Introduction
If you’re preparing for the Certified Information Systems Security Professional (CISSP) exam—or simply trying to understand what a CISSP is expected to know—you’ve probably come across the term Common Body of Knowledge (CBK).
The CBK represents the comprehensive framework of cybersecurity knowledge that CISSP candidates are tested on. It’s not about being an expert in every technical niche. Instead, it’s about demonstrating broad security knowledge, sound judgment, and the ability to think like a security manager or owner when protecting organizational assets.
This explainer breaks down the 8 CISSP domains into a digestible format. For each domain, you’ll find:
A quick overview of what it covers.
A practical, real-world example of how the domain comes to life in security operations.
Section 1: Understanding the CISSP CBK
The CISSP CBK is designed to ensure that certified professionals understand the essential elements of information security. Think of it as a roadmap to the exam material, detailing its objectives and topics, and as an encyclopedia of fundamental concepts, ranging from governance and risk management to the basic components of software development security.
The CBK is built on security governance and several core concepts, including principles such as responsibility and accountability, due diligence, due care, least privilege, and the Five Pillars of Security. It’s also important to understand why you would use a particular solution in a particular scenario.
Security Governance is a fundamental concept that underpins much of the CISSP body of knowledge. It serves as the security principles, foundation, or framework on which you build an organization’s security function.
You’ll also encounter the CIA Triad (part of the Five Pillars), which is the cornerstone of information security and plays a critical role across all eight CISSP domains. Mastering these principles is not just important for acing the exam but also for thriving in real-world cybersecurity roles.
Confidentiality: ensures that sensitive data is accessible only to those with proper authorization, and covers the measures used to keep data, objects, and resources secret. Techniques such as encryption, access controls, and data classification are crucial for safeguarding information in use, in transit, and at rest.
Integrity: protecting the reliability and correctness of data, guarding against unauthorized or improper modification or destruction, so that data remains accurate and complete. Hash functions detect accidental corruption, but only a keyed construction such as an HMAC or a digital signature detects deliberate tampering, because an attacker who can change the data can also recompute an unkeyed hash. Version control and change management preserve a record of who changed what. Without integrity, organizations risk corrupted data stores or manipulated records, leading to operational chaos.
Availability: ensures authorized users can access systems and information whenever needed. This involves disaster recovery plans, redundant systems, and performance optimization. Striking a balance between robust security measures and optimal system performance is crucial for ensuring business continuity and stability.
These principles often overlap and sometimes conflict: for instance, stronger confidentiality controls such as encryption or additional authentication steps can reduce availability or slow legitimate work. CISSP candidates must learn to navigate these trade-offs in different business environments. A firm grasp of the CIA Triad lays the groundwork for everything else in the CBK.
Section 2: The 8 CISSP Domains Cheatsheet
Understanding the concepts in the eight CISSP domains is important for passing the exam and excelling in cybersecurity roles. Here’s a high-level walkthrough and a few examples of applied domain concepts to help you begin to prepare for the exam.
The 8 CISSP domains are:
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security
CISSP Domain 1, Security and Risk Management
Overview: This domain, which makes up 16% of the exam, forms the backbone and fundamentals of cybersecurity. It sets the foundation by covering security governance, compliance, professional ethics, and many other core concepts. You’ll learn how to align security objectives with business goals, manage risks effectively, and ensure compliance with relevant laws and regulations.
Domain 1 encompasses security governance and its associated concepts, security management planning, security policies and roles, security frameworks, investigation types and their legal requirements, risk management, business continuity planning, threat modeling, supply chain security, and legal and compliance implications.
Example application of domain 1 concepts:
Application: We’ll follow an example application through the eight domains. A healthcare organization aims to introduce a new AI-powered diagnostic tool to support radiologists by analyzing patient X-rays.
Concept: Establishing a framework for how security is managed across the organization to align with business objectives.
For example, set up an AI governance committee with representation from security, legal, data science, and medical professionals.
The committee collaborates with leadership to develop the overarching security strategy for the service, establishing risk tolerances for diagnostic errors and patient privacy, and ensuring compliance with HIPAA and new AI laws and regulations.
Concept: Upholding professional ethics and ensuring systems are fair and responsible.
Bias detection: Conduct rigorous testing to ensure the AI's diagnostic accuracy is consistent across different demographics (e.g., age, race, gender) and doesn't exhibit bias.
Informed consent: Develop clear communication with patients about how their data is used to train and improve the AI service, ensuring they understand and consent to its use or have the ability to opt out.
Transparency and explainability: Ensure the tool's decision-making process is transparent to medical staff, preventing an over-reliance on the technology and maintaining clinical oversight.
The next domain builds on these principles by focusing on asset protection.
CISSP Domain 2, Asset Security
Overview: Comprising 10% of the exam, this domain focuses on ensuring the confidentiality, integrity, and availability of assets across the organization, including systems, data, and physical assets.
Asset identification and classification are essential first steps in developing an effective security program, and the domain offers a detailed examination of the collection, handling, and protection of assets throughout their lifecycle.
For example, asset classification and categorization can vary by organization type. Non-government organizations typically classify data into categories such as Public, Sensitive, Private, and Confidential, whereas government classification categories include Unclassified, Confidential, Secret, and Top Secret. Each classification is accompanied by specific handling and protection measures to ensure consistent security.
Clear roles are crucial for effective data management. Business executives often serve as data owners, making decisions about access and acceptable use. Data owners often delegate responsibility for the day-to-day management and governance of specific datasets to data custodians; in practice, IT departments or system admins are usually designated as custodians. While the data owner is accountable for the data and decides how it is classified and who may access it, the data custodian implements those decisions day to day: applying access controls, running backups, and maintaining the data's quality, integrity, and adherence to governance policies.
Beyond asset identification and classification, proper asset handling and safeguarding include ensuring appropriate ownership, accurate inventory management, lifecycle management of data, end-of-life/end-of-support procedures, as well as the application of data security controls and compliance requirements.
Example application of domain 2 concepts:
Application: In our example application, the healthcare organization launching a new AI-powered diagnostic tool for X-rays must apply the concepts of asset security to protect sensitive data and manage system assets throughout their lifecycle, including the training data, the AI model itself, and its outputs.
Concept: Asset identification and classification. Before deploying the new tool, the organization must inventory and classify all related assets to determine the appropriate level of protection.
Asset inventory: Create a comprehensive register of all hardware, software, and data related to the new AI tool, including:
Data: Training data (archived X-ray images, radiology reports), input data (new patient X-rays), and output data (the AI's diagnostic findings).
Software: The AI model itself, the application that analyzes the images, and any application programming interfaces (APIs) used to connect with existing hospital systems like the Picture Archiving and Communication System (PACS).
Hardware: The servers or cloud infrastructure hosting the AI model and the workstations or mobile devices where radiologists interact with the tool.
Concept: Data classification policy. It’s important to develop a policy that classifies the data handled by the AI tool based on its sensitivity.
"Highly Confidential" (e.g. Protected Health Information - PHI): The AI model's training data, input images, and resulting diagnostic reports contain PHI and require the highest level of security controls.
"Internal Use Only": System logs, audit trails, and performance metrics should be designed not to contain PHI (for example, logging study identifiers rather than patient names), but they are still sensitive business assets that require careful handling, and any log that does capture PHI inherits the "Highly Confidential" handling requirements.
Domain 3, Security Architecture and Engineering
Overview: This domain, which comprises 13% of the exam, dives into the design, implementation, and management of secure systems. It includes security models, cryptography, hardware and operating system security, as well as physical protections.
This domain emphasizes secure design principles across systems, applications, and physical environments. Security models like Bell-LaPadula (focused on confidentiality), Biba (integrity), and Clark-Wilson (integrity) provide frameworks to safeguard data by implementing fundamental security concepts, processes, and procedures of a security policy.
Cryptography is a key component of the domain as well. For example, the Advanced Encryption Standard (AES) offers strong symmetric encryption, while Rivest–Shamir–Adleman (RSA) and Elliptic Curve Cryptography (ECC) provide public key solutions, with ECC achieving comparable strength at much smaller key sizes. Hash functions like SHA-256 detect modification, but an attacker who can alter the data can also recompute an unkeyed hash, so protecting integrity against tampering needs a keyed message authentication code (HMAC) or a digital signature, and only a digital signature also provides non-repudiation. Even the strongest algorithms fail if key management is weak.
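As an added example (not part of the original explainer, and not code from any product mentioned in it), the following Python shows why the hash caveat matters, for both the Integrity pillar above and the cryptography point here: an unkeyed SHA-256 over a diagnostic report can be recomputed by anyone who can edit the record, while an HMAC keyed with a secret the attacker does not hold exposes the change. The report record, its field names and the key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample record, standing in for a diagnostic report the AI tool emits.
REPORT = {"study_id": "STUDY-0001", "finding": "no acute abnormality", "confidence": 0.97}

# Assumed: the verifying system holds this secret; the attacker who can edit the record does not.
INTEGRITY_KEY = b"demo-only-integrity-key-rotate-in-production"


def canonical(report: dict) -> bytes:
    """Serialize deterministically so the digest does not depend on dict ordering."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def plain_digest(report: dict) -> str:
    """Unkeyed SHA-256: detects accidental corruption only."""
    return hashlib.sha256(canonical(report)).hexdigest()


def keyed_digest(report: dict, key: bytes) -> str:
    """HMAC-SHA256: a tag nobody can recompute without the key."""
    return hmac.new(key, canonical(report), hashlib.sha256).hexdigest()


def verify_plain(report: dict, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(report), digest)  # constant-time comparison


def verify_keyed(report: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(keyed_digest(report, key), tag)


def tamper(report: dict) -> dict:
    """Attacker with write access to the record store rewrites the finding."""
    forged = dict(report)
    forged["finding"] = "suspicious mass, follow-up recommended"
    return forged


def forgery_passes_unkeyed() -> bool:
    """Attacker edits the record and simply recomputes the plain hash alongside it."""
    forged = tamper(REPORT)
    return verify_plain(forged, plain_digest(forged))  # True: forgery goes undetected


def forgery_passes_keyed() -> bool:
    """Without the key, the best the attacker can do is leave the old tag in place."""
    forged = tamper(REPORT)
    old_tag = keyed_digest(REPORT, INTEGRITY_KEY)
    return verify_keyed(forged, old_tag, INTEGRITY_KEY)  # False: forgery is detected


if __name__ == "__main__":
    print("unkeyed hash, forgery undetected:", forgery_passes_unkeyed())
    print("HMAC, forgery undetected:", forgery_passes_keyed())
```

A digital signature replaces the shared key with the signer's private key, which is what turns tamper detection into non-repudiation: the verifier can check the signature but could not have produced it, whereas anyone holding an HMAC key can mint valid tags. In both cases the guarantee is only as strong as the protection of the key, which is the key-management point made above.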
Physical security is also integrated into this domain. Secure facilities require access controls, environmental monitoring, and backup power systems. Data centers, in particular, need redundant cooling, fire suppression systems that won't harm equipment, and physical barriers to complement digital security.
A secure system architecture stays resilient even when individual components fail. This idea draws on principles like defense in depth, separation of duties, fail-safe defaults, and secure default configurations.
Practical Example:
Application: In the example of the healthcare organization launching a new AI-powered diagnostic tool for X-rays, applied domain 3 concepts include using secure design principles, applying established security models to structure and enforce security policies, and deploying strong cryptography to protect patient X-ray data.
Concept: Threat modeling. Systematically identifying potential threats to the AI tool throughout its lifecycle.
Analyze how attackers might attempt to poison the training data to introduce biases or manipulate the model to produce incorrect diagnoses. Identify vulnerabilities in the APIs that send and receive X-ray data from the AI service.
Concept: Least privilege. Ensure that system components and users have only the minimum access rights necessary to perform their functions.
For instance, role-based access control (RBAC) could restrict access to the raw patient X-ray data and the trained AI model: the model training team would need access to large, de-identified datasets, while a radiologist would only need access to the tool’s output and to the specific X-rays under review.
Concept: Data in transit. Deploy strong cryptography to protect patient X-ray data.
Encrypt data as it moves across networks. Use Transport Layer Security (TLS) 1.2 or later with a modern cipher suite to encrypt all X-ray data transmitted from the hospital's PACS to the cloud-based AI service, and make sure the certificate at the other end is validated; encryption without certificate validation protects the data from everyone except whoever is actually at the other end of the connection.
Domain 4, Communication and Network Security
Overview: Domain 4 makes up 13% of the exam and focuses on protecting networks and communications, the backbone of modern organizations.
This domain revolves around designing and managing secure networks that protect data while supporting business operations. Core principles include segmentation and defense in depth. For instance, VLANs provide segmentation that can be used for isolation, while firewalls regulate communication between segments. Zero Trust architecture eliminates implicit trust, requiring verification for every access request.
Cloud security introduces shared responsibility models where providers handle infrastructure security, while customers manage configurations, access keys, and encryption.
Practical Example:
Application: In our example of the healthcare organization launching a new AI-powered diagnostic tool for X-rays, applying CISSP Domain 4 (Communication and Network Security) principles requires securing all data flows related to the AI service. The primary goal is to ensure the confidentiality, integrity, and availability of patient data (ePHI) while in transit and at rest, and to protect the AI model itself.
Concept: Defense in depth. Design a layered security approach to protect the AI tools and data.
For example, employ a microsegmentation strategy that divides internal networks into very small, highly localized zones. This reduces the risk of unauthorized access from other parts of the network and helps contain a breach if one occurs.
AI security posture management (AI-SPM): The organization adopts a continuous practice and tool set designed to secure AI models, data, pipelines, and infrastructure within cloud environments.
Concept: Wireless network security. If the AI diagnostic tool can be accessed wirelessly, use robust wireless security protocols such as WPA3, preferably WPA3-Enterprise with 802.1X authentication for staff devices rather than a shared passphrase.
For example, a radiologist using a tablet to view AI results must connect via an encrypted and authenticated wireless network.
Domain 5, Identity and Access Management (IAM)
Overview: The Identity and Access Management (IAM) domain comprises 13% of the exam and is focused on ensuring that the right people (or systems) have the right access, at the right time, to the right resources.
You’ll learn how to reduce the risk of breaches and unauthorized access by understanding and implementing IAM concepts. Topics in this domain include:
Implement and manage modern authorization systems
Design identification and authentication strategies
Understand federated identity management and single sign-on (SSO) technologies
Design and manage rule-, role-, attribute-, and risk-based access control models
Manage the identity management and provisioning lifecycle
Apply comprehensive strategies against identity-related attacks
Implement authentication systems using federation technologies such as SAML, OAuth, and OpenID Connect
Practical Example:
Application: In our AI-powered diagnostic tool example, concepts from this domain help ensure that only authorized medical professionals can use the tool, access the sensitive patient data it processes, and manage its configuration securely. The following are practical examples of applying the associated concepts.
Concept: Identity Management. Before any access is granted, the identity of the user must be established and managed throughout their lifecycle.
Provisioning lifecycle: The provider organization onboards a new radiologist. An automated workflow creates their user account with the specific roles and permissions needed to operate the AI tool and access relevant images. When the radiologist leaves the organization, the account is immediately deprovisioned to prevent unauthorized access.
Concept: Authentication and Authorization. This concept ensures that users are who they claim to be (authentication) and that their access rights are appropriate for their role (authorization).
Role-Based Access Control (RBAC): Access is assigned based on the user's role. Radiologists, for instance, have read access to images and can view the AI tool's diagnostic suggestions.
IT support staff can perform maintenance on the underlying infrastructure but are blocked from accessing the AI application or patient data.
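Added example (not the organization's system, and not code from the original page): a minimal RBAC decision point in Python that ties the provisioning lifecycle and the role split just described together. Role names, permission strings and usernames are assumed for illustration.

```python
from dataclasses import dataclass, field

# Assumed role-to-permission mapping for the AI tool.
ROLE_PERMISSIONS = {
    "radiologist":   {"image:read", "ai_result:read"},
    "model_trainer": {"deidentified_dataset:read", "model:train"},
    "it_support":    {"infra:maintain"},
}

# Permission pairs that must never end up on one account (separation of duties):
# whoever trains the model must not also see live patient images.
TOXIC_COMBINATIONS = [({"model:train"}, {"image:read"})]


@dataclass
class Account:
    username: str
    roles: set = field(default_factory=set)
    active: bool = True


class AccessControl:
    def __init__(self):
        self.accounts = {}
        self.audit_log = []  # (username, permission, decision), kept for later review

    def provision(self, username: str, roles) -> None:
        roles = set(roles)
        unknown = roles - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        granted = set().union(*(ROLE_PERMISSIONS[r] for r in roles))
        for left, right in TOXIC_COMBINATIONS:
            if granted & left and granted & right:
                raise ValueError(f"{username}: roles {sorted(roles)} violate separation of duties")
        self.accounts[username] = Account(username, roles)

    def deprovision(self, username: str) -> None:
        """Disable rather than delete, so the audit trail still resolves the account."""
        self.accounts[username].active = False

    def is_allowed(self, username: str, permission: str) -> bool:
        acct = self.accounts.get(username)
        allowed = (acct is not None and acct.active
                   and any(permission in ROLE_PERMISSIONS[r] for r in acct.roles))  # default deny
        self.audit_log.append((username, permission, allowed))
        return allowed


def demo() -> dict:
    """Walk through onboarding, access checks, offboarding and a rejected role combination."""
    ac = AccessControl()
    ac.provision("dr_lee", {"radiologist"})
    ac.provision("ml_ops", {"model_trainer"})
    ac.provision("helpdesk", {"it_support"})
    decisions = {
        "radiologist reads image":     ac.is_allowed("dr_lee", "image:read"),
        "radiologist trains model":    ac.is_allowed("dr_lee", "model:train"),
        "trainer reads live image":    ac.is_allowed("ml_ops", "image:read"),
        "IT support maintains infra":  ac.is_allowed("helpdesk", "infra:maintain"),
        "IT support reads AI result":  ac.is_allowed("helpdesk", "ai_result:read"),
        "unknown account reads image": ac.is_allowed("ghost", "image:read"),
    }
    ac.deprovision("dr_lee")  # the radiologist leaves the organization
    decisions["deprovisioned radiologist reads image"] = ac.is_allowed("dr_lee", "image:read")
    try:
        ac.provision("dual_hat", {"radiologist", "model_trainer"})
        decisions["conflicting roles rejected"] = False
    except ValueError:
        decisions["conflicting roles rejected"] = True
    return decisions


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Three design choices carry the weight here: every decision is default deny (an unknown or disabled account gets nothing), deprovisioning disables rather than deletes so old log entries still resolve to a person, and the separation-of-duties rule is enforced at provisioning time rather than hoped for in a quarterly review.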
Domain 6, Security Assessment and Testing
Overview: You can’t secure what you don’t measure. The Security Assessment and Testing domain covers 12% of the exam and focuses on identifying vulnerabilities and testing security measures. Security assessment and testing are the mechanisms for validating the ongoing effectiveness of security controls, ensuring that the controls are working as intended.
Automated vulnerability scans highlight known weaknesses, while penetration/red-team testing simulates real-world attacks to assess exploitation risks. Administrative controls, such as employee security training, are also evaluated to ensure their effectiveness.
Practical Example:
Application: Applying CISSP Domain 6 concepts to the AI-powered diagnostic tool means validating that the controls around it actually work, through planned testing, audits, vulnerability assessments, and code-level testing across the tool's lifecycle.
Concept: Security testing. This area covers the structured review of a system or application against its security requirements.
Establish a comprehensive testing strategy by outlining the scope, methods, and responsibilities for all security testing throughout the AI tool's lifecycle.
The plan should specify a combination of testing methods, including internal and third-party audits to ensure controls are in place and performing as expected. For instance, an auditor reviews the system's access controls and data retention policies to ensure they comply with healthcare regulations like the Health Insurance Portability and Accountability Act (HIPAA).
Concept: Vulnerability assessments. The organization finds weaknesses in the system by following the steps of a vulnerability assessment:
Reconnaissance: passively gather publicly available information about the target.
Enumeration: actively enumerate target IP addresses, open ports, and exposed services, including the APIs that connect the AI service to the PACS.
Vulnerability analysis: identify weaknesses that could be exploited, and validate them where the engagement scope allows.
Execution and documentation: conduct the assessment, then report the findings with severity ratings and remediation guidance.
SAST (Static Application Security Testing) analyzes the application's source code for vulnerabilities before it is deployed.
DAST (Dynamic Application Security Testing) exercises the running application, including its APIs, to find flaws that only appear at runtime; it is rerun as changes are deployed rather than used as a monitoring tool.
Domain 7, Security Operations
Overview: This domain comprises 13% of the test, and is about the “day-to-day” security work—including incident detection, response, forensics, disaster recovery, and operational resilience. Candidates will also learn about core concepts like secure configuration and change management.
This domain includes topics such as:
Understanding investigation types, techniques, and evidence collection
Why logging and monitoring are core elements of security
The importance of configuration management, including provisioning, baselining, and automation
Applying foundational security operations concepts like least privilege, segregation of duties and split knowledge
Practical Example:
Application: In our AI-powered diagnostic tool example, a healthcare organization must apply the concepts of this domain to manage the day-to-day security and integrity of the system and patient data. This involves meticulous planning for incident response, monitoring, and maintaining system security throughout its lifecycle.
Concept: Logging and monitoring. Continuous logging and monitoring are crucial for maintaining the AI diagnostic tool's security posture and detecting anomalous behavior.
System and application logs: The organization ensures the AI tool's system logs, application logs, and audit trails are collected and sent to a centralized logging server or SIEM. The logs include details on model training, updates, and access to patient data.
Security audits: Automated scripts are used to review access logs for inappropriate access or data retrieval. For example, an audit might flag an AI training account attempting to access live patient data, which is a significant policy violation.
Concept: Real-time monitoring. The organization's Security Operations Center (SOC) monitors logs and network traffic related to the diagnostic tool 24/7, using behavioral analytics to detect anomalies such as an external IP address attempting to establish a connection with the AI tool's internal database.
If, for instance, ransomware is detected on a user’s machine, the SOC isolates the device, contains the spread, and activates the incident response plan. Later, the disaster recovery team restores critical data from secure backups.
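The two detections described above, as an added example rather than anything from the page or from a real SIEM: a handful of constructed audit-log lines in an assumed key=value format are run through two rules, one for a training account reading live PHI and one for a connection to the internal results database from a non-internal address. The log format, account names, resource paths and network ranges are all assumptions.

```python
import ipaddress
import re

# Constructed audit-log lines in an assumed format; not output from any real product.
SAMPLE_LOGS = """
2024-05-01T09:12:03Z user=dr_lee action=read resource=phi/live/xray/STUDY-0001 src=10.20.5.7
2024-05-01T09:15:41Z user=ml_train_svc action=read resource=deidentified/xray/batch-17 src=10.40.1.9
2024-05-01T09:16:02Z user=ml_train_svc action=read resource=phi/live/xray/STUDY-0002 src=10.40.1.9
2024-05-01T09:20:55Z user=svc_api action=connect resource=db/ai_results src=10.40.2.15
2024-05-01T09:21:10Z user=unknown action=connect resource=db/ai_results src=203.0.113.45
garbage line that the collector should count rather than silently drop
""".strip().splitlines()

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) src=(?P<src>\S+)$"
)

# Assumed policy inputs: training accounts, the resource prefix holding live PHI,
# resources that must only be reached from inside, and what counts as inside.
TRAINING_ACCOUNTS = {"ml_train_svc"}
LIVE_PHI_PREFIX = "phi/live/"
INTERNAL_ONLY_RESOURCES = {"db/ai_results"}
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(line: str):
    """Return the event fields, or None when the line does not match the expected format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def is_internal(src: str) -> bool:
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source address is treated as untrusted
    return any(ip in net for net in INTERNAL_NETWORKS)


def detect(lines) -> dict:
    """Run both rules over the log; return the alerts and a count of lines that did not parse."""
    alerts, unparsed = [], 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            unparsed += 1
            continue
        if ev["user"] in TRAINING_ACCOUNTS and ev["resource"].startswith(LIVE_PHI_PREFIX):
            alerts.append({"rule": "training_account_live_phi", **ev})
        if (ev["action"] == "connect" and ev["resource"] in INTERNAL_ONLY_RESOURCES
                and not is_internal(ev["src"])):
            alerts.append({"rule": "external_db_connection", **ev})
    return {"alerts": alerts, "unparsed": unparsed}


if __name__ == "__main__":
    result = detect(SAMPLE_LOGS)
    for alert in result["alerts"]:
        print(alert["rule"], alert["ts"], alert["user"], alert["resource"], alert["src"])
    print("unparsed lines:", result["unparsed"])
```

The first rule leans entirely on consistent resource naming, which is why the asset inventory and classification work in Domain 2 is a prerequisite for detection, not an unrelated exercise. Unparsed lines are counted rather than dropped: a sudden change in log format is itself something the SOC wants to know about.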
Domain 8, Software Development Security
Overview: This domain is 10% of the exam, and covers secure coding practices, software development lifecycle (SDLC), and DevSecOps integration. Applications are frequent targets for attackers, and can present significant risks. Balancing these risks with business requirements and implementing appropriate risk mitigation is important. Organizations that develop custom software can have additional unique risks.
This domain focuses on integrating security throughout the entire software development life cycle (SDLC), including everything from secure design and coding to rigorous testing and robust change management.
Practical Example:
Application: In our AI-powered diagnostic tool example, if the organization is developing these tools, it will be important to integrate security into the software development life cycle (SDLC).
Concept: Requirements gathering. Specify security requirements, like the tool's ability to handle patient data according to HIPAA regulations, right alongside functional requirements. For example, explicitly defining how user roles (radiologist vs. system admin) will limit access to patient X-rays and diagnostic results.
Concept: Design and development phases. Conduct threat modeling sessions to identify potential threats specific to AI systems. What if an attacker manipulates an X-ray image to trick the AI into a misdiagnosis? The design must include controls to prevent this, such as data integrity checks and model validation.
Concept: Testing phase. Include security testing as part of the quality assurance process, using dedicated teams or automated tools.
Concept: Operations and maintenance phase. Implement a secure and automated deployment pipeline (DevSecOps). Monitor the tool for performance degradation or unusual activity that could indicate a security breach.
Section 3: Pulling It All Together
The 8 domains may feel distinct, but in practice, they overlap constantly. Consider a ransomware attack:
Risk Management assesses potential business impact.
Asset Security identifies which systems/data are critical.
Architecture and Engineering ensures resilience.
Network Security helps contain the spread.
IAM limits attacker privileges.
Assessment and Testing identifies missed vulnerabilities.
Security Operations handles incident response.
Software Development Security prevents insecure applications from being exploited in the first place.
The CISSP CBK ensures you can see the big picture and apply knowledge holistically across an organization.
Conclusion
The CISSP CBK is broad, but that’s by design. As a CISSP, you’re expected to protect information assets by balancing business goals, risk, and security best practices.
Use this explainer as a quick reference for the 8 domains—and as a reminder that effective security is not about isolated controls, but about building a comprehensive, layered, and business-aligned security program.
If you’re on your CISSP journey, keep studying, keep connecting the dots, and remember: the exam tests your judgment as much as your knowledge.
Reach out if you need help or want a customized study plan.