Knowledge Transfer Protocol

Learning Hub

Master the fundamentals of cybersecurity, dive deep into enterprise cloud architecture, and accelerate your path to CISSP certification.

Enterprise Cloud Security Platform

Start Free Trial

CISSP Domain Breakdowns

menu_book PDF · 49 Pages

All 8 Domains Exam-Ready Format CISSP 2024 Free Download

CISSP Master Study Notes

by Krishna Chandra Muduli · CISSP · Cybersecurity Lead

A meticulously crafted 49-page rapid-review guide condensing all 8 CISSP domains into exam-ready formats — concept tables, risk formulas (ALE / SLE / ARO), security models (Bell-LaPadula, Biba, Clark-Wilson), cryptography algorithms, IAM frameworks, incident response lifecycle, OWASP Top 10, STRIDE threat model, and 50+ practice Q&As with explanations. Built from real-world practitioner experience to bridge theory and the exam mindset.

CIA Triad & Risk Math Crypto Algorithms OSI + Firewall Types DAC / MAC / RBAC / ABAC IR Lifecycle (NIST) STRIDE & OWASP Domain Mnemonics 50+ Practice Q&As

download Download Free PDF

verified Written by a certified CISSP practitioner

Domains

Pages

50+

Q&As

Security and Risk Management

15% of exam · Governance, Risk, Compliance

The LARGEST domain in CISSP. Covers the foundation of cybersecurity — how organizations manage risk, set policies, follow laws, and build a security culture. Think of it as the "CEO mindset" of cybersecurity.

★ Most Important Topics

› CIA Triad (Confidentiality, Integrity, Availability)
› Risk = Threat × Vulnerability × Asset Value
› Risk Treatment: Accept, Transfer, Mitigate, Avoid
› Security Governance & Policy Framework
› Legal, Regulatory & Compliance (GDPR, HIPAA, SOX)
› BCP vs DRP · RTO / RPO / MTD

CIA Triad

ConfidentialityOnly authorized people access data. Encryption, Access Controls.

IntegrityData accurate & untampered. SHA-256, Digital Signatures.

AvailabilitySystems up when needed. Redundancy, Backups, DDoS protection.

Risk Treatment (ATMA)

AcceptRisk low or cost to fix exceeds risk. Document it.

TransferCyber insurance or outsource to third party.

MitigateApply controls to lower probability or impact.

AvoidStop the risky activity altogether.

Key Risk Formulas

ALE = ARO × SLE (annual loss expectancy)

SLE = Asset Value × Exposure Factor

ARO = how often the threat happens per year

Residual Risk = Risk AFTER controls applied

RTO = Max time to restore a system

RPO = Max acceptable data loss (in time)

Frameworks & Laws

NIST CSFIdentify, Protect, Detect, Respond, Recover

ISO 27001Intl standard for ISMS

GDPREU — protect personal data of EU citizens

HIPAAUS — protect health info (PHI)

SOXUS — financial reporting for public companies

PCI-DSSPayment card security standard

COBITIT Governance for business alignment

Mnemonic

"Can I Access?" — Confidentiality (Can only authorized users?), Integrity (Is data accurate?), Availability (Are systems up?) | Risk Treatment = ATMA: Accept → Transfer → Mitigate → Avoid

Exam Tips & Traps

⚠ CISSP always asks from a MANAGEMENT perspective — choose what a CISO/senior manager would pick.
⚠ "First thing to do" → answer usually involves RISK ASSESSMENT or BIA first.
⚠ Due Care = doing the right thing. Due Diligence = knowing what the right thing is.
⚠ BCP = KEEPING business running during disaster. DRP = RECOVERING IT systems after.
⚠ Policy > Standard (mandatory) > Guideline (recommended) > Procedure (steps)

Quick Revision Notes

› CIA = Confidentiality, Integrity, Availability
› Risk = Threat × Vulnerability × Asset Value
› ALE = ARO × SLE; SLE = Asset Value × EF
› Risk Treatment = Accept, Transfer, Mitigate, Avoid
› Policy > Standard > Guideline > Procedure
› BCP = Keep running; DRP = Recover IT after
› RTO = Max time to restore; RPO = Max data loss
› GDPR (EU), HIPAA (health), SOX (finance), PCI-DSS (cards)

Practice Questions

Q1: A vulnerability exists but cost to fix exceeds potential loss. BEST response?

✓ B) Accept the risk and document the decision

When cost to remediate exceeds potential loss, accepting and documenting is the prudent business decision.

Q2: Formula to calculate annual expected loss from a threat?

✓ B) ALE = SLE × ARO

ALE (Annual Loss Expectancy) = SLE × ARO. SLE = Asset Value × EF.

Q3: RTO is 2 hrs but backup restore takes 6 hrs. FIRST action?

✓ A) Conduct a new BIA

FIRST step is always assessment. A new BIA confirms the RTO and guides corrective actions.

Q4: Document providing MANDATORY requirements for all staff?

✓ C) Standard

Standards are mandatory specific rules derived from policy. Guidelines are recommendations.

download Download D1 Notes PDF open_in_new ISC2 Exam Outline open_in_new NIST SP 800 Series

Asset Security

10% of exam · Classification & Privacy

Protecting information and assets throughout their entire lifecycle — from creation until secure destruction. You can't protect what you don't know you have.

★ Most Important Topics

› Data Classification (Government vs. Commercial)
› Data Roles: Owner, Custodian, User, Processor, Controller
› Data Lifecycle: Create → Store → Use → Share → Archive → Destroy
› Secure Data Destruction methods
› Privacy Protection principles (GDPR Controller vs Processor)

Government Classification

Top SecretGrave damage to national security if disclosed.

SecretSerious damage to national security.

ConfidentialDamage to national security if disclosed.

UnclassifiedNo damage. Public use acceptable.

Commercial Classification

ConfidentialTrade secrets, M&A. Very restricted.

PrivatePersonal employee data. Internal only.

SensitiveExtra protection needed. Financial data.

PublicSafe to share. Press releases, marketing.

Data Roles — Who Does What?

Data OwnerSenior exec — classifies & makes policy decisions.

Data CustodianIT team — stores & implements controls.

Data UserEnd user — accesses data per policy.

Data ProcessorGDPR: 3rd party processing on behalf of controller.

Data ControllerGDPR: decides HOW & WHY data is processed.

Data StewardEnsures data quality & governance standards.

Data Destruction Methods

Overwriting — DoD 5220.22-M: write new data multiple times.

Degaussing — Magnetic field. Only works on magnetic media (NOT SSDs).

Shredding — Physical destruction. Works on SSDs.

Crypto Erasure — Destroy encryption key → data unreadable.

Incineration — Burning. Used for classified documents.

Mnemonic

OCUP: Owner (classifies), Custodian (protects), User (accesses), Processor/Controller (GDPR) | CS-USAD: Create, Store, Use, Share, Archive, Destroy

Exam Tips & Traps

⚠ SSDs cannot be degaussed — not magnetic. Use overwriting or physical destruction.
⚠ Data Owner is NOT the IT person — usually a business executive/department head.
⚠ Deleting a file does NOT destroy data — only overwriting or physical destruction does.
⚠ GDPR: Controller = decides purpose; Processor = executes on behalf of controller.

Q1: Retiring old SSDs — MOST appropriate destruction method?

✓ C) Physical shredding or overwriting

SSDs are not magnetic — degaussing is ineffective.

Q2: Who is PRIMARILY responsible for classifying data?

✓ C) Data Owner

The Data Owner (senior exec) classifies data based on value and sensitivity.

Q3: Marketing firm processes data on behalf of e-commerce company under GDPR — what role?

✓ C) Data Processor

E-commerce = Controller (decides purpose). Marketing firm = Processor (processes data).

download Download D2 Notes PDF open_in_new GDPR Reference open_in_new NIST Data De-identification

Security Architecture & Engineering

13% of exam · Cryptography & Secure Design

Designing and building secure systems. Security must be designed INTO systems — not bolted on. Covers cryptography, security models, physical security, and cloud principles.

★ Most Important Topics

› Cryptography: Symmetric, Asymmetric, Hashing
› Security Models: Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash
› Secure Design: Least Privilege, Defense in Depth, Fail Secure
› PKI, Digital Certificates, CA
› Physical Security: Mantrap, Faraday Cage, CPTED
› Cloud Shared Responsibility: IaaS, PaaS, SaaS

Symmetric vs Asymmetric

Symmetric — Same key, FAST. Examples: AES, DES, 3DES. Best for bulk data encryption.

Asymmetric — Key pair (public/private), SLOW. Examples: RSA, ECC. Best for key exchange, digital signatures.

Hashing — One-way, NOT reversible. SHA-256, MD5 (broken). Verifies integrity.

Security Models

Bell-LaPadula — CONFIDENTIALITY. No read up, no write down. (Military)

Biba — INTEGRITY. No write up, no read down. (Prevents corruption)

Clark-Wilson — Integrity via well-formed transactions. Commercial.

Brewer-Nash — Chinese Wall. Prevents conflicts of interest.

Secure Design Principles

Least Privilege — Minimum access needed for the job.

Defense in Depth — Multiple security layers; if one fails, another catches it.

Fail Secure — Deny all on failure (IT). Fail Safe = allow all (fire doors).

Separation of Duties — Split critical tasks; prevents fraud.

Open Design — Security not reliant on secrecy of design (Kerckhoffs).

Economy of Mechanism — Keep design simple; complexity = more vulnerabilities.

Mnemonic

Bell-LaPadula = Confidentiality (CIA secrets) — "No Read Up, No Write Down." Biba is the OPPOSITE for INTEGRITY. | Asymmetric = "Public locks, Private unlocks."

Exam Tips & Traps

⚠ Hashing ≠ Encryption — you cannot "decrypt" a hash. It is one-way.
⚠ Fail Secure = deny access (IT systems). Fail Safe = allow passage (fire doors).
⚠ Bell-LaPadula = Confidentiality (military). Biba = Integrity (commercial).
⚠ AES = best symmetric; RSA = common asymmetric; SHA-256 = secure hash; MD5 = BROKEN.
⚠ Cloud IaaS: you own OS/app security. SaaS: provider owns almost everything.

Q1: System denies all access when security component fails. Which principle?

✓ B) Fail Secure

Fail Secure defaults to denied state on failure. Fail Safe allows access (life safety).

Q2: Users cannot read information at higher classification. Which model?

✓ C) Bell-LaPadula Model

"No Read Up" prevents subjects from reading data above their clearance level.

Q3: Best encryption for encrypting large amounts of data quickly?

✓ C) AES (Symmetric)

Symmetric (AES) is much faster than asymmetric for bulk data.

download Download D3 Notes PDF open_in_new FIPS 197 (AES Standard) open_in_new NIST Cryptography Guide

Communication and Network Security

13% of exam · Protocols, Firewalls, VPNs, Wireless

Covers how data travels across networks and how to protect it in transit. Most attacks happen over networks — understanding secure network design is critical.

OSI Model — All 7 Layers

7 — ApplicationHTTP, FTP, SMTP, DNS — what the user sees

6 — PresentationEncryption/Decryption, Compression, SSL/TLS

5 — SessionEstablish, manage, terminate sessions (NetBIOS, RPC)

4 — TransportTCP (reliable), UDP (fast) — port numbers here

3 — NetworkIP addressing, routing — routers work here

2 — Data LinkMAC addresses, switches, frames (ARP, Ethernet)

1 — PhysicalCables, hubs, bits — physical transmission

Firewall Types

Packet Filter — IP/ports only. Simple, no state. Layer 3.

Stateful Inspection — Tracks connection state. Layer 4.

Application-Layer (Proxy) — Understands app content. Layer 7.

NGFW — Stateful + DPI + IPS + app awareness.

WAF — Web app protection. Blocks SQLi, XSS, CSRF.

Wireless Security

WEP — BROKEN. Do not use.

WPA — Better than WEP, TKIP. Still vulnerable.

WPA2 — AES encryption. Enterprise uses 802.1X/RADIUS.

WPA3 — Latest. SAE, forward secrecy. Use this.

802.1X — Port-based NAC. Auth before network access.

Common Network Attacks

ARP Spoofing — Fake ARP replies link attacker MAC to legit IP → MITM.

DNS Poisoning — Corrupt DNS cache → redirect users to malicious sites.

SYN Flood — Many TCP SYN packets → exhausts server connection table.

DDoS — Overwhelm server with traffic from many sources.

Replay Attack — Capture and re-send valid auth data to gain access.

Evil Twin — Fake AP with same SSID → MITM on wireless users.

Mnemonic · OSI Layers (top→bottom)

"All People Seem To Need Data Processing" — Application, Presentation, Session, Transport, Network, Data Link, Physical

Exam Tips & Traps

⚠ IDS = Detect only (passive). IPS = Detect AND Block (inline, active).
⚠ IPsec AH = integrity only. ESP = encryption + integrity.
⚠ WEP is broken. WPA2 (AES) minimum. WPA3 best.
⚠ DMZ design — web servers go in DMZ; databases NEVER in DMZ.
⚠ Stateful = smarter firewall — knows if packet is part of established session.

Q1: Protect web apps from SQL injection and XSS. Which device?

✓ C) Web Application Firewall (WAF)

WAF operates at Layer 7 and specifically understands HTTP/HTTPS traffic.

Q2: Connect two remote offices securely. Most appropriate?

✓ B) Site-to-Site IPsec VPN

Site-to-Site VPN connects two networks. Remote Access VPN is for individual users.

download Download D4 Notes PDF open_in_new RFC 4301 (IPsec) open_in_new CIS Network Benchmarks

Identity and Access Management (IAM)

13% of exam · Authentication, Access Control, Zero Trust

IAM ensures only the right people, with the right permissions, access the right resources at the right time. Most breaches involve compromised credentials or excessive permissions — strong IAM is your first line of defence.

★ Most Important Topics

› Authentication Factors: Know / Have / Are / Do / Somewhere
› Access Control Models: DAC, MAC, RBAC, ABAC, Rule-Based
› SSO, SAML, OAuth 2.0, OpenID Connect, Kerberos
› Biometric Accuracy: FAR, FRR, CER (lower = better)
› Zero Trust — "Never Trust, Always Verify"
› PAM, JIT Access, Separation of Duties

Authentication Factors

Something You KnowPassword, PIN, passphrase, security questions

Something You HaveSmart card, hardware token, OTP app, key fob

Something You AreBiometrics: fingerprint, retina, face, voice

Something You DoTyping rhythm, gait analysis, behavioural

Somewhere You AreGeolocation — access from specific IP/location

Access Control Models

DAC — Owner controls access. "I decide who reads my file." (OS files)

MAC — System enforces labels. Owner CANNOT change. (Government/Military)

RBAC — Access by job role. Most common in corporations.

ABAC — Access by attributes (time, location, device). Very flexible.

Rule-Based — Predefined rules (firewall ACLs).

SSO & Identity Protocols

SSO — Log in once, access all. Single point of failure risk.

SAML — XML-based. Enterprise SSO standard.

OAuth 2.0 — AUTHORIZATION. Allows apps to access resources without sharing passwords.

OpenID Connect — AUTHENTICATION layer on top of OAuth 2.0.

Kerberos — Ticket-based. Uses KDC. Windows Active Directory.

LDAP — Directory protocol for accessing Active Directory.

Biometric Accuracy

FAR — False Acceptance Rate. Lets in unauthorized user. Security risk.

FRR — False Rejection Rate. Rejects authorized user. Usability problem.

CER/EER — Where FAR = FRR. Lower CER = more accurate system.

Zero Trust — "Never Trust, Always Verify"

› Assume breach — treat every request as untrusted.
› Verify explicitly — authenticate & authorise based on all available data.
› Use least privilege — just-in-time, just-enough access.
› Microsegmentation — granular perimeters to contain breach impact.

Exam Tips & Traps

⚠ Order always: Identification → Authentication → Authorization → Accountability
⚠ OAuth = AUTHORIZATION, not authentication. OpenID Connect adds authentication.
⚠ Two passwords = single-factor (both "something you know"). MFA needs DIFFERENT factor types.
⚠ MAC = military labels. RBAC = corporate. DAC = files/OS.
⚠ Kerberos uses TICKETS, not passwords, for subsequent authentication.

Q1: User swipes badge AND scans fingerprint. This is?

✓ B) Multi-factor authentication

Badge = Something You Have. Fingerprint = Something You Are. Two different factor types = MFA.

Q2: System A has CER 5%, System B has CER 12%. Which is more accurate?

✓ B) System A — lower CER = better accuracy

Lower CER (Crossover Error Rate) = better overall accuracy.

Q3: "Login with Google" on partner portal without sharing password. Which protocol?

✓ D) OAuth 2.0 with OpenID Connect

OAuth 2.0 enables authorization. OpenID Connect adds identity verification.

download Download D5 Notes PDF open_in_new NIST SP 800-63 (Digital Identity) open_in_new OpenID Connect Spec

Security Assessment and Testing

12% of exam · Pen Testing, Audits, Metrics

Testing and verifying that security controls are working. Controls that are never tested may not work. Regular testing finds gaps before attackers do.

★ Most Important Topics

› Vulnerability Assessment vs Penetration Testing
› Pen Testing Types: Black Box, White Box, Gray Box
› Code Review: SAST (static) vs DAST (dynamic)
› Key Metrics: MTTD, MTTR, MTTF, MTBF
› Security Audits: Internal, External, SOC 2

VA vs Pen Test

Vulnerability Assessment — Finds weaknesses. Automated scanning. Low risk. Monthly/quarterly.

Penetration Testing — Actively EXPLOITS weaknesses. Simulates real attacks. MUST have written authorization.

Pen Test Types

Black Box — No prior knowledge. Most realistic (external attacker).

White Box — Full knowledge (source code, architecture). Most thorough.

Gray Box — Partial knowledge. Balance of realism and depth.

SAST vs DAST

SAST — Static Analysis

› Analyzes source code BEFORE it runs
› Tools: Fortify, Checkmarx, SonarQube
› Finds logic flaws, insecure code patterns
› Fast — runs in CI/CD pipeline

DAST — Dynamic Analysis

› Tests RUNNING application
› Tools: OWASP ZAP, Burp Suite, Acunetix
› Finds runtime issues, injection, auth flaws
› No source code needed (black box)

Pen Testing Phases

1. Planning → 2. Reconnaissance → 3. Scanning → 4. Exploitation → 5. Post-Exploitation → 6. Reporting

Security Metrics

MTTDMean Time To Detect an incident

MTTRMean Time To Respond & contain

MTBFMean Time Between Failures (repairable)

MTTFMean Time To Failure (non-repairable)

Exam Tips & Traps

⚠ ALWAYS get written authorization before pen testing — unauthorized testing is a crime.
⚠ VA finds vulnerabilities. Pen test EXPLOITS them. Different goals!
⚠ "First thing in pen testing" = always PLANNING and written authorization.
⚠ SAST = source code (sleeping). DAST = running app (dancing).

Q1: FIRST thing before starting any pen test?

✓ B) Obtain written authorization from the client

Without written auth, the tester is committing unauthorized access — a crime.

Q2: Find SQL injection in source code BEFORE deployment. Which tool?

✓ C) SAST tool

SAST analyzes source code without running it. Ideal for early detection in development pipeline.

Q3: Measure how quickly team identifies incidents. Which metric?

✓ C) MTTD

MTTD measures average time to detect an incident. MTTR measures response time after detection.

download Download D6 Notes PDF open_in_new OWASP Testing Guide open_in_new NIST SP 800-115 (Pen Testing)

Security Operations

13% of exam · IR, Monitoring, DRP, Controls

The day-to-day work of keeping an organization secure. A great security design fails without proper operational execution. Covers incident response, monitoring, disaster recovery, and operational controls.

Incident Response Lifecycle (NIST)

1. Preparation → 2. Detection → 3. Containment → 4. Eradication → 5. Recovery → 6. Lessons Learned

Mnemonic PDCEER-L: "Please Don't Call Every Emergency Response Late"

Security Control Types

Preventive — STOP incident before. Firewall, access control, training.

Detective — FIND incident. IDS, CCTV, audit logs.

Corrective — FIX after incident. Patching, restoring backups.

Deterrent — DISCOURAGE attackers. Warning signs, visible cameras.

Compensating — Alternative when primary control isn't possible.

Recovery Site Types

Hot Site — Fully operational. Switch in MINUTES. Most expensive.

Warm Site — Partially equipped. Takes HOURS. Middle cost.

Cold Site — Empty building. Takes DAYS to weeks. Cheapest.

Cloud Recovery — Fast, scalable. Increasingly common.

Forensics & Evidence

Order of Volatility — RAM → Swap → Disk → Logs (most volatile first)

Chain of Custody — Documentation tracking evidence from collection to court.

IOC — Indicator of Compromise: suspicious IP, malware hash, unusual login.

CVSS — 0–10. Critical: 9–10. High: 7–8.9. Used to prioritize patching.

Exam Tips & Traps

⚠ In forensics: preserve evidence FIRST. Never work on originals — use forensic copy.
⚠ IR: CONTAINMENT comes before ERADICATION. Stop the spread first!
⚠ Order of volatility: RAM first (most volatile — lost on power off).
⚠ Change Management: CAB must APPROVE before implementation. Never skip.
⚠ Cold site = just a facility. You must bring all equipment.

Q1: Active ransomware attack — MOST important immediate action?

✓ C) Contain the affected systems

Containment stops the spread. Before eradicating, you must contain.

Q2: Forensic investigator — what to collect FIRST from compromised server?

✓ C) RAM contents

RAM is most volatile — lost when power off. Must be captured FIRST.

Q3: Recover within 15 minutes of disaster. Which site?

✓ D) Hot Site

Hot sites are fully operational and can take over in minutes. 15-minute RTO requires hot site.

download Download D7 Notes PDF open_in_new NIST SP 800-61 (IR Guide) open_in_new NIST SP 800-34 (BCP/DR)

Software Development Security

10% of exam · SDLC, OWASP, DevSecOps

Integrating security into software development — from design to deployment. Security must be built INTO code, not patched in later. Fixing a bug in production costs 30× more than fixing it in design.

★ Most Important Topics

› SDLC phases and security activities per phase
› OWASP Top 10 — most common web vulnerabilities
› DevSecOps — Shift Left, CI/CD security
› SAST, DAST, SCA — testing types
› SQL Injection prevention: parameterized queries
› STRIDE threat modelling, SBoM, Supply Chain Security

OWASP Top 10

A01: Broken Access Control — #1 risk. Users access beyond permissions.

A02: Cryptographic Failures — Weak/missing encryption, plain-text passwords.

A03: Injection — SQLi, OS command injection. Fix: parameterized queries.

A04: Insecure Design — No threat modelling in design phase.

A05: Security Misconfiguration — Default passwords, open storage, unnecessary services.

A06: Vulnerable Components — Outdated libraries with known CVEs (supply chain).

A07: Auth Failures — Weak passwords, no MFA, session issues.

A08: Data Integrity Failures — Untrusted code updates, insecure deserialization.

A09: Logging Failures — Insufficient logging → breaches undetected.

A10: SSRF — Server makes unintended requests to internal resources.

SDLC Phases & Security

Requirements — Gather security requirements. Threat modelling starts here.

Design — Least privilege, defense in depth, secure architecture.

Development — Secure coding standards, peer code reviews.

Testing — SAST, DAST, SCA, pen testing.

Deployment — Secure config, change control.

Maintenance — Patch management, monitoring.

Secure Coding Practices

Input Validation — Never trust user input. Validate SERVER-SIDE.

Parameterized Queries — Prevent SQL injection. No string concatenation.

Output Encoding — Encode output to prevent XSS.

Error Handling — Don't reveal internal details in error messages.

Secrets Management — Never hardcode API keys. Use Vault, AWS Secrets Mgr.

STRIDE Threat Modelling

Spoofing — impersonating another user

Tampering — modifying data/code

Repudiation — denying actions (fix: audit logs)

Information Disclosure — data exposure

Denial of Service — making systems unavailable

Elevation of Privilege — gaining higher access

DevSecOps — Shift Left

› Integrate SAST, SCA, secrets scanning in every CI/CD commit.
› SCA (Software Composition Analysis) — scans open-source libraries for known CVEs.
› SBoM (Software Bill of Materials) — list of all components; helps identify vulnerable dependencies.
› Shift Left = find bugs early in SDLC = dramatically cheaper to fix.

Exam Tips & Traps

⚠ OWASP A01 (Broken Access Control) = #1 vulnerability. Injection (A03) = classic exam topic.
⚠ Client-side validation only is useless — attackers bypass browsers. Always validate server-side.
⚠ Aggregation attack = combining non-sensitive data to derive sensitive info.
⚠ SCA scans third-party/open-source libraries. SAST only analyzes first-party source code.

Q1: String concatenation to build SQL queries with user input. Vulnerability?

✓ B) SQL Injection

Fix: use parameterized queries / prepared statements. Never concatenate user input into SQL.

Q2: Security testing integrated into every CI/CD pipeline commit. This is?

✓ C) DevSecOps (Shift Left)

DevSecOps = security in every phase of development, including automated testing at every commit.

Q3: Attacker denies sending a malicious request. STRIDE category?

✓ B) Repudiation

Repudiation = attacker denies an action. Fix: audit logs and digital signatures.

Q4: Concerned about vulnerabilities in third-party libraries. Most effective control?

✓ B) SCA (Software Composition Analysis)

SCA scans open-source components for known CVEs. SAST only covers first-party code.

download Download D8 Notes PDF open_in_new OWASP Top 10 open_in_new NIST SSDF (SP 800-218)

CISSP Aspirant Resource Hub

Everything a CISSP aspirant needs — handpicked by practitioners. Channels, free PDFs, mindset guides, and communities that have helped thousands of candidates pass one of the hardest exams in cybersecurity.

📺

YouTube Channels

Video Lessons

smart_display

Destination Certification

Arguably the highest-quality visuals in the industry. Their CISSP MindMap series is legendary — each domain summarized in 20–30 minutes with unmatched clarity.

smart_display

Prabh Nair

Known for his Coffee Shots and Dragon series. Heavy focus on exam logic and how to tackle tricky scenario-based questions.

smart_display

CISSP Exam Cram — Pete Zerger

Pete Zerger's 8-hour+ Exam Cram covers the entire syllabus in one sitting. The go-to final-review resource for thousands of successful candidates.

smart_display

Luke Ahmed — Study Notes and Theory

Deep dives into complex topics like Kerberos and the OSI stack. Essential for understanding why technology works, not just what it does.

smart_display

Cyber-KungFu

Excellent for technical breakdowns and domain-specific deep dives. Particularly strong on the architecture and engineering domains.

smart_display

Kelly Handerhan — Cybrary

Famous for the mantra "Think like a Manager." Her free Cybrary course is still highly relevant for establishing the correct exam mindset above all else.

📝

Free PDFs & Study Guides

Cheat Sheets

picture_as_pdf

Prashant Mohan's Memory Palace Must Have

A comprehensive 100+ page PDF summarizing all 8 domains. Widely considered the best free cheat sheet in existence — the closest thing to a complete study companion in one file.

picture_as_pdf

Sunflower CISSP Summary

A classic high-level summary of the entire exam. Best used for last-minute review (1–2 days before exam day) to consolidate what you already know.

picture_as_pdf

Destination Certification MindMaps (PDFs)

Downloadable PDF versions of their MindMap video series. Each domain on one page — print them, annotate them, own them.

picture_as_pdf

ISC2 Official Exam Outline

Overlooked by most candidates, yet it is the map. Use it to systematically tick off every topic you've mastered — nothing on the exam falls outside it.

download

CISSP Master Study Notes — Krishna Chandra Muduli This Site

The 49-page rapid-review guide on this page — all 8 domains, concept tables, formulas, mnemonics, and 50+ Q&As written by a practicing CISSP.

🧠

Mindset & Strategy

Think Like a Manager

Critical insight: Passing the CISSP is not just about technical knowledge — it is about adopting the Managerial Mindset. You are answering as a senior security leader making risk-based business decisions, not as a network engineer solving a technical problem.

lightbulb

"Why You Will Pass the CISSP" — Kelly Handerhan Mandatory · 15 min

Watch this before anything else. Kelly reframes how you think about answering questions. Arguably the single most valuable 15 minutes in CISSP prep.

lightbulb

"How to Think Like a Manager" — Luke Ahmed

His blog and YouTube content on this topic teaches the skill of picking the best answer among four that all seem correct — the defining challenge of the exam.

lightbulb

"50 CISSP Practice Questions" — Andrew Ramdayal

Watch a professional break down real questions in real-time. Invaluable for understanding the decision framework behind each answer — not just what is right, but why.

People

1st Priority

Process

2nd Priority

Technology

3rd Priority

💬

Community & Forums

Ask & Share

forum

r/CISSP — Reddit Most Active

The largest CISSP community online. Search for How I Passed posts — real study plans, timelines, resource stacks, and honest reflections from those who just cleared the exam.

forum

Certification Station — Discord

A massive Discord server where experts and students discuss exam questions in real-time. Active CISSP channels with dedicated SMEs answering concept doubts daily.

Pro tip: Search Reddit for posts with 200+ upvotes tagged "passed" or "how I passed". Sort by Top (All Time). These posts contain the most battle-tested study plans in existence — read at least 10 before finalising your own approach.

CISSP Free Domain References

Official standards, frameworks, and authoritative free publications mapped per domain — used by practitioners and cited in the exam.

D1 — Risk D2 — Asset

open_in_new ISC2 Official CISSP Exam Outline (free PDF) open_in_new NIST SP 800-37 Rev 2 — Risk Management Framework open_in_new GDPR Full Text & Guides (gdpr.eu)

D3 — Architecture D4 — Network

open_in_new FIPS 197 — AES Standard (NIST) open_in_new CIS Benchmarks — Network & OS Hardening (free) open_in_new NIST SP 800 Series — Full Publication Index

D5 — IAM D6 — Assessment

open_in_new NIST SP 800-63-3 — Digital Identity Guidelines open_in_new OWASP Top 10 — Web Application Security Risks open_in_new NIST SP 800-115 — Technical Guide to Security Testing

D7 — Operations D8 — Software

open_in_new NIST SP 800-61r2 — Incident Response Guide (PDF) open_in_new NIST SP 800-34 Rev 1 — Contingency Planning / BCP open_in_new NIST SP 800-218 — Secure Software Development Framework

Foundational Security

vpn_key

IAM Fundamentals

Identity, Authentication, and Authorization basics.

network_check

Network Security 101

Firewalls, IDS/IPS, and packet analysis basics.

bug_report

Understanding Vulnerabilities

CVEs, CVSS scoring, and patch management.

shield_moon

Cryptography Basics

Symmetric vs Asymmetric encryption and hashing.

Advanced Deep Dives

cloud_lock

Zero Trust Cloud Architecture

A 30-page tactical breakdown of implementing identity perimeters and micro-segmentation in hybrid environments.

Initialize Module arrow_forward

policy

Threat Intelligence & MITRE

How to operationalize threat intelligence feeds and map adversary behavior using the MITRE ATT&CK framework.

Initialize Module arrow_forward

code_blocks

DevSecOps & CI/CD Security

The ultimate guide to shifting left: embedding SAST, DAST, and SCA tooling into agile development pipelines.

Initialize Module arrow_forward

health_and_safety

Offline Healthcare AI Blueprint

A complete end-to-end roadmap for building an offline AI-powered healthcare assistant on IoT/edge devices — covering model strategy, edge deployment, safety & compliance.

Initialize Module arrow_forward

Learning Hub

Enterprise Cloud Security Platform

CISSP Domain Breakdowns

CISSP Master Study Notes

Security and Risk Management

★ Most Important Topics

CIA Triad

Risk Treatment (ATMA)

Key Risk Formulas

Frameworks & Laws

Practice Questions

Asset Security

★ Most Important Topics

Government Classification

Commercial Classification

Data Roles — Who Does What?

Data Destruction Methods

Security Architecture & Engineering

★ Most Important Topics

Symmetric vs Asymmetric

Security Models

Secure Design Principles

Communication and Network Security

OSI Model — All 7 Layers

Firewall Types

Wireless Security

Common Network Attacks

Identity and Access Management (IAM)

★ Most Important Topics

Authentication Factors

Access Control Models

SSO & Identity Protocols

Biometric Accuracy

Security Assessment and Testing

★ Most Important Topics

VA vs Pen Test

Pen Test Types

SAST vs DAST

Pen Testing Phases

Security Metrics

Security Operations

Incident Response Lifecycle (NIST)

Security Control Types

Recovery Site Types

Forensics & Evidence

Software Development Security

★ Most Important Topics

OWASP Top 10

SDLC Phases & Security

Secure Coding Practices

STRIDE Threat Modelling

CISSP Aspirant Resource Hub

YouTube Channels

Free PDFs & Study Guides

Mindset & Strategy

Community & Forums

CISSP Free Domain References

Foundational Security

IAM Fundamentals

Network Security 101

Understanding Vulnerabilities

Cryptography Basics

Advanced Deep Dives

Zero Trust Cloud Architecture

Threat Intelligence & MITRE

DevSecOps & CI/CD Security

Offline Healthcare AI Blueprint

Cyber Progression Roadmaps

SOC Analyst T1 & T2

Security Engineer

Security Architect / Lead

Enterprise Interview Playbooks

ATS-Optimized Resumes

Digital Arsenal

CISSP Complete Notes

Cloud Audit Templates

Security Checklists

Curated Tools

Next-Gen SIEM Platform

Endpoint Protection