Certified Information Security Professional (CISSP)

Understand and apply concepts of confidentiality, integrity and availability

Evaluate and apply security governance principles
- Alignment of security function to business strategy, goals, mission, and objectives
- Organizational processes (e.g., acquisitions, divestitures, governance committees)
- Organizational roles and responsibilities
- Security control frameworks
- Due care/due diligence

Determine compliance requirements
- Contractual, legal, industry standards, and regulatory requirements
- Privacy requirements

Understand legal and regulatory issues that pertain to information security in a global context
- Cyber crimes and data breaches
- Licensing and intellectual property requirements
- Import/export controls
- Trans-border data flow
- Privacy

Understand, adhere to, and promote professional ethics
- (ISC)² Code of Professional Ethics - Organizational code of ethics

Develop, document, and implement security policy, standards, procedures, and guidelines
Identify, analyze, and prioritize Business Continuity (BC) requirements
- Develop and document scope and plan
- Business Impact Analysis (BIA)

Contribute to and enforce personnel security policies and procedures
- Candidate screening and hiring
- Employment agreements and policies
- Onboarding and termination processes
- Vendor, consultant, and contractor agreements and controls
- Compliance policy requirements
- Privacy policy requirements

Understand and apply risk management concepts
- Identify threats and vulnerabilities
- Risk assessment/analysis
- Risk response
- Countermeasure selection and implementation
- Applicable types of controls (e.g., preventive, detective, corrective)
- Security Control Assessment (SCA)
- Monitoring and measurement
- Asset valuation
- Reporting
- Continuous improvement
- Risk frameworks

Understand and apply threat modeling concepts and methodologies
- Threat modeling methodologies
- Threat modeling concepts

Apply risk-based management concepts to the supply chain
- Risks associated with hardware, software, and services
- Third-party assessment and monitoring
- Minimum security requirements
- Service-level requirements

Establish and maintain a security awareness, education, and training program
- Methods and techniques to present awareness and training
- Periodic content reviews
- Program effectiveness evaluation

Asset Security

Identify and classify information and assets
- Data classification
- Asset Classification

Determine and maintain information and asset ownership

Protect privacy
- Data owners
- Data processers
- Data remanence
- Collection limitation

Ensure appropriate asset retention

Determine data security controls
- Understand data states
- Scoping and tailoring
- Standards selection
- Data protection methods

Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
- Client-based systems
- Server-based systems
- Database systems
- Cryptographic systems
- Industrial Control Systems (ICS)
- Cloud-based systems
- Distributed systems
- Internet of Things (IoT)

Apply cryptography
- Cryptographic life cycle (e.g., key management, algorithm selection)
- Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves)
- Public Key Infrastructure (PKI)
- Key management practices
- Digital signatures
- Non-repudiation
- Integrity (e.g., hashing)
- Understand methods of cryptanalytic attacks
- Digital Rights Management (DRM)
Apply security principles to site and facility design

Implement site and facility security controls
- Wiring closets/intermediate distribution facilities
- Server rooms/data centers
- Media storage facilities
- Evidence storage
- Restricted and work area security
- Utilities and Heating, Ventilation, and Air

Conditioning (HVAC)
- Environmental issues
- Fire prevention, detection, and suppression

Communication and Network Security

Implement secure design principles in network architectures
- Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
- Internet Protocol (IP) networking
- Implications of multilayer protocols
- Converged protocols
- Software-defined networks
- Wireless networks

Secure network components
- Operation of hardware
- Transmission media
- Network Access Control (NAC) devices
- Endpoint security
- Content-distribution networks

Implement secure communication channels according to design
- Voice
- Multimedia collaboration
- Remote access
- Data communications
- Virtualized networks

Identity and Access Management (IAM)

Control physical and logical access to assets
- Information
- Systems
- Devices
- Facilities

Manage identification and authentication of people, devices, and services
- Identity management implementation
- Single/multi-factor authentication
- Accountability
- Session management
- Registration and proofing of identity
- Federated Identity Management (FIM)
- Credential management systems

Integrate identity as a third-party service
- On-premise
- Cloud
- Federated

Implement and manage authorization mechanisms
- Role Based Access Control (RBAC)
- Rule-based access control
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Attribute Based Access Control (ABAC)

Manage the identity and access provisioning lifecycle
- User access review
- System account access review
- Provisioning and deprovisioning

Security Assessment and Testing

Design and validate assessment, test, and audit strategies
- Internal
- External
- Third-party

Conduct security control testing
- Vulnerability assessment
- Penetration testing
- Log reviews
- Synthetic transactions
- Code review and testing
- Misuse case testing
- Test coverage analysis
- Interface testing

Collect security process data (e.g., technical and administrative)
- Account management
- Management review and approval
- Key performance and risk indicators
- Backup verification data
- Training and awareness
- Disaster Recovery (DR) and Business Continuity (BC)

Analyze test output and generate report

Conduct or facilitate security audits
- Internal
- External
- Third-party

Security Operations

Understand and support investigations
- Evidence collection and handling
- Reporting and documentation
- Investigative techniques
- Digital forensics tools, tactics, and procedures

Understand requirements for investigation types
- Administrative
- Criminal
- Civil
- Regulatory
- Industry standards

Conduct logging and monitoring activities
- Intrusion detection and prevention
- Security Information and Event Management (SIEM)
- Continuous monitoring
- Egress monitoring

Securely provisioning resources
- Asset inventory
- Asset management
- Configuration management

Understand and apply foundational security operations concepts
- Need-to-know/least privileges
- Separation of duties and responsibilities
- Privileged account management
- Job rotation
- Information lifecycle
- Service Level Agreements (SLA)

Apply resource protection techniques
- Media management
- Hardware and software asset management

Conduct incident management
- Detection
- Response
- Mitigation
- Reporting
- Recovery
- Remediation
- Lessons learned

Operate and maintain detective and preventative measures
- Firewalls
- Intrusion detection and prevention systems
- Whitelisting/blacklisting
- Third-party provided security services
- Sandboxing
- Honeypots/honeynets
- Anti-malware

Implement recovery strategies
- Backup storage strategies
- Recovery site strategies
- Multiple processing sites
- System resilience, high availability, Quality of Service (QoS), and fault tolerance

Implement Disaster Recovery (DR) processes
- Response
- Personnel
- Communications
- Assessment
- Restoration
- Training and awareness

Test Disaster Recovery Plans (DRP)
- Read-through/tabletop
- Walkthrough
- Simulation
- Parallel
- Full interruption

Participate in Business Continuity (BC) planning and exercises

Implement and manage physical security
- Perimeter security controls
- Internal security controls

Address personnel safety and security concerns
- Travel
- Security training and awareness
- Emergency management
- Duress

Software Development Security

Understand and integrate security in the Software Development Life Cycle (SDLC) - Development methodologies
- Maturity models
- Operation and maintenance
- Change management
- Integrated product team

Identify and apply security controls in development environments
- Security of the software environments
- Configuration management as an aspect of secure coding
- Security of code repositories

Assess the effectiveness of software security
- Auditing and logging of changes
- Risk analysis and mitigation

Assess security impact of acquired software

Define and apply secure coding guidelines and standards
- Security weaknesses and vulnerabilities at the source-code level
- Security of application programming interfaces
- Secure coding practices