Certified Information Systems Security Professional (CISSP) Practice Exam

Certified Information Systems Security Professional (CISSP) Practice Exam

The Certified Information Systems Security Professional (CISSP) is widely known as the top certification in the field of information security worldwide. It confirms that a person has extensive technical and managerial expertise to properly plan, create, and oversee an organization's overall security measures. The wide range of subjects covered in the CISSP Common Body of Knowledge (CBK®) ensures that it remains important in all areas of information security.

Who should take the exam?

The CISSP is suitable for experienced security practitioners, managers and executives interested in proving their knowledge across a wide array of security practices and principles, including those working as:

• Chief Information Security Officer
• Chief Information Officer
• Director of Security
• IT Director/Manager
• Security Systems Engineer
• Security Analyst
• Security Manager
• Security Auditor
• Security Architect
• Security Consultant
• Network Architect

Experience Requirements for the Exam

To qualify, candidates need at least five years of paid work experience in two or more of the eight CISSP CBK domains. Having a four-year college degree or an approved credential from ISC2 can substitute for one year of experience, but education credit only counts for one year.

Exam Details of Certified Information Systems Security Professional (CISSP)

• Exam Code: CISSP
• Exam Name: Certified Information Systems Security Professional
• Exam Languages: English
• Exam Questions: 125-175 Questions
• Time Duration: 4 hours
• Passing Score: 700 out of 1000 points

CISSP Exam Course Outline 

The Certified Information Systems Security Professional (CISSP) Exam covers the given topics  - 

Domain 1:  Understand Security and Risk Management

• Understanding, adhering to, and promoting professional ethics
• Applying security concepts
• Evaluating and applying security governance principles
• Determining compliance and other requirements
• Understanding legal and regulatory issues that pertain to information security in a holistic context
• Understanding requirements for investigation types (i.e., administrative, criminal, civil, regulatory, and industry standards)
• Developing, documenting, and implementing security policy, standards, procedures, and guidelines
• Discovering, analyzing, and prioritizing Business Continuity (BC) requirements
• Contributing to and enforcing personnel security policies and procedures
• Applying risk management concepts
• Implementing threat modeling concepts and methodologies
• Applying Supply Chain Risk Management (SCRM) concepts
• Establishing and maintaining a security awareness, education, and training program

Domain 2: Learn about Asset Security

• Identifying and classifying information and assets
• Establishing information and asset handling requirements
• Provisioning resources securely
• Managing data lifecycle
• Ensuring appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
• Determining data security controls and compliance requirements

Domain 3: Understand Security Architecture and Engineering

• Researching, implementing and managing engineering processes using secure design principles
• Understanding the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
• Selecting controls based upon systems security requirements
• Understanding security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
• Assessing and mitigating the vulnerabilities of security architectures, designs, and solution elements
• Selecting and determining cryptographic solutions
• Understanding methods of cryptanalytic attacks
• Applying security principles to site and facility design
• Designing site and facility security controls

Domain 4: Understand about Communication and Network Security

• Assessing and implementing secure design principles in network architectures
• Securing network components
• Implementing secure communication channels according to the design

Domain 5: Learn about Identity and Access Management (IAM)

• Controlling physical and logical access to assets
• Managing identification and authentication of people, devices, and services
• Federated identity with a third-party service
• Implementing and managing authorization mechanisms
• Managing the identity and access provisioning lifecycle
• Implementing authentication systems

Domain 6: Understand Security Assessment and Testing

• Designing and validating assessment, test, and audit strategies
• Conducting security control testing
• Collecting security process data (e.g., technical and administrative)
• Analyzing test output and generate report
• Conducting or facilitating security audits

Domain 7: Explore Security Operations

• Understanding and complying with investigations
• Conducting logging and monitoring activities
• Performing Configuration Management (CM) (e.g., provisioning, baselining, automation)
• Applying foundational security operations concepts
• Applying for resource protection
• Conducting incident management
• Operating and maintaining detective and preventative measures
• Applying and supporting patch and vulnerability management
• Understanding and participating in change management processes
• Implementing recovery strategies
• Applying Disaster Recovery (DR) processes
• Testing Disaster Recovery Plans (DRP)
• Participating in Business Continuity (BC) planning and exercises
• Implementing and managing physical security
• Addressing personnel safety and security concerns

Domain 8: Understand Software Development Security

• Understanding and integrating security in the Software Development Life Cycle (SDLC)
• Identifying and applying security controls in software development ecosystems
• Assessing the effectiveness of software security
• Examining the security impact of acquired software
• Defining and applying secure coding guidelines and standards