Certified Information Systems Security Professional (CISSP®)

Course subjects

This course provides in-depth coverage of the eight domains required to prepare for the CISSP exam. Refer to the CISSP Exam Outline for a deeper dive into the CISSP domains.

1. Security and Risk Management

• Understand, adhere to, and promote professional ethics

• Understand and apply security concepts

• Evaluate and apply security governance principles

• Determine compliance and other requirements

• Understand legal and regulatory issues that pertain to information security in a holistic context

• Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)

• Develop, document, and implement security policy, standards, procedures, and guidelines

• Identify, analyse, and prioritise Business Continuity (BC) requirements

• Contribute to and enforce personnel security policies and procedures

• Understand and apply risk management concepts

• Understand and apply threat modeling concepts and methodologies

• Apply Supply Chain Risk Management (SCRM) concepts

• Establish and maintain a security awareness, education, and training program

2. Asset Security

• Identify and classify information and assets

• Establish information and asset handling requirements

• Provision resources securely

• Manage data lifecycle

• Ensure appropriate asset retention (e.g. End-of-Life (EOL), End-of-Support (EOS))

• Determine data security controls and compliance requirements

3. Security Architecture and Engineering

• Research, implement and manage engineering processes using secure design principles

• Understand the fundamental concepts of security models (e.g. Biba, Star Model, Bell-LaPadula)

• Select controls based upon systems security requirements

• Understand security capabilities of Information Systems (IS) (e.g. memory protection, Trusted Platform Module (TPM), encryption/decryption)

• Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

• Select and determine cryptographic solutions

• Understand methods of cryptanalytic attacks

• Apply security principles to site and facility design

• Design site and facility security controls

4. Communication and Network Security

• Assess and implement secure design principles in network architectures

• Secure network components

• Implement secure communication channels according to design

5. Identity and Access Management (IAM)

• Control physical and logical access to assets

• Manage identification and authentication of people, devices, and services

• Federated identity with a third-party service

• Implement and manage authorisation mechanisms

• Manage the identity and access provisioning lifecycle

• Implement authentication systems

6. Security Assessment and Testing

• Design and validate assessment, test, and audit strategies

• Conduct security control testing

• Collect security process data (e.g. technical and administrative)

• Analyse test output and generate reports

• Conduct or facilitate security audits

7. Security Operations

• Understand and comply with investigations

• Conduct logging and monitoring activities

• Perform Configuration Management (CM) (e.g. provisioning, baselining, automation)

• Apply foundational security operations concepts

• Apply resource protection

• Conduct incident management

• Operate and maintain detective and preventative measures

• Implement and support patch and vulnerability management

• Understand and participate in change management processes

• Implement recovery strategies

• Implement Disaster Recovery (DR) processes

• Test Disaster Recovery Plans (DRP)

• Participate in Business Continuity (BC) planning and exercises

• Implement and manage physical security

• Address personnel safety and security concerns

8. Software Development Security

• Understand and integrate security in the Software Development Life Cycle (SDLC)

• Identify and apply security controls in development environments

• Assess the effectiveness of software security

• Assess security impact of acquired software

• Define and apply secure coding guidelines and standards