
CISSP 8 Domains Explained: What to Study for Each (2026)

Master the CISSP domains study guide for 2026: all 8 domains with exam weights, what to study for each, the hardest domains, and how to allocate your prep time.


The CISSP is one of the most respected and challenging certifications in information security. Its breadth is precisely what makes it difficult: you need to demonstrate competency across eight distinct domains of the Common Body of Knowledge (CBK), not just one or two specialties. This guide breaks down each of the eight CISSP domains, their exam weight, what you actually need to study, and how to allocate your preparation time effectively in 2026.

How the CISSP Exam Is Structured

The CISSP uses Computerized Adaptive Testing (CAT) for English-language exams. Since the April 2024 exam update you answer between 100 and 150 questions in a three-hour window, and the exam ends as soon as the algorithm is statistically confident that you are above or below the passing standard. The passing score is a scaled 700 out of 1000. Questions are drawn from all eight domains in proportion to the domain weights listed below, so a weak domain cannot be hidden behind strong ones.

A critical mindset shift: CISSP tests you as a manager and risk advisor, not as a technical implementer. When two answers seem technically correct, the right choice is almost always the one that reflects managerial thinking, risk-based decision making, and least privilege — not the most technically sophisticated option.

Domain 1: Security and Risk Management (16%)

The largest domain and the foundation of the entire exam. At 16% of your score, weaknesses here are costly. Topics include confidentiality, integrity, and availability (CIA triad), security governance, compliance and legal frameworks (GDPR, HIPAA, SOX), risk management concepts (threat, vulnerability, likelihood, impact), risk treatment options (accept, avoid, transfer, mitigate), business continuity planning (BCP), and professional ethics including the (ISC)² Code of Ethics.

Study tip: Know the quantitative risk formulas cold: single loss expectancy SLE = asset value (AV) × exposure factor (EF), and annualized loss expectancy ALE = SLE × annualized rate of occurrence (ARO). A safeguard is cost-justified only when the ALE it removes exceeds its own annual cost. Know the difference between qualitative and quantitative risk analysis, and understand when each is appropriate. BCP vs. DRP is a recurring exam theme: BCP is proactive and keeps critical business functions running during a disruption, DRP is reactive and restores IT systems after one.
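The quantitative formulas above, carried through to a risk-treatment decision the way an exam scenario expects. This is an added example, not code from the original post; the asset value, exposure factor, occurrence rate and the two safeguards are constructed figures, and the "risk appetite" threshold is an assumed input.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

Added example, not from the original post. All figures below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # licensing, staff time and maintenance per year
    residual_ef: float   # exposure factor once the control is in place
    residual_aro: float  # annualized rate of occurrence once the control is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: the cost of one occurrence (AV x EF)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction of asset value, 0..1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy: SLE x ARO."""
    return sle(asset_value, exposure_factor) * aro


def safeguard_value(asset_value: float, ef: float, aro: float, s: Safeguard) -> float:
    """Cost/benefit of a control: ALE before - ALE after - annual cost of the control.
    Positive means the control saves more than it costs; negative means it does not."""
    before = ale(asset_value, ef, aro)
    after = ale(asset_value, s.residual_ef, s.residual_aro)
    return before - after - s.annual_cost


def recommend(asset_value: float, ef: float, aro: float,
              options: list, risk_appetite: float) -> tuple:
    """Pick a risk treatment: accept if the current ALE is already within
    appetite, mitigate with the best-value safeguard if one pays for itself,
    otherwise flag the risk for transfer (insurance) or avoidance."""
    current = ale(asset_value, ef, aro)
    if current <= risk_appetite:
        return ("accept", None, current)
    scored = [(safeguard_value(asset_value, ef, aro, s), s) for s in options]
    value, best = max(scored, key=lambda t: t[0])
    if value > 0:
        return ("mitigate", best.name, value)
    return ("transfer or avoid", None, current)


# Constructed scenario: a customer database worth 500k, a breach is expected to
# destroy 40% of that value and to happen once every five years.
ASSET_VALUE = 500_000.0
EF = 0.4
ARO = 0.2
OPTIONS = [
    Safeguard("DLP", annual_cost=15_000.0, residual_ef=0.1, residual_aro=0.2),
    Safeguard("FDE+escrow", annual_cost=45_000.0, residual_ef=0.05, residual_aro=0.2),
]

if __name__ == "__main__":
    print("SLE", sle(ASSET_VALUE, EF))            # 200000.0
    print("ALE", ale(ASSET_VALUE, EF, ARO))       # 40000.0
    for s in OPTIONS:
        print(s.name, safeguard_value(ASSET_VALUE, EF, ARO, s))
    print(recommend(ASSET_VALUE, EF, ARO, OPTIONS, risk_appetite=5_000.0))
```

Note that the more expensive control reduces loss further but has negative value, which is exactly the distinction exam questions probe: the "best" safeguard is the one with the best cost/benefit, not the one with the lowest residual risk.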

Domain 2: Asset Security (10%)

Covers data classification, ownership, privacy protection, data retention, and secure handling and destruction of assets. Key topics include data classification levels (public, internal, confidential, secret), data ownership roles (owner, custodian, steward, processor), the data lifecycle, and media sanitization methods (clearing, purging, destruction).

Study tip: Know the four data ownership roles and their responsibilities precisely. Data destruction questions appear often — understand when overwriting is sufficient versus when physical destruction is required based on classification level.

Domain 3: Security Architecture and Engineering (13%)

One of the most technically deep domains. Topics span security models (Bell-LaPadula, Biba, Clark-Wilson), security evaluation criteria (Common Criteria, TCSEC), cryptography (symmetric vs. asymmetric, PKI, digital signatures, hashing algorithms), and physical security controls. Virtualization, cloud security models (IaaS, PaaS, SaaS), and side-channel attacks also appear.

Study tip: Understand the three classic security models at a conceptual level. Bell-LaPadula enforces confidentiality (simple security property: no read up; *-property: no write down), Biba enforces integrity and is its dual (no read down, no write up), and Clark-Wilson enforces integrity through well-formed transactions and separation of duties. Cryptography questions test conceptual understanding more than mathematical depth, but you must know when to use symmetric vs. asymmetric encryption and how PKI chains of trust work.
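Bell-LaPadula and Biba decisions side by side, as an added example that is not part of the original post. The two level lattices and the subject/object labels are constructed; real MAC implementations also carry compartments (need-to-know categories), which this simplified lattice leaves out.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) access decisions.

Added example, not from the original post. The lattices below are
constructed; compartments are omitted for clarity.
"""

# Confidentiality lattice used by Bell-LaPadula.
CONFIDENTIALITY_LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
# Integrity lattice used by Biba (a separate scale: how trustworthy data is).
INTEGRITY_LEVELS = {"low": 0, "medium": 1, "high": 2}


def _rank(levels: dict, label: str) -> int:
    try:
        return levels[label]
    except KeyError:
        raise ValueError(f"unknown label {label!r}") from None


def _check_access(access: str) -> None:
    if access not in ("read", "write"):
        raise ValueError("access must be 'read' or 'write'")


def blp_allows(subject_clearance: str, object_classification: str, access: str) -> bool:
    """Bell-LaPadula:
      simple security property: no read up   (subject clearance >= object level)
      *-property:               no write down (subject clearance <= object level)
    Writing up is permitted (a blind write); that is the model's known quirk."""
    _check_access(access)
    s = _rank(CONFIDENTIALITY_LEVELS, subject_clearance)
    o = _rank(CONFIDENTIALITY_LEVELS, object_classification)
    return s >= o if access == "read" else s <= o


def biba_allows(subject_integrity: str, object_integrity: str, access: str) -> bool:
    """Biba, the dual of BLP:
      simple integrity axiom: no read down (subject integrity <= object integrity)
      *-integrity axiom:      no write up  (subject integrity >= object integrity)
    A high-integrity process must not consume low-integrity input."""
    _check_access(access)
    s = _rank(INTEGRITY_LEVELS, subject_integrity)
    o = _rank(INTEGRITY_LEVELS, object_integrity)
    return s <= o if access == "read" else s >= o


def decision_table(clearance: str, classification: str,
                   integrity_s: str, integrity_o: str) -> dict:
    """All four decisions for one subject/object pair, handy for comparing the models."""
    return {
        "blp_read": blp_allows(clearance, classification, "read"),
        "blp_write": blp_allows(clearance, classification, "write"),
        "biba_read": biba_allows(integrity_s, integrity_o, "read"),
        "biba_write": biba_allows(integrity_s, integrity_o, "write"),
    }


if __name__ == "__main__":
    # Constructed case: a 'secret' subject touching a 'top_secret' object,
    # and a 'high' integrity process touching 'low' integrity data.
    print(decision_table("secret", "top_secret", "high", "low"))
```

The table for that constructed pair reads: BLP read denied (read up), BLP write allowed (write up), Biba read denied (read down), Biba write allowed (write down). Seeing the two models mirror each other is the fastest way to stop confusing them under exam pressure.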

Domain 4: Communication and Network Security (13%)

Covers the OSI and TCP/IP models, network protocols (DNS, DHCP, HTTP/S, SMTP, TLS), network segmentation, firewalls, IDS/IPS, VPNs, wireless security protocols (WPA2/WPA3), and secure network architecture design. Attacks like man-in-the-middle, ARP poisoning, and DNS spoofing are also tested.

Study tip: Map security controls to OSI layers. Know which protocols operate at which layers and what their vulnerabilities are. Wireless security questions often test the weaknesses of WEP versus WPA2 and the security improvements in WPA3.

Domain 5: Identity and Access Management (13%)

IAM covers identification, authentication, authorization, and accountability (often abbreviated IAAA). Topics include authentication factors (something you know/have/are), multi-factor authentication, SSO, federation (SAML, OAuth, OpenID Connect), access control models (DAC, MAC, RBAC, ABAC), directory services, and privileged access management.

Study tip: Know the access control models and which situations call for each. MAC is most common in government/military environments with strict need-to-know requirements. RBAC is the most practical for most enterprise environments. Questions on IAM often test the principle of least privilege — always select the most restrictive access that still permits the user to do their job.
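The RBAC and ABAC distinction, plus the least-privilege check the exam keeps coming back to, as an added example that is not part of the original post. The roles, permissions, attributes and the two policy rules (same-department and clearance-versus-sensitivity) are constructed for illustration.

```python
"""RBAC versus ABAC authorization with deny by default, and a least-privilege audit.

Added example, not from the original post. Roles, permissions, attributes
and policy rules are constructed for illustration.
"""
from dataclasses import dataclass

# Role -> permissions. Note the admin role deliberately carries no ticket rights.
ROLE_PERMISSIONS = {
    "analyst": {"ticket:read", "ticket:comment"},
    "responder": {"ticket:read", "ticket:comment", "ticket:close"},
    "admin": {"user:create", "user:delete"},
}


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset
    department: str
    clearance: int


@dataclass(frozen=True)
class Resource:
    kind: str
    department: str
    sensitivity: int


def effective_permissions(subject: Subject) -> set:
    """Union of everything the subject's roles grant. Unknown roles grant nothing."""
    perms = set()
    for role in subject.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def rbac_allows(subject: Subject, permission: str) -> bool:
    """Pure RBAC: granted iff some assigned role carries the permission.
    Nothing about the resource is consulted; deny by default."""
    return permission in effective_permissions(subject)


def abac_allows(subject: Subject, permission: str, resource: Resource) -> bool:
    """ABAC layered on RBAC: the role must carry the permission AND the
    attributes of subject and resource must satisfy the policy rules:
      1. tickets are only visible inside the department that owns them
      2. subject clearance must be at least the resource sensitivity"""
    if not rbac_allows(subject, permission):
        return False
    if resource.department != subject.department:
        return False
    return subject.clearance >= resource.sensitivity


def excess_permissions(subject: Subject, job_needs: set) -> set:
    """Least-privilege audit: everything the subject can do that the job does
    not require. A non-empty result is the exam's 'too much access' answer."""
    return effective_permissions(subject) - set(job_needs)


# Constructed subjects and resources.
ALICE = Subject("alice", frozenset({"analyst"}), department="soc", clearance=2)
BOB = Subject("bob", frozenset({"responder", "admin"}), department="soc", clearance=3)
SOC_TICKET = Resource("ticket", department="soc", sensitivity=2)
HR_TICKET = Resource("ticket", department="hr", sensitivity=1)
HOT_TICKET = Resource("ticket", department="soc", sensitivity=3)

if __name__ == "__main__":
    print(abac_allows(ALICE, "ticket:read", SOC_TICKET))   # True
    print(abac_allows(ALICE, "ticket:read", HR_TICKET))    # False: wrong department
    print(abac_allows(ALICE, "ticket:read", HOT_TICKET))   # False: clearance too low
    print(excess_permissions(BOB, {"ticket:read", "ticket:close"}))
```

RBAC alone would let Alice read the HR ticket because her role carries `ticket:read`; only the attribute rules narrow the decision to her own department and clearance. Bob's audit result shows why stacking roles violates least privilege: his job needs two permissions and he holds five.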

Domain 6: Security Assessment and Testing (12%)

Covers vulnerability assessments, penetration testing, log reviews, security audits, and software testing methodologies. Topics include black-box vs. white-box vs. gray-box testing, the difference between vulnerability scanning and penetration testing, SAST vs. DAST, and audit types (internal, external, third-party).

Domain 7: Security Operations (13%)

Tied with Domains 3, 4, and 5 at 13% of the exam. Topics include the incident response lifecycle, digital forensics (chain of custody, evidence handling), disaster recovery, backup strategies, change management, patch management, physical security, and personnel security (separation of duties, dual control, mandatory vacation).

Study tip: Incident response phases (preparation, identification, containment, eradication, recovery, lessons learned) and forensic evidence handling procedures appear frequently. Understand chain of custody and why it matters legally. Backup strategies are commonly tested: a full backup captures everything, an incremental captures only what changed since the previous backup of any kind, and a differential captures everything changed since the last full. Incrementals are fastest to take but slowest to restore, because every incremental since the last full must be applied in order; differentials grow day by day but restore from just the last full plus the latest differential.
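The restore-time tradeoff worked through in code, as an added example that is not part of the original post. The weekly schedules (a Sunday full followed by six dailies), the per-day change volume and the failure day are constructed figures.

```python
"""Restore chains for full + incremental versus full + differential schedules.

Added example, not from the original post. The schedules, sizes and the
failure day are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    day: int        # day number within the schedule
    kind: str       # "full", "incremental" or "differential"
    size_gb: float  # constructed volume captured by this backup


def restore_chain(backups: list, failure_day: int) -> list:
    """Ordered list of backups that must be applied to recover the state as of
    the last backup taken before failure_day (RPO is the gap to that backup)."""
    usable = sorted((b for b in backups if b.day < failure_day), key=lambda b: b.day)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup before the failure; nothing to restore from")
    last_full = fulls[-1]
    after = [b for b in usable if b.day > last_full.day]
    diffs = [b for b in after if b.kind == "differential"]
    incs = [b for b in after if b.kind == "incremental"]
    if diffs and incs:
        # Mixing the two after one full makes the chain ambiguous; refuse rather than guess.
        raise ValueError("mixed differential and incremental backups after a full")
    chain = [last_full]
    if diffs:
        chain.append(diffs[-1])   # only the newest differential is needed
    else:
        chain.extend(incs)        # every incremental since the full, in order
    return chain


def restore_volume_gb(chain: list) -> float:
    """Data that has to be read back during recovery; a proxy for RTO."""
    return sum(b.size_gb for b in chain)


def storage_volume_gb(backups: list) -> float:
    """Data written over the whole schedule; the cost side of the tradeoff."""
    return sum(b.size_gb for b in backups)


# Constructed schedules: 100 GB full on day 0, then 5 GB of new changes per day.
INCREMENTAL_WEEK = [Backup(0, "full", 100.0)] + [
    Backup(d, "incremental", 5.0) for d in range(1, 7)]
DIFFERENTIAL_WEEK = [Backup(0, "full", 100.0)] + [
    Backup(d, "differential", 5.0 * d) for d in range(1, 7)]

if __name__ == "__main__":
    for name, sched in (("incremental", INCREMENTAL_WEEK), ("differential", DIFFERENTIAL_WEEK)):
        chain = restore_chain(sched, failure_day=5)
        print(name, "restore steps:", [b.day for b in chain],
              "restore GB:", restore_volume_gb(chain),
              "weekly storage GB:", storage_volume_gb(sched))
```

With a failure on day 5, the incremental schedule needs five restore steps (the full plus four incrementals) against two for the differential schedule, while the differential schedule writes 205 GB over the week against 130 GB. That is the tradeoff the exam wants stated: incremental minimises backup time and storage, differential minimises restore steps and therefore recovery time.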

Domain 8: Software Development Security (10%)

Covers the software development lifecycle (SDLC), secure coding practices, OWASP Top 10, database security, and software acquisition security. Agile, DevOps, and DevSecOps concepts appear alongside classic waterfall and spiral models.

Time Allocation and Hardest Domains

Most candidates find Domains 1, 3, and 5 the most difficult — Security and Risk Management requires absorbing a large volume of governance and compliance frameworks, Security Architecture has deep technical breadth, and IAM demands precision on access control model distinctions.

  • Allocate 20-25% of study time to Domain 1 given its weight and conceptual density.
  • Domains 3 and 4 reward candidates with networking or engineering backgrounds but require extra reading for non-technical professionals.
  • Domain 6 (Security Assessment) is often underestimated — the difference between vulnerability scanning, penetration testing, and red team exercises is consistently tested.
  • Domain 8 rewards developers but is accessible to all candidates through the OWASP Top 10 and SDLC phase knowledge.

When practicing domain-specific questions, use Certify Copilot to get instant explanations for any question you miss. Rather than just seeing the correct answer, you get context on why the correct answer aligns with CISSP's managerial risk mindset — which is the core skill the exam actually tests.

Stop guessing. Start understanding.

Certify Copilot AI explains any certification practice question in real-time, directly on your screen. Try it free with 10 credits, no card required.
