CISSP cheat sheet
A one-page reference for the ISC2 CISSP — Certified Information Systems Security Professional exam: the format, how the domains are weighted, and the glossary terms for this exam.
Exam at a glance
Vendor
ISC2
Level
Advanced
Questions
100
Time
180 min
Mock pass mark
70%
Domains
8
Practice Qs
129
Code
CISSP
Domain weightings
How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.
Key terms
- CIA Triad
- The CIA triad is the trio of confidentiality, integrity, and availability that underpins nearly every information-security decision. CISSP frames controls, risks, and objectives in terms of which of the three they protect.
- Risk Management
- Risk management is the process of identifying, assessing, treating, and monitoring risk so that residual risk stays within an organization's tolerance. CISSP Domain 1 emphasizes risk-based decisions over purely technical fixes.
- Quantitative Risk Analysis
- Quantitative risk analysis expresses risk in monetary terms, chiefly through SLE × ARO = ALE (single loss expectancy times annualized rate of occurrence equals annualized loss expectancy). CISSP uses it to justify control spending.
- Residual Risk
- Residual risk is the risk that remains after controls have been applied. CISSP holds that management, not the security team, formally accepts residual risk on behalf of the business.
- Defense in Depth
- Defense in depth layers multiple independent controls so that the failure of any one does not expose the asset. CISSP treats it as a core secure-design principle alongside least privilege and secure defaults.
- Least Privilege
- Least privilege grants each subject only the access strictly required to perform its function, and no more. CISSP pairs it with need-to-know and separation of duties to limit abuse and blast radius.
- Bell-LaPadula Model
- Bell-LaPadula is a confidentiality-focused security model enforcing 'no read up, no write down' to protect classified data. CISSP contrasts it with Biba, which protects integrity with the opposite rules.
- Biba Model
- The Biba model is an integrity-focused security model enforcing 'no read down, no write up' so trusted data is not contaminated by lower-integrity sources. CISSP pairs it conceptually with Bell-LaPadula for confidentiality.
- PKI
- Public Key Infrastructure (PKI) is the framework of certificate authorities, certificates, and keys that binds identities to public keys and enables trust. CISSP Domain 3 covers PKI, key management, and certificate lifecycles.
- Symmetric Encryption
- Symmetric encryption uses a single shared secret key for both encryption and decryption, making it fast but requiring secure key distribution. CISSP contrasts it with asymmetric cryptography, which solves key distribution using key pairs.
- Access Control Models
- Access control models — DAC, MAC, RBAC, and ABAC — define how access decisions are made and who sets them. CISSP Domain 5 expects you to match each model to an appropriate scenario.
- Federated Identity
- Federated identity lets users authenticate once with a trusted identity provider and access resources across independent domains, using standards such as SAML and OIDC. CISSP covers it under identity and access management.
- RTO and RPO
- Recovery Time Objective (RTO) is the maximum tolerable time to restore a service, and Recovery Point Objective (RPO) is the maximum tolerable data loss measured in time. CISSP uses both to drive backup and disaster-recovery design.
- Security Operations
- Security operations covers the day-to-day protective work of monitoring, incident response, forensics, and change and configuration management. CISSP Domain 7 stresses evidence handling and a disciplined incident lifecycle.
- SDLC
- The Software Development Life Cycle (SDLC) is the structured process for building software, into which CISSP embeds security at every phase. Domain 8 covers secure coding, testing, and DevSecOps practices.