ISC2 CISSP Cheat Sheet: Security Domains and Decision Cues

ISC2 CISSP cheat sheet for security domains, decision cues, traps, and final review.

Use this for last-mile review. Treat it as a decision sheet: if a question sounds broad or ambiguous, use the tables to decide whether it is really governance, engineering, operations, or legal/compliance.

Fast lane picker

If the question is really about… | Focus first on… | Strongest first move
policy, ownership, or risk acceptance | governance roles, policy stack, risk treatment | choose the control aligned to business risk, not the flashiest tool
access, identity, or privileged admin | IAM model, MFA, federation, least privilege, PIM/PAM | remove standing privilege and clarify who authorizes access
confidentiality vs integrity rule conflict | security models and access-control model | identify what the system is protecting first
crypto, certs, or trust chain | algorithm type, key use, PKI component | separate encryption, signing, hashing, and authentication
breach, triage, or evidence | IR phase, containment, chain of custody, volatility order | preserve evidence while containing impact
outage or recovery target | BIA, RTO, RPO, DR pattern | translate the time target before naming the site model

CISSP answer sequence

Use this when the stem mixes governance, access, crypto, incident response, or recovery.

    flowchart TD
        S["Scenario"] --> G["Identify governance or risk ownership"]
        G --> I["Check identity, access, or admin control"]
        I --> C["Check crypto, evidence, or containment"]
        C --> R["Check recovery or continuity target"]
        R --> E["Pick the control that matches the business risk"]

Governance hierarchy and role ownership

Item | What it does | Exam cue
policy | top-level management intent | mandatory direction
standard | specific mandatory requirement | uniform control implementation
baseline | minimum acceptable configuration or state | “at least this secure”
procedure | exact step-by-step action | repeatable task execution
guideline | recommended practice | more flexible than a standard

Role | Strongest responsibility
data owner | classification and protection requirements
system owner | business use and system accountability
custodian | operational handling and control implementation
user | following policy and using data correctly
privacy officer or DPO | privacy program oversight and obligations
auditor | independent evidence review

Risk math and recovery terms

\[ \text{SLE} = \text{AV} \times \text{EF} \qquad \text{ALE} = \text{SLE} \times \text{ARO} \]

Term | Meaning | Fast recall
AV | asset value | what the asset is worth
EF | exposure factor | how much of the value one event destroys
SLE | single loss expectancy | one-event loss
ARO | annualized rate of occurrence | expected yearly frequency
ALE | annualized loss expectancy | expected yearly loss

Pair | Keep this distinction clear
risk avoidance vs mitigation | stop the activity vs reduce likelihood or impact
transfer vs acceptance | shift financial impact vs knowingly live with the risk
RTO vs RPO | restore time vs acceptable data loss window
MTD vs WRT | maximum downtime tolerated vs time after systems are restored to verify them and resume business process work
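A worked application of the two formulas above, added here as an illustration with constructed figures (not from the original sheet). It carries the numbers one step past the sheet to the safeguard cost-benefit comparison the exam expects: the control is worth buying only if the ALE it removes exceeds its annual cost (ACS). Amounts are in dollars; SLE is per event, ALE and ACS per year.

\[
\begin{aligned}
\text{SLE} &= \text{AV} \times \text{EF} = 400{,}000 \times 0.25 = 100{,}000 \\
\text{ALE} &= \text{SLE} \times \text{ARO} = 100{,}000 \times 0.2 = 20{,}000 \\
\text{SLE}' &= \text{AV} \times \text{EF}' = 400{,}000 \times 0.10 = 40{,}000 \quad (\text{control lowers EF to } 0.10,\ \text{ARO unchanged}) \\
\text{ALE}' &= \text{SLE}' \times \text{ARO} = 40{,}000 \times 0.2 = 8{,}000 \\
\text{value of control} &= \text{ALE} - \text{ALE}' - \text{ACS} = 20{,}000 - 8{,}000 - 5{,}000 = 7{,}000 > 0
\end{aligned}
\]

A positive value supports mitigation; had ACS exceeded the 12,000 reduction in ALE, transfer or acceptance would be the risk-aligned answer rather than the control.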

Security model chooser

Model | What it protects first | Rule of thumb
Bell-LaPadula | confidentiality | no read up, no write down
Biba | integrity | no read down, no write up
Clark-Wilson | integrity via well-formed transactions | strong fit for commercial systems
Brewer-Nash | conflict of interest control | classic Chinese Wall
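The rules of thumb above as runnable checks, added here as an illustrative example (not from the original sheet): the Bell-LaPadula and Biba functions show that the two models are exact mirrors, and the Brewer-Nash function shows why it is history-based rather than label-based. The four-step lattice, the company/conflict-class tuples, and the function names are constructed for this example.

```python
from enum import IntEnum


class Level(IntEnum):
    """Constructed four-step lattice used only for this example. A higher
    value means more sensitive (Bell-LaPadula) or more trustworthy (Biba)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula protects confidentiality: no read up, no write down."""
    if op == "read":
        return subject >= obj   # simple security property: read at or below you
    if op == "write":
        return subject <= obj   # *-property: write at or above you
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba protects integrity: no read down, no write up (the BLP mirror)."""
    if op == "read":
        return subject <= obj   # simple integrity axiom: read at or above you
    if op == "write":
        return subject >= obj   # *-integrity axiom: write at or below you
    raise ValueError(f"unknown operation {op!r}")


def brewer_nash_allows(history: set, obj: tuple) -> bool:
    """Brewer-Nash (Chinese Wall). An object is (company, conflict_class).
    Access is denied once the subject has already touched a *different*
    company in the same conflict-of-interest class; the same company and
    unrelated classes stay allowed. The decision depends on history, not labels."""
    company, coi = obj
    return not any(c != company and k == coi for c, k in history)


def verdicts(subject: Level, obj: Level, op: str) -> dict:
    """Side-by-side decision so the exam-trap inversion is visible."""
    return {"BLP": blp_allows(subject, obj, op), "Biba": biba_allows(subject, obj, op)}


if __name__ == "__main__":
    for op in ("read", "write"):
        print(op, "by SECRET subject on PUBLIC object:", verdicts(Level.SECRET, Level.PUBLIC, op))
    seen = {("BankA", "banking")}   # constructed history: analyst already saw Bank A
    print("Bank B after Bank A:", brewer_nash_allows(seen, ("BankB", "banking")))
    print("OilCo after Bank A:", brewer_nash_allows(seen, ("OilCo", "oil")))
```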

Access-control chooser

Model | Best use | Easy confusion
DAC | flexible owner-controlled access | weaker governance
MAC | labels and clearances | high-assurance confidentiality
RBAC | enterprise role-driven access | standard corporate choice
ABAC | context and attributes drive policy | dynamic, zero-trust-friendly
rule-based | system-enforced if/then decisions | common in firewalls and NAC

IAM and privilege-control chooser

Requirement | Strongest first fit | Why
strongest login assurance | MFA | independent factors raise confidence
enterprise SSO to many apps | federation with SAML or OIDC | central auth and lifecycle control
delegated API access | OAuth 2.0 | authorization delegation, not identity alone
privileged admin with reduced exposure | PAM/PIM, JIT, JEA | reduces standing privilege
rapid user lifecycle cleanup | joiner-mover-leaver process with quick deprovisioning | stale access is a recurring exam trap

Crypto and PKI chooser

Requirement | Strongest first fit | Why
confidentiality for bulk data | symmetric encryption such as AES | fast for bulk operations
digital signature or nonrepudiation | asymmetric signature scheme | proof of origin and integrity
integrity check with sender assurance | HMAC | hash plus shared-secret authenticity
key exchange with forward secrecy | ephemeral Diffie-Hellman style exchange | compromise of long-term keys should not expose old sessions
strong key protection | HSM or managed key service | better custody and audit controls

IR, forensics, and continuity chooser

Requirement | Strongest first fit | Why
active incident | containment before eradication | stop harm before cleanup
evidence preservation | chain of custody and volatility-aware collection | keep evidence admissible and credible
severe outage with low downtime tolerance | hot site, active-active, preplanned failover | outage-time requirement is tight
moderate downtime tolerance | warm site | balance readiness and cost
lowest cost recovery path | cold site or backup restore | slower but cheaper

What strong answers usually do

  • choose the control that is risk-aware, scalable, and auditable
  • separate governance decisions from engineering decisions and from incident-response decisions
  • prefer preventive and least-privilege controls before reactive cleanup
  • think like a security leader or architect, not a single-tool operator

Revised on Sunday, May 10, 2026