CISSP Series 8 Domains Preparation Plan

At Neuromesh, the fast pace of work often made it hard to tell who was responsible for what. The CISSP domains supplied the answer: eight broad areas that together map the full span of cybersecurity knowledge.

The domains created a mental model: not just reacting to issues, but understanding what kind of problem each issue actually is.

What the 8 Domains Help You Do

The domain structure helps shift the question from “what is wrong here?” to “what category of security problem am I looking at?” That is what turns scattered learning into a study system.

CISSP Domain Weightage

The CISSP exam is structured across eight domains, each carrying a stated weight in the exam. Several domains share the same weight, so the percentages are a guide to study effort, not a ranking.

Domain     Domain Name                                  Weightage
Domain 1   Security and Risk Management                 16%
Domain 2   Asset Security                               10%
Domain 3   Security Architecture and Engineering        13%
Domain 4   Communication and Network Security           13%
Domain 5   Identity and Access Management (IAM)         13%
Domain 6   Security Assessment and Testing              12%
Domain 7   Security Operations                          13%
Domain 8   Software Development Security                10%

Source: ISC2 CISSP Certification Exam Outline (the outline effective April 15, 2024; earlier outlines used slightly different weights).

Domain 1 — Security and Risk Management

This domain is about responsibility, governance, and how risk is defined and managed.

What it helps you ask

  • Do we have security policies, and who approves them?
  • Are we aligned with a governance model?
  • What is the threat landscape?
  • Do we assess inherent versus residual risk?
  • How do we balance security goals with business priorities?

Key topics

  • Qualitative and quantitative risk analysis
  • Risk treatment: avoid, mitigate, transfer, accept
  • Security roles and responsibilities
  • Ethics and professional conduct
  • Compliance and legal frameworks
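Quantitative risk analysis is the one part of this domain that is computed rather than argued, so here is an added worked example (written for this page, not ISC2 material or Neuromesh code). It uses the standard CISSP quantities: single loss expectancy SLE = AV x EF, annualized loss expectancy ALE = SLE x ARO, and the value of a safeguard = ALE before the safeguard minus ALE after it minus the safeguard's annual cost. The scenarios, figures and the rule that maps the numbers onto the four treatment options (accept, mitigate, transfer, avoid) are assumptions made for illustration; a real programme would base them on its own asset register and risk appetite.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Scenario:
    """One loss scenario expressed in the CISSP quantitative terms."""
    name: str
    asset_value: float      # AV: value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in a single event (0.0 to 1.0)
    aro: float              # ARO: expected number of occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


@dataclass
class Control:
    """A candidate safeguard and how it changes EF and/or ARO (None = unchanged)."""
    name: str
    annual_cost: float
    new_ef: Optional[float] = None
    new_aro: Optional[float] = None


def residual_ale(s: Scenario, c: Control) -> float:
    """ALE that remains once the control is in place (residual risk)."""
    ef = s.exposure_factor if c.new_ef is None else c.new_ef
    aro = s.aro if c.new_aro is None else c.new_aro
    return s.asset_value * ef * aro


def control_value(s: Scenario, c: Control) -> float:
    """Annual value of a safeguard = ALE(before) - ALE(after) - annual cost of the safeguard."""
    return s.ale() - residual_ale(s, c) - c.annual_cost


def recommend(s: Scenario, controls: List[Control], risk_appetite: float) -> Tuple[str, Optional[str]]:
    """Map the numbers onto a treatment option.

    Decision rule (an assumption of this example, not an ISC2 rule): accept when the inherent
    ALE is already within appetite; otherwise mitigate with the control of highest positive
    value; if no control pays for itself, flag the scenario for transfer (e.g. insurance) or
    avoidance, which a human has to decide between.
    """
    if s.ale() <= risk_appetite:
        return "accept", None
    best = max(controls, key=lambda c: control_value(s, c), default=None)
    if best is not None and control_value(s, best) > 0:
        return "mitigate", best.name
    return "transfer or avoid", None


# Constructed sample data: figures are illustrative only.
RANSOMWARE = Scenario("ransomware on file server", asset_value=500_000, exposure_factor=0.4, aro=0.5)
RANSOMWARE_CONTROLS = [
    Control("offline backups", annual_cost=20_000, new_ef=0.1),
    Control("EDR rollout", annual_cost=60_000, new_aro=0.1),
]
LAPTOP_THEFT = Scenario("laptop theft (encrypted disk)", asset_value=3_000, exposure_factor=1.0, aro=2.0)
FLOOD = Scenario("datacenter flood", asset_value=2_000_000, exposure_factor=0.5, aro=0.02)
FLOOD_CONTROLS = [Control("flood barrier", annual_cost=50_000, new_aro=0.005)]
RISK_APPETITE = 10_000  # assumed: maximum ALE the business will carry per scenario

if __name__ == "__main__":
    for scenario, controls in ((RANSOMWARE, RANSOMWARE_CONTROLS), (LAPTOP_THEFT, []), (FLOOD, FLOOD_CONTROLS)):
        print(f"{scenario.name}: SLE={scenario.sle():,.0f} ALE={scenario.ale():,.0f}")
        for c in controls:
            print(f"  {c.name}: residual ALE={residual_ale(scenario, c):,.0f} value={control_value(scenario, c):,.0f}")
        print("  treatment:", recommend(scenario, controls, RISK_APPETITE))
```

The ransomware case shows why the cheaper control wins: offline backups cut the loss per event, EDR cuts the frequency, and the safeguard-value formula compares them on the same annual basis. The flood case shows a control that reduces risk but costs more than it saves, which is where transfer or avoidance belongs.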

Domain 2 — Asset Security

Before you protect anything, you need to know what exists and how it should be handled.

What it helps you ask

  • What assets do we have?
  • How is data classified and labeled?
  • Who owns it and where is it stored?
  • What retention, backup, and disposal rules apply?

Key topics

  • Data lifecycle management
  • Privacy versus confidentiality
  • Asset handling procedures
  • Regulatory requirements for PII and sensitive data

Domain 3 — Security Architecture and Engineering

This domain is about building security in by design rather than adding it later by patchwork.

What it helps you ask

  • Do we use design principles like least privilege and defense in depth?
  • Are we using strong cryptography?
  • How is trust established between components?
  • What vulnerabilities exist in the system?

Key topics

  • Architectural patterns and security zones
  • Cryptography, hashing, and key management
  • Threat modeling
  • Cloud shared responsibility
  • Hardware, firmware, and OS vulnerabilities

Domain 4 — Communication and Network Security

This domain focuses on how systems communicate and how that communication is protected, segmented, and monitored.

What it helps you ask

  • Do internal services use encryption?
  • Are development, test, and production environments segmented?
  • Is remote access too open?

Key topics

  • Secure network design
  • Protocols such as TLS, SSH, and IPsec
  • VPN and remote access security
  • Network monitoring and detection

Domain 5 — Identity and Access Management

This is the control layer around who gets access, how that access is verified, and how it is removed.

What it helps you ask

  • Who has access to what?
  • Are permissions role-based or manually assigned?
  • How are people offboarded?

Key topics

  • Authentication factors
  • Identity lifecycle management
  • SSO, federated identity, and IDaaS
  • Access control models such as RBAC, ABAC, MAC, and DAC
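The four access control models are easiest to tell apart by who decides and what the decision is based on. The following added example (written for this page; not ISC2 material or Neuromesh code) implements a minimal decision function for each: MAC with the Bell-LaPadula read and write rules over fixed labels, DAC where only an object's owner can edit its ACL, RBAC where permissions attach to roles and offboarding is a role removal, and ABAC where policies are predicates over subject, object and environment attributes. The label set, roles, users and policies are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# ---- MAC (Bell-LaPadula): labels are set by policy, never by the users themselves ----
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}  # assumed label set


def mac_allowed(subject_clearance: str, object_label: str, action: str) -> bool:
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if action == "read":
        return s >= o   # simple security property: no read up
    if action == "write":
        return s <= o   # *-property: no write down
    raise ValueError(f"unknown action {action!r}")


# ---- DAC: the object's owner decides, by editing an ACL that lives with the object ----
@dataclass
class DacObject:
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # user -> {"read", "write"}


def dac_grant(obj: DacObject, actor: str, grantee: str, perm: str) -> None:
    if actor != obj.owner:
        raise PermissionError(f"{actor} is not the owner of this object")
    obj.acl.setdefault(grantee, set()).add(perm)


def dac_allowed(obj: DacObject, user: str, perm: str) -> bool:
    return user == obj.owner or perm in obj.acl.get(user, set())


# ---- RBAC: permissions attach to roles; users are assigned roles, never raw permissions ----
ROLE_PERMS: Dict[str, Set[str]] = {           # assumed roles
    "analyst":   {"ticket:read"},
    "responder": {"ticket:read", "ticket:update"},
    "iam-admin": {"user:manage"},
}
USER_ROLES: Dict[str, Set[str]] = {           # assumed users
    "alice": {"analyst"},
    "bob":   {"responder"},
    "carol": {"responder", "iam-admin"},
}


def rbac_allowed(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS[r] for r in USER_ROLES.get(user, set()))


def offboard(user: str) -> None:
    """Removing the user's role assignments revokes every permission in one step."""
    USER_ROLES.pop(user, None)


# ---- ABAC: each policy is a predicate over subject, object and environment attributes ----
Policy = Callable[[dict, dict, dict], bool]
ABAC_POLICIES: List[Policy] = [               # assumed policies
    # same department, from the corporate network, during business hours
    lambda s, o, e: s["dept"] == o["dept"] and e["network"] == "corp" and 8 <= e["hour"] < 18,
    # the record's owner can always reach it, whatever the environment
    lambda s, o, e: s["id"] == o["owner"],
]


def abac_allowed(subject: dict, obj: dict, env: dict) -> bool:
    return any(policy(subject, obj, env) for policy in ABAC_POLICIES)


if __name__ == "__main__":
    print("MAC  confidential reads secret:", mac_allowed("confidential", "secret", "read"))
    print("MAC  confidential writes secret:", mac_allowed("confidential", "secret", "write"))
    doc = DacObject(owner="alice")
    dac_grant(doc, "alice", "bob", "read")
    print("DAC  bob reads alice's doc:", dac_allowed(doc, "bob", "read"))
    print("RBAC alice updates ticket:", rbac_allowed("alice", "ticket:update"))
    print("ABAC finance user on corp network at 10:00:",
          abac_allowed({"id": "u1", "dept": "finance"}, {"owner": "u9", "dept": "finance"},
                       {"network": "corp", "hour": 10}))
```

Note what each model cannot express: DAC lets an owner grant to anyone, which is why it is the weakest against insider misuse; MAC forbids a confidential user from writing to an internal object even when that seems harmless, because the *-property exists to stop leakage; RBAC needs a role change to express "only from the office", which ABAC states directly.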

Domain 6 — Security Assessment and Testing

This domain is about proving whether controls work rather than assuming they work.

What it helps you ask

  • How do we know systems are secure?
  • When was the last vulnerability scan?
  • Do we perform penetration testing?

Key topics

  • Vulnerability scanning and penetration testing
  • Static and dynamic testing
  • Security audits and assessments
  • Metrics and continuous monitoring

Domain 7 — Security Operations

This is the heartbeat of operational security: monitoring, detection, response, and continuity.

What it helps you ask

  • Are logs being collected and reviewed?
  • Who is watching for suspicious activity?
  • What happens when an incident occurs?
  • Do we have an incident response plan?

Key topics

  • SIEM
  • Forensics and digital investigation
  • Incident response lifecycle
  • Business continuity and disaster recovery
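"Are logs being collected and reviewed?" becomes concrete once review is a rule that runs over the log stream. As an added example (written for this page, not code from ISC2 or Neuromesh), the block below parses sshd authentication lines in syslog format and applies two SIEM-style correlation rules: a brute-force alert when one source accumulates five failures within sixty seconds, and a higher-priority alert when a login succeeds from a source that has recent failures, since that pattern is what a guessed password looks like. The log lines are constructed for the example and use documentation IP ranges; the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# sshd lines as written by syslog: timestamp host sshd[pid]: (Failed|Accepted) method for [invalid user] NAME from IP port N ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, result, user, source ip)


def parse(line: str) -> Optional[Event]:
    """Return the fields of an sshd auth line, or None for lines the rules do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime fills in 1900. Only differences between
    # timestamps are used here, which is fine within one year but not across a year boundary.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect(lines: List[str], threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> List[dict]:
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # per-source sliding window of failure times
    already_flagged = set()                                    # one brute-force alert per source
    alerts: List[dict] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, result, user, src = ev
        recent = failures[src]
        while recent and ts - recent[0] > window:   # drop failures that fell out of the window
            recent.popleft()
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in already_flagged:
                already_flagged.add(src)
                alerts.append({"rule": "ssh_bruteforce", "src": src, "count": len(recent), "at": ts})
        elif recent:
            # A success after failures from the same source is the more important signal:
            # it is what a successful guess looks like. Alert from the third failure onward.
            if len(recent) >= 3:
                alerts.append({"rule": "login_after_failures", "src": src, "user": user,
                               "failures": len(recent), "at": ts})
    return alerts


# Constructed sample log (documentation IP ranges; not from any real host).
SAMPLE_LOG = """\
Jan 10 03:14:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jan 10 03:14:04 bastion sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jan 10 03:14:07 bastion sshd[2213]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 10 03:14:10 bastion sshd[2214]: Failed password for deploy from 203.0.113.7 port 51026 ssh2
Jan 10 03:14:13 bastion sshd[2215]: Failed password for deploy from 203.0.113.7 port 51027 ssh2
Jan 10 03:14:16 bastion sshd[2216]: Failed password for deploy from 203.0.113.7 port 51028 ssh2
Jan 10 03:14:25 bastion sshd[2217]: Accepted password for deploy from 203.0.113.7 port 51040 ssh2
Jan 10 03:15:02 bastion sshd[2230]: Failed password for alice from 198.51.100.5 port 44120 ssh2
Jan 10 03:15:20 bastion sshd[2231]: Accepted publickey for alice from 198.51.100.5 port 44122 ssh2
Jan 10 03:20:00 bastion systemd[1]: Started Session 12 of user alice.
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Alice's single typo followed by a key-based login produces nothing, which is the point of the threshold: a rule that fires on every failure trains the reviewer to ignore it. The brute-force rule fires once per source so a long attack does not flood the queue, while the success-after-failures rule fires on every such login because each one needs a response.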

Domain 8 — Software Development Security

This domain focuses on securing what gets built from development through deployment.

What it helps you ask

  • Are secrets hardcoded?
  • Is there peer review?
  • Are there security gates in CI/CD?

Key topics

  • Secure SDLC phases
  • Threat modeling
  • Code review practices
  • OWASP Top 10
  • DevSecOps integration
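"Are secrets hardcoded?" and "are there security gates in CI/CD?" meet in a secret scanner that fails the build. The following added example (written for this page; not ISC2 material, Neuromesh code, or any existing scanner's implementation) combines signature rules for well-known secret formats with a Shannon-entropy heuristic for unrecognised tokens, and wraps both in a gate that returns a non-zero exit status. The sample source text is constructed and uses the well-known AWS documentation example credentials; the entropy threshold and the rule set are assumptions that a real deployment would tune and extend.

```python
import math
import re
import sys
from typing import List, Tuple

Finding = Tuple[str, int, str]  # (path, line number, rule name)

# Signature rules for secret formats that have a recognisable shape.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # a credential-looking name assigned a quoted literal of 8 or more characters
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
# Quoted literals of 20+ token-like characters are candidates for the entropy heuristic.
LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumption for this example


def shannon_entropy(s: str) -> float:
    """Entropy in bits per character, estimated from the character frequencies of s."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text: str, path: str = "<input>") -> List[Finding]:
    """Return one finding per matched rule per line; the entropy heuristic only runs on lines no signature matched."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, rule))
                matched = True
        if matched:
            continue
        for m in LITERAL_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append((path, lineno, "high_entropy_literal"))
                break
    return findings


def gate(findings: List[Finding]) -> int:
    """CI gate: report every finding and return a non-zero exit status if there are any."""
    for path, lineno, rule in findings:
        print(f"{path}:{lineno}: {rule}")
    return 1 if findings else 0


# Constructed sample: lines 2 to 5 are hardcoded secrets, line 6 is a long but benign literal,
# line 7 is the corrected form that reads the credential from the environment at run time.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SESSION_TOKEN = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "hunter2-prod-2024"
PEM = "-----BEGIN RSA PRIVATE KEY-----"
EVENT_NAME = "ticket_status_updated_event"
DB_PASSWORD = os.environ["DB_PASSWORD"]
"""

if __name__ == "__main__":
    sys.exit(gate(scan_text(SAMPLE_SOURCE, "app/config.py")))
```

The benign literal on line 6 is why the entropy threshold exists: a long identifier made of a few repeated characters scores well below 4 bits per character, while a random 40-character token scores above it. Signature rules catch the formats you know; the entropy check is the net for the ones you do not, at the cost of occasional false positives that need an allow-list.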

Next Focus: IAM

The next featured step in the journey is Identity and Access Management, where access becomes the control every team, tool, and environment depends on.

Topics that follow naturally from this stage are identification, authentication, authorization, the access control models, and what happens when access mechanisms themselves are attacked.