What experience do I need for CISSP?

You need five years of paid, full-time work experience in at least two of the eight CISSP domains. A four-year college degree or an approved credential (like Security+) substitutes for one year of experience. You can pass the exam first and become an Associate of ISC2 while you accumulate the experience.

How is the CISSP different from CISM?

CISSP (ISC2) is broader in technical and management coverage across 8 domains. CISM (ISACA) is more narrowly focused on security management, governance, and risk — it is often preferred by CISOs and security programme managers. Both are globally recognised. Many senior practitioners hold both.

ISC2 Certification Prep — CISSP, CCSP, SSCP Study Guides

CAT format · 125–175 questions · 4 hours

CISSP — Certified Information Systems Security Professional

The gold-standard management-level security certification, recognised globally and required for CISOs, security directors, and senior architects. The CISSP uses Computerised Adaptive Testing (CAT) — each question adapts based on your prior answers, meaning question difficulty fluctuates intentionally. You need five years of work experience in at least two of the eight domains (or four years with a qualifying degree).

The eight CISSP domains

Domain 1 · 16%

Security and Risk Management

Security governance, compliance frameworks, legal and regulatory landscape (GDPR, HIPAA, SOX), ethics, risk identification and quantitative/qualitative risk analysis, business continuity planning, personnel security, and security awareness programme design. High weight — study this domain thoroughly.

Domain 2 · 10%

Asset Security

Data classification schemes, ownership and custodianship roles, data retention and destruction policies, privacy protection requirements, and asset handling procedures across the information lifecycle.

Domain 3 · 13%

Security Architecture and Engineering

Security models (Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash), trusted computing base (TCB), security evaluation criteria (Common Criteria, FIPS), cryptography (PKI, key management, algorithms), physical security design, and secure hardware architecture.

Domain 4 · 13%

Communication and Network Security

OSI model security at each layer, network topology and segmentation, secure protocols (TLS, SSH, IPsec, DNSSEC), wireless security, content distribution networks, VPN types, and converged protocols (MPLS, VoIP, IP storage).

Domain 5 · 13%

Identity and Access Management

Identity proofing, authentication factors and protocols (Kerberos, RADIUS, SAML, OAuth, OpenID Connect), access control models (MAC, DAC, RBAC, ABAC), directory services, federated identity management, and privileged access management.

Domain 6 · 13%

Security Assessment and Testing

Security assessment types (vulnerability scans, penetration tests, red team exercises), code review and SAST/DAST, log auditing, SOC reports (SOC 1, SOC 2, SOC 3), and key performance indicator design for security programmes.

Domain 7 · 13%

Security Operations

Incident management lifecycle, digital forensics (evidence handling, chain of custody), disaster recovery planning and BCP testing, patch management, change management, configuration management, and physical security operations including data centre controls.

Domain 8 · 9%

Software Development Security

Secure SDLC integration, DevSecOps, common vulnerabilities (OWASP Top 10), code review practices, secure coding standards, acquired software supply chain security, and database security.

CISSP exam strategy — think like a manager

The CISSP is infamous for questions where multiple answers appear correct. The key differentiator is the managerial perspective: the exam expects you to think like a senior security professional advising leadership, not a hands-on technician. When in doubt, select the answer that:

Protects the organisation first, then systems
Involves planning, policy, or risk assessment before technical implementation
Considers people and process before technology
Chooses the most complete or systematic option (e.g., "conduct a risk assessment" before "implement a firewall")

150 questions · 4 hours

CCSP — Certified Cloud Security Professional

The practitioner-level cloud security credential from ISC2. Validates expertise in cloud architecture, governance, risk, compliance, and operations. Requires five years IT experience with three years in information security and one year in cloud security. Co-developed with the Cloud Security Alliance (CSA).

Domain 1 · 17%

Cloud Concepts, Architecture & Design

Cloud computing definitions (NIST SP 800-145), service and deployment models, key cloud characteristics, shared responsibility matrix, cloud security reference architecture (CSA CCM), cloud design patterns, and business continuity in cloud contexts.

Domain 2 · 20%

Cloud Data Security

Data lifecycle management in cloud, data classification, encryption strategies (server-side, client-side, BYOK, HYOK), data loss prevention, data masking and tokenisation, cloud storage security, and eDiscovery considerations.

Domain 3 · 17%

Cloud Platform & Infrastructure Security

Virtualisation security, container and Kubernetes security, serverless security, cloud network security (VPCs, security groups, NACLs), cloud workload protection, and cloud provider shared infrastructure risks.

Domain 4 · 17%

Cloud Application Security

Cloud-native application security, software development lifecycle integration, OWASP Top 10 in cloud contexts, API security, IAM for applications (OAuth 2.0, OIDC, SAML), and secure supply chain for cloud applications.

Domain 5 · 17%

Cloud Security Operations

Cloud SIEM and log management, incident response in cloud environments, forensics challenges in cloud (ephemeral instances, shared logs), patch management for cloud workloads, and Cloud Access Security Broker (CASB) deployment.

Domain 6 · 12%

Legal, Risk & Compliance

International privacy and data protection regulations (GDPR, CCPA, LGPD), cloud-specific compliance frameworks (FedRAMP, ISO 27017, ISO 27018, CSA STAR), contract and vendor assurance, and jurisdictional considerations for cloud data.

125 questions · 3 hours

SSCP — Systems Security Certified Practitioner

The practitioner-level credential for IT and security administrators responsible for the technical implementation of security controls. Requires one year of work experience in at least one domain. A good stepping stone before CISSP.

Domain 1 · 15%

Security Operations and Administration

Security policies and procedures, security documentation, asset inventory and configuration management, change management, and the security principles of confidentiality, integrity, and availability in daily operations.

Domain 2 · 17%

Access Controls

Authentication methods, access control models, directory service security, identity lifecycle management, privileged account management, and remote access security implementation.

Domain 3 · 17%

Risk Identification, Monitoring & Analysis

Risk assessment methodologies, security monitoring tools, intrusion detection and prevention systems (IDS/IPS), log analysis, security testing (vulnerability scans, penetration testing basics), and risk treatment decisions.

Domain 4 · 16%

Incident Response and Recovery

Incident response planning, detection and reporting procedures, containment and recovery actions, forensic evidence preservation, business continuity and disaster recovery planning, and backup and restore procedures.

Domain 5 · 16%

Cryptography

Cryptographic concepts (symmetric, asymmetric, hashing), PKI and certificate management, common cryptographic algorithms and their use cases (AES, RSA, ECDSA, SHA-2), TLS/SSL, and encryption application scenarios.

Domain 6 · 19%

Network and Communications Security

Network security fundamentals, secure protocols, wireless security, VPN implementation, firewall rule review, network segmentation, and defence-in-depth implementation for network infrastructure.

175 questions · 4 hours

CSSLP — Certified Secure Software Lifecycle Professional

ISC2's credential for software developers, engineers, and architects responsible for integrating security throughout the software development lifecycle. Requires four years of software development lifecycle experience with at least one year in one or more of the eight domains.

Domain 1

Secure Software Concepts

Core software security concepts, CIA triad in software contexts, authentication and authorisation in applications, security design principles (least privilege, fail-safe defaults, economy of mechanism, separation of duties), and software vulnerability classification.

Domain 2

Secure Software Requirements

Security requirements elicitation, abuse case development, privacy requirements (data minimisation, consent, retention), regulatory requirements for software (PCI DSS, HIPAA, GDPR), and security acceptance criteria.

Domain 3

Secure Software Architecture & Design

Threat modelling (STRIDE, PASTA, DREAD, LINDDUN), secure architecture patterns, attack surface reduction, secure interface design, trust boundaries, and security patterns for cloud-native and microservices architectures.

Domain 4

Secure Software Implementation

Secure coding standards (CERT C/C++, OWASP, SANS CWE Top 25), input validation, output encoding, error and exception handling, memory management, cryptographic implementation pitfalls, and third-party library security.

Domain 5

Secure Software Testing

SAST, DAST, IAST, SCA (software composition analysis), penetration testing of applications, fuzz testing, security regression testing, bug bounty programme integration, and quality gates in CI/CD.

Domain 6

Secure Software Lifecycle Management

DevSecOps pipeline security, security in Agile and Scrum, third-party and open-source component security (SBOM), end-of-life software handling, security metrics for software programmes, and continuous improvement.

Formerly CAP

CGRC — Certified in Governance, Risk & Compliance

Validates the skills required to authorise and maintain information systems within a risk management framework. Aligned to NIST RMF. Particularly valued in U.S. federal government and defence contractor environments. Requires two years of experience in one or more of the seven domains.

Domain 1

Information Security Risk Management Program

Risk management frameworks (NIST RMF, ISO 31000), organisational risk tolerance, programme governance, and the relationship between security and business objectives.

Domain 2

Scope of the Information System

System boundary definition, information type identification, categorisation using FIPS 199 and NIST SP 800-60, overlays, and security impact analysis.

Domain 3

Selection and Approval of Security Controls

NIST SP 800-53 control selection, tailoring, scoping, common controls, compensating controls, and the system security plan (SSP) development.

Domain 4

Implementation of Security Controls

Control implementation documentation, configuration management baselines, security control implementation evidence, and integration with enterprise architecture.

Domain 5

Assessment of Security Controls

Security assessment planning, assessment procedures (NIST SP 800-53A), security assessment report (SAR), findings classification, and remediation planning.

Domain 6

Authorization of Information System

Plan of action and milestones (POA&M), risk acceptance decision, authorisation to operate (ATO), authorisation boundaries, and interconnection agreements.

Domain 7

Continuous Monitoring

Continuous monitoring strategy, ongoing assessment cadence, security status reporting, configuration and change control monitoring, and ongoing authorisation.

CISSP sample questions

Practice Questions — CISSP

CISSP questions require a management mindset. When you see multiple plausible answers, select the one that demonstrates the most comprehensive and risk-informed thinking.

1. A company is planning to outsource its payroll processing to a third-party provider. Which of the following should be the security team's FIRST action?

A) Implement data encryption for all payroll data
B) Conduct a risk assessment of the third-party provider
C) Require the provider to undergo a SOC 2 Type II audit
D) Sign an NDA with the provider before sharing data

Answer: B The CISSP management mindset demands risk assessment first. Before implementing controls (A), specifying audit requirements (C), or proceeding with agreements (D), you must understand the risk landscape of the vendor relationship. The risk assessment informs all subsequent decisions, including which controls and contractual requirements are appropriate.

2. Which security model is primarily concerned with preventing unauthorised disclosure of information and enforces a "no read up, no write down" policy?

A) Biba Integrity Model
B) Clark-Wilson Model
C) Bell-LaPadula Model
D) Brewer-Nash (Chinese Wall) Model

Answer: C The Bell-LaPadula model focuses on confidentiality and defines two key properties: the Simple Security Property (no read up — subjects cannot read objects at a higher classification) and the Star (*) Property (no write down — subjects cannot write to objects at a lower classification). Biba (A) focuses on integrity with opposing rules.

3. An organisation has suffered a ransomware attack that encrypted its production database. The incident response team has contained the attack. What should be the NEXT step?

A) Pay the ransom to restore operations as quickly as possible
B) Restore from the most recent clean backup and begin eradication
C) Immediately notify all customers of the breach
D) Rebuild all servers from scratch before doing anything else

Answer: B After containment, the IR lifecycle moves to eradication and recovery. Restoring from a verified clean backup is the controlled recovery path. Paying the ransom (A) is a policy and legal matter that doesn't guarantee decryption. Customer notification (C) is a legal obligation that follows after understanding the scope — premature notification without full analysis is counterproductive. Rebuilding from scratch (D) is part of eradication but should happen alongside or after restoring critical operations from backups. Reference: NIST SP 800-61r2, Section 3.

4. A security manager is developing a business case for a new security tool. Which calculation correctly quantifies whether the investment is financially justified?

A) (ALE before − ALE after) > annual cost of the control
B) (SLE × ARO) / annual cost of the control
C) Asset value + exposure factor − annual cost of the control
D) (MTBF × MTTR) / annual cost of the control

Answer: A The CISSP quantitative risk model: SLE (Single Loss Expectancy) = Asset Value × Exposure Factor. ALE (Annual Loss Expectancy) = SLE × ARO (Annualised Rate of Occurrence). A control is financially justified when the reduction in ALE exceeds its annual cost — i.e., (ALE_before − ALE_after) > cost of control. This formula recurs throughout CISSP Domain 1 and is the basis for security investment decisions presented to executives.

5. An organisation's PKI root CA certificate is set to expire in 6 months. What is the MOST critical risk if no action is taken?

A) All certificates issued by the CA will become unverifiable, breaking TLS, code signing, and authentication
B) The organisation will be fined for operating an expired CA
C) The organisation will lose its domain name registrations
D) Attackers will be able to read encrypted communications

Answer: A When a root CA certificate expires, all certificates in its trust chain — including TLS server certs, code-signing certs, and client authentication certs — become untrusted. This can cause authentication failures across the entire organisation simultaneously: HTTPS warnings on every website, signed binaries rejected by Windows, S/MIME email failures, and 802.1X Wi-Fi authentication breaking. Root CA certificates have very long lifetimes (10–25 years) precisely because renewal is operationally complex — CISSP Domain 3 tests this lifecycle awareness extensively.

6. A CISO is presenting a request to the board for additional security budget. Which framing is MOST effective from a CISSP management perspective?

A) List the CVEs that the current tooling cannot detect
B) Present the ALE reduction, risk posture improvement, and regulatory compliance gaps addressed by the investment
C) Show the number of failed penetration test findings from the last engagement
D) Reference competitor security budgets to justify parity spending

Answer: B Boards speak in business risk, not technical jargon. The most effective CISSP-level executive communication translates security investment into: (1) quantified risk reduction (ALE before/after), (2) regulatory exposure being addressed, and (3) business value protected. CVE lists (A) are technical details that boards cannot act on. Pentest findings (C) are useful context but not a business case. Competitor benchmarking (D) can supplement but cannot anchor an investment case.

7. An organisation stores highly classified research data. The security team must choose an access control model that ensures access decisions are made by the system based on data labels and subject clearances — not by data owners. Which model applies?

A) Discretionary Access Control (DAC)
B) Role-Based Access Control (RBAC)
C) Mandatory Access Control (MAC)
D) Attribute-Based Access Control (ABAC)

Answer: C MAC (Mandatory Access Control) uses system-enforced labels (classification levels: Unclassified, Confidential, Secret, Top Secret) and subject clearances. The data owner cannot grant access outside the policy — access is controlled by the system/organisation. DAC (A) allows owners to grant access at their discretion — it's the default Unix/Windows file permission model. RBAC (B) assigns access based on job roles. ABAC (D) uses multiple attributes including role, time, location, and device. MAC is the model used in government and military systems such as SELinux.

8. During a penetration test, the tester finds that they can read another user's data by changing a numeric ID in the URL: /api/invoices/1042 → /api/invoices/1043. Which OWASP vulnerability does this represent?

A) Broken Authentication (A07)
B) Insecure Direct Object Reference (IDOR) — now categorised under Broken Access Control (A01)
C) Security Misconfiguration (A05)
D) XML External Entity Injection (A04)

Answer: B Insecure Direct Object Reference (IDOR) occurs when an application uses user-controllable input to access database objects without verifying the requesting user's authorisation to access that specific object. In OWASP Top 10:2021, IDOR is classified under A01 — Broken Access Control, which is the #1 web application risk. The fix: never expose internal database IDs — use GUIDs or session-scoped tokens, and always validate ownership server-side. Reference: OWASP Top 10:2021 — A01 Broken Access Control.

16-week programme

CISSP Study Plan for Working Professionals

CISSP is a marathon, not a sprint. Most successful candidates report 300–500 hours of study. This plan runs 16 weeks at ~20 hours/week (weekday evenings + weekend study blocks).

Weeks 1–4: Foundational domains (high weight)

Domain 1 — Security & Risk Management (2 weeks)
Domain 3 — Security Architecture & Engineering (1 week)
Domain 5 — Identity & Access Management (1 week)

Weeks 5–8: Operational and technical domains

Domain 4 — Communication & Network Security (1.5 weeks)
Domain 7 — Security Operations (1.5 weeks)
Domain 6 — Security Assessment & Testing (1 week)

Weeks 9–11: Remaining domains

Domain 2 — Asset Security (0.5 weeks)
Domain 8 — Software Development Security (1 week)
Complete first full read-through of all study materials

Weeks 12–16: Practice, review & mindset

Week 12: 1,000-question bank round 1 — flag all incorrect answers
Week 13: Study incorrect answers; review weak domains in depth
Week 14: 1,000-question bank round 2; target ≥ 75%
Week 15: Full-length CAT-style timed practice exams
Week 16: Final review; managerial mindset drills; exam strategy

Free & reputable CISSP resources

Official blueprint: ISC2 CISSP exam outline PDF — download and use as your primary study checklist
Free video: Destination Certification YouTube (Rob Witcher) — free domain-level videos with visual mind maps; consistently cited in r/cissp pass posts
Free video: Kelly Handerhan's CISSP on Cybrary (free account) — the canonical "managerial mindset" explanation
Free practice questions: ISC2 official self-assessment quiz — official questions from the exam body
Free entry credential: ISC2 Certified in Cybersecurity (CC) — free exam & training — covers Domains 1, 4, 7 deeply; excellent warm-up
Community: r/cissp and the ISC2 Community — read the weekly "I passed" posts; they include real study breakdowns

Study tools · Active recall · CISSP / CC

Flashcards & Term-Matching Game

Active recall beats passive reading for long-term retention. Use the flashcards to drill definitions and the matching game to reinforce connections between concepts. Shuffle to mix domains and reset to start fresh. Keyboard navigation supported on flashcards.

Flashcard Deck — Key Terms

Loading flashcards… ensure JavaScript is enabled.

Term-Matching Game

Click a term on the left, then click its matching definition on the right. Correct pairs lock in green; wrong pairs flash red. Complete all pairs to advance to the next round.

Loading matching game… ensure JavaScript is enabled.

Speed Round — True or False

You have 10 seconds per statement. Answer TRUE or FALSE before the timer runs out. Build a combo multiplier for consecutive correct answers and beat your session high score.

Loading speed round… ensure JavaScript is enabled.

Fill in the Blank

Read the clue and type the missing term. One typo is forgiven for longer answers. Use the hint button if you're stuck — but it costs half the question's points.

Loading fill-in-the-blank… ensure JavaScript is enabled.

Domain Sprint — Categorise the Term

A term appears — click the correct exam domain it belongs to. Correct selections score 100 pts; wrong selections deduct 25 pts. Master domain knowledge before exam day.

Loading domain sprint… ensure JavaScript is enabled.

Explore other certification tracks

← All Certifications CompTIA Prep → ISACA Prep →

CCSP sample questions

Practice Questions — CCSP

CCSP questions test cloud security architecture and operations judgment. Many questions present scenarios where multiple answers look correct — select the answer that addresses the most critical risk or applies the most comprehensive control.

1. An organisation is moving a regulated workload to a public cloud provider. Which control is MOST important for ensuring data sovereignty compliance?

A) Enable cloud provider encryption at rest using provider-managed keys
B) Contractually restrict data residency to specific geographic regions and verify through audit rights
C) Implement a VPN between the corporate network and the cloud provider
D) Use a cloud access security broker (CASB) to monitor data uploads

Answer: B Data sovereignty requires both technical controls and legal assurance. Contractually restricting data residency to specific regions ensures the cloud provider is legally bound to keep data in compliant locations. Audit rights allow verification. Provider-managed encryption (A) doesn't address location. VPNs (C) secure transit, not residency. CASB (D) provides visibility but not residency control.

2. In the cloud shared responsibility model for IaaS, which component is the cloud provider ALWAYS responsible for?

A) Guest OS patching and configuration
B) Application security and data classification
C) Physical facility security, hypervisor, and underlying hardware
D) Identity and access management for cloud workloads

Answer: C In IaaS, the cloud provider owns responsibility for physical security, hardware, and the hypervisor layer. Customers are responsible for everything above: guest OS, applications, data, and identity management. In PaaS, the provider also manages the OS and runtime. In SaaS, the provider manages all infrastructure and the application — customers are responsible only for data and user access management.

3. An organisation uses a multi-cloud strategy with workloads in AWS and Azure. Which cloud deployment model does this represent?

A) Hybrid cloud
B) Community cloud
C) Multi-cloud (multiple public clouds)
D) Private cloud with public burst capacity

Answer: C Multi-cloud uses services from two or more public cloud providers simultaneously. Hybrid cloud (A) combines a private cloud (or on-premises infrastructure) with a public cloud connected by consistent orchestration. Community cloud (B) is shared infrastructure for organisations with common interests (e.g., government agencies). The CCSP exam requires precise understanding of cloud deployment model terminology.

4. A security architect is designing a cloud key management strategy. Which approach provides the strongest protection against cloud provider access to customer data?

A) Cloud provider-managed keys (SSE with provider keys)
B) Customer-managed keys stored in the cloud provider's key management service
C) Customer-managed keys with a customer-controlled Hardware Security Module (HSM) outside the cloud provider's infrastructure
D) Envelope encryption using the cloud provider's KMS

Answer: C Using an HSM outside the cloud provider's infrastructure (e.g., Thales Luna, on-premises HSM) gives the customer cryptographic control that the cloud provider cannot bypass even under legal compulsion — the cloud provider cannot decrypt data because they never hold the keys. Options A, B, and D all involve keys that reside in cloud provider infrastructure where the provider has some level of access.

SSCP sample questions

Practice Questions — SSCP

SSCP (Systems Security Certified Practitioner) is the technical practitioner-level ISC2 credential — designed for security operations, network security analysts, and system administrators with hands-on security responsibilities. Unlike CISSP, SSCP focuses on implementation rather than management.

1. A security analyst is reviewing firewall logs and notices repeated connection attempts from a single external IP on TCP ports 22, 3389, 445, and 5900. What does this activity MOST likely represent?

A) Legitimate administrative traffic from a remote user
B) Port scanning targeting common remote administration services
C) A DDoS attack against the firewall
D) Normal traffic pattern requiring no action

Answer: B The targeted ports — SSH (22), RDP (3389), SMB (445), and VNC (5900) — are all common remote administration protocols. An external IP probing all of these is reconnaissance for vulnerable remote access services. SSCP candidates must recognise common port numbers and what activity targeting them represents. Action: block the source IP, alert the security team, and review whether any of these ports are unnecessarily exposed.

2. Which type of access control assigns permissions based on attributes of the user, resource, and environment (such as time of day or location)?

A) Mandatory Access Control (MAC)
B) Discretionary Access Control (DAC)
C) Role-Based Access Control (RBAC)
D) Attribute-Based Access Control (ABAC)

Answer: D ABAC uses dynamic attributes (user department, clearance, device posture, location, time, resource sensitivity) evaluated against policies expressed in XACML or similar. RBAC (C) uses fixed roles — simpler but less granular. MAC (A) uses security labels and clearances enforced by the system. DAC (B) lets the data owner decide who has access. ABAC is increasingly used in Zero Trust architectures and cloud-native applications.

3. A user reports they cannot decrypt an email sent by a colleague. The colleague used PGP and confirms the email was correctly encrypted. What is the MOST likely cause?

A) The email was encrypted with the sender's private key instead of the recipient's public key
B) The recipient does not have access to their own private key on the current device
C) The email server stripped the PGP signature
D) The email was encrypted with AES instead of RSA

Answer: B In asymmetric encryption, the sender encrypts using the recipient's public key; the recipient decrypts using their private key. If decryption fails, the most common cause is that the recipient's private key is not available on the device (key not imported, different device than where the keypair was generated, or password manager lockout). Memorise: encrypt with recipient's public, decrypt with recipient's private, sign with sender's private, verify with sender's public.

4. A SOC analyst observes that a workstation is making DNS queries every 30 seconds to a domain with high entropy (random-looking characters). What does this BEST indicate?

A) Normal DNS cache refresh activity
B) A Domain Generation Algorithm (DGA) used by malware for command-and-control
C) A misconfigured DNS server
D) DNSSEC validation queries

Answer: B DGAs generate large numbers of pseudo-random domain names (e.g., x4j8sn29df.com) so malware can find its C2 server even if individual domains are blocked. Periodic queries to high-entropy domains are a strong indicator of compromise. Modern EDR/NDR tools flag these patterns automatically. Response: isolate the host, capture memory, identify the malware variant, and add the C2 infrastructure to threat intelligence.

5. Which authentication factor is BEST described by a hardware token generating a one-time password every 30 seconds?

A) Something you know
B) Something you have
C) Something you are
D) Somewhere you are

Answer: B Hardware tokens (RSA SecurID, YubiKey, etc.) are physical possessions — "something you have". Passwords and PINs are "something you know". Biometrics (fingerprint, retina) are "something you are". Geofencing is "somewhere you are". True multi-factor authentication requires factors from at least two different categories — a password plus a security question is NOT MFA because both are "something you know".

CSSLP sample questions

Practice Questions — CSSLP

CSSLP (Certified Secure Software Lifecycle Professional) addresses secure SDLC across all phases. It is one of the few credentials specifically targeting application security architects, secure development lifecycle leaders, and software security engineers.

1. During requirements gathering for a new web application, the security team is conducting threat modelling. Which framework systematically identifies threats across Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege?

A) PASTA (Process for Attack Simulation and Threat Analysis)
B) STRIDE
C) DREAD
D) OCTAVE

Answer: B STRIDE is Microsoft's threat classification framework — the acronym stands for the six categories listed. STRIDE is typically applied per-component or per-trust-boundary in a data flow diagram. PASTA (A) is a 7-stage risk-based threat modelling methodology. DREAD (C) is a risk rating system (Damage, Reproducibility, Exploitability, Affected users, Discoverability) — used to prioritise threats identified by STRIDE. OCTAVE (D) is an enterprise risk management framework, not application-focused.

2. A development team must select tools for their secure SDLC pipeline. Which combination provides the MOST comprehensive coverage?

A) SAST only — analyse source code for vulnerabilities
B) DAST only — test running applications dynamically
C) SAST + DAST + SCA (software composition analysis) + IaC scanning + secrets detection in CI/CD
D) Penetration testing performed annually

Answer: C A mature DevSecOps pipeline uses multiple complementary tools: SAST (source code), DAST (runtime), SCA (vulnerable third-party dependencies — critical given that 70%+ of application code is open source), IaC scanning (Terraform, CloudFormation), and secrets detection (preventing API keys committed to git). Each tool catches different classes of vulnerabilities. Annual pen testing (D) is required but cannot replace continuous testing — it identifies issues too late to fix economically.

3. An application stores user passwords. Which storage approach is RECOMMENDED?

A) Store plaintext passwords for password recovery convenience
B) Encrypt passwords with AES-256 using a shared encryption key
C) Hash passwords using a slow, memory-hard algorithm with per-user salt (Argon2id, bcrypt, or scrypt)
D) Hash passwords with SHA-256 for performance

Answer: C Passwords should be one-way hashed — never encrypted (encryption implies decryption is possible). The hash algorithm should be intentionally slow (Argon2id is OWASP's first recommendation as of 2024, followed by bcrypt and scrypt) to resist offline brute force. Per-user random salt prevents rainbow table attacks. SHA-256 (D) is too fast for password storage — billions of hashes can be tested per second on a modern GPU. Plaintext (A) and reversible encryption (B) are both never acceptable for credentials.

4. An application allows users to upload profile pictures. Which control set BEST prevents file upload attacks?

A) Validate the file extension client-side using JavaScript
B) Server-side validation: check MIME type, file magic bytes, extension whitelist, max size, virus scan, rename file with random UUID, store outside webroot, serve through an authenticated endpoint
C) Block any file with executable extensions
D) Trust the client-provided MIME type

Answer: B File uploads are one of the most exploited features in web applications. Defence requires layered controls: validate type via magic bytes (not just extension or MIME), enforce a whitelist of allowed types, enforce size limits, scan with AV, rename to a server-generated UUID (prevents directory traversal and overwriting), store outside the web-accessible directory, and serve through an authenticated controller that streams the file. Client-side validation (A) can be trivially bypassed by an attacker.

Common questions

ISC2 Certification FAQ

How many questions are on the CISSP exam?

The CISSP uses Computerised Adaptive Testing (CAT). You will see between 125 and 175 questions in 4 hours. The exam stops when it is statistically confident you are above or below the passing standard. Receiving more questions is not an indicator of failure — many passing candidates answer all 175 questions.

Can I sit the CISSP exam before meeting the experience requirement?

Yes. You can take and pass the exam before you have the required five years of experience. Upon passing, you become an Associate of ISC2 and have six years to accumulate the required experience and earn endorsement from an ISC2 member. This is a popular path for career-changers and recent graduates entering security.

Is CCSP harder than CISSP?

Most candidates who have passed CISSP find CCSP comparable in difficulty but narrower in scope — it covers cloud security across six domains. Having CISSP first provides a significant foundation. Both use CAT format with 125–175 questions. CCSP requires three years of cumulative paid work experience in information technology with one year in cloud security.

What is the CISSP managerial mindset?

CISSP questions are designed to assess senior security management judgment. When you see multiple technically correct answers, select the one that a risk-informed senior security executive would choose — prioritising risk management, policy, and process over technical implementation. "Ensure policy exists" typically outranks "implement a technical control" on management-level questions.

Interactive · Timed · Fully explained

Interactive Practice Exam — CISSP

Twenty CISSP-style items spanning all eight CBK domains. Each item is written in the "best/MOST appropriate" management style that CISSP rewards, with detailed rationale explaining the managerial mindset and authoritative references to NIST, ISO, IETF, and ISC2 source material.

Loading the interactive practice exam… If it does not load, ensure JavaScript is enabled.

Interactive · Timed · Fully explained · Exam #2

Practice Exam #2 — CISSP

A second 20-question practice exam with all-new scenarios spanning all eight CISSP domains. Covers vendor risk assessment, data classification, Bell-LaPadula, TLS 1.3, SAML, forensic order of volatility, RTO/RPO, SQL injection, BGP hijacking, and more. Written in the 'MOST appropriate' management mindset CISSP rewards.

Loading practice exam… If it does not load, ensure JavaScript is enabled.

Case study · Apply your CISSP thinking

Real-World Walkthrough: The 2020 SolarWinds SUNBURST Supply-Chain Attack

SolarWinds is the textbook example of every CISSP domain converging in one incident — risk management, asset security, secure SDLC, identity federation, network architecture, security operations, and software supply-chain assurance. Use this incident to convert abstract CBK material into vivid mental models.

Timeline

September 2019: Nation-state actors (US government attributes to APT29 / Cozy Bear / Russian SVR) gain access to SolarWinds' internal build environment.
March – June 2020: SUNBURST malicious code is inserted into Orion Platform updates between builds 2019.4 HF5 and 2020.2.1 HF1. The compromise is invisible because the malicious DLL is digitally signed by SolarWinds' valid code-signing certificate — the trust anchor itself is poisoned.
March – December 2020: ~18,000 customers install the trojanised update. Attackers selectively activate the backdoor against ~100 high-value targets (US Treasury, Commerce, State, DHS, FireEye, Microsoft, Mimecast, Cisco). They use forged SAML tokens (the Golden SAML technique) to mint authentication tokens against federated identity providers.
December 8, 2020: FireEye discloses theft of its red-team tools and traces the intrusion to Orion. Investigation reveals the broader supply-chain compromise.
2021 onwards: Executive Order 14028 mandates Software Bills of Materials (SBOM) for federal procurement. NIST SP 800-218 (SSDF) becomes binding. Microsoft, CISA, and ISC2 publish post-mortems used in CISSP study material.

Map to CISSP CBK domains

Domain 1 (Risk): Third-party / supply-chain risk was the entire attack surface. Vendor risk assessments must include build-pipeline integrity, not just SOC 2 reports.
Domain 3 (Architecture): Trust anchors (code-signing certificates, root CAs) became the single point of failure. Defence in depth must NOT depend on any single trust source.
Domain 4 (Network): SUNBURST used DNS-based C2 to subdomains of avsvmcloud.com — egress filtering, DNS sinkholing, and outbound proxying with categorisation would have blunted exfiltration.
Domain 5 (Identity): Golden SAML forged tokens directly against ADFS. Mitigations: token issuer key in HSM, conditional access with device compliance, continuous token-issuance anomaly detection.

Domain 6 (Assessment): Software composition analysis (SCA) and SBOM are now baseline expectations — Domain 8 also reinforces this.
Domain 7 (Operations): The dwell time (months) exposed monitoring blind spots. Behavioural detection on identity providers, EDR with cloud-native telemetry, and threat-hunting programs are CISSP-grade controls.
Domain 8 (SDLC): Build pipeline became the attack surface. SLSA framework, signed and reproducible builds, hermetic build environments, isolated build hosts, and separation of duties between developers and release engineers are direct lessons.
Domain 2 (Asset): Inventory of every signed binary plus its provenance is essential to detect anomalous releases.

Study technique for CISSP: for every incident you read about, write three sentences mapping the technical detail to each CBK domain. The exam frequently asks "what would PREVENT this risk?" — train yourself to answer at the policy/governance/architecture layer first, technical control second.

Free & reputable only · Verified links

Helpful Materials — CISSP

CISSP candidates routinely waste hundreds of hours on the wrong study material. Every resource below is free and authoritative — the most effective study combines official sources, free video, and a strong community.

Official & primary sources (all free)

ISC2 CISSP exam outline — the authoritative blueprint (PDF download)
NIST SP 800 series — risk, controls, IR, supply chain, IAM — freely downloadable PDFs; focus on 800-53 Rev 5, 800-61r2, 800-145
NIST SP 800-53 Rev 5 control catalogue — the standard behind CISSP Domain 1 and 3 questions
NIST SP 800-61r2 — Incident Response guide (free PDF)
CISA free cybersecurity services and tools catalogue

Free video & audio

Pete Zerger — YouTube domain mind-map reviews (free) — domain-by-domain deep dives, consistently rated top free CISSP resource
Destination Certification — Rob Witcher's free YouTube CISSP playlist — concise concept explanations with visual mind maps
Cybrary — Kelly Handerhan's CISSP course (free with account) — the managerial mindset explained by one of the most cited CISSP instructors
r/cissp — "I passed" posts with real study breakdowns — read the top posts from the last year; candidates post which resources actually worked

Free practice questions

ISC2 official CISSP self-assessment quiz (free, no signup) — official questions from ISC2 itself
Quizlet CISSP community flashcard sets (free tier) — large community-maintained question banks covering all 8 CBK domains
LearnZapp CISSP — 100 free sample questions

Free ISC2 entry credential

ISC2 Certified in Cybersecurity (CC) — currently free exam and training — ISC2's free entry-level credential; excellent CISSP primer covering Domains 1, 4, 7

Process & eligibility

Quick reference · Memorise before exam day

CISSP Cheatsheet

High-frequency CISSP facts. The exam is concept-heavy — these definitions repeat in many disguises.

Security models

Bell-LaPadula — confidentiality; no read up, no write down (NRU / NWD).
Biba — integrity; no read down, no write up (NRD / NWU).
Clark-Wilson — integrity via well-formed transactions and separation of duties.
Brewer-Nash (Chinese Wall) — prevents conflicts of interest.
Take-Grant / Graham-Denning / Harrison-Ruzzo-Ullman — formal access-control models.

Risk management formulas

Single Loss Expectancy (SLE) = Asset Value × Exposure Factor
Annual Loss Expectancy (ALE) = SLE × Annualised Rate of Occurrence (ARO)
Cost-benefit: control is worthwhile if (ALE before − ALE after) > annual cost of control
Treatments: Avoid, Transfer, Mitigate, Accept

BIA & recovery objectives

RPO — data-loss tolerance (past)
RTO — time-to-restore (future)
MTD / MTPD — maximum tolerable downtime / disruption
WRT — work recovery time (after RTO, before normal)

Common evaluation criteria

TCSEC (Orange Book) — historical, replaced by CC
ITSEC — European predecessor
Common Criteria (ISO/IEC 15408) — EAL1 (functionally tested) … EAL7 (formally verified design and tested)
Protection Profile (PP) — class of products; Security Target (ST) — specific product

Identity protocols

SAML 2.0 — XML assertions; SSO between IdP and SP
OAuth 2.0 — delegated authorisation (NOT authentication)
OpenID Connect (OIDC) — authentication layer on top of OAuth 2.0; uses ID Token (JWT)
Kerberos — symmetric-key SSO; KDC, AS, TGS, TGT, ST
SCIM — provisioning protocol

IR & BCP cycles

IR (NIST SP 800-61): Preparation → Detection & Analysis → Containment / Eradication / Recovery → Post-incident
BCP: Project init → BIA → Strategy → Plan dev → Test & maintain
Change management: Request → Review → Approve → Test → Implement → Document → Review