0xnhl

Back

CISSP Domains

Created: 1/12/2026 Updated: 1/12/2026
#gcpc#cybersec

The 8 CISSP security domains#

  • Security and risk management: defines security goals and objectives, risk mitigation, compliance, business continuity, and the law.
  • Asset security: Secures digital and physical assets. It’s also related to the storage, maintenance, retention, and destruction of data.
  • Security architecture and engineering: Optimizes data security by ensuring effective tools, systems, and processes are in place.
  • Communication and network security: Manage and secure physical networks and wireless communications.
  • Identity and access management: Keeps data secure, by ensuring users follow established policies to control and manage physical assets, like office spaces, and logical assets, such as networks and applications. ^3f4c32
  • Security assessment and testing: conducting security control testing, collecting and analyzing data, and conducting security audits to monitor for risks, threats, and vulnerabilities.
  • Security operations: conducting investigations and implementing preventative measures.
  • Software development security: Uses secure coding practices, which are a set of recommended guidelines that are used to create secure applications and services.
    CISSP Domains

Domain one: Security and risk management#

All organizations must develop their security posture. Security posture is an organization’s ability to manage its defense of critical assets and data and react to change. Elements of the security and risk management domain that impact an organization’s security posture include:

  • Security goals and objectives
  • Risk mitigation processes
  • Compliance
  • Business continuity plans
  • Legal regulations
  • Professional and organizational ethics

Information security, or InfoSec, is also related to this domain and refers to a set of processes established to secure information. An organization may use playbooks and implement training as a part of their security and risk management program, based on their needs and perceived risk. There are many InfoSec design processes, such as:

  • Incident response
  • Vulnerability management
  • Application security
  • Cloud security
  • Infrastructure security

As an example, a security team may need to alter how personally identifiable information (PII) is treated in order to adhere to the European Union’s General Data Protection Regulation (GDPR).

Domain two: Asset security#

Asset security involves managing the cybersecurity processes of organizational assets, including the storage, maintenance, retention, and destruction of physical and virtual data. Because the loss or theft of assets can expose an organization and increase the level of risk, keeping track of assets and the data they hold is essential. Conducting a security impact analysis, establishing a recovery plan, and managing data exposure will depend on the level of risk associated with each asset. Security analysts may need to store, maintain, and retain data by creating backups to ensure they are able to restore the environment if a security incident places the organization’s data at risk.

Domain three: Security architecture and engineering#

This domain focuses on managing data security. Ensuring effective tools, systems, and processes are in place helps protect an organization’s assets and data. Security architects and engineers create these processes.

One important aspect of this domain is the concept of shared responsibility. Shared responsibility means all individuals involved take an active role in lowering risk during the design of a security system. Additional design principles related to this domain, which are discussed later in the program, include:

  • Threat modeling
  • Least privilege
  • Defense in depth
  • Fail securely
  • Separation of duties
  • Keep it simple
  • Zero trust
  • Trust but verify

An example of managing data is the use of a security information and event management (SIEM) tool to monitor for flags related to unusual login or user activity that could indicate a threat actor is attempting to access private data.

Domain four: Communication and network security#

This domain focuses on managing and securing physical networks and wireless communications. This includes on-site, remote, and cloud communications. 

Organizations with remote, hybrid, and on-site work environments must ensure data remains secure, but managing external connections to make certain that remote workers are securely accessing an organization’s networks is a challenge. Designing network security controls—such as restricted network access—can help protect users and ensure an organization’s network remains secure when employees travel or work outside of the main office.

Domain five: Identity and access management#

The identity and access management (IAM) domain focuses on keeping data secure. It does this by ensuring user identities are trusted and authenticated and that access to physical and logical assets is authorized. This helps prevent unauthorized users, while allowing authorized users to perform their tasks.

Essentially, IAM uses what is referred to as the principle of least privilege, which is the concept of granting only the minimal access and authorization required to complete a task. As an example, a cybersecurity analyst might be asked to ensure that customer service representatives can only view the private data of a customer, such as their phone number, while working to resolve the customer’s issue; then remove access when the customer’s issue is resolved.
There are four main components to IAM.

  • Identification is when a user verifies who they are by providing a user name, an access card, or biometric data such as a fingerprint.
  • Authentication is the verification process to prove a person’s identity, such as entering a password or PIN.
  • Authorization takes place after a user’s identity has been confirmed and relates to their level of access, which depends on the role in the organization.
  • Accountability refers to monitoring and recording user actions, like login attempts, to prove systems and data are used properly.

Domain six: Security assessment and testing #

The security assessment and testing domain focuses on identifying and mitigating risks, threats, and vulnerabilities. Security assessments help organizations determine whether their internal systems are secure or at risk. Organizations might employ penetration testers, often referred to as “pen testers,” to find vulnerabilities that could be exploited by a threat actor. 

This domain suggests that organizations conduct security control testing, as well as collect and analyze data. Additionally, it emphasizes the importance of conducting security audits to monitor for and reduce the probability of a data breach. To contribute to these types of tasks, cybersecurity professionals may be tasked with auditing user permissions to validate that users have the correct levels of access to internal systems.

Domain seven: Security operations #

The security operations domain focuses on the investigation of a potential data breach and the implementation of preventative measures after a security incident has occurred. This includes using strategies, processes, and tools such as:

  • Training and awareness
  • Reporting and documentation
  • Intrusion detection and prevention
  • SIEM tools   
  • Log management
  • Incident management
  • Playbooks
  • Post-breach forensics
  • Reflecting on lessons learned

The cybersecurity professionals involved in this domain work as a team to manage, prevent, and investigate threats, risks, and vulnerabilities. These individuals are trained to handle active attacks, such as large amounts of data being accessed from an organization’s internal network, outside of normal working hours. Once a threat is identified, the team works diligently to keep private data and information safe from threat actors.  

Domain eight: Software development security#

The software development security domain is focused on using secure programming practices and guidelines to create secure applications. Having secure applications helps deliver secure and reliable services, which helps protect organizations and their users.
Security must be incorporated into each element of the software development life cycle, from design and development to testing and release. To achieve security, the software development process must have security in mind at each step. Security cannot be an afterthought.
Performing application security tests can help ensure vulnerabilities are identified and mitigated accordingly. Having a system in place to test the programming conventions, software executables, and security measures embedded in the software is necessary. Having quality assurance and pen tester professionals ensure the software has met security and performance standards is also an essential part of the software development process. For example, an entry-level analyst working for a pharmaceutical company might be asked to make sure encryption is properly configured for a new medical device that will store private patient data.