You’ve made an intelligent choice to aim for CISSP as your next certification, but the sheer volume of CISSP study materials can be intimidating. CISSP study guides can also be overwhelming. Moreover, the CISSP exam is long, and you need a brief outline to help you remember how to tie all the exam concepts together.
The good news is, you’ve come to the right place: this CISSP cheat sheet is the brief outline you need. We’ve drawn a roadmap of top ideas to help you navigate this challenging certification. It highlights the concepts which are the foundations of the other concepts.
We hope this CISSP exam cheat sheet helps you prepare well for this examination wherever you are in your cyber security career. Download this cheat sheet here, and let’s get started.
What is the CISSP Certification?
Certified Information Systems Security Professional (CISSP) is a highly sought-after information security certification developed by (ISC)2, an abbreviation for the nonprofit “International Information System Security Certification Consortium.”
To become CISSP-certified, you need to:
- Pass the CISSP examination to become an Associate;
- Submit the required documentation showing you have cumulative paid full-time work experience of five years, or four years plus proof of having gained a four-year tertiary degree or (ISC)2-approved credential; and
- Get endorsed by a member of (ISC)2.
Find the details on CISSP work experience requirements here.
The following diagram illustrates the eight domains of the CISSP Common Body of Knowledge (CBK).
Here is an overview of the two CISSP exam formats available:
|Exam format||Dynamic; Computerized Adaptive Testing (CAT)||Linear; fixed-form|
|Language(s) available||✔ English||✔ French|
✔ Spanish (Modern)
✔ Simplified Chinese
|Number of questions||125–175||250|
|Can I change answers to earlier questions?||No||Yes|
The passing mark is 700 out of 1000, and you can only take the examination on a computer via Pearson VUE. The exam consists of multiple-choice (four options, one correct answer) and scenario-based questions. As CISSP is a long examination, candidates may take breaks but won’t get compensation in the form of extra exam time.
Remember to pick up (ISC)2’s CISSP Ultimate Guide and Exam Action Plan.
Table Of Contents
- What is the CISSP Certification?
- Frequently Asked Questions
We’ve broken down the concepts and terms of the CBKs below. You may find the latest updates on the exam here. Remember to check out our Security+ cheat sheet, as both syllabi have overlapping concepts.
Security and Risk Management
This domain is the basis for all other domains, covering fundamental risk mitigation, legal and regulatory issues, professional ethics, and security concepts in an organizational context.
|CIA||Confidentiality, Integrity, Availability|
|DAD||Disclosure, Alteration, Destruction|
|IAAA||Identification and Authentication, Authorization and Accountability|
|Least privilege||Minimum necessary access|
|Need to know||Just enough data to do your job|
|Non-repudiation||One cannot deny having done something|
|PCI-DSS||Payment Card Industry Data Security Standard|
|OCTAVE||Operationally Critical Threat, Asset, and Vulnerability Evaluation|
|FRAP||Facilitated Risk Analysis Process|
|COBIT||Control Objectives for Information and Related Technology|
|COSO||Committee of Sponsoring Organizations|
|ITIL||Information Technology Infrastructure Library|
|ISMS||Information security management system|
|ISO||International Organization for Standardization|
|IEC||International Electrotechnical Commission|
|ISO/IEC 27000 series||International standards on how to develop and maintain an ISMS developed by ISO and IEC|
|Defense in Depth/Layered Defense/Onion Defense||Multiple overlapping security controls to protect assets|
|Liability||Who is held accountable; C-level executives (senior leadership/management) are ultimately liable|
|Due care||Implementing security practices and patches|
Memory aid: Do Correct
|Due diligence||Checking for vulnerabilities|
Memory aid: Do Detect
|Negligence||Opposite of due care, without which you may become liable|
|GDPR||General Data Protection Regulation|
|Court-admissible evidence||• Relevant|
|HIPAA||Health Insurance Portability and Accountability Act|
|ECPA||Electronic Communications Privacy Act|
|USA PATRIOT ACT||2001 legislation expanding law enforcement electronic monitoring|
|CFAA||Computer Fraud and Abuse Act—Title 18 Section 1030 for prosecuting computer crimes|
|SOX||Sarbanes-Oxley Act (2002)|
|Red team, blue team, purple team, etc.||(Refer to graphic below)|
Check out our articles on cyber security rules and regulations here.
What do terms like “red team” and “blue team” mean in penetration testing?
The primary colors red, blue, and yellow refer to attackers, defenders, and builders of a system respectively. The secondary colors are combinations of these roles. For example, purple team members have dual attack/defense roles. The white team supervises the hack.
Key concepts involving data and information are here.
|Data at rest||On computer storage|
|Data in use/processing||In RAM being accessed|
|Data in transit/motion||Traveling along cables or broadcasting wirelessly|
|DRM||Digital Rights Management|
|CASB||Cloud Access Security Broker|
|DLP||Data Loss Prevention|
|Soft destruction||Preserve storage hardware|
|Full physical destruction||Destroy storage hardware|
Security Architecture and Engineering
Here we focus on the most important methods to protect our assets.
Secure architecture and design
A well-designed computer system/network can deter many attacks.
|Zachman framework||• What/data, How/function, Where/network, Who/people, When/time, and Why/motivation|
• Planner, Owner, Designer, Builder, Implementer, and Worker
|TOGAF||The Open Group Architecture Framework|
|DoDAF||Department of Defense Architecture Framework|
|MODAF||Ministry of Defence Architecture Framework|
|SABSA||Sherwood Applied Business Security Architecture|
|The Red Book||Trusted Network Interpretation (TNI); part of a Rainbow Series|
|The Orange Book||The Trusted Computer System Evaluation Criteria (TCSEC); part of a Rainbow Series|
|Type 1 hypervisor||Bare or native metal|
|Type 2 hypervisor||App-like virtual machine on the operating system|
|IaaS||Infrastructure as a service|
|PaaS||Platform as a service|
|SaaS||Software as a service|
“A cryptographic system should be secure even if everything about the system, except the key, is public knowledge.”—Auguste Kerckhoffs, cryptographer
• key length
• block size
• number of rounds
• Diffie-Hellman key exchange
• Elliptic-curve cryptography
|Hashing||One-way, deterministic process of transforming a string of characters into another|
|Salting||Characters appended to a string (e.g., password) before hashing|
|Steganography||Hide data inside other data|
|Quantum||Exploit quantum mechanics|
|Post-quantum||Secure against cryptanalysis by quantum computer|
|Brute-force attack||Trying character combinations|
Variant: spraying (trying the same password across different accounts)
|Dictionary attack||Using lists of probable passwords|
|Rainbow tables||Using pre-calculated password hashes|
|Key stretching||Method that strengthens weak passwords|
A given physical security measure can fall into one or more categories below.
|Preventative||For preventing attacks, e.g., tall fences, locked doors, bollards|
|Detective||For detecting attacks, e.g., CCTV, alarms|
|Deterrent||For obstructing an attack, e.g., fences, security guards, dogs, lights, warning signs.|
|Compensating||To compensate for other controls, e.g., locks, alarms, sensors, shock absorbers in data center|
|Administrative||Compliance, policies, procedures, staff training, etc.|
Communication and Network Security
Here, we cover network and communications concepts that warrant review and how to protect such channels.
|Half-duplex||Send/receive one at a time only|
|Baseband||One channel, send one signal at a time|
|Broadband||Multiple channels, send/receive many signals at a time|
|OSI model||Open Systems Interconnect:|
2. Data Link
Memory aid: Please Do Not Throw Sausage Pizza Away
|ARP||Address Resolution Protocol|
|NAT||Network Address Translation|
|PAT||Port Address Translation|
|DHCP||Dynamic Host Configuration Protocol|
|PANA||Protocol for Carrying Authentication for Network Access|
|SLIP||Serial Line Internet Protocol|
|DMZ||Demilitarized zone (screened subnet):|
• External network
• External router
• Perimeter network
• Internal router
• Internal network
Learn more about ports and protocols with our Common Ports Cheat Sheet here.
Identity and Access Management (IAM)
Logical and physical controls, identity-related services, and access control attacks comprise this domain.
|FRR||False rejection rate|
|FAR||False acceptance rate|
|CER/EER||Crossover error rate/equal error rate|
|IDaaS||Identity as a Service|
|Kerberos||Ticketing-based authentication protocol|
|SESAME||Secure European System for Applications in a Multi-vendor Environment|
|RADIUS||Remote Authentication Dial-In User Service|
|TACACS||Terminal Access Controller Access Control System|
|XTACACS||TACACS with separate authentication, authorization, and auditing processes|
|TACACS+||XTACACS plus 2FA|
|Diameter||Like RADIUS and TACACS+ with more flexibility|
|PAP||Password Authentication Protocol|
|CHAP||Challenge-Handshake Authentication Protocol|
Security Assessment and Testing
Penetration testing (pentesting) falls under this domain, which, being much more expansive, encompasses technical stress tests and reporting of vulnerabilities to non-technical members of the organization.
|Static testing||Passively test code but not run it|
|Dynamic testing||Test code during execution|
|Fuzzing (Fuzz testing)||Input random characters and expect spurious results|
|Penetration testing (pentesting)||Actively exploit vulnerabilities|
|Black/gray/white box||Zero/Partial/extensive-knowledge pentesting|
|SOC||Service Organization Controls: 1, 2, and 3|
This domain emphasizes the aspects of information security on management, prevention, recovery, and digital forensics.
|BCP||Business continuity plan|
|BIA||Business impact analysis|
|COOP||Continuity of operations|
|DRP||Disaster Recovery Plan|
|MTBF||Mean time between failures|
|MTTF||Mean time to failure|
|MTTR||Mean time to repair|
|RTO||Recovery time objective|
|RPO||Recovery point objective|
|SIEM||Security information and event management|
|PAM||Privileged Account/Access Management|
|UEBA||User and Entity Behavior Analytics|
|Database Shadowing||Exact real-time copies of database/files to another location|
|Electronic Vaulting (E-vaulting)||Make remote backups at certain intervals or when files change|
|Remote Journaling||Sends transaction log files to a remote location, not the files themselves|
|Ways to minimize insider threats||• Least privilege|
• Need to know
• Separation of duties
• Job rotation
• Mandatory vacations
• Presentation in Court
• Court decision
• Real evidence
• Evidence integrity
• Chain of custody (to prove the integrity of the data)
○ Who handled it?
○ When did they handle it?
○ What did they do with it?
○ Where did they handle it?
|Disk-based forensic data||• Allocated space|
• Unallocated space
• Slack space
• Bad blocks/clusters/sectors
* This step is for real-world job settings only. It’s outside the CISSP exam syllabus, but in practice, the more thoroughly an organization equips its team for security incidents, the better it handles problems and the faster it recovers from them.
Software Development Security
Building security controls into software applications is a new best practice in cyber security, and a CISSP needs to know how to secure software during its development.
|EULA||End-User License Agreement|
|SDLC||Software development life cycle:|
|CI/CD||Continuous Integration/Continuous [Delivery/Deployment/Development]|
|DevOps||Cooperation between development, operations, and quality assurance|
|DevSecOps||DevOps plus security|
|Software Development Methodologies||• Waterfall|
• Extreme Programming (XP)
• Rapid Application Development (RAD)
|ORB||Object Request Broker|
|CORBA||Common Object Request Broker Architecture|
|ACID model||Atomicity, Consistency, Isolation, and Durability|
|OWASP||Open Web Application Security Project; identifies top vulnerabilities|
|CSRF/XSRF||Cross-Site Request Forgery|
|SOAR||Security Orchestration, Automation, and Response|
|Expert System||Computer system that emulates humanlike decision-making ability|
|ANN||Artificial Neural Networks|
We hope this CISSP exam cheat sheet provides a bird’s-eye view of the CISSP syllabus, accelerates your cyber security journey, and helps you realize your career ambitions.
Find our CISSP course offerings here and check out our other articles on CISSP. We wish you all the best in your CISSP exam and beyond.
Frequently Asked Questions
Can I pass the CISSP exam in three months?
Yes, depending on your level of expertise. If you’re new to (ISC)2 certifications, expect your preparation to span three months or longer. If you have hands-on experience, that can affect the time you need. If you’re a seasoned (10+ years) IT security professional, you’re more likely to pass it with less study time.
Is the CISSP exam hard?
Absolutely. This exam is challenging and encompasses a lot of material. Still, it’s an important rite of passage for those aiming to enter middle or upper management to implement information security policies.
What is the pass rate of CISSP?
(ISC)2 doesn’t provide pass-rate information to CISSP training providers. Our advice is to prepare well, do your best, and have a solid plan to retake CISSP in case you fail (a study plan scheduling your time, taking a break, and trying again).
Why do people fail CISSP?
CISSP requires you to answer as if you’re a manager and risk advisor in an ideal workplace that prioritizes information security instead of as an executive or a hands-on technician in a real-world scenario. Lawyers often excel in CISSP because they don’t read their assumptions into the questions.
Can a beginner take CISSP?
Yes. Beginners can take the exam if they’ve prepared for the steep learning curve and proceed to fulfill all accreditation requirements in the next six years. They’ll become an Associate of (ISC)2, but they can only advertise themselves as a CISSP after accruing the required years of work experience outlined here.
Does CISSP increase salary?
Yes, it does. As of January 2023, ZipRecruiter and PayScale estimate that CISSPs in the United States have annual earnings of $130,185 and $123,000, respectively. This (ISC)2 page has more information on CISSP salaries.
How many times can you fail CISSP?
Countless times, with time for you to cool down: 30 days after the first time you fail it, you may retake your exam. The cool-down period then becomes 60 days after the second failure and 90 days after the third and future attempts. Read about the (ISC)2 Retake Policy here.
Is CISSP like a Master’s degree?
Interestingly enough, yes—thanks to its rigor and the broad knowledge bases it covers. Here is a press release from (ISC)2 with a detailed explanation.
Certifications, Cheat Sheets
Cassandra Lee(Video) Why People Are Failing The CISSP Exam
Cassandra is a writer, artist, musician, and technologist who makes connections across disciplines: cyber security, writing/journalism, art/design, music, mathematics, technology, education, psychology, and more. She's been a vocal advocate for girls and women in STEM since the 2010s, having written for Huffington Post, International Mathematical Olympiad 2016, and Ada Lovelace Day, and she's honored to join StationX. You can find Cassandra on LinkedIn and Linktree.
View all posts