The eight CISSP domains
Domain 1, Security and Risk Management, is the largest domain and covers security governance, compliance, legal issues, professional ethics, and risk management. Risk is expressed as the product of likelihood and impact. Risk responses include accept (tolerate the risk), transfer (insurance or outsourcing), mitigate (reduce likelihood or impact with controls), and avoid (eliminate the activity that creates the risk). Security policies, standards, baselines, guidelines, and procedures form the governance hierarchy.
Domain 2, Asset Security, covers the protection of information assets throughout their lifecycle: classification, ownership, handling, retention, and disposal. Data owners are responsible for classification. Data custodians are responsible for day-to-day protection and handling. Data remanence (data that persists on storage media after deletion) requires secure disposal procedures: overwriting, degaussing (effective only on magnetic media), or physical destruction, chosen according to the media type and the sensitivity of the data.
Domain 3, Security Architecture and Engineering, covers security models (Bell-LaPadula for confidentiality, Biba for integrity), secure design principles, cryptography, and physical security. The principle of least privilege, defense in depth, fail-safe defaults, and separation of duties are among the foundational secure design principles. Domain 4, Communication and Network Security, covers network protocols, firewalls, VPNs, wireless security, and network attacks. Domain 5, Identity and Access Management (IAM), covers authentication methods, access control models (MAC, DAC, RBAC, ABAC), and federation.
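The Bell-LaPadula and Biba rules are easiest to see as an access decision function. The following is an added example, not part of the original page, that encodes both models over a label lattice. It goes slightly beyond the page's summary by including need-to-know categories alongside hierarchical levels, so "dominates" means level is higher or equal and the category set is a superset; the level names and the reuse of the same names for integrity levels are illustrative assumptions.

```python
from dataclasses import dataclass

# Hierarchical levels (assumed names; any totally ordered set works).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A lattice label: hierarchical level plus a set of need-to-know categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # a dominates b when a's level >= b's level and a's categories include b's
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def blp_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if mode == "read":
        # simple security property: subject must dominate the object
        return subject.dominates(obj)
    if mode == "write":
        # *-property: object must dominate the subject (writing at or above own level)
        return obj.dominates(subject)
    raise ValueError(f"unknown mode {mode!r}")


def biba_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Biba (integrity): no read down, no write up. Labels here are integrity labels."""
    if mode == "read":
        # simple integrity property: object must dominate the subject
        return obj.dominates(subject)
    if mode == "write":
        # *-integrity property: subject must dominate the object
        return subject.dominates(obj)
    raise ValueError(f"unknown mode {mode!r}")


def blp_read_write_allowed(subject: Label, obj: Label) -> bool:
    """Under BLP a subject may both read and write an object only at an equal label."""
    return blp_allows(subject, obj, "read") and blp_allows(subject, obj, "write")


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    report = Label("CONFIDENTIAL", frozenset({"CRYPTO"}))
    print("BLP read down :", blp_allows(analyst, report, "read"))    # True
    print("BLP write down:", blp_allows(analyst, report, "write"))   # False
    print("Biba read down:", biba_allows(analyst, report, "read"))   # False
```

Note what each model leaves uncovered: BLP permits a low-clearance subject to write into a higher-classified object (a blind write-up), which is precisely the integrity violation Biba forbids, and Biba permits reading a higher-integrity object regardless of confidentiality. Neither model alone covers both properties, which is why exam questions ask which property a given rule protects.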
Risk management, governance, and the CISSP mindset
The CISSP exam tests management thinking first. When presented with a security problem, the first step is always to understand the risk, not to immediately apply a technical control. The exam repeatedly rewards answers that align security decisions with business objectives, organizational risk tolerance, and cost-benefit analysis. A perfect technical solution that costs more than the asset it protects is not the right CISSP answer.
Domains 6 through 8 cover Security Assessment and Testing (audits, penetration testing, vulnerability assessment), Security Operations (incident response, investigations, recovery), and Software Development Security (SDLC integration, secure coding, code review). Security operations covers the chain of custody for forensic evidence, which requires maintaining an unbroken, documented record of evidence handling from collection through legal proceedings.
Quantitative risk analysis expresses risk in monetary terms. Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO). SLE = Asset Value x Exposure Factor, where the exposure factor is the fraction of the asset's value lost in a single occurrence. These formulas appear in CISSP questions about comparing the cost of a control against the risk it reduces: the value of a safeguard is (ALE before the control minus ALE after the control) minus the control's annual cost. If that value is negative, that is, the control's annual cost exceeds the ALE reduction it achieves, the control is not cost-justified.
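The following is an added worked example, not from the original page, that carries the ALE arithmetic through a control comparison. The asset, threat and control figures are constructed for illustration; the ranking applies the safeguard-value formula (ALE before minus ALE after minus annual control cost) to several candidate controls, which is the shape of the exam's cost-benefit questions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset. Values are constructed example figures."""
    name: str
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF, fraction of AV lost per occurrence (0..1)
    aro: float               # ARO, expected occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    @property
    def sle(self) -> float:
        # SLE = AV x EF
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        # ALE = SLE x ARO
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the EF/ARO that remain once it is in place."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def ale_after(scenario: Scenario, control: Control) -> float:
    """ALE of the same scenario with the control's residual EF and ARO."""
    residual = Scenario(scenario.name, scenario.asset_value,
                        control.residual_ef, control.residual_aro)
    return residual.ale


def safeguard_value(scenario: Scenario, control: Control) -> float:
    """(ALE before - ALE after) - annual cost. Positive means cost-justified."""
    return scenario.ale - ale_after(scenario, control) - control.annual_cost


def is_cost_justified(scenario: Scenario, control: Control) -> bool:
    return safeguard_value(scenario, control) > 0


def rank_controls(scenario: Scenario, controls: list) -> list:
    """Controls ordered from best to worst net annual benefit."""
    return sorted(controls, key=lambda c: safeguard_value(scenario, c), reverse=True)


# Constructed example: a 1,000,000 asset, each incident destroys 25% of it,
# and such an incident is expected once every ten years.
RANSOMWARE = Scenario("ransomware on file server", 1_000_000, 0.25, 0.1)

CANDIDATES = [
    Control("offline backups", annual_cost=10_000, residual_ef=0.25, residual_aro=0.02),
    Control("full rebuild with new platform", annual_cost=30_000, residual_ef=0.25, residual_aro=0.0),
    Control("segmentation + least privilege", annual_cost=4_000, residual_ef=0.10, residual_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE={RANSOMWARE.sle:,.0f}  ALE={RANSOMWARE.ale:,.0f}")
    for c in rank_controls(RANSOMWARE, CANDIDATES):
        print(f"{c.name:35} value={safeguard_value(RANSOMWARE, c):>10,.0f}"
              f"  justified={is_cost_justified(RANSOMWARE, c)}")
```

The second control eliminates the risk entirely yet ranks last, because its annual cost exceeds the whole ALE it removes; this is the "perfect technical solution that costs more than the asset it protects" pattern the exam penalizes.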
How to choose the correct answer
Think like a manager: when asked what to do first, identify and assess risk before implementing controls. Understand the problem before solving it.
Risk responses: Accept (live with it), Transfer (insurance/outsource), Mitigate (controls), Avoid (eliminate the activity). Select based on risk level and cost.
ALE = SLE x ARO. SLE = Asset Value x Exposure Factor. A control is justified if its annual cost is less than the reduction in ALE it achieves (ALE before minus ALE after).
Data owner: classifies data, accountable for protection. Data custodian: implements controls, day-to-day handling.
Bell-LaPadula: no read up, no write down (confidentiality). Biba: no write up, no read down (integrity).
Chain of custody: unbroken documentation for evidence admissibility. A gap can make evidence inadmissible.
CISSP answer pattern: business objectives and risk management first, technical controls second.