Introduction

The ISC2® CISSP® Certified Information Systems Security Professional Official Study Guide, Tenth Edition, offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you've shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam.

This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this CISSP Study Guide are for you. The purpose of this book is to adequately prepare you to take the CISSP exam.

 The information presented here in this Introduction was based on the publicly available documentation from ISC2 as of April 15, 2024. However, these details and exam parameters are subject to change at any time based upon ISC2 operational decisions. Please consult isc2.org to confirm, verify, or learn about updated exam specifics.

Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary five years of cumulative full-time work experience (or four years if you have a college degree) in two or more of the eight domains covered by the CISSP exam. Part-time work and internship experience is also acceptable with conditions; see www.isc2.org/certifications/cissp/cissp-experience-requirements. If you are qualified to take the CISSP exam according to ISC2, then you are sufficiently prepared to use this book to study for it. For more information on ISC2, see the next section.

Alternatively, ISC2 allows for a one-year reduction of the five-year experience requirement if you have earned one of the approved certifications from the ISC2 prerequisite pathway. As of Q1 2024, the qualified certifications are:

• AWS Certified Security - Specialty
• Certified in Governance, Risk and Compliance (CGRC)
• Certified Cloud Security Professional (CCSP)
• Certified Computer Examiner (CCE)
• Certified Ethical Hacker v8 or higher
• Certified Information Security Manager (CISM)
• Certified Information Systems Auditor (CISA)
• Certified Internal Auditor (CIA)
• Certified Protection Professional (CPP) from ASIS
• Certified in Risk and Information Systems Control (CRISC)
• Certified Secure Software Life cycle Professional (CSSLP)
• Certified Wireless Security Professional (CWSP)
• Cisco Certified CyberOps Associate/Professional
• Cisco Certified Internetwork Expert (CCIE) Security
• Cisco Certified Network Associate Security (CCNA Security)
• Cisco Certified Network Professional Security (CCNP Security)
• CIW Web Security Professional
• CIW Web Security Specialist
• CompTIA Advanced Security Practitioner (CASP+)
• CompTIA CySA+
• CompTIA Security+
• Computer Hacking Forensic Investigator (CHFI)
• CSA Certificate of Cloud Security Knowledge (CCSK)
• EC-Council Certified Security Specialist (ECSS)
• EC-Council Certified SOC Analyst (CSA)
• GIAC Certified Enterprise Defender (GCED)
• GIAC Certified Incident Handler (GCIH)
• GIAC Certified Intrusion Analyst (GCIA)
• GIAC Cyber Threat Intelligence (GCTI)
• GIAC Global Industrial Cyber Security Professional (GICSP)
• GIAC Information Security Fundamentals (GISF)
• GIAC Information Security Professional (GISP)
• GIAC Security Essentials Certificate (GSEC)
• GIAC Security Leadership Certification (GSLC)
• GIAC Strategic Planning, Policy, and Leadership (GSTRT)
• GIAC Systems and Network Auditor (GSNA)
• HealthCare Information Security and Privacy Practitioner (HCISPP)
• Information Security Management Systems Lead Auditor (IRCA)
• Information Security Management Systems Principal Auditor (IRCA)
• Juniper Networks Certified Internet Expert (JNCIE-SEC)
• Microsoft Identity and Access Management
• Microsoft Security Operations Analyst
• Microsoft Certified Cybersecurity Architect
• Offensive Security Certified Professional/Expert (OSCP/E)
• Systems Security Certified Practitioner (SSCP)

For the complete and current list of qualifying certifications, visit www.isc2.org/certifications/cissp/cissp-experience-requirements.

 You can use only one of the experience reduction measures, either a college degree or a certification, not both.

ISC2 offers an entry program known as an Associate of ISC2. This program allows someone without any or enough experience to qualify as a CISSP applicant to take the CISSP exam anyway and then obtain experience afterward. Associates are granted six years to obtain five years of security experience. Only after providing proof of such experience, usually by means of endorsement (discussed later), can the individual be awarded the full CISSP certification.

If you are just getting started on your journey to CISSP certification and do not yet have the work experience, then our book can still be a useful tool in your preparation for the exam. However, you may find that some of the topics covered assume knowledge that you don't have. For those topics, you may need to do some additional research using other materials, and then return to this book to continue learning about the CISSP topics.

ISC2

The CISSP exam is governed by the International Information System Security Certification Consortium ISC2. ISC2 is a global nonprofit organization. It has the mission of “ISC2 strengthens the influence, diversity and vitality of the field through advocacy, expertise and workforce empowerment that accelerates cyber safety and cybersecurity in an interconnected world.”

ISC2 is operated by a board of directors elected from the ranks of its certified practitioners.

ISC2 supports and provides a wide variety of certifications, including CISSP, ISSAP, ISSMP, ISSEP, SSCP, CCSM, CCSP, CGRCSM, and CSSLP. These certifications are designed to verify the knowledge and skills of IT security professionals across all industries. You can obtain more information about ISC2 and its other certifications from its website at isc2.org.

The CISSP credential is for security professionals “with the knowledge, skills and abilities to lead an organization's information security program.”

Topical Domains

The CISSP certification covers material from the eight topical domains. These eight domains are as follows:

• Domain 1: Security and Risk Management
• Domain 2: Asset Security
• Domain 3: Security Architecture and Engineering
• Domain 4: Communication and Network Security
• Domain 5: Identity and Access Management (IAM)
• Domain 6: Security Assessment and Testing
• Domain 7: Security Operations
• Domain 8: Software Development Security

These eight domains provide a vendor-independent overview of a common security framework. This framework is the basis for a discussion on security practices that can be supported in all types of organizations worldwide.

Prequalifications

ISC2 has defined the qualification requirements you must meet to become a CISSP. First, you must be a practicing security professional with at least five years’ work experience or with four years’ experience and a recent IT or IS degree or an approved security certification (as mentioned previously). Professional experience is defined as security work performed (with or without pay) within two or more of the eight CISSP domains.

Second, you must agree to adhere to a formal code of ethics. The ISC2 Code of Ethics is a set of guidelines ISC2 wants all certification candidates to follow to maintain professionalism in the field of information systems security. You can find the ISC2 Code of Ethics at isc2.org/ethics.

Overview of the CISSP Exam

The CISSP exam focuses on security from an overview perspective; it deals more with theory and concept than implementation and procedure. It is very broad but not very deep. To successfully complete this exam, you'll need to be familiar with every domain but not necessarily be a master of each domain.

The CISSP exam is in an adaptive format that ISC2 calls CISSP CAT (Computerized Adaptive Testing). For complete details of this form of exam presentation, please see www.isc2.org/certifications/CISSP/CISSP-CAT.

The CISSP CAT exam has a minimum of 100 questions and a maximum of 150. Not all items (i.e., questions) presented count toward your proficiency level, competency requirements, or passing status. There are 25 unscored questions that are called pre-test or unscored items by ISC2, whereas the scored questions are called operational items. The questions are not labeled on the exam as to whether they are scored (i.e., operational items) or unscored (i.e., pre-test questions). Test candidates will receive 25 unscored items on their exam, regardless of whether they achieve a passing rank at question 100 or see all of the 150 questions. However, an exam's pass/fail report is determined by only the last 75 operational items answered by the test candidate.

The CISSP CAT grants a maximum of three (3) hours to take...