based, time-sensitive authentication (clocks must agree, by default within five minutes) for on-premises Active Directory.
Learn biometric metrics: FAR (False Acceptance Rate, imposter accepted), FRR (False Rejection Rate, legit user rejected), CER or EER (Crossover Error Rate, where FAR equals FRR). Lower CER means better biometric.
Assessment and Testing
Master penetration testing methodology: Planning, reconnaissance, scanning, exploitation, post-exploitation, reporting. Know the types: black-box, white-box, gray-box. Always require written authorization covering scope and rules of engagement.
Distinguish vulnerability assessment versus penetration test. Vulnerability assessment is a broad scan identifying weaknesses without exploitation. Pen test is targeted, attempts exploitation to demonstrate impact. Both are needed.
Learn audit types: Internal (by employees), external (by independent auditors), SOC 1 (financial controls), SOC 2 (security, availability, confidentiality, processing integrity, privacy), ISO 27001 certification.
Understand log management and SIEM. Centralize, normalize, and correlate logs for detection and forensics. Examples include Splunk, QRadar, Sentinel. Require tuning to reduce false positives. Retention is driven by compliance and investigation needs.
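An added example of the centralize, normalize, correlate pipeline; it is not code from the original page. It parses constructed sshd-style syslog lines into normalized events and runs a sliding-window rule over them: five failed logins from one source within 60 seconds raises an alert, and a subsequent success from the same source escalates it. The threshold and window are demo values, not a vendor default, and the lines are invented.

```python
"""Minimal SIEM-style pipeline: parse raw lines, normalize to events, correlate.

Added example, not from the original page. The log lines are constructed
sshd-style syslog entries, and the rule (five failures from one source within
60 seconds, then a success) is a demo threshold, not a vendor default.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOGS = """\
2024-03-01T10:00:01Z bastion sshd[211]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
2024-03-01T10:00:04Z bastion sshd[211]: Failed password for root from 203.0.113.7 port 51013 ssh2
2024-03-01T10:00:07Z bastion sshd[211]: Failed password for invalid user test from 203.0.113.7 port 51014 ssh2
2024-03-01T10:00:10Z bastion sshd[211]: Failed password for root from 203.0.113.7 port 51015 ssh2
2024-03-01T10:00:13Z bastion sshd[211]: Failed password for root from 203.0.113.7 port 51016 ssh2
2024-03-01T10:00:20Z bastion sshd[211]: Accepted password for root from 203.0.113.7 port 51020 ssh2
2024-03-01T10:05:00Z app01 sshd[900]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-01T10:05:02Z app01 sshd[900]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
2024-03-01T10:06:00Z app01 sshd[901]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Normalize: one dict per auth event with a typed timestamp. Lines that
    are not auth outcomes (here the pam session line) are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_brute_force(events, threshold=5, window_s=60):
    """Sliding window per source IP. Fire when failures in the window reach
    the threshold; escalate if the same source then authenticates successfully
    while the window is still live (the pattern a single typo never produces)."""
    alerts = {}
    recent = defaultdict(deque)        # src -> timestamps of failures in window
    users = defaultdict(set)           # src -> usernames tried
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, q = ev["src"], recent[ev["src"]]
        cutoff = ev["ts"] - timedelta(seconds=window_s)
        while q and q[0] < cutoff:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            users[src].add(ev["user"])
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"src": src, "first": q[0],
                                            "success_after": False,
                                            "success_user": None,
                                            "severity": "medium"})
                a.update(failures=len(q), last=ev["ts"], users=sorted(users[src]))
        elif src in alerts and q:
            alerts[src].update(success_after=True, success_user=ev["user"],
                               severity="high")
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_brute_force(parse(SAMPLE_LOGS.splitlines())):
        print(alert)
```

The window, threshold and escalation condition are the knobs a SIEM engineer tunes: alice's single failure followed by success is exactly the benign case that an untuned "any failure then success" rule would flood the queue with.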
| Term | Meaning |
|---|---|
| OSI Model | 7 layers: Physical, Data Link, Network, Transport, Session, Presentation, Application. Memorize layer functions, protocols at each layer, and attack types. Please Do Not Throw Sausage Pizza Away. |
| TCP/IP vs. OSI | TCP/IP 4 layers: Link (OSI 1-2), Internet (OSI 3), Transport (OSI 4), Application (OSI 5-7). CISSP uses both models depending on question context. |
| Symmetric vs. Asymmetric Crypto | Symmetric: one shared key, fast, key distribution challenge (AES, 3DES). Asymmetric: public/private keypair, slow, solves key distribution (RSA, ECC). Hybrid: asymmetric for key exchange, symmetric for bulk data. |
| AES | Advanced Encryption Standard. Symmetric block cipher, 128-bit blocks, 128/192/256-bit keys. Replaced DES/3DES. Modes: ECB (avoid, patterns), CBC, CTR, GCM (authenticated encryption). |
| RSA | Asymmetric algorithm based on difficulty of factoring a modulus that is the product of two large primes. Used for key transport, digital signatures, and small-data encryption. Typical key sizes 2048-4096 bits (1024 no longer acceptable). Slower than symmetric; use hybrid schemes. |
| Hashing (SHA-2, SHA-3) | One-way function producing fixed-length digest. SHA-256/512 commonly used. MD5 and SHA-1 have practical collision attacks; do not use for integrity or signatures. Passwords: random per-password salt + slow KDF (bcrypt, scrypt, Argon2, PBKDF2). |
| Digital Signatures | Hash of message signed with sender's private key ("encrypted" in textbook RSA terms). Provides integrity, authentication, non-repudiation. Recipient recovers digest with sender's public key and compares to own hash. Encrypting with recipient's public key gives confidentiality only. |
| PKI Components | CA (Certificate Authority), RA (Registration Authority, verifies identity before issuance), CRL/OCSP (revocation), CPS (Certification Practice Statement), subscribers, relying parties. Trust anchored in root CA certificates distributed out of band (OS/browser trust stores). |
| Access Control Models | DAC (owner-defined, Windows NTFS), MAC (labels and clearances, SELinux), RBAC (roles), ABAC (policy/attribute-driven), RuBAC (rule-based, firewalls). Match model to environment. |
| Authentication Factors | Type 1 something you know (password, PIN). Type 2 something you have (token, smart card). Type 3 something you are (biometric). MFA combines two or more factor types, not two of the same. |
| SSO Protocols, SAML, OAuth 2.0, OpenID Connect | SAML: XML-based assertions, enterprise SSO. OAuth 2.0: authorization delegation via tokens. OIDC: authentication layer on OAuth 2.0. Kerberos: ticket-based, time-sensitive, on-prem AD. |
| Biometrics, FAR/FRR/CER | FAR: False Acceptance Rate (imposter accepted). FRR: False Rejection Rate (legit user rejected). CER/EER: where FAR = FRR, the standard comparison metric. Lower CER = better biometric. |
| Penetration Testing Methodology | Planning → reconnaissance → scanning → exploitation → post-exploitation → reporting. Types: black-box, white-box, gray-box. Requires written authorization (scope, rules of engagement). |
| Vulnerability Assessment vs. Pen Test | Vulnerability assessment: broad scan, identifies weaknesses, doesn't exploit. Pen test: targeted, attempts exploitation to demonstrate impact. Both needed, serve different purposes. |
| Audit Types | Internal (by employees), external (by independent auditors), SOC 1 (financial controls), SOC 2 (security/availability/confidentiality/processing integrity/privacy), ISO 27001 certification. |
| Log Management (SIEM) | Centralize, normalize, correlate logs for detection and forensics. Examples: Splunk, QRadar, Sentinel. Requires tuning to reduce false positives. Retention periods driven by compliance and investigation needs. |
Domains 7-8: Security Operations & Software Development Security
These domains cover day-to-day operations, incident response, disaster recovery, and secure SDLC practices. Scenario-heavy questions test your prioritization during incidents and your selection of secure development activities.
Incident Response and Forensics
Know the incident response phases as CISSP lists them: Preparation, Detection and Analysis, Containment, Eradication, Recovery, Lessons Learned. This expands NIST SP 800-61, which groups containment, eradication and recovery into a single phase and calls the final one post-incident activity. Preparation is the most important and most overlooked phase: it is where playbooks, logging, contact lists and the authority to act are put in place before they are needed.
Master the digital forensics process: Identification, Preservation, Collection, Examination, Analysis, Presentation. Maintain chain of custody. Use write blockers. Hash evidence before and after. Admissibility depends on procedure.
Business Continuity and Disaster Recovery
Differentiate BCP versus DRP. BCP (Business Continuity) keeps the business running during or after disruption. It has broader scope. DRP (Disaster Recovery) restores IT systems. It's a subset of BCP. BIA feeds both.
Understand BIA (Business Impact Analysis). It identifies critical business functions and determines Maximum Tolerable Downtime (MTD, the longest outage the business can survive), Recovery Time Objective (RTO, the target time to restore the system, which must be shorter than MTD), Recovery Point Objective (RPO, the maximum acceptable data loss measured as time, which dictates backup frequency), and Mean Time to Repair (MTTR).
Know recovery site types:
- Cold site: space, power, HVAC only (cheap, long recovery)
- Warm site: cold plus some equipment (moderate cost and recovery time)
- Hot site: fully equipped, near-live data (expensive, fastest recovery)
- Reciprocal agreement: partner organization shares resources
Learn backup strategies. Full backup copies all data (slowest backup, most storage, single-set restore). Incremental backup captures changes since the last backup of any kind (fastest backup, least storage, slowest restore: the last full plus every incremental since, applied in order). Differential backup captures changes since the last full (grows through the week; restore needs only the last full plus the latest differential). Follow the 3-2-1 rule: 3 copies, on 2 different media types, with 1 copy offsite.
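An added worked example of the backup trade-off, not code from the original page: it builds a week of backup sets under each strategy from constructed daily change sizes, then computes which sets a restore on a given day must read and how much weekly storage each strategy consumes. The schedule (a full on day 0, one backup on each of the next six days) and the sizes are assumptions.

```python
"""Restore chains and weekly storage for incremental vs differential backups.

Added worked example, not from the original page. The schedule (a full on day
0, one backup each of the next six days) and the daily change sizes are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    day: int        # 0 = the weekly full
    kind: str       # "full", "incremental" or "differential"
    size_mb: int


def plan(strategy: str, base_mb: int, daily_changes_mb) -> list:
    """Build a week's backup sets. Incremental captures only that day's
    changes (and resets the archive bit); differential captures everything
    changed since the last full, so it grows through the week."""
    sets = [Backup(0, "full", base_mb)]
    since_full = 0
    for day, change in enumerate(daily_changes_mb, start=1):
        since_full += change
        if strategy == "incremental":
            sets.append(Backup(day, "incremental", change))
        elif strategy == "differential":
            sets.append(Backup(day, "differential", since_full))
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return sets


def restore_chain(sets, restore_day: int) -> list:
    """The sets a restore to the state of restore_day must read, in order.
    A missing or corrupt set anywhere in an incremental chain breaks the
    restore from that point on; a differential chain has only two links."""
    eligible = [b for b in sets if b.day <= restore_day]
    full = max((b for b in eligible if b.kind == "full"), key=lambda b: b.day)
    after = sorted((b for b in eligible if b.day > full.day), key=lambda b: b.day)
    if not after:
        return [full]
    if after[0].kind == "differential":
        return [full, after[-1]]          # last full + latest differential only
    return [full] + after                 # last full + every incremental since


def storage_mb(sets) -> int:
    return sum(b.size_mb for b in sets)


if __name__ == "__main__":
    changes = [500, 300, 700, 200, 400, 600]     # constructed daily deltas
    for strategy in ("incremental", "differential"):
        week = plan(strategy, base_mb=10_000, daily_changes_mb=changes)
        chain = restore_chain(week, restore_day=4)
        print(f"{strategy:12} weekly storage {storage_mb(week):>6} MB; "
              f"restore to day 4 reads {len(chain)} sets, {storage_mb(chain)} MB")
```

Both strategies read the same volume of data to restore day 4; what differs is the number of sets (and therefore the number of things that can fail) against the weekly storage bill, which is the trade-off exam questions probe.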
Change and Patch Management
Follow the change management process: Request, Review, Approve, Test, Implement, Document. Formal change control prevents unintended consequences and supports audit. Emergency changes require retroactive review.
Execute patch management steps: Inventory, prioritize by risk, test in non-production, deploy, verify. Zero-day vulnerabilities and critical CVSS scores accelerate the cycle. Document exceptions for systems that cannot be patched.
Software Development Security
Understand SDLC phases: Requirements, Design, Implementation, Testing, Deployment, Maintenance. Security activities happen at every phase:
- Requirements: abuse cases
- Design: threat modeling
- Code: SAST (Static Application Security Testing)
- Test: DAST (Dynamic Application Security Testing)
- Deploy: hardening
- Maintain: patching
Study the OWASP Top 10 (2021 edition). This periodically revised list covers the most critical web app risks: broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and SSRF (Server-Side Request Forgery).
Apply secure coding practices:
- Use allow-lists for input validation (better than deny-lists)
- Use parameterized queries to prevent SQL injection
- Apply output encoding to prevent XSS
- Implement least privilege
- Use fail-secure defaults
- Handle errors without leaking information
- Reuse cryptographic libraries (don't build custom crypto)
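Four of the practices above in one added example, not code from the original page: a deliberately vulnerable string-built query beside its parameterized form, allow-list validation, HTML output encoding, and an error path that logs details internally while returning a generic message. It uses an in-memory sqlite3 table populated with constructed rows.

```python
"""Injection-prone code next to its hardened form: string-built SQL versus a
parameterized query, raw versus HTML-encoded output, and allow-list input
validation with an error path that leaks nothing.

Added example, not from the original page. It uses an in-memory sqlite3 table
populated with constructed rows.
"""
import html
import logging
import re
import sqlite3

log = logging.getLogger("app")


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "h1", "admin"), ("bob", "h2", "user")])
    return conn


def count_matches_vulnerable(conn, username: str) -> int:
    """Deliberately vulnerable: untrusted input is spliced into the SQL text,
    so the input can change the query's structure, not just its value."""
    sql = f"SELECT COUNT(*) FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone()[0]


def count_matches_safe(conn, username: str) -> int:
    """Parameterized: the driver passes the value separately from the SQL
    text, so it can only ever be compared as data."""
    return conn.execute("SELECT COUNT(*) FROM users WHERE username = ?",
                        (username,)).fetchone()[0]


USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def is_valid_username(username: str) -> bool:
    """Allow-list: state what is acceptable rather than enumerating bad
    characters. Defense in depth on top of parameterization, not a substitute."""
    return USERNAME_RE.fullmatch(username) is not None


def render_greeting_vulnerable(name: str) -> str:
    return f"<p>Hello, {name}</p>"          # reflected XSS if name is attacker-controlled


def render_greeting_safe(name: str) -> str:
    """Output encoding for the HTML body context: <, >, &, and quotes become
    entities, so user data cannot be interpreted as markup."""
    return f"<p>Hello, {html.escape(name)}</p>"


def lookup_role(conn, username: str) -> str:
    """Validate, parameterize, and fail without leaking internals: the caller
    gets one generic message whether input was invalid or the user is absent
    (no user enumeration); the details go to the log, not the response."""
    if not is_valid_username(username):
        return "error: invalid request"
    try:
        row = conn.execute("SELECT role FROM users WHERE username = ?",
                           (username,)).fetchone()
    except sqlite3.Error:
        log.exception("role lookup failed for %r", username)
        return "error: temporary failure"
    return row[0] if row else "error: invalid request"


if __name__ == "__main__":
    conn = setup()
    payload = "nobody' OR '1'='1"
    print(count_matches_vulnerable(conn, payload), count_matches_safe(conn, payload))  # 2 0
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting_safe("<script>alert(1)</script>"))
    print(lookup_role(conn, "alice"), lookup_role(conn, payload), lookup_role(conn, "carol"))
```

The payload matches every row through the string-built query and none through the parameterized one, which is the whole point: the fix is structural (separating code from data), and validation and encoding are additional layers rather than replacements for it.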
Grasp DevSecOps. Integrate security into CI/CD pipelines using SAST on commit, SCA (Software Composition Analysis) for dependencies, DAST on staging builds, container scanning, and infrastructure-as-code scanning. This "shift-left" approach enables continuous testing.
Learn threat modeling with STRIDE: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. This Microsoft framework is used during design to enumerate threats and prioritize mitigations.
Understand container security: Image scanning (CVEs), signed images, minimal base images (Alpine, distroless), runtime protection (seccomp, AppArmor), orchestrator hardening (Kubernetes RBAC, network policies, secrets management).
Secure your databases. Control access, encrypt at rest (TDE) and in transit (TLS), prevent injection, audit all changes, separate duties (DBA versus data owner), and implement inference and aggregation controls on sensitive columns.
Know memory-safety attacks: buffer overflow, stack smashing, heap overflow, use-after-free. Mitigations include DEP/NX, ASLR, stack canaries, control flow integrity, safe languages (Rust, managed runtimes), and bounds checking.
| Term | Meaning |
|---|---|
| Incident Response Phases | Preparation → Detection & Analysis → Containment → Eradication → Recovery → Lessons Learned. Expands NIST SP 800-61, which merges containment/eradication/recovery and calls the last phase post-incident activity. Preparation is the most important (and most overlooked) phase. |
| Digital Forensics Process | Identification → Preservation → Collection → Examination → Analysis → Presentation. Maintain chain of custody; use write blockers; hash evidence before and after. Admissibility depends on procedure. |
| BCP vs. DRP | BCP (Business Continuity): keep the business running during/after disruption; broader scope. DRP (Disaster Recovery): restore IT systems; subset of BCP. BIA feeds both. |
| BIA (Business Impact Analysis) | Identifies critical business functions, determines Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO, must be shorter than MTD), Recovery Point Objective (RPO, maximum acceptable data loss as time; sets backup frequency), and Mean Time to Repair (MTTR). |
| Recovery Site Types | Cold site: space, power, HVAC only (cheap, long recovery). Warm site: cold + some equipment (moderate). Hot site: fully equipped, near-live data (expensive, fastest recovery). Reciprocal agreement with a partner organization. |
| Backup Strategies | Full (all data, slow, most storage). Incremental (since last backup of any kind; fastest backup, slowest restore: last full + every incremental since). Differential (since last full; grows through the week; restore = last full + latest differential). 3-2-1 rule: 3 copies, 2 media, 1 offsite. |
| Change Management Process | Request → Review → Approve → Test → Implement → Document. Formal change control prevents unintended consequences and supports audit. Emergency changes require retroactive review. |
| Patch Management | Inventory → prioritize by risk → test in non-prod → deploy → verify. Zero-day vulnerabilities and critical CVSS scores accelerate the cycle. Document exceptions for systems that cannot be patched. |
| SDLC Phases | Requirements → Design → Implementation → Testing → Deployment → Maintenance. Security activities at every phase: requirements (abuse cases), design (threat modeling), code (SAST), test (DAST), deploy (hardening), maintain (patching). |
| OWASP Top 10 | Periodically revised list of most critical web app risks (2021 edition): broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, logging and monitoring failures, SSRF. |
| Secure Coding Practices | Input validation (allow-list over deny-list), parameterized queries (prevent SQLi), output encoding (prevent XSS), least privilege, fail-secure defaults, error handling without info leakage, cryptographic library reuse over custom crypto. |
| DevSecOps | Integrates security into CI/CD pipelines: SAST on commit, SCA for dependencies, DAST on staging builds, container scanning, infrastructure-as-code scanning. Shift-left + continuous testing. |
| Threat Modeling (STRIDE) | Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. Microsoft framework; used during design phase to enumerate threats and prioritize mitigations. |
| Container Security | Image scanning (CVEs), signed images, minimal base images (Alpine, distroless), runtime protection (seccomp, AppArmor), orchestrator hardening (Kubernetes RBAC, network policies, secrets management). |
| Database Security | Access control, encryption at rest (TDE) and in transit (TLS), injection prevention, auditing, separation of duties (DBA vs. data owner), inference and aggregation controls on sensitive columns. |
| Memory-Safety Attacks | Buffer overflow, stack smashing, heap overflow, use-after-free. Mitigations: DEP/NX, ASLR, stack canaries, control flow integrity, safe languages (Rust, managed runtimes), bounds checking. |
How to Study CISSP Effectively
Mastering CISSP requires the right study approach, not just more hours. Cognitive science shows three techniques produce the best learning outcomes: active recall (testing yourself rather than re-reading), spaced repetition (reviewing at scientifically optimized intervals), and interleaving (mixing related topics rather than studying one in isolation). FluentFlash builds on all three.
When you study CISSP with our FSRS algorithm, every term is scheduled for review at exactly the moment you're about to forget it. This maximizes retention while minimizing study time.
Why Passive Review Fails
The most common mistake is relying on passive review methods. Re-reading notes, highlighting textbook passages, or watching lecture videos feels productive. But research shows these methods produce only 10-20% of the retention that active recall achieves. Flashcards force your brain to retrieve information, which strengthens memory pathways far more than recognition alone. Pair this with spaced repetition scheduling, and you can learn in 20 minutes what would take hours of passive review.
Your 2-4 Month Study Plan
Start by creating 15-25 flashcards covering the highest-priority concepts. Review them daily for the first week using our FSRS scheduling. As cards become easier, intervals automatically expand from minutes to days to weeks. You're always working on material at the edge of your knowledge. After 2-3 weeks of consistent practice, CISSP concepts become automatic rather than effortful to recall.
Study Steps
- Generate flashcards using FluentFlash AI or create them manually from your notes
- Study 15-20 new cards per day, plus scheduled reviews
- Use multiple study modes (flip, multiple choice, written) to strengthen recall
- Track progress and identify weak topics for focused review
- Review consistently. Daily practice beats marathon sessions
Why Flashcards Work Better Than Other Study Methods for CISSP
Flashcards aren't just for vocabulary. They're one of the most research-backed study tools for any subject, including CISSP. The reason comes down to how memory works. When you read a textbook passage, your brain stores that information in short-term memory. Without retrieval practice, it fades within hours. Flashcards force retrieval, which transfers information from short-term to long-term memory.
The Testing Effect
The testing effect, documented in hundreds of peer-reviewed studies, shows that students using flashcards consistently outperform those who re-read by 30-60% on delayed tests. This isn't because flashcards contain more information. It's because retrieval strengthens neural pathways in a way that passive exposure cannot. Every time you successfully recall a CISSP concept from a flashcard, you make that concept easier to recall next time.
FSRS Amplifies Your Results
FluentFlash amplifies this effect with the FSRS algorithm. This modern spaced repetition system schedules reviews at mathematically optimal intervals based on your actual performance. Cards you find easy get pushed further into the future. Cards you struggle with come back sooner. Over time, this builds remarkable retention with minimal time investment. Students using FSRS-based systems typically retain 85-95% of material after 30 days, compared to roughly 20% retention from passive review alone.
