The ISC2 CISSP (Certified Information Systems Security Professional) exam is structured around eight domains that make up the Common Body of Knowledge (CBK). These domains cover everything from high-level governance and risk management to deep technical aspects of network and software security.

As of the latest updates in 2026, the exam places heavy emphasis on current challenges such as cloud security, Zero Trust architecture, and supply chain risk management. These are not separate domains; they appear as topics inside several of the eight domains listed below.

The 8 Domains of CISSP

Each domain carries a specific weight in the exam, reflecting its importance in a typical security leader's role. The weights add up to 100%, so the table also tells you roughly how much of your study time each domain deserves.

Domain | Exam Weight | Key Topics Covered
1. Security and Risk Management | 16% | Ethics, governance, risk assessment, compliance (GDPR, HIPAA), business continuity planning (BCP), and supply chain risk
2. Asset Security | 10% | Data classification, privacy, the data life cycle, and information ownership
3. Security Architecture and Engineering | 13% | Cryptography, security models (for example Bell-LaPadula), physical security, and cloud/IoT security
4. Communication and Network Security | 13% | Secure network design, the OSI and TCP/IP models, wireless security, and secure protocols
5. Identity and Access Management (IAM) | 13% | Authentication (MFA), federation (SSO), identity provisioning, and access control models (RBAC, MAC)
6. Security Assessment and Testing | 12% | Vulnerability scanning, penetration testing, log analysis, and security audits
7. Security Operations | 13% | Incident response, disaster recovery planning (DRP), forensic investigations, and change management
8. Software Development Security | 10% | Secure SDLC, secure coding, the Software Bill of Materials (SBOM), and application testing

Deep Dive into Key Areas

While all domains are critical, several core concepts "bridge" across multiple sections:

  • Risk Management: Domain 1 is the most heavily weighted domain. You are expected to view security through a "business lens": the goal is to reduce risk to a level the organization has decided it can accept, not to "buy tools." Treating a control as a response to a specific, assessed risk is the thread that ties Domain 1 to every other domain.
  • The "Manager" Mindset: A common trap for candidates is thinking like a technician. CISSP is a management-level exam; questions often ask for the best course of action for the organization, which is frequently a policy or process change (or escalating to the right decision-maker) rather than a technical fix. When two answers both seem correct, the one that protects human safety first, and then the business as a whole, is usually the intended answer.
  • Modern Infrastructure: Current exams place a high emphasis on the cloud service models (SaaS, PaaS, IaaS) and the shared-responsibility boundaries between customer and provider, and on Zero Trust principles, which replace implicit trust in the network perimeter with verification of identity, device, and context on every request.

Exam Format (2026 Update)

The exam uses Computerized Adaptive Testing (CAT). The difficulty of each question is chosen based on how you answered the previous ones, so the exam "learns" your ability level as you go and can end as soon as it has estimated that level with enough confidence. Because of this, you cannot skip a question or go back to change an earlier answer:

  • Length: 100 to 150 questions.
  • Time: 3 hours.
  • Passing Score: 700 out of 1000.
  • Experience Required: You must have 5 years of cumulative, paid, full-time work experience in two or more of the eight domains. Part-time work and internships count toward the total on a pro-rated basis.

Note: If you have a relevant 4-year college degree (or a regional equivalent) or a credential on the ISC2 approved list (such as Security+ or CISM), you can waive 1 year of the experience requirement. Only one year can be waived in total; a degree and a certification do not combine into a two-year waiver. Candidates who pass the exam without the required experience become an Associate of ISC2 and have up to six years to earn the remaining experience before the CISSP is awarded.