CISSP cheat sheet

A one-page reference for the ISC2 CISSP — Certified Information Systems Security Professional exam: the format, how the domains are weighted, and the glossary terms for this exam.

Exam at a glance

Vendor
ISC2
Level
Advanced
Questions
100
Time
180 min
Mock pass mark
70%
Domains
8
Practice Qs
129
Code
CISSP

Domain weightings

How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.

Key terms

CIA Triad
The CIA triad is the trio of confidentiality, integrity, and availability that underpins nearly every information-security decision. CISSP frames controls, risks, and objectives in terms of which of the three they protect.
Risk Management
Risk management is the process of identifying, assessing, treating, and monitoring risk so that residual risk stays within an organization's tolerance. CISSP Domain 1 emphasizes risk-based decisions over purely technical fixes.
Quantitative Risk Analysis
Quantitative risk analysis expresses risk in monetary terms, chiefly through SLE × ARO = ALE (single loss expectancy times annualized rate of occurrence equals annualized loss expectancy). CISSP uses it to justify control spending.
Residual Risk
Residual risk is the risk that remains after controls have been applied. CISSP holds that management, not the security team, formally accepts residual risk on behalf of the business.
Defense in Depth
Defense in depth layers multiple independent controls so that the failure of any one does not expose the asset. CISSP treats it as a core secure-design principle alongside least privilege and secure defaults.
Least Privilege
Least privilege grants each subject only the access strictly required to perform its function, and no more. CISSP pairs it with need-to-know and separation of duties to limit abuse and blast radius.
Bell-LaPadula Model
Bell-LaPadula is a confidentiality-focused security model enforcing 'no read up, no write down' to protect classified data. CISSP contrasts it with Biba, which protects integrity with the opposite rules.
Biba Model
The Biba model is an integrity-focused security model enforcing 'no read down, no write up' so trusted data is not contaminated by lower-integrity sources. CISSP pairs it conceptually with Bell-LaPadula for confidentiality.
PKI
Public Key Infrastructure (PKI) is the framework of certificate authorities, certificates, and keys that binds identities to public keys and enables trust. CISSP Domain 3 covers PKI, key management, and certificate lifecycles.
Symmetric Encryption
Symmetric encryption uses a single shared secret key for both encryption and decryption, making it fast but requiring secure key distribution. CISSP contrasts it with asymmetric cryptography, which solves key distribution using key pairs.
Access Control Models
Access control models — DAC, MAC, RBAC, and ABAC — define how access decisions are made and who sets them. CISSP Domain 5 expects you to match each model to an appropriate scenario.
Federated Identity
Federated identity lets users authenticate once with a trusted identity provider and access resources across independent domains, using standards such as SAML and OIDC. CISSP covers it under identity and access management.
RTO and RPO
Recovery Time Objective (RTO) is the maximum tolerable time to restore a service, and Recovery Point Objective (RPO) is the maximum tolerable data loss measured in time. CISSP uses both to drive backup and disaster-recovery design.
Security Operations
Security operations covers the day-to-day protective work of monitoring, incident response, forensics, and change and configuration management. CISSP Domain 7 stresses evidence handling and a disciplined incident lifecycle.
SDLC
The Software Development Life Cycle (SDLC) is the structured process for building software, into which CISSP embeds security at every phase. Domain 8 covers secure coding, testing, and DevSecOps practices.