In security, the Common Body of Knowledge (CBK) is a comprehensive framework of all the relevant subjects a security professional should be familiar with, including skills, techniques and best practices. The CBK is organized by domain, and it is compiled and updated annually by the International Information Systems Security Certification Consortium, otherwise known as (ISC)2.
(ISC)2 uses the various domains of the CBK to test a certificate candidate's levels of expertise in the most critical aspects of InfoSec. The Certified Information Systems Security Professional (CISSP) certification exam covers the CBK domains: security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security.
CISSP CBK domains
The eight CISSP domains that the (ISC)2 CISSP exam covers are compiled from various topics in the (ISC)2 CBK and are updated annually to reflect the most relevant topics within the profession. In more detail, the CISSP CBK domains include:
- Security and Risk Management -- this domain deals with risk management concepts, threat modeling, the security model, security governance principles, business continuity requirements, and policies and procedures.
- Asset Security -- this domain contains topics that involve data management and standards, longevity and use, how to ensure appropriate retention and how data security controls are determined.
- Security Engineering -- this domain tests a candidate on security engineering processes, models and design principles that also include database security, cryptography systems, clouds and vulnerabilities.
- Communications and Network Security -- this domain includes network security and the creation of secure communication channels, such as secure network architecture design and components including access control, transmission media and communication hardware.
- Identity and Access Management -- this domain focuses on system access, authorization, identification and authentication including access control and multifactor authentication.
- Security Assessment and Testing -- this domain covers the tools needed to find vulnerabilities, bugs and errors in code and system security, as well as vulnerability assessment, penetration testing and disaster recovery.
- Security Operations -- this domain deals with digital forensics and investigations, detection tools, firewalls and sandboxing, as well as incident management.
- Software Development Security -- this domain contains information on how to implement software security controls in an environment that the infosec expert manages.
How to study for the CISSP certification
The CISSP certification covers all eight CISSP domains, and CISSP CBK test takers are expected to be familiar with each one. The use of learning materials is encouraged; textbooks and practice exams can be found online. The official test website contains a list of CISSP resources available for purchase.