This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
CISSP®
The exam validates mastery of security governance, asset protection, architecture, network defenses, and identity management, ensuring candidates can design, implement, and assess comprehensive security programs.
Who Should Take This
It is intended for seasoned security professionals who have accumulated at least five years of paid experience across two or more CISSP domains, such as risk analysts, security architects, or IAM specialists. These practitioners seek formal recognition of their expertise and aim to advance into senior leadership or consultancy roles.
What's Covered
All eight domains of the ISC2 CISSP Common Body of Knowledge (CBK): Domain 1 Security and Risk Management, Domain 2 Asset Security, Domain 3 Security Architecture and Engineering, Domain 4 Communication and Network Security, Domain 5 Identity and Access Management, Domain 6 Security Assessment and Testing, Domain 7 Security Operations, Domain 8 Software Development Security.
Course Outline
78 learning goals
Domain 1: Security and Risk Management
4 topics
Security governance and organizational roles
- Establish an information security governance framework aligned with NIST CSF, ISO 27001, or COBIT to define organizational security objectives, accountability structures, and board-level reporting mechanisms.
- Apply the principle of due diligence and due care to assign security roles and responsibilities including CISO, data owner, data custodian, and system administrator within an organizational hierarchy.
- Design a comprehensive security policy hierarchy comprising strategic policies, tactical standards, operational procedures, and guidelines that enforces the principle of least privilege across the enterprise.
Risk management concepts and methodologies
- Execute quantitative risk analysis by calculating single loss expectancy, annualized rate of occurrence, annualized loss expectancy, and total cost of ownership to justify security control investments.
- Evaluate the suitability of qualitative versus quantitative risk assessment methodologies including NIST SP 800-30, OCTAVE, FAIR, and CRAMM for different organizational contexts and decision requirements.
- Formulate a risk treatment strategy that integrates risk avoidance, mitigation, transference, and acceptance decisions with organizational risk appetite and regulatory obligations.
Legal, regulatory, and compliance frameworks
- Apply GDPR data protection principles including lawful basis for processing, data subject rights, data protection impact assessments, and cross-border transfer mechanisms such as standard contractual clauses and binding corporate rules.
- Differentiate the compliance requirements of HIPAA, PCI DSS, SOX, CCPA, and GLBA to determine applicable controls for organizations operating across multiple regulatory jurisdictions.
- Evaluate intellectual property protections including trade secrets, patents, copyrights, and trademarks to recommend appropriate safeguards for organizational knowledge assets.
Business continuity and personnel security
- Implement a business impact analysis that identifies critical business functions, maximum tolerable downtime, recovery time objectives, and recovery point objectives to prioritize continuity investments.
- Design a security awareness and training program that addresses role-based training requirements, phishing simulation campaigns, and metrics-driven effectiveness measurement.
Domain 2: Asset Security
2 topics
Data classification and lifecycle management
- Implement a data classification scheme with sensitivity levels (public, internal, confidential, restricted) that maps to handling procedures, access controls, and retention policies based on regulatory and business requirements.
- Apply data lifecycle management controls across creation, storage, use, sharing, archival, and destruction phases including cryptographic erasure, degaussing, and physical destruction verification.
- Evaluate data remanence risks and recommend sanitization methods (clear, purge, destroy) appropriate to media type and classification level per NIST SP 800-88 guidelines.
Data protection and privacy controls
- Implement data loss prevention controls including network DLP, endpoint DLP, and cloud access security broker integration to detect and prevent unauthorized data exfiltration across egress points.
- Assess privacy-by-design principles and data minimization techniques to determine appropriate pseudonymization, anonymization, and tokenization controls for personally identifiable information.
- Design an enterprise data governance program that assigns data ownership, establishes stewardship accountability, and enforces data quality standards across structured and unstructured repositories.
Domain 3: Security Architecture and Engineering
4 topics
Security models and architecture frameworks
- Apply formal security models including Bell-LaPadula (confidentiality), Biba (integrity), Clark-Wilson (well-formed transactions), and Brewer-Nash (Chinese Wall) to enforce mandatory access control policies in system design.
- Evaluate the SABSA and TOGAF security architecture frameworks to recommend an enterprise security architecture methodology that aligns business attributes with security services and mechanisms.
- Analyze system evaluation criteria including Common Criteria (ISO 15408), evaluation assurance levels, and protection profiles to determine appropriate assurance requirements for security product procurement.
Cryptographic systems and key management
- Implement symmetric encryption algorithms (AES-256, ChaCha20) and asymmetric algorithms (RSA, ECC) with appropriate key lengths to protect data at rest and in transit per NIST SP 800-57 key management recommendations.
- Configure a public key infrastructure lifecycle including certificate authority hierarchy, certificate enrollment, renewal, revocation (CRL/OCSP), and key escrow to support enterprise digital identity and code signing requirements.
- Analyze cryptographic attack vectors including birthday attacks, side-channel attacks, and padding oracle attacks to assess algorithm resilience and recommend cryptographic agility strategies for post-quantum migration.
- Design a cryptographic key management program that addresses key generation, distribution, storage, rotation, destruction, and recovery procedures across on-premises and cloud environments.
Physical security and site design
- Implement defense-in-depth physical security controls including perimeter barriers, access control vestibules, surveillance systems, environmental controls, and fire suppression appropriate to facility classification.
- Assess site selection criteria and facility design requirements including CPTED principles, utility redundancy, and natural disaster exposure to recommend data center placement and hardening strategies.
Secure design principles and vulnerability mitigation
- Apply secure design principles including defense in depth, zero trust, separation of duties, fail-secure defaults, and economy of mechanism to system architecture decisions.
- Evaluate hardware security mechanisms including TPM, HSM, secure boot, and hardware root of trust to determine appropriate platform integrity assurance for enterprise workloads.
- Recommend a zero-trust architecture implementation strategy that integrates micro-segmentation, continuous verification, least-privilege access, and assume-breach posture across hybrid cloud environments.
Domain 4: Communication and Network Security
3 topics
Network architecture and design
- Apply the OSI and TCP/IP reference models to analyze protocol interactions, identify attack surfaces at each layer, and implement layer-appropriate security controls such as 802.1X, IPsec, and TLS.
- Configure network segmentation using VLANs, subnetting, DMZ architectures, and software-defined networking to enforce least-privilege network access and contain lateral movement.
- Design a secure enterprise network architecture incorporating SD-WAN, SASE, and cloud-native network controls that balances performance, security, and operational complexity.
Secure communication channels
- Implement VPN technologies including IPsec (tunnel and transport modes), SSL/TLS VPN, and WireGuard to establish secure site-to-site and remote access communication channels.
- Evaluate wireless security protocols (WPA3-Enterprise, 802.1X/EAP variants) and assess wireless attack vectors including evil twin, deauthentication, and KRACK to recommend enterprise wireless security architectures.
- Analyze DNS security mechanisms including DNSSEC, DNS over HTTPS, and DNS over TLS to assess DNS-based attack mitigation strategies and their impact on enterprise traffic inspection capabilities.
Network security controls and monitoring
- Deploy firewall architectures including next-generation firewalls, web application firewalls, and cloud-native security groups with rule sets that enforce network security policies.
- Differentiate between network-based and host-based intrusion detection and prevention systems to determine optimal sensor placement and detection rule strategies for enterprise traffic analysis.
- Evaluate network traffic analysis approaches including NetFlow, packet capture, and encrypted traffic analytics to assess visibility gaps in increasingly encrypted enterprise environments.
Domain 5: Identity and Access Management
3 topics
Authentication and identity management
- Implement multi-factor authentication combining knowledge, possession, and biometric factors using protocols such as FIDO2/WebAuthn, TOTP, and smart card authentication for enterprise identity verification.
- Configure identity federation using SAML 2.0, OAuth 2.0, and OpenID Connect to establish cross-organization single sign-on with appropriate trust relationships and token lifecycle management.
- Evaluate biometric authentication systems by analyzing false acceptance rate, false rejection rate, crossover error rate, and enrollment failure rates to recommend appropriate biometric modalities for different security contexts.
Access control models and authorization
- Implement role-based access control, attribute-based access control, and rule-based access control models with appropriate policy enforcement points to manage authorization across enterprise resources.
- Compare discretionary, mandatory, and non-discretionary access control models to assess their suitability for environments with different trust levels, data sensitivities, and operational requirements.
- Design a privileged access management strategy incorporating just-in-time access, session recording, credential vaulting, and emergency break-glass procedures to minimize standing privilege exposure.
Identity governance and provisioning
- Establish identity lifecycle management processes including provisioning, de-provisioning, access reviews, and joiner-mover-leaver workflows integrated with HR systems and directory services.
- Recommend an identity governance program that implements periodic access certification campaigns, segregation of duties enforcement, and role mining to reduce authorization creep and insider threat exposure.
Domain 6: Security Assessment and Testing
3 topics
Vulnerability assessment and penetration testing
- Implement a vulnerability management program that integrates automated scanning, CVSS-based risk prioritization, remediation tracking, and exception management to reduce organizational attack surface.
- Differentiate between vulnerability assessment, penetration testing, red team exercises, and bug bounty programs to determine appropriate testing methodologies for different organizational risk profiles.
- Evaluate penetration testing scoping decisions including rules of engagement, authorized target boundaries, communication protocols, and legal considerations for internal and third-party engagements.
Security audit and assurance
- Execute security audit procedures including evidence collection, control testing, finding classification, and report generation aligned with ISACA, IIA, or ISO 19011 audit standards.
- Analyze SOC 1, SOC 2 Type I and Type II, and SOC 3 report contents to evaluate third-party service provider security posture and determine reliance decisions for organizational supply chain risk management.
- Design a continuous security monitoring and assessment program that integrates automated compliance scanning, configuration drift detection, and key risk indicator dashboards for executive reporting.
Security metrics and testing strategies
- Implement log management and analysis practices including centralized log collection, correlation rules, retention policies, and chain-of-custody procedures to support security investigations and compliance.
- Formulate a security testing strategy that maps coverage across code review, SAST, DAST, IAST, penetration testing, and red team exercises to organizational risk priorities and SDLC integration points.
Domain 7: Security Operations
4 topics
Incident management and response
- Implement an incident response plan following NIST SP 800-61 phases (preparation, detection/analysis, containment/eradication/recovery, post-incident activity) with defined escalation paths, communication templates, and stakeholder notification procedures.
- Apply digital forensics procedures including evidence acquisition, chain of custody, forensic imaging, volatile data collection, and analysis techniques that preserve evidentiary integrity for legal proceedings.
- Evaluate incident severity classification schemes and triage methodologies to determine appropriate response urgency, resource allocation, and executive communication cadence during active security incidents.
- Design a lessons-learned process that translates incident post-mortems into actionable control improvements, threat intelligence updates, and training enhancements across the security program.
Security operations center and threat management
- Configure SIEM platforms with correlation rules, alert thresholds, and enrichment pipelines to detect indicators of compromise aligned with the MITRE ATT&CK framework tactics and techniques.
- Implement threat intelligence lifecycle processes including collection, processing, analysis, dissemination, and feedback using STIX/TAXII frameworks to enrich detection and response capabilities.
- Assess SOAR platform integration opportunities to determine appropriate playbook automation, orchestration workflows, and analyst tier escalation paths for security operations efficiency.
- Optimize a SOC operating model by recommending staffing structures, shift coverage, skill development programs, and outsourcing decisions that balance detection efficacy with operational cost.
Disaster recovery and resilience
- Implement disaster recovery strategies including hot, warm, and cold sites, reciprocal agreements, cloud-based DR, and data replication topologies that satisfy recovery time and recovery point objectives.
- Evaluate disaster recovery testing approaches including tabletop exercises, structured walkthroughs, simulation tests, and full interruption tests to assess plan effectiveness and identify gaps.
- Design an enterprise resilience program that integrates business continuity, disaster recovery, crisis communication, and supply chain contingency planning into a unified governance framework.
Change and configuration management
- Establish change management processes including change advisory board review, impact assessment, rollback procedures, and emergency change protocols to maintain system integrity during operational modifications.
- Implement configuration management practices using security baselines, automated compliance verification, and configuration item tracking to detect unauthorized changes and maintain desired state.
Domain 8: Software Development Security
4 topics
Secure software development lifecycle
- Implement a secure SDLC by integrating security activities (threat modeling, security requirements, secure design review, code review, security testing) into each phase of waterfall, agile, and DevOps methodologies.
- Apply threat modeling methodologies including STRIDE, PASTA, and attack trees to identify threats, assess attack likelihood, and derive security requirements during the design phase.
- Evaluate the maturity of an organization's secure development practices using frameworks such as BSIMM and SAMM to recommend improvement priorities and investment areas.
Software vulnerabilities and secure coding
- Apply secure coding practices to prevent OWASP Top 10 vulnerabilities including injection, broken authentication, XSS, insecure deserialization, and server-side request forgery in web application development.
- Analyze memory safety vulnerabilities including buffer overflows, use-after-free, and race conditions to evaluate the security implications of language choice and runtime environment selection.
- Implement secure API design patterns including authentication, authorization, rate limiting, input validation, and output encoding to protect RESTful and GraphQL service interfaces.
Software testing and supply chain security
- Configure static application security testing and dynamic application security testing tools within CI/CD pipelines to automate vulnerability detection with defined quality gates and false positive management workflows.
- Assess software supply chain risks including dependency vulnerabilities, malicious packages, and build pipeline compromise to determine appropriate SBOM generation, provenance verification, and repository governance controls.
- Design a DevSecOps integration strategy that embeds security tooling, policy-as-code enforcement, and automated compliance verification throughout the continuous integration and continuous deployment pipeline.
Database and application security architecture
- Implement database security controls including encryption at rest and in transit, view-based access control, stored procedure auditing, and database activity monitoring to protect structured data repositories.
- Evaluate containerization and serverless security considerations including image scanning, runtime protection, secrets management, and function-level isolation to recommend secure application deployment architectures.
Scope
Included Topics
- All eight domains of the ISC2 CISSP Common Body of Knowledge (CBK): Domain 1 Security and Risk Management (15%), Domain 2 Asset Security (10%), Domain 3 Security Architecture and Engineering (13%), Domain 4 Communication and Network Security (13%), Domain 5 Identity and Access Management (13%), Domain 6 Security Assessment and Testing (12%), Domain 7 Security Operations (13%), Domain 8 Software Development Security (11%).
- Enterprise security governance frameworks including NIST CSF, ISO 27001/27002, COBIT, SABSA, and TOGAF security architecture integration for organizational risk posture management.
- Comprehensive risk management methodologies: quantitative analysis (ALE, SLE, ARO, EF), qualitative risk assessment, risk treatment strategies, business impact analysis, and continuous risk monitoring across the enterprise.
- Cryptographic systems and protocols: symmetric and asymmetric algorithms, PKI lifecycle management, digital signatures, key management practices, TLS/IPsec implementation, and post-quantum cryptography considerations.
- Network security architecture: OSI and TCP/IP models, secure network design patterns, segmentation strategies, zero-trust architecture, SD-WAN, SASE, VPN topologies, firewall architectures, and intrusion detection/prevention systems.
- Identity and access management: IAM frameworks, authentication protocols (SAML, OAuth 2.0, OpenID Connect, FIDO2), directory services, privileged access management, identity governance, and federation architectures.
- Security operations: incident response lifecycle, digital forensics procedures, disaster recovery and business continuity planning, SIEM/SOAR integration, threat intelligence, vulnerability management, and SOC operations.
- Software security: secure SDLC models, OWASP Top 10, static and dynamic analysis, secure coding practices, API security, DevSecOps integration, and software supply chain security.
- Legal, regulatory, and compliance frameworks: GDPR, HIPAA, PCI DSS, SOX, CCPA, international privacy laws, intellectual property protections, computer crime statutes, and cross-border data transfer mechanisms.
Not Covered
- Vendor-specific product configuration detail that does not generalize across the CISSP CBK domains.
- Hands-on penetration testing tool usage and exploit development depth beyond what the CISSP exam requires for conceptual understanding.
- Current pricing for security products, services, or compliance audits that changes frequently and is not tested on the exam.
- Entry-level security fundamentals covered by the SSCP or CC certifications that are assumed prerequisite knowledge for CISSP candidates.
Official Exam Page
Learn more at ISC2