ISC2 CISSP exam guide covering the eight domains, risk treatment, and control selection decisions.
This guide targets CISSP, ISC2’s flagship broad-security certification. As of April 13, 2026, ISC2’s current outline page shows the exam still uses the April 15, 2024 outline version with 8 weighted domains, Computerized Adaptive Testing (CAT), 100-150 items, and a 3-hour time limit. This guide follows that current public outline directly.
CBK: Common Body of Knowledge, the eight-domain professional body of knowledge CISSP is built around.
BIA: Business impact analysis, which identifies recovery priorities and business consequences so continuity planning can be designed correctly.
Least privilege: Security principle that grants only the minimum access needed to perform an authorized task.
| Exam fact | Current official signal |
|---|---|
| Outline effective date | April 15, 2024 |
| Exam delivery | CAT |
| Length | 3 hours |
| Number of items | 100-150 |
| Passing grade | 700 / 1000 |
| Languages on current outline page | Chinese, English, German, Japanese, Spanish |
| Experience requirement | 5 years cumulative paid experience across 2 or more domains, with limited waiver paths |
| Guide model | 8 blueprint chapters -> 16 section lessons |
CISSP is broad on purpose. Strong answers usually begin by classifying the real decision family first: governance, asset handling, architecture, network, identity, testing, operations, or software security. The trap is often not a silly answer. The trap is choosing a technically plausible answer that ignores policy, risk ownership, auditability, or long-term operability.
Read CISSP stems in this order:
ISC2’s current outline page publishes the eight domain weights. This guide follows that map directly.
| Domain | Weight | Chapter | Start here |
|---|---|---|---|
| Security and Risk Management | 16% | 1. Risk | 1.1 Governance & Compliance, 1.2 BIA & Continuity |
| Asset Security | 10% | 2. Assets | 2.1 Classification & Lifecycle, 2.2 Retention & Protection |
| Security Architecture and Engineering | 13% | 3. Architecture | 3.1 Design Principles & Models, 3.2 Crypto & Resilience |
| Communication and Network Security | 13% | 4. Network | 4.1 Segmentation & Transit, 4.2 Wireless & Zero Trust |
| Identity and Access Management (IAM) | 13% | 5. IAM | 5.1 Authentication & MFA, 5.2 Authorization & PAM |
| Security Assessment and Testing | 12% | 6. Testing | 6.1 Audits & Metrics, 6.2 Pen Testing & Validation |
| Security Operations | 13% | 7. Operations | 7.1 Incident Response, 7.2 Recovery & Resilience |
| Software Development Security | 10% | 8. Software | 8.1 SDLC & DevSecOps, 8.2 Secure Coding & APIs |
```mermaid
flowchart LR
A["1. Governance and asset thinking"] --> B["2. Architecture and network decisions"]
B --> C["3. Identity and assessment logic"]
C --> D["4. Operations and resilience"]
D --> E["5. Software security and final review"]
```
| Failure pattern | Better instinct |
|---|---|
| treating every hard stem like a network or technical-control question | check governance, ownership, and policy boundaries first |
| mixing security models, access-control models, and business roles into one blur | classify the model family before picking the control |
| jumping to eradication or hardening before preserving evidence and containing impact | follow the operational order the scenario requires |
| choosing a tool without checking whether the answer is really about risk treatment or lifecycle design | CISSP usually rewards the broader management and architecture fit |