The CISSP (Certified Information Systems Security Professional) is the world’s most recognised advanced cybersecurity certification, awarded by (ISC)². It validates your ability to design, implement, and manage a best-in-class cybersecurity programme across eight critical security domains. This CISSP study guide maps every domain, links to every in-depth article on SunExplains, and gives you a clear, structured roadmap from first concept to exam-ready confidence.
Whether you are starting your CISSP journey, deep in domain-by-domain revision, or looking for quick reference material before exam day, this page is your central navigation hub. Use the domain sections to jump directly to the articles you need, or follow the recommended study sequence from beginning to end.
What is CISSP? Understanding the Certification
CISSP is an advanced-level certification that demonstrates deep technical knowledge and managerial competence in information security. It is issued by (ISC)² and is widely regarded as the benchmark credential for senior security professionals — CISOs, security architects, security managers, and senior engineers.
The English-language exam uses a Computerised Adaptive Testing (CAT) format and presents 125–175 questions covering all eight CISSP domains. Candidates must have a minimum of five years of cumulative paid work experience in two or more of the eight domains to earn the full certification. Those without the required experience can pass the exam and become an Associate of (ISC)² while working toward the experience requirement.
Who Should Pursue the CISSP?
The CISSP is designed for experienced security practitioners who operate at a strategic and managerial level. It is the right certification for you if you are working in or moving toward roles such as: Chief Information Security Officer (CISO), Security Architect, Security Manager, IT Director, Security Auditor, or Security Consultant. If you are earlier in your career, the CISSP provides a definitive learning framework that elevates your thinking from tactical execution to enterprise risk management.
How to Use This CISSP Study Guide
This CISSP study guide is structured as a navigation and synthesis hub — not a textbook replacement. Each domain section contains a short summary of what the domain covers, the key concepts you need to understand, and direct links to the SunExplains articles that go deep on each topic. Use the Quick Revision Resources section for visual aids and condensed notes. Use the FAQ section for rapid recall of high-value exam concepts.
Study approach that works: Start with Domain 1 to build your governance and risk management foundation. Then follow the domain sequence, spending additional time on the domains with the highest exam weighting (Domains 1, 3, and 5). Use the Elite Framework content for exam-focused revision once you have covered the conceptual material.
The 8 CISSP Domains at a Glance
The CISSP CBK (Common Body of Knowledge) is organised into eight domains, each representing a core area of information security practice. Every exam question maps to one of these domains, and your study plan should ensure coverage of all eight.
| Domain | Name | Exam Weight |
|---|---|---|
| 1 | Security and Risk Management | 16% |
| 2 | Asset Security | 10% |
| 3 | Security Architecture and Engineering | 13% |
| 4 | Communication and Network Security | 13% |
| 5 | Identity and Access Management (IAM) | 13% |
| 6 | Security Assessment and Testing | 12% |
| 7 | Security Operations | 13% |
| 8 | Software Development Security | 10% |
Domain 1: Security and Risk Management
Domain 1 is the most heavily weighted CISSP domain at 16% of the exam. It establishes the governance, risk, and compliance foundation that underpins every other domain. You cannot approach CISSP as a purely technical certification — Domain 1 ensures you understand how security decisions connect to business objectives, legal obligations, and ethical responsibilities.
Core topics include: the CIA triad and foundational security concepts; security governance and business alignment; security policies, standards, procedures, and guidelines; risk management processes and frameworks; legal and regulatory compliance; professional ethics; and the (ISC)² Code of Ethics.
Domain 1 Articles on SunExplains
- CISSP Domain 1 Overview: Security Governance and Risk Management — the complete domain summary and starting point
- Security Risk Management Explained — deep-dive into risk identification, assessment, and treatment
- CIA Triad and Security Concepts — foundational concepts every CISSP candidate must master
- Security Governance and Business Alignment — how security decisions connect to organisational goals
- Security Policy vs Standards vs Procedures vs Guidelines — the governance hierarchy explained clearly
- CISSP Security Frameworks Compared — NIST CSF, ISO 27001, COBIT, and SABSA side by side
- Responsibility, Accountability, Due Care, and Due Diligence — the four concepts that underpin CISSP ethics questions
- CISSP Legal, Regulatory, and Compliance — what the exam is really testing in this area
- Continuous Risk Monitoring — metrics, maturity models, and improvement cycles
Domain 2: Asset Security
Domain 2 covers how organisations classify, own, handle, and protect their information assets throughout their lifecycle. The core insight in this domain is that security controls must match the classification and sensitivity of the asset they protect. Over-protecting low-value assets wastes resources; under-protecting high-value assets creates risk.
Core topics include: data classification schemes, information and asset ownership, data lifecycle management, data security controls, privacy protection, and the relationship between asset value and control selection.
Domain 2 Articles on SunExplains
- Information and Asset Classification Explained — classification schemes, labels, and handling requirements
- Information Ownership and Asset Management — roles, responsibilities, and asset inventory practices
- Data Security — protecting data at rest, in transit, and in use across the information lifecycle
Domain 3: Security Architecture and Engineering
Domain 3 is one of the most technically rich domains in this CISSP study guide. It covers the design principles, models, and technologies used to build secure systems. This includes security architecture frameworks, cryptography fundamentals, PKI, and secure design principles like defence-in-depth, zero trust, and least privilege.
Core topics include: security models (Bell-LaPadula, Biba, Clark-Wilson), trusted computing concepts, cryptography principles and algorithms, PKI and digital certificates, secure system design, vulnerability and countermeasure selection, and physical security design.
Domain 3 Articles on SunExplains
- Domain 3: Security Architecture and Engineering Complete Guide — the full domain breakdown covering all major topic areas
- Public Key Infrastructure (PKI) and Digital Certificates — how PKI works, certificate authorities, trust chains, and certificate lifecycle management
- PKI and Cryptographic Applications — applying cryptographic concepts to real-world security problems
Domain 4: Communication and Network Security
Domain 4 covers the design and protection of network infrastructure and communications channels. For CISSP candidates, this domain bridges the gap between traditional networking knowledge and the security controls that protect those networks at every layer of the OSI model.
Core topics include: network architecture and design principles, OSI and TCP/IP model security implications, secure network components, wireless network security, communication channel protection, network attacks and countermeasures, and third-party connectivity security.
Domain 4 Articles on SunExplains
- Domain 4: Network Security Complete Study Guide — comprehensive coverage of network security for the CISSP exam
- CISSP Domain 4: Network Security — foundational network security concepts and exam-focused review
Domain 5: Identity and Access Management (IAM)
Domain 5 covers how organisations control who can access what, under which conditions, and how those access decisions are made and enforced. IAM is one of the highest-frequency CISSP exam topics because it sits at the intersection of technical controls and business policy decisions.
Core topics include: identity management lifecycle, authentication methods and factors, authorisation mechanisms and models, access control models (MAC, DAC, RBAC, ABAC), identity federation and SSO, privilege management, and the principle of least privilege in practice.
Domain 5 Articles on SunExplains
- Domain 5: Identity and Access Management Complete Guide — the full domain breakdown with all IAM topics covered
- Managing Identity and Authentication — authentication factors, methods, and identity lifecycle management
- Controlling and Monitoring Access — access control models, enforcement mechanisms, and monitoring approaches
Domain 6: Security Assessment and Testing
Domain 6 covers how organisations validate that their security controls are working as intended. The core principle is that security cannot be assumed — it must be verified through structured assessment and testing programmes. This domain covers both the technical testing methods and the governance processes that make security assurance meaningful.
Core topics include: assessment and test strategies, vulnerability assessment, penetration testing, log review and analysis, synthetic transactions, code review, internal and third-party audits, security control testing, and the relationship between testing and risk management.
Domain 6 Articles on SunExplains
- Domain 6: Security Assessment and Testing Complete Guide — comprehensive coverage of assessment and testing for the exam
- Domain 6: Security Assessment and Testing — foundational concepts and exam-focused review
Domain 7: Security Operations
Domain 7 is the operational heart of the CISSP. It covers the day-to-day activities of a security operations team — from incident response and investigation through to disaster recovery and physical security. This is where the governance decisions from Domain 1 become operational reality.
Core topics include: incident management and response, investigations and digital forensics, disaster recovery planning and business continuity, physical security controls, personnel security, security operations centre management, change management, and monitoring and logging.
Domain 7 Articles on SunExplains
- Domain 7: Security Operations Complete Guide — full domain coverage for exam preparation
- Managing Security Operations — operational security management, administrative controls, and monitoring
- Preventing and Responding to Incidents — incident response lifecycle, containment, eradication, and recovery
- Disaster Recovery Planning — BCP, RPO, RTO, and recovery strategy design
- Investigations and Ethics — digital forensics, evidence handling, and professional ethics in the CISSP context
Domain 8: Software Development Security
Domain 8 closes the CISSP framework by addressing security in the software development lifecycle. Modern organisations build and consume enormous amounts of software, and vulnerabilities introduced during development represent one of the most persistent and costly attack surfaces in enterprise security.
Core topics include: software development lifecycle (SDLC) security, secure coding practices, database security, software vulnerabilities and countermeasures, code review and testing, acquired software assurance, and security assessment of development environments.
Domain 8 Articles on SunExplains
- Domain 8: Software Development Security Complete Guide — the full domain breakdown for exam preparation
- Software Development Security — secure development practices, vulnerability types, and countermeasure selection
Recommended Study Sequence
Use this sequence to structure your CISSP preparation. The order is designed to build conceptual foundations before introducing technical depth, and to group related domains for reinforced learning.
Phase 1 — Foundation (Weeks 1–3)
- CIA Triad and Security Concepts — establish the foundational vocabulary
- Domain 1 Overview — understand the governance and risk management framework
- Security Governance and Business Alignment — connect security to organisational objectives
- Security Risk Management — master the risk management process end to end
Phase 2 — Governance Depth (Weeks 4–5)
- Security Policies, Standards, Procedures, and Guidelines
- Security Frameworks Compared
- Responsibility, Accountability, Due Care, and Due Diligence
- Legal, Regulatory, and Compliance
- Continuous Risk Monitoring
Phase 3 — Asset, Architecture, and Cryptography (Weeks 6–8)
- Asset Classification — Domain 2 foundation
- Information Ownership and Asset Management
- Data Security
- Domain 3: Security Architecture and Engineering
- PKI and Digital Certificates
- Cryptographic Applications
Phase 4 — Networks, IAM, and Assessment (Weeks 9–11)
- Domain 4: Network Security
- Domain 5: Identity and Access Management
- Managing Identity and Authentication
- Controlling and Monitoring Access
- Domain 6: Security Assessment and Testing
Phase 5 — Operations and Development (Weeks 12–14)
- Domain 7: Security Operations
- Managing Security Operations
- Incident Response
- Disaster Recovery Planning
- Investigations and Ethics
- Domain 8: Software Development Security
Quick Revision Resources
Use these resources for condensed revision, visual reinforcement, and exam-day mental preparation alongside this CISSP study guide.
- CISSP Notes — condensed, high-signal study notes organised for rapid review and recall across all domains
- Visual Explanations — diagram-based explanations of complex CISSP concepts including architecture models, access control frameworks, and cryptographic processes
- CISSP Elite Framework — exam-focused revision content including mind maps, carousels, and exam essentials, structured to maximise retention in the final study phase
Frequently Asked Questions: CISSP
How long does it take to prepare for the CISSP exam?
Most candidates with relevant work experience need between three and six months of dedicated study. Candidates with broad security experience across multiple domains may be ready in three months with focused preparation. Those newer to some domains, or studying alongside full-time work, should plan for five to six months. The key is consistent daily practice rather than intensive short bursts.
What is the CISSP exam format?
The English-language CISSP uses Computerised Adaptive Testing (CAT). The exam presents between 125 and 175 questions and ends when the system has determined your competency level with sufficient statistical confidence — either above or below the passing threshold. The CAT format means the exam adapts to your performance in real time, making time management and calm decision-making critical exam skills.
What work experience is required for CISSP?
Candidates must have a minimum of five years of cumulative paid work experience in two or more of the eight CISSP domains. A four-year college degree or a credential from the (ISC)² approved list can substitute for one year of experience. Candidates who pass the exam without meeting the experience requirement become Associates of (ISC)² and have six years to earn the required experience.
Which CISSP domain is the hardest?
Domain 3 (Security Architecture and Engineering) and Domain 5 (Identity and Access Management) are consistently rated as the most technically demanding by candidates. Domain 1 (Security and Risk Management), while conceptually broad, is often the domain where the most exam questions are answered incorrectly because candidates approach it too technically rather than from a management perspective. The correct mindset for most CISSP questions is that of a senior manager making risk-informed decisions, not a technician solving a specific problem.
Is the CISSP worth it for my career?
The CISSP is widely regarded as the most valuable credential for senior information security roles. It consistently appears in job requirements for CISO, security architect, security manager, and senior consultant positions. Beyond the credential itself, the process of preparing with a structured CISSP study guide forces a comprehensive understanding of security across all eight domains — which directly improves your ability to make better security decisions in any role.
What is the difference between CISSP and CISM?
CISSP (offered by (ISC)²) covers both technical and managerial security knowledge across eight domains and is broadly recognised across all industries and geographies. CISM (offered by ISACA) focuses more narrowly on information security management and governance and is particularly valued in enterprise IT governance contexts. CISSP is generally considered the broader and more technically comprehensive of the two.
Can I use this site as my primary CISSP study guide?
SunExplains is designed as a high-quality conceptual supplement to official study materials. The domain guides, notes, visuals, and Elite Framework content are built to explain CISSP concepts clearly and help them stick — not to replace the (ISC)² official CBK or recognised study books. Use the SunExplains CISSP study guide content alongside a primary text for maximum exam readiness.
Where to Go Next
Use these curated reading paths based on where you are in your CISSP preparation:
- Just starting your CISSP journey? Begin with the CIA Triad and Security Concepts and then move to the Domain 1 Overview.
- Want to master the risk management process? Read Security Risk Management Explained and Continuous Risk Monitoring.
- Struggling with governance concepts? Work through Policies, Standards, Procedures, and Guidelines and Security Frameworks Compared.
- Need to understand cryptography and PKI? Read PKI and Digital Certificates followed by Cryptographic Applications.
- Preparing for IAM questions? Start with Domain 5 Complete Guide, then Managing Identity and Authentication and Controlling and Monitoring Access.
- Studying security operations and incident response? Use Domain 7 Complete Guide, then Incident Response and Disaster Recovery Planning.
- In final revision mode? Use the CISSP Elite Framework for exam-focused content, the CISSP Notes for condensed recall, and the Visual Explanations for diagram-based reinforcement.

By profession, a Cloud Security Consultant; by passion, a storyteller. Through SunExplains, I explain security in simple, relatable terms — connecting technology, trust, and everyday life.