The Certified Information Systems Security Professional (CISSP) is an information security certification that was developed by the International Information Systems Security Certification Consortium, also known as (ISC)².
The CISSP exam covers 10 individual subject areas, which are referred to as domains. The 10 domains make up (ISC)²'s Common Body of Knowledge (CBK), which is a framework and collection of information security best practices, methodologies, technologies and concepts. The CBK represents the core knowledge that (ISC)² believes every IT security professional should have command of from a theoretical and a practical perspective.
The CISSP credential is considered to be the "gold standard" in the world of security certifications. It is the most sought-after certification and most respected credential in the information security industry. As of May 2014, (ISC)² reports that there are 93,391 individuals who hold this certification throughout 149 countries. The U.S. Department of Defense and NSA have adopted the CISSP as an approved certification within their education-oriented mandates for government workers who interact with sensitive computer systems and data.
CISSP exam subject areas
The content of the CISSP exam has evolved over its lifetime to keep up with the changes within the field of security and the requirements of the security profession. (ISC)² introduces new questions to the pool of potential exam questions each year and recently has added interactive question types that require the test taker to do more than choose a right answer out of four possible choices.
SearchSecurity's CISSP Essentials Security School provides the various question types that you might run into when taking the CISSP exam so that you will be properly prepared for all types of questions and question formats. You will be able to practice with the new "drag and drop" and "hotspot" question formats that were added to the CISSP exam in 2014.
The 10 domains of the CISSP CBK are listed here:
- Information security governance and risk management
- Access control
- Security architecture and design
- Telecommunications and network security
- Cryptography
- Software development security
- Business continuity and disaster recovery planning
- Legal, regulations, investigations and compliance
- Physical (environmental) security
- Operations security
SearchSecurity's CISSP Essentials Security School presents e-learning lessons that cover many of the critical topics in each of these domains. While not meant to be a comprehensive review of every possible exam topic or question, these lessons are indicative of much of the subject matter included on the exam. After each domain lesson, you will have the opportunity to take the practice exam quizzes, mentioned earlier, to ensure that you fully understand the necessary concepts.
While the CISSP exam content changes over time to map to the new technologies in our industry, interesting changes have taken place recently that illustrate the maturing of the information security industry as a whole. Topics such as enterprise architecture development, security metrics, lifecycle models and governance have been integrated into the exam content. These are formalized approaches and techniques that allow for security to be practiced as a discipline in a controlled manner, a stark contrast to the ad hoc approaches of the industry's past. Through the use of these new constructs, it becomes easier to plan our enterprise security program, track its performance and improve it incrementally in a defined manner throughout its lifetime. Not only does this allow for more efficient security practices, but it also allows an organization to better identify and manage its risks. Our industry is growing up, and these changes are reflected in its most important certification exam.
Anatomy of the CISSP exam
The CISSP exam is made up of 250 questions, and each test taker has up to six hours to complete it. While the content of the exam material has evolved, so has the question format. A few years ago, scenario-based questions were integrated into the test with the goal of requiring the test taker to apply his or her knowledge to a real-world situation.
In 2014, "drag and drop" and "hotspot" questions were added to the exam, which are interactive activities that require the test taker to illustrate that the material is understood from a practical perspective. Hotspot questions use graphics to illustrate concepts that must be understood to be able to answer correctly. The question requires the test taker to choose a part of the graphic that best represents the correct answer to the question. Drag-and-drop questions just require the test taker to click on the correct answer and drag it onto the right location provided within the question. In both question types, only one answer is considered correct.
Simply knowing the test material isn't enough to be eligible for the CISSP exam. Candidates need to meet experience and educational requirements to be able to sit for the exam, and in the past too many people would pass the exam without documenting that they met these requirements. If people pass the exam but have no real experience in the field, the certification is at risk of becoming a "paper certification" and losing its market value.
Now, after an individual passes the exam, he or she must supply documentation signed off by an approved sponsor. The sponsor is either an established CISSP and/or an employer who vouches for the individual's experience and work history. Proving practical experience supports the relevance of the certification and the newly credentialed professional.
The CISSP exam itself is not a walk in the park. While many people complain about the exam's subjective nature and confusingly worded questions, these aspects of the exam have improved over the years. The most difficult thing about this exam is the sheer number of topics it covers. With CBK domains ranging from cryptography, forensics, physical security to secure software development, law and telecommunications and more, studying for this test can be overwhelming.
Unfortunately, most people are simply trying to add the CISSP credential to their business cards, so they try to study as fast as they can to get the exam behind them. If all of the topics are truly learned and not just memorized, the wealth of knowledge can be an investment that lasts a lifetime. Just having the letters behind your name is not enough: You also need to have the knowledge in your head. The CISSP material makes up the holistic foundation that every competent security professional should not only know, but also command. If you take the time to study all of the items in all of the domains, your comprehensive understanding of security will open your eyes to all that is involved in practicing security effectively. Your career opportunities will be broader and, in turn, your salary more desirable.
The CISSP exam and security models
One aspect of the CISSP exam that is commonly misunderstood is the inclusion of seemingly out-of-date or obsolete topics. While the CISSP exam is not perfect, many of these topics are covered because they provide an incredible depth to crucial concepts that make up a foundational knowledgebase.
For example, many students complain about having to learn about security models (e.g., Bell-LaPadula, Biba, lattice-based models) stating that they will never run into them in their career. But these models are used to develop secure systems and software at an architectural level, so they are important to individuals who work in those specialized areas. More importantly, these models are taught in university information security graduate programs all over the world because they provide a foundational understanding of how systems should be designed from a security perspective. If more people in our industry actually understood even the basics of these models and knew how to apply them, every industry would enjoy more secure software deployments.
Designing software and digital systems is hard. Embedding security at the core of the architecture of a system, and then throughout the system before it is built, is even harder. This is why many of our systems have vulnerabilities that cannot be fixed easily with a patch. The security flaws reside so deep in the guts of a system that a superficial patch is not going to fix them. A patch cannot fix a deep-rooted design flaw. These models were created to help people design system security from the ground up. Our industry keeps using the mantra "security built in, not bolted on," but to build in security requires a person to understand these models. It is no coincidence that the number of insecure systems rises as the number of people who understand and apply security models falls; the two are inversely related, and the effect is devastating.
These security models are terribly complex and hard to comprehend without some real work. Many of them are defined formally, so a system built on one of them can be proven to satisfy the model's security properties, which gives it much higher assurance than a system built upon traditional "best practices" alone.
If the models were useless, then top government systems would not be based upon them. They are also used to derive product evaluation criteria, which, in turn, are used to test the assurance level of the different security products companies purchase every year. The Common Criteria requires a formal security policy model at its highest assurance levels and draws on these models in its evaluation criteria, which means they are not obsolete and very much worth studying.
While you may never have to implement the formal Bell-LaPadula model in a straightforward manner, if you understand why it exists and how it provides a blueprint for integrating security within the design of a piece of software or system, you will see the evidence of the model in the real world or the lack of it. If you just memorize test-oriented aspects of the model, you won't benefit from understanding how secure systems are designed way before any code is written. If you don't "get it," you can't "use it."
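To make the blueprint concrete, the following Python is an added example (it is not code from the original article or from (ISC)²). It implements the access decisions of Bell-LaPadula and Biba over a security lattice built from a linearly ordered level plus a set of need-to-know categories. The level names, category names and the labels used in the comments are constructed for illustration only; the point is that each model's rules reduce to a dominance comparison on the lattice, and that Biba is the exact dual of Bell-LaPadula.

```python
"""Reference-monitor style access decisions for the Bell-LaPadula
(confidentiality) and Biba (integrity) models over a security lattice.

Added example, not part of the original article. Level names, category
names and any sample labels are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Linearly ordered levels. Read as sensitivity for BLP, as
    trustworthiness for Biba (the arithmetic is identical)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A lattice element: a level plus a set of categories.

    'dominates' is the partial order: level >= AND categories are a
    superset. Labels with disjoint categories are incomparable, which is
    what makes this a lattice rather than a plain ranking.
    """
    level: Level
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and self.categories >= other.categories


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the label a process floats up to after it has
    read objects labelled a and b (its clearance must dominate the result)."""
    return Label(max(a.level, b.level), a.categories | b.categories)


def blp_allows(subject: Label, obj: Label, access: str) -> bool:
    """Bell-LaPadula (confidentiality).

    simple security property, 'no read up':   read  needs subject >= object
    *-property,                'no write down': write needs object  >= subject
    """
    if access == "read":
        return subject.dominates(obj)
    if access == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode {access!r}")


def biba_allows(subject: Label, obj: Label, access: str) -> bool:
    """Biba (integrity), the dual of BLP.

    simple integrity, 'no read down': read  needs object  >= subject
    * integrity,      'no write up':  write needs subject >= object
    """
    if access == "read":
        return obj.dominates(subject)
    if access == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown access mode {access!r}")


def mediate(subject_conf: Label, subject_int: Label,
            obj_conf: Label, obj_int: Label, access: str) -> bool:
    """A reference monitor enforcing both lattices at once. BLP alone lets
    a low-clearance subject overwrite Top Secret data ('write up' is legal
    for confidentiality); pairing it with Biba closes that gap."""
    return (blp_allows(subject_conf, obj_conf, access)
            and biba_allows(subject_int, obj_int, access))


if __name__ == "__main__":
    # Constructed labels for a quick demonstration.
    ts_all = Label(Level.TOP_SECRET, frozenset({"NATO", "CRYPTO"}))
    secret_nato = Label(Level.SECRET, frozenset({"NATO"}))
    secret_crypto = Label(Level.SECRET, frozenset({"CRYPTO"}))
    unclass = Label(Level.UNCLASSIFIED)
    print("TS reads SECRET/NATO   (BLP):", blp_allows(ts_all, secret_nato, "read"))
    print("SECRET/NATO reads TS   (BLP):", blp_allows(secret_nato, ts_all, "read"))
    print("TS writes UNCLASS      (BLP):", blp_allows(ts_all, unclass, "write"))
    print("SECRET/NATO reads SECRET/CRYPTO (incomparable):",
          blp_allows(secret_nato, secret_crypto, "read"))
    print("float after both reads:", join(secret_nato, secret_crypto))
```

Run it as a script to see the decisions; the incomparable case (two Secret labels with different categories) is the one that trips up people who think of classification as a single ladder, and it is exactly why the CBK treats lattice-based models separately.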
Teaching and studying for the CISSP exam
All students require foundational knowledge to work from; otherwise they won't fully understand how seemingly diverse topics are related to each other and will not have a useful context for newly learned items. One reason the concepts of the CISSP exam are not properly taught or learned is because too many instructors and courses rely on a traditional training model. For this exam, training is usually intense, focused and technology oriented. Training does not always allow for the consumption of deep, complex theoretical topics that are more commonly taught in college graduate programs. CISSP training classes and exam prep material try to shove a lot of complex material into easily digestible terms and many students miss the true meanings.
When studying for the CISSP exam, don't make your end goal passing the test. The end goal should be deep, useful knowledge that you can use in the real world. For anyone who makes that their goal, passing the exam is a breeze. If you do not take the time to really study the topics of the exam, the subject matter will seem archaic, confusing and a waste of your time. The comments I hear people make about the CISSP exam always give me true insight into what they actually know compared to what they think they know.
Before moving forward with SearchSecurity's CISSP Essentials Security School, take some time to carry out the provided self-assessment on the next page in order to grasp how much you may still need to learn before achieving this credential and ultimately building a career in this field.
CISSP® is a registered certification mark of the International Information Systems Security Certification Consortium, Inc., also known as (ISC)².
NEXT: Listen to an exclusive podcast with Shon Harris on the real value of the CISSP exam.