CISSP Exam Questions Topic-Wise Last-Minute Prep

Topic Content

**1.1 Professional Ethics and Conduct** Professionals must understand and follow the ISC2 Code of Professional Ethics as well as their organization's code of ethics. This includes adhering to established ethical standards, promoting ethical behavior within the workplace, and ensuring that all actions align with professional integrity and organizational values. Compliance with these ethical frameworks is essential for maintaining trust, credibility, and professional reputation in the security field. **1.2 Core Security Principles** The five pillars of information securityâ€”confidentiality, integrity, availability, authenticity, and nonrepudiationâ€”form the... **1.1 Professional Ethics and Conduct** Professionals must understand and follow the ISC2 Code of Professional Ethics as well as their organization's code of ethics. This includes adhering to established ethical standards, promoting ethical behavior within the workplace, and ensuring that all actions align with professional integrity and organizational values. Compliance with these ethical frameworks is essential for maintaining trust, credibility, and professional reputation in the security field. **1.2 Core Security Principles** The five pillars of information securityâ€”confidentiality, integrity, availability, authenticity, and nonrepudiationâ€”form the foundation of all security concepts. Confidentiality ensures that information is accessible only to authorized individuals, integrity maintains the accuracy and completeness of data, availability guarantees timely access to information, authenticity verifies the identity of users and systems, and nonrepudiation prevents denial of actions or transactions. Understanding and applying these principles is critical for designing and implementing effective security measures. **1.3 Security Governance and Framework Implementation** Security governance involves aligning security functions with business strategy, goals, mission, and organizational objectives while managing organizational processes such as acquisitions and divestitures. This includes defining clear roles and responsibilities, implementing recognized security control frameworks such as ISO, NIST, COBIT, SABSA, PCI, and FedRAMP, and practicing due care and due diligence. Effective governance ensures that security initiatives support business outcomes and maintain appropriate oversight through governance committees and structured processes. **1.4 Legal, Regulatory, and Compliance Requirements** Organizations must navigate a complex landscape of legal and regulatory requirements including laws addressing cybercrimes, data breaches, intellectual property, import/export controls, and transborder data flows. Privacy regulations such as GDPR, California Consumer Privacy Act, and similar laws impose specific obligations for protecting personal information. Additionally, contractual agreements, industry standards, and regulatory requirements must be understood and implemented to ensure compliance and mitigate legal risks. **1.5 Investigation Types and Procedures** Security professionals must understand the distinct characteristics and procedures for five types of investigations: administrative investigations conducted within the organization, criminal investigations involving law enforcement, civil investigations related to disputes, regulatory investigations by government agencies, and industry standards investigations. Each investigation type has different objectives, procedures, evidence requirements, and legal implications that must be properly understood and followed to ensure appropriate handling and documentation. **1.6 Security Policy Development and Implementation** Organizations must develop, document, and implement comprehensive security policies, standards, procedures, and guidelines that provide clear direction for security practices. These documents establish expectations for employee behavior, define security requirements, outline compliance obligations, and serve as the foundation for consistent security implementation across the organization. Regular review and updates ensure policies remain relevant and effective. **1.7 Business Continuity Planning and Requirements** Business continuity planning involves identifying and analyzing requirements to ensure organizational resilience during disruptions through business impact analysis and assessment of external dependencies. Organizations must determine critical functions, acceptable downtime, recovery priorities, and resource requirements. This comprehensive approach ensures that essential operations can continue or be rapidly restored following incidents or disasters. **1.8 Personnel Security Policies and Procedures** Personnel security encompasses the entire employee lifecycle including candidate screening and hiring, employment agreements, onboarding, transfers, and termination processes. Organizations must also establish controls for vendors, consultants, and contractors through formal agreements and oversight mechanisms. These procedures ensure that only trustworthy individuals with appropriate qualifications have access to sensitive information and systems. **1.9 Risk Management Concepts and Practices** Risk management involves identifying threats and vulnerabilities, conducting risk analysis and assessment, determining appropriate risk responses including cybersecurity insurance, and implementing applicable controls such as preventive, detection, and corrective measures. Organizations must perform control assessments, establish continuous monitoring and measurement processes, report findings internally and externally, and pursue continuous improvement through risk maturity modeling. Implementation of recognized risk frameworks such as ISO, NIST, COBIT, SABSA, and PCI provides structured approaches to managing organizational risk. **1.10 Threat Modeling Methodologies** Threat modeling is a systematic process for identifying, analyzing, and prioritizing potential threats to systems and applications. Security professionals must understand various threat modeling concepts and methodologies that help visualize attack vectors, identify vulnerabilities, and determine appropriate mitigation strategies. This proactive approach enables organizations to address security risks before systems are deployed or exploited. **1.11 Supply Chain Risk Management** Supply chain risk management addresses risks associated with acquiring products and services from external suppliers and providers, including product tampering, counterfeit components, and malicious implants. Organizations must implement risk mitigations such as third-party assessments and monitoring, establish minimum security requirements, define service level agreements, and verify security features such as silicon root of trust and physically unclonable functions. Software bill of materials documentation provides transparency into component composition and potential vulnerabilities. **1.12 Security Awareness and Training Programs** Organizations must establish and maintain comprehensive security awareness, education, and training programs using various methods and techniques such as social engineering simulations, phishing exercises, security champions programs, and gamification to increase engagement. Programs must include periodic content reviews addressing emerging technologies and trends including cryptocurrency, artificial intelligence, and blockchain. Effectiveness evaluation through metrics and assessments ensures the program achieves its objectives of improving security culture and reducing human-related security risks. See More

Topic Content

Asset Security encompasses the comprehensive management and protection of organizational information and assets throughout their lifecycle. This domain focuses on identifying and classifying both data and physical assets according to their sensitivity and value, establishing clear handling requirements and ownership structures. Organizations must maintain detailed asset inventories distinguishing between tangible and intangible assets while implementing robust asset management practices. The data lifecycle management process involves defining roles such as data owners, controllers, custodians, processors, and users, then systematically managing data... See More

Topic Content

**3.1 Secure Design Principles and Engineering Processes** This section focuses on researching, implementing, and managing engineering processes that incorporate secure design principles. Key concepts include threat modeling to identify potential security risks, least privilege to restrict user access to minimum necessary permissions, and defense in depth to implement multiple layers of security controls. Additional principles include secure defaults that prioritize security in initial configurations, fail securely to ensure systems remain protected during failures, and segregation of duties to prevent unauthorized actions.... **3.1 Secure Design Principles and Engineering Processes** This section focuses on researching, implementing, and managing engineering processes that incorporate secure design principles. Key concepts include threat modeling to identify potential security risks, least privilege to restrict user access to minimum necessary permissions, and defense in depth to implement multiple layers of security controls. Additional principles include secure defaults that prioritize security in initial configurations, fail securely to ensure systems remain protected during failures, and segregation of duties to prevent unauthorized actions. Professionals must also understand keep it simple and small to reduce complexity and attack surface, zero trust architecture that verifies all access requests, privacy by design to embed data protection throughout system development, shared responsibility models in cloud environments, and secure access service edge for protecting network traffic and user access. **3.2 Fundamental Security Models** This section requires understanding core security models that form the theoretical foundation for access control and information protection. Candidates must comprehend the Bell-LaPadula model which enforces confidentiality through read-down and write-up rules, the Biba model which prioritizes integrity through read-up and write-down restrictions, and the Star Model which combines elements of both confidentiality and integrity protection. These models provide frameworks for designing systems that prevent unauthorized information disclosure and modification while maintaining system security objectives. **3.3 Control Selection Based on Security Requirements** This section emphasizes selecting appropriate security controls aligned with specific system security requirements and organizational objectives. Professionals must evaluate various control types including preventive, detective, and corrective controls, then match them to identified threats and vulnerabilities. The selection process requires analyzing system criticality, regulatory compliance needs, risk tolerance, and resource constraints to implement controls that effectively reduce security risks while maintaining operational efficiency and cost-effectiveness. **3.4 Security Capabilities of Information Systems** This section covers understanding built-in security features and technologies available in modern information systems. Key capabilities include memory protection mechanisms that prevent unauthorized access to system memory, Trusted Platform Module (TPM) which provides hardware-based cryptographic functions and secure storage, and encryption/decryption technologies that protect data confidentiality. Professionals must understand how these capabilities function, their limitations, and how to leverage them effectively in security architecture design. **3.5 Vulnerability Assessment and Mitigation Across System Types** This section requires assessing and mitigating vulnerabilities specific to diverse system architectures and environments. Candidates must understand security challenges in client-based systems, server-based systems, database systems, and cryptographic systems, as well as specialized environments including industrial control systems, cloud services (SaaS, IaaS, PaaS), distributed systems, Internet of Things devices, microservices, containerized applications, serverless computing, embedded systems, high-performance computing, edge computing, and virtualized infrastructure. Each system type presents unique vulnerabilities requiring tailored mitigation strategies and security controls. **3.6 Cryptographic Solutions and Implementation** This section focuses on selecting and determining appropriate cryptographic solutions for protecting sensitive information. Professionals must understand the cryptographic lifecycle including key generation, storage, rotation, and retirement, as well as algorithm selection criteria based on security requirements and performance needs. Key topics include cryptographic methods such as symmetric encryption for fast bulk data protection, asymmetric encryption for key exchange and digital signatures, elliptic curve cryptography for efficient public key operations, and emerging quantum-resistant algorithms. Additionally, candidates must understand public key infrastructure components and quantum key distribution technologies for future-proof cryptographic systems. **3.7 Cryptanalytic Attacks and Exploitation Methods** This section requires understanding various attacks that compromise cryptographic systems and security mechanisms. Candidates must comprehend brute force attacks that exhaust all possible keys, ciphertext-only attacks with no plaintext knowledge, known plaintext attacks using matched plaintext-ciphertext pairs, and frequency analysis exploiting language patterns. Additional attack methods include chosen ciphertext attacks where attackers select specific ciphertexts, implementation attacks targeting flawed security implementations, side-channel attacks exploiting physical phenomena like power consumption and timing variations, fault injection attacks inducing errors to bypass security, and network-based attacks such as man-in-the-middle interception. Professionals must also understand authentication attacks including pass the hash and Kerberos exploitation, as well as ransomware threats that encrypt and extort data. **3.8 Security Principles Applied to Site and Facility Design** This section emphasizes applying fundamental security principles to the physical design and layout of facilities housing critical information systems. Professionals must integrate security considerations throughout facility planning including access control principles, surveillance requirements, environmental protections, and operational security measures. The design process requires balancing security objectives with operational needs, cost constraints, and regulatory compliance while creating facilities that protect against both physical and logical security threats. **3.9 Site and Facility Security Controls Implementation** This section covers designing and implementing specific security controls for facility infrastructure and operations. Key areas include wiring closets and intermediate distribution facilities requiring controlled access and environmental protection, server rooms and data centers needing comprehensive physical and environmental controls, media storage facilities with restricted access and proper handling procedures, and evidence storage with chain-of-custody protections. Additional controls address restricted and work area security through access controls and monitoring, utilities and HVAC systems requiring redundancy and environmental monitoring, environmental hazard mitigation for natural disasters and man-made threats, fire prevention and suppression systems, and power systems with redundancy and backup capabilities to ensure continuous operations. **3.10 Information System Lifecycle Management** This section requires managing systems throughout their complete lifecycle from conception to retirement. Professionals must address stakeholder needs and requirements gathering to understand business objectives, conduct requirements analysis to define functional and security specifications, and develop architectural designs that meet identified needs. The lifecycle continues through development and implementation phases, system integration to ensure components work together, verification and validation to confirm systems meet requirements, transition and deployment to production environments, ongoing operations and maintenance to sustain security and functionality, and finally retirement and disposal procedures ensuring secure data destruction and asset management. See More

Topic Content

4.1 - Apply Secure Design Principles in Network Architectures This section covers the foundational models and protocols essential for building secure networks, including the OSI and TCP/IP reference models that define how data is transmitted across networks. Students must understand Internet Protocol versions 4 and 6, including addressing schemes such as unicast, broadcast, multicast, and anycast communications. Secure protocols including IPSec, SSH, and SSL/TLS provide encryption and authentication mechanisms to protect data in transit. The topic extends to multilayer protocol implications... 4.1 - Apply Secure Design Principles in Network Architectures This section covers the foundational models and protocols essential for building secure networks, including the OSI and TCP/IP reference models that define how data is transmitted across networks. Students must understand Internet Protocol versions 4 and 6, including addressing schemes such as unicast, broadcast, multicast, and anycast communications. Secure protocols including IPSec, SSH, and SSL/TLS provide encryption and authentication mechanisms to protect data in transit. The topic extends to multilayer protocol implications and converged protocols like iSCSI and VoIP that combine multiple services over single networks. Transport architecture concepts encompass network topology design, separation of data, control, and management planes, and switching methods like cut-through and store-and-forward approaches. Performance metrics including bandwidth, latency, jitter, throughput, and signal-to-noise ratio are critical for evaluating network efficiency and reliability. Network segmentation strategies are explored through physical methods such as in-band, out-of-band, and air-gapped configurations, logical approaches using VLANs, VPNs, and virtual routing domains, and advanced micro-segmentation techniques employing network overlays, distributed firewalls, and zero-trust architectures. Additional architectural considerations include edge networks with ingress/egress points, wireless technologies spanning Bluetooth and Wi-Fi to satellite communications, cellular networks including 4G and 5G standards, content distribution networks for optimized content delivery, and software-defined networking approaches that leverage APIs and network function virtualization. Modern implementations also incorporate Virtual Private Cloud environments and comprehensive monitoring systems that provide network observability, traffic management, capacity planning, and fault detection capabilities. 4.2 - Secure Network Components This section addresses the physical and logical components that comprise secure network infrastructure, beginning with operational considerations such as redundant power systems, equipment warranties, and vendor support arrangements that ensure continuous availability. Transmission media security encompasses both the physical protection of cables and connections and the quality of signal propagation to prevent interception and degradation. Network Access Control systems, available in both physical and virtual implementations, regulate which devices and users can connect to network resources based on defined security policies. Endpoint security measures, particularly host-based solutions, protect individual devices connected to the network by monitoring and controlling their activities and communications. 4.3 - Implement Secure Communication Channels According to Design This section focuses on establishing protected communication pathways for various organizational needs, including voice, video, and collaborative platforms such as conferencing systems and dedicated Zoom rooms that require encryption and authentication. Remote access capabilities must be secured to protect administrative functions and network management activities from unauthorized access and interception. Data communications infrastructure, including backhaul networks and satellite links, requires protection to ensure confidential and reliable transmission of critical information. Third-party connectivity arrangements with telecommunications providers and hardware support vendors necessitate secure channels and clear security agreements to maintain the integrity of external communications and prevent unauthorized access through vendor connections. See More

Topic Content

5.1 - Control Physical and Logical Access to Assets Establish comprehensive access controls across all organizational assets including information, systems, devices, facilities, applications, and services. This involves implementing security measures that restrict unauthorized access to both physical locations and digital resources. Organizations must deploy mechanisms such as badge readers, biometric systems, and network controls to ensure only authorized personnel can access critical infrastructure. Access controls should be consistently applied across all asset categories to maintain a unified security posture. Regular audits... 5.1 - Control Physical and Logical Access to Assets Establish comprehensive access controls across all organizational assets including information, systems, devices, facilities, applications, and services. This involves implementing security measures that restrict unauthorized access to both physical locations and digital resources. Organizations must deploy mechanisms such as badge readers, biometric systems, and network controls to ensure only authorized personnel can access critical infrastructure. Access controls should be consistently applied across all asset categories to maintain a unified security posture. Regular audits and monitoring of access attempts help identify and prevent unauthorized access attempts. Documentation of access policies and procedures ensures accountability and compliance with security standards. 5.2 - Design Identification and Authentication Strategy Develop a comprehensive authentication framework that verifies the identity of people, devices, and services across the organization. This includes implementing multi-factor authentication (MFA) and password-less authentication methods to strengthen security beyond traditional passwords. Organizations should establish clear group and role structures that define user permissions and responsibilities within the system. Session management practices must be implemented to control user activity duration and prevent unauthorized session hijacking. Identity registration and proofing processes ensure accurate verification before granting access rights. Federated Identity Management (FIM) enables secure identity sharing across multiple systems and organizations, while credential management systems like password vaults centralize secure storage of authentication credentials. Single sign-on (SSO) capabilities streamline user access across multiple applications, and Just-In-Time provisioning grants temporary elevated access only when needed. 5.3 - Federated Identity with Third-Party Service Implement federated identity management solutions that enable secure identity verification and access control across on-premise, cloud, and hybrid environments. Organizations can leverage third-party identity providers to authenticate users without managing credentials directly, reducing administrative overhead and security risks. On-premise federated solutions maintain identity management within organizational infrastructure while cloud-based federation utilizes external providers for scalability and flexibility. Hybrid approaches combine both on-premise and cloud identity services to accommodate diverse organizational needs and existing systems. Federated identity protocols establish trust relationships between organizations, allowing seamless user authentication across multiple domains. Integration with third-party services requires careful security configuration and monitoring to ensure compliance with organizational policies. 5.4 - Implement and Manage Authorization Mechanisms Establish authorization frameworks that determine what authenticated users can access and perform within systems and applications. Role-Based Access Control (RBAC) assigns permissions based on predefined job roles, simplifying management of user privileges across the organization. Rule-based access control applies specific conditions and policies to grant or deny access based on defined criteria. Mandatory Access Control (MAC) enforces strict security classifications and clearance levels, commonly used in government and highly sensitive environments. Discretionary Access Control (DAC) allows resource owners to determine access permissions for their assets. Attribute-Based Access Control (ABAC) provides granular control by evaluating multiple attributes such as user characteristics, resource properties, and environmental conditions. Risk-based access control dynamically adjusts access permissions based on assessed threat levels and contextual factors. Access policy enforcement through policy decision points and policy enforcement points ensures consistent application of authorization rules across all systems. 5.5 - Manage the Identity and Access Provisioning Lifecycle Oversee the complete lifecycle of user and service accounts from creation through deactivation, including regular reviews and updates. Account access reviews verify that users retain only necessary permissions aligned with their current roles and responsibilities. Provisioning processes grant appropriate access during onboarding, while deprovisioning removes access when employees leave or change positions. Role transitions require updating permissions when employees move to different positions or departments within the organization. Privilege escalation management controls elevated access requests and maintains audit trails of administrative actions such as sudo usage. Service accounts require dedicated management practices to ensure they operate with minimal necessary permissions and are regularly reviewed for security compliance. Continuous monitoring of the provisioning lifecycle helps prevent unauthorized access and ensures adherence to least privilege principles. 5.6 - Implement Authentication Systems Deploy robust authentication systems that verify user identity through secure mechanisms and protocols across all organizational platforms. Authentication systems should support multiple verification methods including something you know (passwords), something you have (tokens or smart cards), and something you are (biometric data) to enhance security. Integration of authentication systems with centralized identity management platforms enables consistent policy enforcement and user experience across applications. Authentication logs and monitoring capabilities provide visibility into access attempts and help detect suspicious activities or unauthorized access attempts. Regular updates and patches to authentication systems address security vulnerabilities and maintain protection against emerging threats. Organizations must ensure authentication systems comply with industry standards and regulatory requirements while maintaining usability for legitimate users. See More

Topic Content

Security Assessment and Testing encompasses the comprehensive evaluation of an organization's security posture through multiple methodologies and frameworks. This domain includes designing and validating assessment strategies across internal systems within organizational control, external environments outside organizational boundaries, third-party services, and various deployment locations including on-premises, cloud, and hybrid infrastructures. Security control testing involves conducting vulnerability assessments, penetration testing through red, blue, and purple team exercises, reviewing logs, executing synthetic transactions and benchmarks, performing code reviews and testing, conducting misuse case... See More

Topic Content

Security Operations encompasses the comprehensive management and execution of security activities within an organization. Investigation and Compliance involves understanding and adhering to investigative procedures including evidence collection and handling, detailed reporting and documentation, application of investigative techniques, utilization of digital forensics tools and procedures, and identification of artifacts from various sources such as data, computers, networks, and mobile devices. Logging and Monitoring Activities requires implementing intrusion detection and prevention systems, deploying Security Information and Event Management platforms, conducting continuous monitoring... Security Operations encompasses the comprehensive management and execution of security activities within an organization. Investigation and Compliance involves understanding and adhering to investigative procedures including evidence collection and handling, detailed reporting and documentation, application of investigative techniques, utilization of digital forensics tools and procedures, and identification of artifacts from various sources such as data, computers, networks, and mobile devices. Logging and Monitoring Activities requires implementing intrusion detection and prevention systems, deploying Security Information and Event Management platforms, conducting continuous monitoring with regular tuning, performing egress monitoring, managing logs effectively, leveraging threat intelligence through feeds and threat hunting, and utilizing User and Entity Behavior Analytics to detect anomalies. Configuration Management involves provisioning systems, establishing security baselines, and implementing automation to maintain consistent security postures across the infrastructure. Foundational security operations concepts include applying the principles of need-to-know and least privilege access, enforcing Separation of Duties and clear responsibility assignments, managing privileged accounts, implementing job rotation practices, and establishing Service-Level Agreements to define performance expectations. Resource Protection focuses on media management and protection techniques while ensuring data security both at rest and in transit through appropriate encryption and access controls. Incident Management requires a structured approach encompassing detection of security events, rapid response activation, mitigation of threats, comprehensive reporting, system recovery, remediation of root causes, and documentation of lessons learned to improve future responses. Detection and Preventative Measures include operating various firewall types such as next-generation, web application, and network firewalls, maintaining Intrusion Detection and Prevention Systems, implementing whitelisting and blacklisting strategies, utilizing third-party security services, deploying sandboxing environments, operating honeypots and honeynets, maintaining anti-malware solutions, and leveraging machine learning and artificial intelligence-based security tools. Patch and Vulnerability Management involves implementing systematic processes for identifying, prioritizing, and deploying security patches while managing identified vulnerabilities throughout their lifecycle. Change Management requires understanding and actively participating in formal change control processes to ensure security considerations are evaluated before modifications to systems or infrastructure. Recovery Strategies encompass implementing diverse backup storage approaches including cloud, onsite, and offsite options, establishing recovery site strategies with considerations for cold versus hot sites and resource capacity agreements, maintaining multiple processing sites for redundancy, and ensuring system resilience through high availability, Quality of Service measures, and fault tolerance mechanisms. Disaster Recovery Processes involve developing comprehensive response procedures, identifying key personnel roles, establishing communication methods for stakeholder coordination, conducting impact assessments, executing restoration activities, providing training and awareness programs, and capturing lessons learned from recovery events. Disaster Recovery Plan Testing includes conducting read-through and tabletop exercises, performing walkthroughs and simulations, executing parallel testing, conducting full interruption tests, and maintaining clear communications with stakeholders, test coordinators, and regulatory bodies throughout the testing process. Business Continuity Planning and Exercises require active participation in developing strategies that ensure critical business functions continue during disruptions and regular execution of exercises to validate plan effectiveness. Physical Security Implementation and Management involves deploying perimeter security controls such as fencing and access gates and establishing internal security controls including surveillance systems and access restrictions to protect physical assets. Personnel Safety and Security Concerns address travel security protocols, comprehensive security training and awareness programs covering insider threats and social media risks, emergency management procedures, and duress response protocols while also considering emerging challenges such as two-factor authentication fatigue among users. See More

Topic Content

Software Development Security encompasses the integration of security throughout the Software Development Life Cycle (SDLC) across various methodologies including Agile, Waterfall, DevOps, DevSecOps, and Scaled Agile Framework, while utilizing maturity models such as CMM and SAMM to guide continuous improvement in security practices. Organizations must implement security controls throughout the development ecosystem by securing programming languages, libraries, toolsets, Integrated Development Environments, runtime environments, and establishing robust CI/CD pipelines with proper software configuration management and code repository controls. The effectiveness of... See More

CISSP Certified Information Systems Security Professional Exam Topics and Questions

Let's Practice Free ISC2 CISSP Questions Aligned with Official Exam Topics

Ready to Start Practicing?

Main Navigation

Hot Vendors

Hot Exams

CISSP Certified Information Systems Security Professional Exam Topics and Questions

Let's Practice Free ISC2 CISSP Questions Aligned with Official Exam Topics

Ready to Start Practicing?