
CISSP Made Simple

  • manishxtech
  • Aug 12
  • 3 min read

CISSP Made Simple – The 8 Security Domains Explained

The CISSP (Certified Information Systems Security Professional) certification is like a master’s toolkit for cybersecurity pros. It covers 8 big areas (called domains) that make up the (ISC)² Common Body of Knowledge (CBK). Think of these domains as 8 pillars of security — together, they help you design, run, and protect any organization’s information systems from threats.

Here’s the beginner-friendly breakdown:


1. Security and Risk Management (16%)

This is the foundation of all security work. It’s about setting rules, understanding risks, and making sure everything you do follows the law and ethical standards.

What’s inside:

  • Setting company-wide security policies.

  • Following laws like GDPR, HIPAA, etc.

  • Assessing risks and planning how to handle them.

  • Business continuity planning (keeping things running during disasters).

  • Following ethical guidelines for security pros.


Example: A company finds that its customer database could be hacked. They assess the risk, encrypt the data, and train employees to handle customer info securely.


2. Asset Security (10%)

This domain is all about protecting “what you own” — data, systems, and devices.

What’s inside:

  • Classifying data (e.g., Public, Internal, Confidential).

  • Setting rules for storing and deleting information.

  • Protecting personal and sensitive information.


Example: An organization encrypts confidential files and securely wipes hard drives before disposing of them.


3. Security Architecture and Engineering (13%)

Here we get into secure system design — building things to be safe from the start.

What’s inside:

  • Designing secure software, hardware, and networks.

  • Using security frameworks and models.

  • Applying cryptography (encryption) to protect data.

  • Making systems resilient to attacks.


Example: A company sets up multiple layers of security — firewalls, intrusion detection, and encrypted communication — to protect against hackers.


4. Communication and Network Security (13%)

This covers protecting data while it’s moving — emails, chats, file transfers, or any network traffic.

What’s inside:

  • Designing secure networks (segmentation, VPNs, DMZs).

  • Using secure protocols for communication.

  • Securing wireless, mobile, and cloud systems.


Example: A retail business sets up a secure VPN for remote employees and encrypts all customer payment transactions.

5. Identity and Access Management (IAM) (13%)

IAM is about controlling who gets in and what they can do.

What’s inside:

  • Managing user accounts.

  • Using multi-factor authentication (MFA) and biometrics.

  • Access control models (RBAC, MAC, DAC, ABAC).

  • Single sign-on (SSO) systems.


Example: A company uses MFA and role-based access so employees only see the data they need for their job.


6. Security Assessment and Testing (12%)

You can’t improve what you don’t measure. This domain is about checking if your defenses actually work.

What’s inside:

  • Vulnerability scans.

  • Penetration testing.

  • Security audits.

  • Continuous monitoring.


Example: A security team runs monthly penetration tests to find weak spots before hackers do.


7. Security Operations (13%)

This is security in action — the day-to-day work of protecting systems.

What’s inside:

  • Incident detection and response.

  • Logging and monitoring activity.

  • Disaster recovery planning.

  • Forensics (investigating after a breach).


Example: When a breach happens, the team uses logs to trace the attack, contains the damage, and updates defenses.


8. Software Development Security (10%)

This domain ensures that security is part of the coding process.

What’s inside:

  • Writing secure code.

  • Testing apps for vulnerabilities.

  • Secure software development lifecycle (SDLC).

  • Managing third-party software risks.


Example: Developers follow secure coding rules and use tools to detect vulnerabilities before releasing an app.


Key Notes for Quick Reading

  • CISSP = 8 domains that together cover every aspect of cybersecurity.

  • Risk Management is the foundation — know your risks before building defenses.

  • Asset Security protects what you have.

  • Architecture & Engineering builds safe systems from the start.

  • Network Security protects data while it’s traveling.

  • IAM ensures only the right people access the right data.

  • Assessment & Testing finds weaknesses before attackers do.

  • Security Operations keeps daily protection running.

  • Software Security ensures apps are safe before launch.


