TTechclick ⚡ XP 0% All lessons
ISC2 · CISSP · All 8 Domains + AIInteractive · L1 / L2 / L3

CISSP 2026: All 8 Domains Explained — + the AI Security You Need

A clear, no-hype walkthrough of CISSP and its 8 domains — plus the AI-security risks now reshaping each one — so you can decide if this is the certification that opens your cybersecurity career.

📅 2026-06-03 · ⏱ 16 min · 1 interactive demo · 5 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

CISSP 2026 explained: all 8 domains, realistic India and global salaries, DoD 8140 value, plus the AI security risks now layered onto every domain. Start here.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Why CISSP is worth it

The honest case — pay, doors, and the "gold standard" reputation.

 2

All 8 domains

What each domain tests and the one skill it makes you good at.

 3

CISSP in the AI era

The 2026 AI-security layer every domain now expects.

 4

Test yourself

Per-domain mocks + a full CAT-style exam on Techclick.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. How many domains make up the CISSP Common Body of Knowledge (CBK)?

Answered in Why CISSP is worth it.

2. Who issues the CISSP certification?

Answered in CISSP in the AI era.

3. Can a fresher who passes the CISSP exam but lacks 5 years' experience get any recognized status?

Answered in All 8 domains.

Most engineers think…

"CISSP is just a memorization exam for paper-pushers who haven't touched a keyboard in years — it's all theory, no real skill, and useless if you're a hands-on technical person."

CISSP is deliberately a manager-who-understands-the-tech exam: it tests judgment across all 8 domains, not button-clicking, which is exactly why it appears in more security job postings than any other certification and sits on the standard path to security architect and CISO roles.

Why CISSP is genuinely worth it

Here is the honest pitch: CISSP is the certification hiring managers trust before they have even met you. It is issued by ISC2, a global non-profit, and it is accredited by the ANSI National Accreditation Board (ANAB) to the ISO/IEC 17024 standard for personnel certification. That accreditation is the boring-but-powerful detail: it means an independent body audits the exam itself, so a CISSP from Lucknow carries the same weight as one from London. The same credential is recognised under the U.S. DoD 8140 framework (the successor to DoD 8570), which is why it shows up as a hard requirement in defence, banking, and Fortune-500 job posts worldwide.

The single biggest reason it is worth it: CISSP is the most-requested security certification on the planet — it appears in more cyber job listings than any other credential, well ahead of Security+ and CEH. You are not learning a niche tool; you are learning the language every enterprise security team speaks.

For an Indian fresher, the money story is real but should be read as a ceiling you grow into, not a day-one cheque. Indian salary trackers in 2025-2026 put CISSP-tagged professionals broadly in the ₹12-25 lakh range, with senior architects and CISOs crossing ₹30 lakh-plus; globally, holders commonly report USD 120k-160k+ total compensation. The bigger win is the door it opens: CISSP is the standard rung on the CISO career path, and the U.S. Bureau of Labor Statistics projects security roles to grow roughly 29% through 2034 — "much faster than average."

One caveat we will be straight about: the gold-stamp version needs five years of paid experience (one year is waivable with a degree or approved cert). Pass the exam first and you become an Associate of ISC2 while you bank the experience — so a fresher can start today.

Figure 1 — The CISSP landscape
The CISSP Common Body of Knowledge: eight domains that together define an enterprise security leader. A map of all eight CISSP 2024 domains with exam weights. Domains weighted 13% or more (Risk Management 16%, Architecture & Engineering, Network Security, IAM, Operations) are filled blue to show where the exam concentrates; Asset Security, Assessment & Testing and Software Development Security are lighter. One certification · one CBK · eight domains 1Security & Risk ManagementExam weight · 16%2Asset SecurityExam weight · 10%3Security Architecture & EngineeringExam weight · 13%4Communication & Network SecurityExam weight · 13%5Identity & Access Management (IAM)Exam weight · 13%6Security Assessment & TestingExam weight · 12%7Security OperationsExam weight · 13%8Software Development SecurityExam weight · 10% High-weight domain (≥13%) — invest your study hours here first
All eight domains on one map. The blue tiles (≥13%) are where the exam — and most jobs — concentrate. Asset Security, Assessment & Testing and Software Development are lighter but still examined.
Colour key for every diagram: trusted / high-weight lower-weight pass / allowed decision / caution fail / attacker

Four ideas every CISSP domain leans on

Flip each card — these four show up again and again across the eight domains. Lock them in now and the rest reads easier.

🔺
CIA Triad
tap to flip

Confidentiality, Integrity, Availability — the three goals every control serves. Ask "which leg am I protecting?" and most exam answers fall out.

⚖️
Risk, not fear
tap to flip

Risk = threat × vulnerability × impact. CISSP grades you on managing risk to an acceptable level — not eliminating it. "Business first" wins.

🔑
AAA
tap to flip

Identification → Authentication → Authorization → Accountability. Who are you, prove it, what may you do, and we logged it. The backbone of IAM.

🧅
Defense in depth
tap to flip

No single control is trusted alone. Layer people, process and tech so one failure never opens the whole door. Zero Trust is its modern face.

Figure 2 — The road to CISSP
The road to CISSP: study the CBK, pass the adaptive exam, then get endorsed before you can use the letters. A left-to-right flow of the CISSP journey: study the eight domains, book the exam, sit the 3-hour computer-adaptive test of 100 to 150 questions needing 700 of 1000, receive a provisional pass, get endorsed by an existing ISC2 member within nine months, become certified, then maintain it with 120 CPE credits over three years. From candidate to CISSP — and staying one 1Study the CBKAll 8 domains · 3–6 months2Book & sit examCAT · 100–150 Q · 3 hrs3Score ≥ 700/1000Provisional pass on screen4Get endorsedBy an ISC2 member · ≤ 9 mo ✓ Certified — now MAINTAIN it 120 CPE credits over a 3-year cycle + the Annual Maintenance Fee. Let it lapse and the credential suspends.
CISSP is a process, not just an exam: study → pass the adaptive test → get endorsed by an ISC2 member → maintain with CPEs. Miss the endorsement window and your pass expires.
Figure 4 — Are you eligible?
Do you qualify? Five years of experience, four with a degree, or pass first and become an Associate of ISC2. A decision tree for CISSP eligibility. Start with: do you have five years of cumulative paid work in two or more of the eight domains? If yes you can be endorsed directly. A four-year degree or an approved credential waives one year, so four years is enough. With less experience you can still pass the exam and hold Associate of ISC2 status for up to six years while you earn the time. Are you eligible for the full CISSP? 5 yrs paid experience in ≥ 2 of the 8 domains? YES NOT YET Pass → get endorsed A 4-yr degree or approved cert waives 1 year → 4 is enough Become Associate of ISC2 Pass the same exam, hold up to 6 yrs while you earn the experience Either way the exam is identical Experience decides the title (CISSP vs Associate), not the test you sit.
No five years yet? You can still pass the exam and hold Associate of ISC2 for up to six years while you earn the experience. The exam is identical either way.

Pause & Predict

A ₹50 lakh-a-year control stops an outage that costs ₹40 lakh and happens about twice a year. Worth buying? Type your guess.

Answer: Yes. ALE = ₹40 lakh × 2 = ₹80 lakh > ₹50 lakh, so it is cost-justified. CISSP always compares a control to the annualized loss, never a single incident.

The 8 domains, one by one

Here is the whole Common Body of Knowledge — eight domains, each a chapter of the security profession. For each one you get the plain-English job it does, the strong/valuable part, a real Indian-workplace scenario, and a one-tap Techclick assessment to test yourself. Notice the weights: Security & Risk Management alone is 16%, so it earns the most study hours.

Figure 3 — Where the marks are
Where the CISSP exam actually concentrates: Security & Risk Management dominates at 16%. A horizontal bar chart of the eight CISSP domain weights. Security and Risk Management is the largest at 16 percent, then a band of 13 percent domains (Architecture and Engineering, Communication and Network Security, IAM, Security Operations), then Assessment and Testing at 12 percent, and Asset Security and Software Development Security at 10 percent each. Study-time budget = domain weight D1 Security & Risk Management16%D2 Asset Security10%D3 Security Architecture & …13%D4 Communication & Network …13%D5 Identity & Access Manage…13%D6 Security Assessment & Te…12%D7 Security Operations13%D8 Software Development Sec…10%
Budget your study time to match the weights. The four 13% domains plus the 16% Risk domain are 67% of the exam between them.

Domain 1 · Security & Risk Management 16% of the exam

Domain 1 is the foundation of CISSP — and the biggest scoring chunk at 16% of the exam. Master this and you carry the mindset into every other domain. It starts with the CIA triad: confidentiality, integrity, availability. The 2024 refresh added two "pillars" — authenticity and non-repudiation — so think in five now, not three.

The core job skill here is risk thinking. You learn to put a number on danger. SLE times ARO gives ALE. That single formula tells management whether a control is worth its cost.

You also map governance: policy sits on top, then standards, procedures, and baselines below. You separate due care (doing the right thing) from due diligence (checking before you act). And in 2026 you must know India's DPDP Act 2023 — its Rules took effect November 2025, with fines up to ₹250 crore.

Why this domain is gold

Risk and governance skills travel to every job — GRC analyst, auditor, CISO track. The 2024 refresh added AI, cloud, and supply-chain risk, so this is the most future-proof domain on the exam.

Rahul at a Bengaluru fintech faces this

Procurement onboarded a KYC vendor in a hurry. Weeks later, after a near-miss data exposure, nobody can say who is accountable if that vendor leaks customer PII.

Likely cause

A vendor handling customer data has no breach-notification clause. Third-party risk is unmanaged.

CISSP move

Treat it as supply-chain risk: assess the vendor, add contractual safeguards, and keep accountability even when a processor holds the data — exactly what DPDP demands.

Test yourself · Domain 1 assessment →

Domain 2 · Asset Security 10% of the exam

Domain 2 is the "data handling" domain. It asks one simple question: do you know how to protect data from the moment it is created until it is destroyed? On the exam this is only 10% of marks, but on the job it is half your week.

Start with classification. You label data by sensitivity (Public, Internal, Confidential, Restricted). The label drives every control after it. Wrong label, wrong protection.

Next, learn the roles, because the exam loves to test them. The data owner decides the rules. The data custodian implements them. Owners decide, custodians do, users follow.

Know the three data states: at rest (TLS-encrypted disk), in transit (TLS/VPN), in use (memory). Then retention and destruction closes the lifecycle.

Why this domain is gold

It maps straight to India's DPDP Rules 2025 (notified 13 Nov 2025). Knowing residency, retention and classification makes you instantly useful in any compliance or cloud team.

Meera at a Pune SaaS startup faces this

An auditor finds customer PII copied to a US-region S3 bucket.

Likely cause

No data-residency policy; data crossed borders, breaking DPDP localisation expectations.

CISSP move

Classify the PII, pin it to an India region, and add DLP rules to block exfiltration.

Test yourself · Domain 2 assessment →
Quick check · Q1 of 10

At HDFC Bank, Priya (a security analyst) is told to set up nightly backups and recovery testing for the customer database. Aditya, the business head of that database, has already decided it is 'Confidential' and who may see it. In CISSP terms, which role is Priya performing?

Correct: a. Correct is data custodian: Priya does day-to-day protection (backup, recovery) of data whose rules someone else set. Data owner is wrong because Aditya already set classification and access — that is the owner. Data processor/controller are GDPR/DPDP legal terms, not the operational CISSP role being described, so they are tempting but mismatched distractors.

Domain 3 · Security Architecture & Engineering 13% of the exam

Domain 3 carries 13% of the CISSP exam and it is where engineering meets security. You learn to build safety into a system, not bolt it on later. The exam loves cryptography, but it never asks for formulas. It asks when to use which control.

Start with the secure design principles: least privilege, defense in depth (many layers, so one failure does not sink you), and secure defaults. Zero trust extends this: verify every request, trust no network location.

Next, the classic models. Bell-LaPadula protects confidentiality (no read up, no write down). Biba protects integrity (no write up, no read down). Swapping these two is the most common trap on exam day.

Cryptography ties it together: symmetric for speed, asymmetric and PKI for trust, hashing for integrity, digital signatures for non-repudiation. The 2024/2026 angle that interviewers love: NIST finalised post-quantum standards (ML-KEM, ML-DSA), so "harvest now, decrypt later" attacks are now a real planning item.

Why this domain is gold

It is the most transferable CISSP domain. The same crypto and design thinking lands you cloud security, zero-trust, and DPDP-compliance roles that pay the most in 2026.

Priya at an HDFC-backed fintech faces this

A banking client demands DPDP-ready storage. During review, Priya finds customer PAN and Aadhaar numbers sitting in plaintext in the production database.

Likely cause

A client demands India DPDP-ready storage. Customer PII sits in plaintext in the database.

CISSP move

Apply Privacy by Design: encrypt data at rest, enforce least-privilege access, and log every read for accountability.

Test yourself · Domain 3 assessment →

Domain 4 · Communication & Network Security 13% of the exam

Domain 4 is where security stops being theory and starts moving packets. You learn how data travels and where attackers wait along the path. The exam tests design decisions, not memorised port numbers.

Start with the models. The OSI model gives you a shared language to place any attack. An ARP spoof lives at Layer 2; a TLS issue lives at Layers 4-7. Name the layer, and the fix becomes obvious.

The high-value modern topics are segmentation and zero trust. Microsegmentation splits a flat network into tiny zones, so one hacked laptop cannot reach the database. ZTNA replaces the old VPN, granting access per-app, not per-network. The 2024 refresh also added SASE, which bundles SD-WAN with cloud security.

Why this domain is gold

This is the most hiring-aligned domain in 2026. India's DPDP Act demands strict access control and audit logs, and GCCs for HDFC, ICICI and US banks are hiring ZTNA architects fast. Master Domain 4 and your resume maps straight to open roles.

Aditya at TCS faces this

A finance laptop picks up malware and, within minutes, is quietly probing HR servers on the same flat VLAN. Nothing stopped the lateral move.

Likely cause

A finance laptop got malware, then quietly reached HR servers on the same flat VLAN. No segmentation stopped the lateral move.

CISSP move

Aditya proposes microsegmentation plus ZTNA, so each app checks identity before access and the blast radius shrinks to one zone.

Test yourself · Domain 4 assessment →

Domain 5 · Identity & Access Management (IAM) 13% of the exam

Domain 5 is 13% of the exam and the most job-relevant chapter you will study. It teaches how to control who gets to what, and prove it later. Master the AAA spine first: identification claims an identity, authentication proves it, authorization grants access, accountability logs every action.

Know your access models cold. DAC lets the owner share; MAC uses fixed labels (military-grade); RBAC ties rights to job roles; ABAC decides on live attributes like time, device, and location. Then layer MFA, SSO, and federation via SAML, OIDC, and OAuth2.

Why this domain is gold

India's DPDP Act makes IAM a legal duty, not a nice-to-have. RBAC, MFA, access revocation, and audit logs are the exact controls auditors check. Pass Domain 5 and you can walk into a Data Fiduciary compliance role.

Karthik at Wipro faces this

An access review turns up a contractor who still holds standing domain-admin rights three months after their project ended.

Likely cause

A contractor still held standing domain-admin rights three months after the project ended — classic privilege creep.

CISSP move

Move admin accounts into PAM with just-in-time access, so rights expire automatically.

Test yourself · Domain 5 assessment →

Pause & Predict

Six engineers share one "admin" login. What single CISSP move restores accountability? Type your guess.

Answer: Put it behind a PAM vault with individual check-out and session recording — now every privileged action ties back to a named person.
Quick check · Q2 of 10

Rahul, a CISSP-led IAM engineer at HDFC Bank, must let auditors confirm exactly which admin ran a risky production command at 2 AM. The bank already uses RBAC and MFA, but the breach review found nobody could attribute the action to a person because three admins shared one root account. Which Domain 5 control most directly fixes this attribution gap?

Correct: c. Correct: a PAM vault gives each admin an individual, time-boxed checkout of the privileged credential plus session recording, restoring accountability — the missing 'A' in AAA. Distractors mislead realistically: ABAC changes who can access, not who is identifiable afterward; stronger MFA still authenticates the shared account, so attribution stays broken; SAML federation handles cross-domain SSO, not per-person accountability on a shared local root.

Domain 6 · Security Assessment & Testing 12% of the exam

Domain 6 answers one question your boss will ask in week one: how do you prove a control actually works? Finding a gap before an attacker does is the whole job. This is the most hands-on, hireable domain in CISSP.

Start with the core split. A vulnerability assessment finds and lists weaknesses. A penetration test proves an attacker can use them. A scan says "port 3389 is open"; a pentest shows it leads to domain admin.

Know the team colours: red attacks, blue defends, purple sits between so both sides share findings and tune detections.

For audits, memorise the SOC tiers: SOC 1 = financial controls, SOC 2 = security/availability (the one SaaS buyers ask for), SOC 3 = a public summary. Add log review, code review, account-management reviews, and KPIs/KRIs that show trends to leadership.

Why this domain is gold

It maps straight to real titles: VAPT analyst, SOC auditor, GRC associate. India's DPDP Rules (notified Nov 2025) demand one-year audit logs and evidence-ready testing, so control-testing skills are now billable from day one.

Divya at an audit firm faces this

An enterprise client refuses to sign until they see proof the access controls actually work — and all Divya has is a vulnerability scan that lists open ports but proves no real impact.

Likely cause

A client demands proof that access controls work before signing. Divya only has a vulnerability scan, which lists open ports but proves no real impact.

CISSP move

She scopes a penetration test plus an account-management review, then packages results as a SOC 2 evidence pack the client's auditor accepts.

Test yourself · Domain 6 assessment →
Quick check · Q3 of 10

Rahul at HDFC must give a prospective enterprise client written, independent proof that the bank's data-protection and availability controls operated effectively over the past six months. The client's procurement team will not accept a self-filled questionnaire. Which deliverable should Rahul provide?

Correct: b. SOC 2 Type II independently attests that security and availability controls operated effectively over a period — exactly what the client needs. SOC 3 is only a public marketing summary without detail. An internal scan is self-produced, not independent. SOC 1 covers financial-reporting controls, not data protection.

Domain 7 · Security Operations 13% of the exam

Domain 7 is where the war room lives. While other domains design defences, Security Operations is the team that actually catches the attack at 2 AM and shuts it down. This is the most hands-on, job-ready domain in the whole exam.

The spine you must master is the incident response lifecycle from NIST SP 800-61: prepare, detect and analyse, contain, eradicate, recover, then capture lessons learned. The 2025 refresh (Rev 3) now reframes these steps around NIST CSF 2.0’s six functions (Govern, Identify, Protect, Detect, Respond, Recover), so expect questions that link IR to risk, not just firefighting.

Two skills the exam loves: contain before you eradicate (stop the bleeding first), and protect evidence with a clean chain of custody. Also know SIEM and SOAR, least privilege in ops, and backup and DR execution.

Why this domain is gold

It maps one-to-one to real SOC analyst and incident responder jobs (INR 4-15 LPA in 2026). India's DPDP Act now demands breach notification within 72 hours, so companies are hiring people who can run this lifecycle on a clock.

Arjun, an L2 SOC analyst, faces this

At 2 AM, ransomware is spreading across file servers, and Arjun’s first instinct is to wipe and rebuild the infected host immediately.

Likely cause

The pressure to “stop the spread” pushes teams to reformat first — but that is a containment mistake, not a fix.

CISSP move

Isolate the host from the network first (contain), preserve a forensic image, then eradicate. Wiping early destroys evidence the DPDP report needs.

Test yourself · Domain 7 assessment →

Pause & Predict

Ransomware hits a file server and your instinct is to reformat it fast. What does a CISSP do first instead? Type your guess.

Answer: Contain it (isolate from the network, keep it powered) and capture a forensic image. Reformatting first destroys the evidence and breaks chain of custody.

▶ Incident response, the CISSP way

Domain 7 in motion. Press Play for the disciplined path, then Break it to see the rookie mistake.

① DetectSIEM fires: ransomware note found on file server 10.20.5.40.
② ContainIsolate the host from the network — but keep it powered on.
③ EradicateCapture a forensic image first, then wipe and rebuild from known-good.
④ RecoverRestore clean data, monitor closely, then run lessons-learned.
Press Play to step through the disciplined path. Then press Break it.

Domain 8 · Software Development Security 10% of the exam

Domain 8 teaches you to bake security into software from day one, not bolt it on after launch. It carries 10% of the CISSP exam in the 2024 refresh. The core idea: shift security left into the SDLC so bugs get caught while they are cheap to fix.

You learn where each test fits. SAST reads code, DAST attacks the live app, and SCA checks third-party libraries. You also learn the OWASP Top 10, secure CI/CD pipelines, and the SBOM (Software Bill of Materials) that lists every component you ship.

Why this domain is gold

This is the most hiring-hot CISSP domain in India right now. DevSecOps roles pay ₹8–28 LPA, and a 2025 npm worm that stole API keys made SBOM skills urgent. Pair it with India's DPDP Act and you become the engineer who keeps releases compliant and breach-ready.

Vikram at a product startup faces this

A critical CVE drops in a popular logging library at 9 PM. Which services are affected?

Likely cause

No inventory of dependencies across 40 microservices, so triage means grepping every repo by hand.

CISSP move

Query the SBOM, list every service using that exact version, and patch in hours, not days.

Test yourself · Domain 8 assessment →
Quick check · Q4 of 10

Priya, a security engineer at an HDFC fintech team, must catch a SQL injection flaw in a payment API before it ever reaches production, while the developer is still writing the code in the IDE. Which control fits earliest and best?

Correct: d. Correct: SAST reads source code without running the app, so it flags the injection on commit, the earliest and cheapest point (shift-left). DAST and pen testing both need a deployed/running app, so they catch it later. WAF log review is detective and post-incident, not preventive during coding.

CISSP in the AI era (2026)

The CISSP is not frozen in the pre-AI world. After the April 15, 2024 exam refresh (driven by ISC2's triennial Job Task Analysis), AI security was woven across the existing 8 domains rather than given a separate domain. ISC2 went further on April 2, 2026, publishing formal Exam Guidance for Artificial Intelligence mapping exactly where AI now shows up — so in 2026 you can be tested on AI without it being labelled "AI."

Three skill clusters matter for the exam and the job:

💡 Why this makes you more valuable in 2026: Most CISSPs can quote ISO 27001 but freeze on "how do you secure a RAG chatbot?" Fluency in OWASP LLM + NIST AI RMF turns you from a compliance reviewer into the person the board actually asks before they ship AI.
Indian scenario: A Pune fintech gets a "CFO" voice call (AI-cloned from an earnings webinar) approving an urgent transfer. A CISSP applies India's Oct 2025 IT Rules deepfake provisions plus a call-back verification protocol — and trains staff to verify the request, not "spot the fake."

The AI-era CISSP, in four cards

The 2024 refresh and ISC2's 2026 AI guidance fold these into the existing domains — flip to see why each matters.

🛡️
AI Across 8 Domains
tap to flip

The 2024 CISSP refresh spread AI security across all 8 domains, not a new one. ISC2's April 2026 AI guidance confirms it — so AI is tested without the label.

💉
Prompt Injection #1
tap to flip

OWASP LLM Top 10 (2025) ranks prompt injection #1 again — LLMs blend instructions and data in one channel. Defend with isolation, output checks, least privilege.

🎭
Deepfake Surge
tap to flip

Deepfake incidents rose ~680% YoY in 2024 (Pindrop) and AI phishing now tops enterprise email threats. Train staff to verify the request, not spot the fake.

⚖️
Govern The AI
tap to flip

Know NIST AI RMF (Govern-Map-Measure-Manage), ISO 42001, the EU AI Act timeline, and India's 2025 deepfake IT Rules. Governance fluency makes a CISSP boardroom-ready.

🎯 Now prove it — Techclick CISSP practice exams

Reading is step one. Exam-grade retrieval is what passes. Every domain below has a free, timed Techclick assessment with full reasoning — plus a full-length mock that mirrors the real CAT experience. Sit them after each domain, then the mock the week before your booking.

📝 Full-length CISSP mock exam → 🗺 8-week study roadmap →
1

Security & Risk Management

Domain 1 · 16% · timed MCQs →

 2

Asset Security

Domain 2 · 10% · timed MCQs →

 3

Security Architecture & Engineering

Domain 3 · 13% · timed MCQs →

 4

Communication & Network Security

Domain 4 · 13% · timed MCQs →

 5

Identity & Access Management (IAM)

Domain 5 · 13% · timed MCQs →

 6

Security Assessment & Testing

Domain 6 · 12% · timed MCQs →

 7

Security Operations

Domain 7 · 13% · timed MCQs →

 8

Software Development Security

Domain 8 · 10% · timed MCQs →

All assessments live on exam.techclick.in · sign in with your Techclick account · instant scoring + per-question explanations.

📚 Go deeper — the 8 domain deep-dives

This page is the map. Each domain has its own full lesson — four sub-topics, the AI angle, five infographics, an interactive demo and its own 10-question exam. Work them in order, or jump to the one you are weakest on.

1

Security & Risk Management

Domain 1 · 16% · full deep-dive →

 2

Asset Security

Domain 2 · 10% · full deep-dive →

 3

Architecture & Engineering

Domain 3 · 13% · full deep-dive →

 4

Communication & Network Security

Domain 4 · 13% · full deep-dive →

 5

Identity & Access Management

Domain 5 · 13% · full deep-dive →

 6

Security Assessment & Testing

Domain 6 · 12% · full deep-dive →

 7

Security Operations

Domain 7 · 13% · full deep-dive →

 8

Software Development Security

Domain 8 · 10% · full deep-dive →
Figure 5 — CISSP on one card
CISSP on one page: the eight domains and the single best reason each one matters. A one-glance revision card listing all eight CISSP domains, their exam weights, and a one-line value statement for each, for last-minute review. 📌 The whole CISSP, on one card D1 · Security & Risk ManagementDomain 1 turns vague fear into rupee-priced risk — the skill every GRC, au16% of the examD2 · Asset SecurityDomain 2 maps 1:1 to India's DPDP Rules 2025 — classification and residenc10% of the examD3 · Security Architecture & EngineeringDomain 3 is the most transferable CISSP skill — crypto and secure design u13% of the examD4 · Communication & Network SecurityDomain 4 maps one-to-one to 2026's hottest hiring: ZTNA, SASE and segmenta13% of the examD5 · Identity & Access Management (IAM)IAM is identity-as-the-new-perimeter — the most hireable, DPDP-mandated sk13% of the examD6 · Security Assessment & TestingDomain 6 is the most hands-on, hireable CISSP domain — it maps straight to12% of the examD7 · Security OperationsDomain 7 maps one-to-one to real SOC and incident-responder jobs — the mos13% of the examD8 · Software Development SecurityDomain 8 maps straight to India's hottest, best-paid security roles: DevSe10% of the exam
Print this. Eight domains, eight weights, and the single best reason each one earns a place in your career. The last-night-before-the-exam glance.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from ISC2 docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Evaluate

Priya, a risk analyst at an HDFC fintech, finds that a payment server crash would cost ₹40 lakh per incident, and historical data shows it happens about twice a year. A vendor offers a redundancy solution for ₹50 lakh per year that would eliminate the outages. Using quantitative risk analysis, what should Priya recommend to management?

Correct: c. ALE = SLE (₹40 lakh) × ARO (2) = ₹80 lakh expected loss per year, which is more than the ₹50 lakh annual control cost, so the control is cost-justified. "Any control that removes downtime" ignores cost–benefit; comparing the ₹50 lakh cost to the single ₹40 lakh loss forgets it happens twice a year; and risk transfer via insurance must still be measured against the ALE, not chosen by default.
Q6 · Analyze

Aditya at HDFC designs a system where loan officers must NOT view files above their clearance, and the bank's top priority is keeping customer financial data confidential. A junior asks why he chose Bell-LaPadula over Biba. What is the correct reason?

Correct: b. Correct: Bell-LaPadula is a confidentiality model — its 'no read up' (simple security) rule blocks lower-clearance users from reading higher-classified data, exactly the stated priority. Option A and C describe Biba (integrity), the classic swap trap. Option D inverts the rule — Bell-LaPadula forbids read up, not allows it.
Q7 · Analyze

Aditya, a network engineer at an HDFC GCC, must let 4,000 remote staff reach only the payroll app, with every connection identity-checked and logged for DPDP Act audits. Broad network reach must be impossible even for valid users. Which design best meets this?

Correct: a. Correct: ZTNA verifies identity per connection and grants access to one app only, satisfying least-privilege and DPDP audit logging. The IPsec VPN and the firewall rule both drop users onto a broader network segment, enabling lateral movement. Port-based NAC authenticates the device but then admits it to the full network, which is exactly the broad reach the requirement forbids.
Q8 · Analyze

Aditya, an L2 analyst at HDFC Bank's SOC, sees ransomware actively encrypting files on a shared server at 2 AM. A junior colleague wants to immediately reformat the server to stop the spread. Per the NIST SP 800-61 lifecycle, what is the BEST next action?

Correct: d. Correct: containment (network isolation) comes before eradication, and a forensic image preserves chain of custody — vital for a DPDP breach report. Reformatting first destroys evidence and skips containment. Restoring before containment risks re-infecting from a still-compromised network. Waiting lets the damage spread; active encryption is enough signal to act now.
Q9 · Analyze

A SOC analyst at an Indian bank sees the customer-support chatbot suddenly leaking internal system instructions and account-lookup tips after users paste crafted text into chat. The model and its data both flow through one input channel. Which OWASP LLM risk is PRIMARY, and what is the BEST first control?

Correct: b. The symptom (crafted user text overriding the system prompt and exposing internal instructions) is Prompt Injection (OWASP LLM #1) leading to System Prompt Leakage (LLM07, new in 2025). Because the LLM mixes instructions and data in one channel, the BEST first defence is input/output validation, model isolation, and least-privilege on the model's tools — not retraining (that targets poisoning), key rotation (theft), or spend caps (denial of wallet).
Q10 · Evaluate

A fresher with one year of experience wants the credential that best signals enterprise-wide security judgment and opens the most doors toward a future architect/CISO role — even if they can't hold the full title yet. Which choice is the strongest fit, and why?

Correct: a. CISSP is the most-requested credential and the standard rung toward architect/CISO roles, but it normally needs ~5 years' experience. The Associate of ISC2 route lets a fresher pass the exam now and carry the breadth signal while banking experience — capturing CISSP's value immediately rather than waiting or settling for a narrower cert.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: Why does CISSP test breadth across 8 domains instead of certifying one deep technical skill like pen-testing? Then compare to the expert version.

Expert version: Because CISSP is built for the person who has to make trade-off decisions across the whole security program — connecting risk, network, software, and cloud — and that organization-wide judgment, not single-tool depth, is what employers are paying the CISSP premium for and what the CISO track demands.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

ALE (Annualized Loss Expectancy)
The money you expect to lose from one risk per year — SLE multiplied by ARO. It tells you how much a fix is worth.
Due diligence vs due care
Due diligence is checking and investigating before you act; due care is then actually doing the right, reasonable thing.
Data Fiduciary (DPDP Act)
Under India's DPDP Act, the organization that decides why and how personal data is processed — and stays accountable for protecting it.
Data owner
The accountable business person who sets a dataset's classification and how it may be used, protected and destroyed.
Data custodian
The IT/ops person who actually stores, backs up and protects the data day-to-day, following the owner's rules.
Data residency
A rule that data must physically live on servers inside a specific country, e.g. India under the DPDP framework.
Least privilege
Give each user or process only the access it strictly needs, nothing extra.
Defense in depth
Stack several independent security layers so one failure does not expose the whole system.
Post-quantum cryptography
New encryption algorithms (like NIST's ML-KEM) built to survive attacks from future quantum computers.
Microsegmentation
Splitting a network into tiny isolated zones so a hacked device cannot move sideways to other systems
ZTNA
Zero Trust Network Access: each user and device is verified before reaching one specific app, not the whole network
SASE
Secure Access Service Edge: combines wide-area networking and security into one cloud-delivered service
Federation
Logging into many apps with one trusted identity provider, no separate passwords
PAM
Privileged Access Management — vaulting and recording admin/root accounts
Just-in-time access
Granting admin rights only for the task, then auto-revoking them
SOC 2 report
An independent audit proving a company's security and availability controls work; the report SaaS buyers ask for before signing.
KRI (Key Risk Indicator)
A metric that warns risk is rising, like failed-login spikes, before it becomes an incident.
Test coverage analysis
Checking how much of your code or systems your tests actually exercise, so blind spots are visible.
Containment
Stopping an attack from spreading further before you clean it up — like sealing a leak before mopping the floor.
Chain of custody
A documented trail of who touched digital evidence and when, so it stays trustworthy in a legal case.
SOAR
Security Orchestration, Automation and Response — software that auto-runs response steps so analysts handle alerts faster.
SBOM
Software Bill of Materials: a full ingredient list of every library and component in your app, so you can instantly see what is affected when a vulnerability drops.
Shift left
Move security testing earlier in development, where flaws are far cheaper and faster to fix than after release.
SCA
Software Composition Analysis: tooling that scans your open-source dependencies for known vulnerabilities and license risks.
Prompt Injection
OWASP LLM #1 risk: malicious input that an LLM treats as a new instruction instead of data, because both share one channel — letting attackers override the system prompt or exfiltrate data.
NIST AI RMF
NIST's voluntary AI Risk Management Framework (AI 100-1, 2023). Four functions — Govern, Map, Measure, Manage — to handle AI risk across the model lifecycle (bias, transparency, security).
ISO/IEC 42001
The world's first certifiable AI Management System (AIMS) standard (2023), modelled on ISO 27001, covering AI data sourcing, training, deployment, monitoring, and retirement.
Model Drift
When a deployed AI model's accuracy degrades as real-world data shifts away from its training data — treated in the SOC as a production-security signal worth monitoring.

📚 Sources

  1. ISC2 — CISSP Exam Outline (2024 refresh) & the Official CISSP CBK. isc2.org
  2. ISC2 — Code of Professional Ethics + 2026 AI security guidance for members. isc2.org
  3. NIST — SP 800-37 Risk Management Framework & SP 800-61 Computer Security Incident Handling. csrc.nist.gov
  4. NIST — AI Risk Management Framework (AI 100-1). nist.gov
  5. OWASP — Top 10 & Top 10 for LLM Applications. owasp.org
  6. ISO/IEC — 27001:2022 (ISMS) & 42001:2023 (AI management systems). iso.org
  7. Government of India, MeitY — Digital Personal Data Protection Act 2023 & DPDP Rules 2025. meity.gov.in

What's next?

You have the whole map now. Turn reading into a pass — sit each domain’s quick assessment as you go, then the full CAT-style mock the week before your exam date.

Next · Full CISSP mock exam → Practice on exam.techclick.in →