The 8 CISSP CBK Domains Explained (and How Hard Each One Actually Is)

TL;DR

• The CISSP CBK has 8 domains. Total weight is 100% of the exam. They are NOT equally weighted — Domain 1 is the heaviest at 16%, Domain 2 and Domain 8 are the lightest at 10% each.
• Most candidates rank Domain 3 (Security Architecture and Engineering) and Domain 8 (Software Development Security) as the hardest. Domain 2 (Asset Security) and Domain 5 (IAM) are usually the easiest for working security professionals.
• The exam thinks in terms of risk management first, technical detail second. Even technical domains test management-style reasoning.

Domain 1 — Security and Risk Management (16% weight)

What it actually covers

• The CIA triad and parkerian hexad
• Security governance, organizational alignment, due care vs due diligence
• Compliance and legal — GDPR, HIPAA, PCI-DSS, SOX, regional privacy laws, intellectual property categories
• Ethics — ISC2 Code, RFC 1087
• Risk management — risk treatment options (accept, transfer, mitigate, avoid), quantitative vs qualitative analysis, ALE / SLE / ARO / EF calculations
• Business continuity — BIA, RTO, RPO, MTD, BCM, DRP
• Personnel security, vendor management, third-party risk
• Security awareness training

Why it's ranked first AND heaviest

Domain 1 trains you to think like a CISO. Every other domain's questions assume you're applying Domain 1 reasoning. Master Domain 1 and you start getting other-domain questions right by reflex ("risk-assess first, then implement").

Study tips

• Memorize the BC/DR acronyms cold (RTO, RPO, MTD, WRT, MTBF, MTTR). They appear constantly.
• Practice ALE = SLE × ARO calculations until they're reflex.
• Know the difference between "due care" (what a reasonable person would do) and "due diligence" (continuous verification it's being done).

Domain 2 — Asset Security (10% weight)

What it actually covers

• Asset and data classification (Public / Internal / Confidential / Restricted, or government variants)
• Data states: at rest, in transit, in use
• Data lifecycle: creation, classification, use, archival, destruction
• Data roles: owner, custodian, user, processor, controller, DPO
• Data retention policies
• Data destruction methods (clearing, purging, destruction; degaussing; cryptographic erasure)
• Privacy specifics (PII, PHI, cardholder data)

Difficulty

Usually the easiest domain. Most material is rote learning of role definitions and lifecycle stages. The trap is overconfidence — questions about data destruction methods for specific media types (SSD vs HDD vs optical) catch lazy preparers.

Domain 3 — Security Architecture and Engineering (13% weight, HARD)

What it actually covers

• Security engineering principles (defense in depth, fail-safe defaults, separation of duties, complete mediation)
• Security models — Bell-LaPadula (confidentiality), Biba (integrity), Clark-Wilson (integrity with separation of duties), Brewer-Nash (conflict of interest), Take-Grant, Graham-Denning
• Evaluation criteria — Common Criteria (EAL levels), TCSEC (historical), ITSEC (historical)
• Trusted Computing Base (TCB), security perimeter, reference monitor concept
• Hardware security — TPM, HSM, secure boot
• Cryptography — symmetric (AES, 3DES, RC4, Blowfish), asymmetric (RSA, ECC, ElGamal, Diffie-Hellman), hash functions (MD5, SHA family, HMAC), digital signatures, PKI (CA, RA, CRL, OCSP)
• Cryptanalysis attacks (brute force, dictionary, rainbow tables, birthday, MITM, replay, side-channel)
• Physical security controls

Why it's hard

Two reasons. One: the security models are abstract and look interchangeable — every candidate confuses BLP and Biba at least once. Two: cryptography questions reward specific recall (which mode of operation does what, which key size matches which algorithm, which attack works against which cipher) and there's no shortcut for it.

Study tips

• Pair each security model with a real-world use case (BLP = military, Biba = banking integrity, Clark-Wilson = banking transactions with separation of duties, Brewer-Nash = consulting firm conflict-of-interest walls).
• Make a flashcard for every cipher: name, type (sym/asym), key size, block size, mode support, status (current / deprecated / broken).
• Know which hash functions are broken for collisions (MD5, SHA-1) vs which are still safe.
• Practice PKI scenarios — who issues, who signs, what's in a cert, how revocation works (CRL vs OCSP vs OCSP stapling).

Domain 4 — Communication and Network Security (13% weight)

What it actually covers

• OSI model and TCP/IP stack — by layer, with example protocols at each
• Protocols — IP, TCP, UDP, ICMP, ARP, DNS, DHCP, HTTP/HTTPS, FTP, SFTP, SSH, SMTP, IMAP, POP3, SNMP, RADIUS, TACACS+, LDAP, Kerberos
• Network architecture — segmentation, VLANs, DMZ, extranet, screened subnet
• Network attacks — spoofing, scanning, DoS/DDoS, MITM, replay, session hijacking, smurf, fraggle, teardrop, SYN flood, BGP hijacking
• Wireless security — WEP (broken), WPA, WPA2, WPA3, 802.1X, EAP variants
• VPN technologies — IPsec (AH vs ESP, transport vs tunnel mode), SSL/TLS VPN, L2TP, PPTP (legacy)
• Voice and multimedia security — VoIP, SIP, SRTP
• Software-defined networking (SDN), software-defined perimeter (SDP), zero trust

Difficulty

Easy if you have a networking background. Hard if you don't — Domain 4 has the most rote-recall questions in the exam (which port runs which protocol, which OSI layer hosts which attack).

Domain 5 — Identity and Access Management (13% weight)

What it actually covers

• Authentication factors (something you know / have / are / do / are at)
• Authentication mechanisms — passwords, tokens, biometrics, MFA
• Access control models — DAC, MAC, RBAC, ABAC, RuBAC, risk-based
• SSO and federation — SAML 2.0, OAuth 2.0, OIDC, Kerberos
• Identity providers vs service providers, IdP-initiated vs SP-initiated flows
• Federated identity protocols — what FIDO2, WebAuthn, passkeys are
• Identity governance — provisioning, deprovisioning, recertification, JIT access
• Privileged access management (PAM) and just-enough-access

Difficulty

Medium. Most working security professionals have direct experience with at least half of Domain 5's material. The questions can get tricky on federation flows (which side does what in SAML) and on attack patterns (Kerberos golden ticket, silver ticket, AS-REP roasting, pass-the-hash, pass-the-ticket).

Domain 6 — Security Assessment and Testing (12% weight)

What it actually covers

• Audit strategies — internal / external / third-party, financial vs operational vs compliance vs IT audit
• Audit standards — SSAE 18 (SOC reports), ISAE 3402, ISO/IEC 27001 ISMS audit
• Vulnerability assessment vs penetration test vs red team vs purple team vs adversary simulation
• Penetration testing methodology — reconnaissance, scanning, exploitation, post-exploitation, reporting
• Common testing tools (in concept, not by command syntax)
• Code review approaches — static (SAST), dynamic (DAST), interactive (IAST), software composition analysis (SCA)
• Log review and SIEM concepts
• Test data management, account management testing, regression testing
• Breach attack simulation (BAS) tools

Difficulty

Moderate. The trap is conflating types of assessment (vuln scan ≠ pentest ≠ red team). Question writers love testing that you know which one is appropriate for which scenario.

Domain 7 — Security Operations (13% weight)

What it actually covers

• Incident response — preparation, detection, analysis, containment, eradication, recovery, lessons learned (NIST SP 800-61 phases)
• Digital forensics — evidence handling, chain of custody, hashing, write blockers, volatile data ordering (order of volatility)
• Threat intelligence — tactical, operational, strategic; CTI lifecycle; IOC vs TTP
• Configuration management, change management, patch management
• Vulnerability management lifecycle
• Logging and monitoring — what to log, log management, SIEM, SOAR
• BC/DR (deeper than Domain 1) — backup strategies (full / incremental / differential / synthetic), site types (cold / warm / hot / mobile / mirrored), failover
• Physical security operations (badges, mantraps, fencing, lighting, CCTV)
• Personnel safety, duress, evacuation

Difficulty

Moderate. Heavy on incident-response and forensics scenarios, which reward managerial thinking. The exam will test "what do you do FIRST" questions — the answer is almost always "contain the damage" or "preserve evidence integrity" or "notify management" depending on context.

Domain 8 — Software Development Security (10% weight, HARD)

What it actually covers

• SDLC models — waterfall, agile, spiral, iterative, DevOps, DevSecOps
• Software development security frameworks — BSIMM, OWASP SAMM
• OWASP Top 10 (current edition) — by name AND by example exploit
• Source code review — manual vs automated, code-as-data vs code-as-process
• SAST vs DAST vs IAST vs RASP — what each does, when each runs, what each misses
• Software composition analysis (SCA), SBOM, supply-chain attacks
• Common vulnerabilities — injection (SQL, command, LDAP, XPath), XSS (stored vs reflected vs DOM), CSRF, broken auth, IDOR, deserialization
• Secure coding practices — input validation, output encoding, parameterized queries
• API security (REST, GraphQL, SOAP)
• Database security — concurrency control, aggregation/inference attacks, polyinstantiation
• Software acceptance — testing, certification, accreditation

Why it's hard for non-developers

Domain 8 assumes you've at least seen real code. Concepts like deserialization attacks or polyinstantiation feel abstract without context. Non-developers should spend disproportionate practice-question time here.

Study tips

• Read the current OWASP Top 10 page on owasp.org. Make a flashcard per item with one example attack and one defense.
• Know the difference between SAST (looks at code), DAST (looks at running app), IAST (looks at running app from inside the app), and SCA (looks at dependencies).
• Know what a software supply-chain attack is and how SBOMs help.

How to allocate study time across domains

If you have 100 hours total to study, here's a rough split that respects both exam weight and difficulty for the average candidate:

Note that Domains 3 and 8 get MORE time than their raw weight suggests because their question difficulty is higher per topic. Domain 2 gets less because the material is relatively easy to internalize.

Frequently asked questions

Are all 8 domains tested on every exam?

Yes — every CAT exam draws questions from all 8 domains, weighted to the percentages above. You cannot skip a domain.

Are there harder and easier domains?

Yes, statistically. Domain 3 (Architecture/Engineering) and Domain 8 (Software Dev) are most frequently cited as "Below Proficiency" on failed-attempt reports. Domain 2 and Domain 5 are most often "Above Proficiency" on passed attempts.

Will the domains change again soon?

Unlikely before late 2027. ISC2 typically refreshes the CBK every 3–4 years. The 2024 refresh was substantial; the 2026 exam blueprint is the same as 2024.

Do I have to score above the threshold in every domain?

No — CISSP uses a combined scaled score (700/1000 to pass). You can score weaker in one domain if you compensate in others. But you can't completely tank one domain — the exam algorithm pulls questions until it has confidence in your overall competence.

Next steps

• Read the 90-day study plan to put this into a real timeline.
• Read the full CISSP exam guide for the broader context (cost, eligibility, exam day).
• Compare CISSP to other senior certs if you're still choosing.
• When you pass, browse GRC jobs or US cyber jobs.