How to Study All 8 CISSP Domains: Weights, Key Concepts, and Time Allocation

The CISSP exam tests candidates across 8 knowledge domains - from governance and risk management through software development security - with each domain carrying a specific percentage weight that determines how many questions you'll face on exam day. Understanding which domains carry the most weight and where most candidates fail is the foundation of intelligent CISSP preparation.

This guide breaks down all 8 domains: what each one covers, how much weight it carries, how many study hours to allocate, and the key sub-topics that appear most frequently on the exam.

CISSP Domain Overview: Weights and Study Priority

Domain	Exam Weight	Recommended Study Hours	Difficulty
1. Security and Risk Management	16%	24–30 hours	High
2. Asset Security	10%	10–14 hours	Medium
3. Security Architecture and Engineering	13%	18–24 hours	High
4. Communication and Network Security	13%	16–20 hours	Medium-High
5. Identity and Access Management	13%	14–18 hours	Medium-High
6. Security Assessment and Testing	12%	12–16 hours	Medium
7. Security Operations	13%	16–20 hours	Medium-High
8. Software Development Security	10%	10–14 hours	Medium

Total recommended study: 120–156 hours (3–4 months at 10 hours/week)

Five domains carry 13% weight each (Domains 3–5 and 7, plus Domain 6 at 12%), with Domain 1 the clear leader at 16%. Together, Domains 1, 3, 4, 5, and 7 account for 68% of the exam.

Domain 1: Security and Risk Management (16%)

What does Domain 1 cover?

Domain 1 is the conceptual foundation of the CISSP. It covers the principles and frameworks that security professionals use to protect organizations - not the technical tools, but the governance, risk, and compliance (GRC) framework within which everything else operates.

Key topic areas:

• Confidentiality, Integrity, Availability (CIA triad)

• Security governance frameworks (NIST CSF, ISO/IEC 27001, COBIT)

• Risk management: risk identification, assessment, treatment (accept/transfer/mitigate/avoid)

• Legal and regulatory compliance (GDPR, HIPAA, SOX, FERPA, PCI-DSS context)

• Security policy hierarchy: policies → standards → procedures → guidelines

• Threat modeling methodologies (STRIDE, PASTA, DREAD)

• Business continuity planning (BCP) and disaster recovery planning (DRP)

• Personnel security (hiring, onboarding, termination procedures)

• Professional ethics and the ISC2 Code of Ethics

Why is Domain 1 the most important?

Domain 1 concepts appear embedded in questions across all other domains. When a Domain 7 (Security Operations) question asks about incident response, it's testing whether you respond according to governance principles (Domain 1 thinking) or just technical instinct. When a Domain 4 (Network Security) question asks what you do first after discovering a network breach, the Domain 1 framework - protect people, follow policy, manage risk, maintain business continuity - drives the correct answer.

Mastering Domain 1 first is the single highest-leverage study decision a CISSP candidate can make.

Most tested Domain 1 concepts:

• Risk treatment options and their appropriate application scenarios

• The difference between threats, vulnerabilities, and risks

• Business Impact Analysis (BIA) process and outputs

• Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), Recovery Point Objective (RPO)

• When to use different governance frameworks (NIST vs. ISO vs. COBIT)

Domain 2: Asset Security (10%)

What does Domain 2 cover?

Domain 2 focuses on data classification, data lifecycle management, and privacy. It covers how organizations classify, protect, handle, and dispose of data assets throughout their lifecycle.

Key topic areas:

• Data classification levels (top secret, confidential, internal, public - government vs. commercial models)

• Data ownership roles: data owner, data custodian, data processor, data controller

• Privacy regulations and data subject rights

• Data collection limitation and minimization principles

• Data lifecycle management: creation, use, archiving, destruction

• Secure data disposal and sanitization methods (clearing, purging, destruction)

• Data retention policies and legal hold requirements

Most tested Domain 2 concepts:

• Roles of data owner vs. data custodian (the owner defines policy; the custodian implements it)
• Data destruction levels: clearing (overwriting) vs. purging (degaussing/cryptographic erasure) vs. physical destruction
• Scoping and tailoring of security controls

Domain 3: Security Architecture and Engineering (13%)

What does Domain 3 cover?

Domain 3 is one of the technically densest domains, covering secure design principles, security models, cryptography, and physical security. This is where many technically-oriented candidates invest the most energy - and where non-technical candidates find the steepest learning curve.

Key topic areas:

• Security design principles (defense in depth, least privilege, separation of duties, fail-safe defaults)

• Security evaluation models and criteria (Common Criteria, TCSEC/Orange Book - historical context)

• Access control models:

• Bell-LaPadula Model - confidentiality focused; no read up, no write down

• Biba Model - integrity focused; no write up, no read down

• Clark-Wilson Model - integrity through well-formed transactions and separation of duties

• Brewer-Nash (Chinese Wall) Model - dynamic conflict of interest controls

• Cryptography: symmetric encryption (AES, 3DES), asymmetric (RSA, ECC), hashing (SHA-2, SHA-3), digital signatures, PKI

• Site and facility security: CPTED principles, physical access controls, environmental controls

• Virtualization, cloud computing security models, containerization security

• Industrial Control Systems (ICS) and SCADA security

Most tested Domain 3 concepts:

• Bell-LaPadula vs. Biba: which model applies to which security property

• PKI trust models: hierarchical, mesh, web of trust, bridge CA

• Key management: key generation, distribution, escrow, recovery, destruction

• Trusted Platform Module (TPM) and hardware security modules (HSM)

• Secure by Design principles applied to system architecture

Domain 4: Communication and Network Security (13%)

What does Domain 4 cover?

Domain 4 covers network security from physical layer to application layer - the protocols, architectures, and controls that protect data in transit.

Key topic areas:

• OSI model and TCP/IP model with security implications at each layer

• Network topology security: segmentation, DMZ design, zero-trust architecture

• Secure protocols: HTTPS/TLS, SSH, SFTP, S/MIME, DNSSEC

• Firewall types: packet filtering, stateful inspection, proxy, next-generation (NGFW)

• Intrusion Detection/Prevention Systems (IDS/IPS)

• VPN types and protocols: IPSec (tunnel vs. transport mode), SSL/TLS VPN

• Wireless security: WPA2-Enterprise, 802.1X, RADIUS

• Network attacks: MITM, ARP spoofing, DNS poisoning, session hijacking

• Voice and multimedia security (VoIP vulnerabilities)

• Software-Defined Networking (SDN) security implications

Most tested Domain 4 concepts:

• IPSec tunnel mode vs. transport mode (tunnel mode encrypts the entire packet; transport encrypts only the payload)

• DMZ placement and traffic flow rules

• Stateful vs. stateless firewalls in different scenarios

• 802.1X and NAC (Network Access Control) for endpoint authentication

Domain 5: Identity and Access Management (IAM) (13%)

What does Domain 5 cover?

Domain 5 addresses how systems authenticate users and authorize access to resources - one of the most active areas of enterprise security in 2026, with cloud and hybrid identity management particularly emphasized.

Key topic areas:

• Authentication factors: something you know, have, are, somewhere, something you do

• Multi-factor authentication (MFA) and risk-based authentication

• Single Sign-On (SSO) and federation: SAML, OAuth 2.0, OIDC

• Privileged Access Management (PAM) and just-in-time access

• Identity lifecycle: provisioning, maintenance, de-provisioning

• Access control models: MAC, DAC, RBAC, ABAC, ReBAC

• Kerberos and NTLM authentication (Windows environments)

• Zero-trust architecture (ZTA) principles

• Biometrics: FAR (False Accept Rate) vs. FRR (False Reject Rate), crossover error rate (CER)

• Directory services: LDAP, Active Directory, cloud identity (Microsoft Entra ID)

Most tested Domain 5 concepts:

• Crossover Error Rate (CER) as the metric for comparing biometric accuracy

• Kerberos ticket-granting process and its security implications

• When to use RBAC vs. ABAC vs. MAC in different scenarios

• Provisioning and the principle of least privilege enforcement

Domain 6: Security Assessment and Testing (12%)

What does Domain 6 cover?

Domain 6 covers how organizations test their security posture - through audits, vulnerability assessments, penetration tests, software testing, and ongoing monitoring.

Key topic areas:

• Vulnerability assessments vs. penetration testing: scope, methods, outputs

• Penetration testing types: black box, white box, gray box

• Software testing types: unit, integration, regression, fuzzing, static analysis (SAST), dynamic analysis (DAST)

• Security audits: internal vs. external, compliance vs. risk-based

• Log analysis and SIEM review as ongoing assessment

• Code review processes: manual review, automated scanning

• SOC 1/SOC 2/SOC 3 reports and their application to third-party security assessment

• Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for security programs

Most tested Domain 6 concepts:

• The difference between vulnerability assessment (identifies weaknesses) and penetration testing (actively exploits weaknesses)

• When to use each testing type based on scenario

• SOC 2 Type I vs. Type II reports (Type I = controls exist; Type II = controls are effective over time)

Domain 7: Security Operations (13%)

What does Domain 7 cover?

Domain 7 is the most operationally oriented domain, covering incident management, disaster recovery, forensics, and physical and administrative security controls.

Key topic areas:

• Incident response lifecycle: preparation, detection, containment, eradication, recovery, lessons learned

• Digital forensics: evidence preservation, chain of custody, forensic methodologies

• Disaster recovery planning (DRP): RTO, RPO, MTO, backup strategies

• Business continuity plan (BCP) testing types: tabletop, walkthrough, simulation, parallel, full interruption

• Change management and configuration management

• Physical security: data center security, visitor management, badge access

• Personnel security: background checks, separation of duties, job rotation, mandatory vacation

• Investigations: administrative, criminal, civil, regulatory

• Secure resource provisioning and asset management

Most tested Domain 7 concepts:

• Chain of custody requirements and evidence handling (volatile evidence preservation order: CPU registers → RAM → swap space → HDD)

• RTO vs. RPO distinctions and their role in BCP

• Types of BCP tests ordered by operational risk (tabletop is safest; full interruption is most disruptive)

Domain 8: Software Development Security (10%)

What does Domain 8 cover?

Domain 8 covers the integration of security into the software development lifecycle (SDLC) - from design through deployment and maintenance.

Key topic areas:

• SDLC models: waterfall, agile, DevSecOps integration

• Security in requirements, design, coding, testing, deployment phases

• OWASP Top 10 web application vulnerabilities

• Secure coding practices: input validation, output encoding, error handling, session management

• Code repositories and version control security

• API security and microservices security considerations

• Database security: SQL injection prevention, stored procedure security

• Software supply chain security: open-source dependency risks, SCA (software composition analysis)

Most tested Domain 8 concepts:

• OWASP Top 10: injection attacks, broken authentication, IDOR, SSRF are most frequently tested

• Where in the SDLC security is least expensive to fix (requirements/design phase)

• Static (SAST) vs. dynamic (DAST) testing and when each is applied

Which CISSP Domains Are Hardest?

Based on candidate feedback and pass rate analysis:

Hardest: Domain 1 (abstract governance concepts) and Domain 3 (cryptography + security models).

Most commonly underestimated: Domain 2 (asset security) - candidates often under-study this domain because it's "only 10%" and get surprised by the nuanced data lifecycle questions.

Most important for passing: Domain 1 - mastering it increases performance across all other domains.

Frequently Asked Questions

Conclusion

The 8 CISSP domains represent the entire Common Body of Knowledge for information security management. Domain 1's 16% weight and foundational nature makes it the highest-priority study area. The five 13%-weight domains (3, 4, 5, 7) and Domain 6 (12%) together account for 64% of the exam.

Study in proportion to exam weight, practice scenario-based questions for each domain, and remember: CISSP tests management judgment, not technical recall.

Practice CISSP domain questions with EduSum's ISC2 certification resources - scenario-based questions organized by domain for targeted gap identification.

Select ratingPoorOkayGoodGreatAwesome

Rating: 5 / 5 (1 vote)