In This Guide
- CISSP Domain Overview & 2024 Weight Changes
- Domain 1: Security and Risk Management (16%)
- Domain 2: Asset Security (10%)
- Domain 3: Security Architecture and Engineering (13%)
- Domain 4: Communication and Network Security (13%)
- Domain 5: Identity and Access Management (13%)
- Domain 6: Security Assessment and Testing (12%)
- Domain 7: Security Operations (13%)
- Domain 8: Software Development Security (10%)
- Which Domains to Study First
- FAQ: CISSP Domains
The CISSP exam tests you across all 8 domains of the Common Body of Knowledge (CBK). You don't get to skip any, but you do get to know exactly how much each one matters. ISC2 publishes official domain weights that tell you precisely what percentage of exam questions come from each area.
If you're about to spend 300-500 hours studying, you need to know this breakdown cold. A candidate who devotes equal time to all 8 domains is working against themselves. Domain 1 carries 60% more weight than Domain 2 or Domain 8. That's not a small difference; it's the difference between passing and rescheduling.
CISSP Domain Overview & Exam Weights
The CISSP CAT exam delivers between 100 and 150 questions over 3 hours. Based on the official domain weights, here's how many questions you can expect from each domain at the 125-question midpoint:
| # | Domain | Weight | ~Questions (125 total) | Priority |
|---|---|---|---|---|
| 1 | Security and Risk Management | 16% | ~20 | Highest |
| 2 | Asset Security | 10% | ~12-13 | Lower |
| 3 | Security Architecture and Engineering | 13% | ~16 | High |
| 4 | Communication and Network Security | 13% | ~16 | High |
| 5 | Identity and Access Management | 13% | ~16 | High |
| 6 | Security Assessment and Testing | 12% | ~15 | High |
| 7 | Security Operations | 13% | ~16 | High |
| 8 | Software Development Security | 10% | ~12-13 | Lower |
Notice that four domains tie at 13% (Domains 3, 4, 5, and 7), with Domain 6 just below at 12%. Together, those five represent 64% of your exam. Domain 1 adds another 16%, so those six domains account for 80% of questions. Domains 2 and 8 split the remaining 20%.
Domain 1: Security and Risk Management (16%)
- Security governance principles and frameworks (ISO 27001, NIST RMF)
- Legal and regulatory compliance (GDPR, HIPAA, PCI-DSS)
- Risk management: identification, assessment, treatment
- Threat modeling and risk quantification (ALE, SLE, ARO)
- Ethics and the ISC2 Code of Ethics
- Business Continuity Planning (BCP) vs. Disaster Recovery Planning (DRP)
- Personnel security policies: separation of duties, least privilege
- Security awareness and training programs
Domain 1 is the biggest on the exam and also one of the most conceptual. It's not about configuring firewalls; it's about understanding why security decisions get made at an organizational level. You need to think like a Chief Information Security Officer (CISO) who's accountable to the board.
What trips candidates up: Risk management math. You must know ALE (Annual Loss Expectancy = SLE × ARO, that is, Single Loss Expectancy × Annualized Rate of Occurrence), how to calculate risk reduction after safeguards, and the difference between risk avoidance, transference, mitigation, and acceptance. ISC2 loves quantitative risk scenarios.
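The risk math above, carried through as an added worked example (not from the original guide): SLE and ALE are computed from the asset value (AV), exposure factor (EF) and ARO, and a safeguard is valued as ALE before minus ALE after minus its annual cost. The asset value, exposure factors, rates and control costs are constructed for illustration.

```python
"""Quantitative risk math for CISSP Domain 1: SLE, ALE and safeguard cost/benefit.

Added worked example; it is not part of the original guide. All asset values,
exposure factors, rates and control costs below are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float       # AV: value of the asset in currency units
    exposure_factor: float   # EF: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float               # ARO: expected number of incidents per year


def sle(scenario: RiskScenario) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    return scenario.asset_value * scenario.exposure_factor


def ale(scenario: RiskScenario) -> float:
    """Annual Loss Expectancy: ALE = SLE x ARO."""
    return sle(scenario) * scenario.aro


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Value of a safeguard = ALE(before) - ALE(after) - annual cost of the safeguard.

    Positive: the control saves more than it costs (mitigation is justified).
    Negative: mitigation costs more than the risk it removes; acceptance or
    transference (for example insurance) is the better treatment option.
    """
    return ale(before) - ale(after) - annual_cost


def treatment(before: RiskScenario, after: RiskScenario, annual_cost: float) -> str:
    """Recommend a treatment based purely on the quantitative comparison."""
    return "mitigate" if safeguard_value(before, after, annual_cost) > 0 else "accept or transfer"


# Constructed scenario: a customer database worth 500,000 that loses a quarter
# of its value in a breach expected once every two years.
BASELINE = RiskScenario(asset_value=500_000, exposure_factor=0.25, aro=0.5)

# Option A: a control that cuts the incident rate to once every eight years
# (ARO 0.125) for 20,000 a year. EF is unchanged.
OPTION_A = replace(BASELINE, aro=0.125)
OPTION_A_COST = 20_000

# Option B: a control that halves the damage per incident (EF 0.125) but does
# nothing about frequency, for 40,000 a year.
OPTION_B = replace(BASELINE, exposure_factor=0.125)
OPTION_B_COST = 40_000


if __name__ == "__main__":
    print(f"SLE baseline: {sle(BASELINE):,.0f}")   # 125,000
    print(f"ALE baseline: {ale(BASELINE):,.0f}")   # 62,500
    for name, after, cost in (("A", OPTION_A, OPTION_A_COST), ("B", OPTION_B, OPTION_B_COST)):
        print(f"Option {name}: ALE after {ale(after):,.0f}, "
              f"value {safeguard_value(BASELINE, after, cost):,.0f} "
              f"-> {treatment(BASELINE, after, cost)}")
```

Option A is worth implementing (it returns 26,875 a year net) while Option B is not (it loses 8,750 a year), even though both reduce the ALE. Exam scenarios of this shape are testing whether you compare the reduction in ALE against the cost of the control rather than picking the control that lowers risk the most.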
Domain 2: Asset Security (10%)
- Information and asset classification schemes
- Data ownership: owner, custodian, steward, processor
- Data lifecycle management and retention
- Data security controls: encryption at rest, in transit, in use
- Data remanence and sanitization (clearing, purging, destruction)
- Privacy protection: PII, PHI, data minimization
- Scoping and tailoring security controls
Asset Security covers how organizations classify, handle, and protect their data throughout its entire lifecycle, from creation to disposal. The key concept is that the data owner determines the classification level, while the custodian (usually IT) implements the controls.
What trips candidates up: Data remanence. Know the difference between clearing (sanitizing media to a level adequate for reuse within the organization), purging (destroying data so it can't be recovered even with lab equipment), and destruction (physical elimination of the media). The exam often describes a scenario and asks which sanitization method is appropriate.
Domain 3: Security Architecture and Engineering (13%)
- Security models: Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash
- Cryptography: symmetric, asymmetric, hashing, PKI
- Physical security controls and site design
- Trusted computing: TPM, HSM, secure enclaves
- Cloud computing security architecture
- Virtualization and containerization security
- Security by design principles: least privilege, fail-secure, defense-in-depth
- Vulnerability assessments vs. penetration testing
This is the most technically broad domain. It covers everything from formal security models developed in the 1970s to modern cloud architecture. Cryptography alone can feel like a full certification; you need to understand not just which algorithm does what, but when to use each and why.
What trips candidates up: Security models. Bell-LaPadula enforces confidentiality (no read up, no write down). Biba enforces integrity (no read down, no write up). The exam will give you a scenario and ask which model applies. Practice until the distinction is automatic.
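The two models' rules, encoded as an added example (not from the original guide) so the "mirror image" relationship is visible in code. The four-level lattice and the subject/object pairs are constructed; real systems also carry categories (need-to-know compartments), which are omitted here.

```python
"""Bell-LaPadula (confidentiality) vs Biba (integrity) access decisions.

Added example, not from the original guide. The four-level lattice and the
subject/object pairs are constructed; categories/compartments are omitted.
"""
from enum import IntEnum


class Level(IntEnum):
    """A simple linear lattice. A higher value is a higher clearance (BLP) or a
    higher integrity level (Biba). Both models are shown on one lattice only so
    their rules can be compared side by side."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    VERY_HIGH = 3


def bell_lapadula_allows(subject: Level, obj: Level, op: str) -> bool:
    """Confidentiality model.
    Simple security property: no read up   (subject must dominate object).
    Star (*) property:        no write down (object must dominate subject)."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Integrity model: the mirror image of Bell-LaPadula.
    Simple integrity property: no read down (object must dominate subject).
    Integrity star property:   no write up  (subject must dominate object)."""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


MODELS = {"Bell-LaPadula": bell_lapadula_allows, "Biba": biba_allows}


def decide(subject: Level, obj: Level, op: str) -> dict:
    """Run one request through both models, returning {model_name: allowed}."""
    return {name: rule(subject, obj, op) for name, rule in MODELS.items()}


def models_are_mirrors(levels=tuple(Level)) -> bool:
    """Exhaustive check: Biba's answer equals BLP's answer with subject and
    object levels swapped, for every pair of levels and both operations."""
    return all(
        biba_allows(s, o, op) == bell_lapadula_allows(o, s, op)
        for s in levels
        for o in levels
        for op in ("read", "write")
    )


if __name__ == "__main__":
    # A HIGH-level subject touching a VERY_HIGH object and a MEDIUM object.
    for obj in (Level.VERY_HIGH, Level.MEDIUM):
        for op in ("read", "write"):
            print(f"subject=HIGH object={obj.name:9} {op:5} -> {decide(Level.HIGH, obj, op)}")
    print("Biba mirrors Bell-LaPadula:", models_are_mirrors())
```

Reading the output for a HIGH subject and a MEDIUM object shows the contrast the exam is after: Bell-LaPadula allows the read (reading down keeps secrets from flowing up) but blocks the write (writing down would leak), while Biba blocks the read (low-integrity data would contaminate the subject) and allows the write.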
Domain 4: Communication and Network Security (13%)
- OSI and TCP/IP models, and where attacks happen at each layer
- Firewalls: packet filtering, stateful, next-generation (NGFW)
- VPNs, TLS/SSL, IPSec tunneling protocols
- Network attack types: DoS, DDoS, ARP poisoning, DNS spoofing
- Wireless security: WPA2, WPA3, 802.1X, EAP protocols
- Network segmentation: DMZ, VLAN, microsegmentation
- SD-WAN, SASE, and zero-trust network access
- Network monitoring: IDS vs. IPS, SIEM integration
Domain 4 is where networking knowledge matters most. But the CISSP doesn't test you on how to configure a Cisco switch; it tests you on why specific network security architectures are chosen. You need to know how protocols work, what they're vulnerable to, and how controls mitigate those vulnerabilities.
What trips candidates up: Confusing IDS and IPS. An IDS (Intrusion Detection System) detects and alerts; it is passive. An IPS (Intrusion Prevention System) detects and blocks; it sits inline. The exam loves asking which is more appropriate given a scenario. If availability is the priority, IDS. If stopping attacks is the priority, IPS.
Domain 5: Identity and Access Management (13%)
- Authentication factors: something you know, have, are, do, where you are
- Access control models: DAC, MAC, RBAC, ABAC, PBAC
- Federation: SAML, OAuth 2.0, OpenID Connect
- Directory services: LDAP, Active Directory, Kerberos
- Privileged Access Management (PAM) and just-in-time access
- Identity lifecycle: provisioning, review, deprovisioning
- Zero trust: "never trust, always verify"
- Biometrics: FAR, FRR, and the crossover error rate (CER)
Identity is the new perimeter. Domain 5 reflects how modern security has shifted from protecting the network boundary to verifying identities at every access point. Understanding the differences between access control models is non-negotiable.
What trips candidates up: Access control models. DAC (Discretionary): the owner controls access; flexible but risky. MAC (Mandatory): labels and clearances, used in government systems. RBAC (Role-Based): access based on job function, the most common model in enterprises. ABAC (Attribute-Based): fine-grained policies. Know the use case for each.
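The four models side by side, as an added example that is not from the original guide. Each answers "may this subject perform this action on this object?" from a different source of truth: a per-object ACL set by the owner (DAC), system-assigned labels (MAC), role assignments (RBAC), or a policy over attributes (ABAC). The users, roles, labels and policy rules are constructed.

```python
"""DAC, MAC, RBAC and ABAC decision logic side by side.

Added example, not from the original guide. Users, roles, labels and policy
rules are constructed for illustration.
"""
from dataclasses import dataclass, field


# --- DAC: the object's owner decides; access is recorded in a per-object ACL ---
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, granter: str, user: str, perm: str) -> None:
        """Only the owner may hand out access, and may do so to anyone (hence 'risky')."""
        if granter != self.owner:
            raise PermissionError(f"{granter} is not the owner of this object")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


# --- MAC: the system assigns labels and clearances; subjects cannot change them ---
LABEL_ORDER = {"public": 0, "internal": 1, "secret": 2}


def mac_allows_read(clearance: str, label: str) -> bool:
    """Read is allowed only if the subject's clearance dominates the object's label."""
    return LABEL_ORDER[clearance] >= LABEL_ORDER[label]


# --- RBAC: permissions attach to roles; users are assigned roles, never permissions ---
ROLE_PERMISSIONS = {
    "analyst": {"ticket:read"},
    "manager": {"ticket:read", "ticket:approve"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"manager"}}


def rbac_allows(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMISSIONS[role] for role in USER_ROLES.get(user, set()))


# --- ABAC: a policy evaluates attributes of subject, resource and environment ---
def abac_allows(subject: dict, resource: dict, environment: dict) -> bool:
    """Constructed policy: same department, MFA completed, and either business
    hours or the subject is on call. Every rule must hold."""
    rules = (
        lambda s, r, e: s["department"] == r["department"],
        lambda s, r, e: e["mfa_passed"] is True,
        lambda s, r, e: 8 <= e["hour"] < 18 or s["on_call"],
    )
    return all(rule(subject, resource, environment) for rule in rules)


if __name__ == "__main__":
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC  bob read:", doc.allows("bob", "read"), "| carol read:", doc.allows("carol", "read"))
    print("MAC  internal clearance reads secret:", mac_allows_read("internal", "secret"))
    print("RBAC alice approve:", rbac_allows("alice", "ticket:approve"),
          "| bob approve:", rbac_allows("bob", "ticket:approve"))
    print("ABAC finance user, after hours, not on call:", abac_allows(
        {"department": "finance", "on_call": False},
        {"department": "finance"},
        {"mfa_passed": True, "hour": 22}))
```

The ABAC case is the one to notice: the same user with the same role is allowed at 10:00 and denied at 22:00, which no DAC or RBAC rule can express without adding a new role or ACL entry for every combination of conditions.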
Domain 6: Security Assessment and Testing (12%)
- Vulnerability assessments: scanning, tools, output interpretation
- Penetration testing phases: reconnaissance, scanning, exploitation, reporting
- Types of pen tests: white box, gray box, black box
- Security audits: internal vs. external, compliance vs. risk-based
- Log management and SIEM analysis
- Code review and application security testing (SAST, DAST)
- Disaster recovery testing: tabletop, walkthrough, simulation, parallel, full cutover
- SOC 2, SSAE 18 / AT-C 320 (formerly SAS 70) audit standards
Domain 6 tests whether you understand how organizations verify that their security controls actually work. It's not just about running a Nessus scan; it's about choosing the right assessment methodology, interpreting results, and communicating findings to the right stakeholders.
What trips candidates up: DR testing types. Tabletop exercises are discussions; no systems are involved. Parallel tests run both old and new systems simultaneously. Full cutover (or failover) is the real thing: highest risk, most realistic. Know the risk and resource profile of each.
Domain 7: Security Operations (13%)
- Incident response lifecycle: preparation, detection, containment, eradication, recovery
- Investigations: digital forensics, chain of custody, evidence handling
- Patch and change management processes
- Configuration management and asset inventory
- Identity and access provisioning in operations context
- Preventive vs. detective vs. corrective controls
- Malware analysis: types, behaviors, and response
- Physical security operations: guards, lighting, CCTV, locks
Domain 7 is where security concepts meet day-to-day operations. It's the largest "practical" domain, covering how security teams actually run, respond to incidents, and maintain controls. If you work in a SOC or IT operations role, this domain may feel familiar but still requires the CISSP managerial perspective.
What trips candidates up: Incident response order. The NIST phases are: Preparation → Detection & Analysis → Containment → Eradication → Recovery → Post-Incident Activity. The exam will ask what you do first, second, or next in a given scenario. Containment always comes before eradication.
Domain 8: Software Development Security (10%)
- SDLC phases and security integration at each stage
- Secure coding practices: input validation, parameterized queries, error handling
- Common vulnerabilities: OWASP Top 10, buffer overflows, injection attacks
- DevSecOps and shifting security left
- Code review: static (SAST), dynamic (DAST), interactive (IAST)
- Software supply chain security
- Agile vs. waterfall vs. spiral SDLC models
- API security and third-party library risks
Domain 8 dropped from 11% to 10% in the 2024 update, reflecting a slight deprioritization relative to risk and operations topics. But don't skip it. OWASP Top 10 vulnerabilities, SDLC integration, and the DevSecOps mindset are all testable and increasingly relevant.
What trips candidates up: Mixing up code testing methods. SAST (Static Application Security Testing) analyzes source code without running it, like a code review done by a scanner. DAST (Dynamic Application Security Testing) runs the application and attacks it from the outside. Know which finds what category of bugs.
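The "parameterized queries" item from the list above, as an added example (not from the original guide) showing the defect a SAST tool would flag and the fix. It uses Python's standard sqlite3 module and a constructed in-memory users table; the "before" function is there only to show why string-building the query is wrong, and the demonstration input is an ordinary surname with an apostrophe rather than anything adversarial.

```python
"""Secure coding for Domain 8: string-built SQL vs a parameterized query.

Added example, not from the original guide. Uses the standard sqlite3 module
and a constructed in-memory table. lookup_vulnerable is the 'before' picture.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "obrien@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """BEFORE: untrusted input is concatenated into the SQL text, so the input
    reaches the SQL parser and can change the statement's structure.
    A legitimate name like o'brien already breaks the statement, which is
    the same root cause an injection exploits."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """AFTER: the SQL text is fixed; the driver binds the value separately, so
    quotes or keywords in the input are always treated as data."""
    return conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allowlist for the username format. Note the apostrophe is permitted: input
# validation enforces the expected shape of the data, it does not replace
# parameterization as the defence against injection.
USERNAME_RE = re.compile(r"[a-z0-9._'-]{1,32}")


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Defense in depth: allowlist validation first, then a parameterized query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username fails input validation")
    return lookup_parameterized(conn, username)


def compare(username: str) -> dict:
    """Run the same input through both versions and report what happened."""
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, username)
    except sqlite3.OperationalError as exc:
        vulnerable = f"error: {exc}"
    return {"vulnerable": vulnerable, "parameterized": lookup_parameterized(conn, username)}


if __name__ == "__main__":
    for name in ("alice", "o'brien"):
        print(name, "->", compare(name))
```

For "alice" both functions agree. For "o'brien" the string-built query fails with a SQL syntax error because the apostrophe terminated the literal early, while the parameterized version returns the row. That is exactly the distinction to carry into the exam: parameterization separates code from data at the driver level, and validation is an additional layer rather than the primary control.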
Which CISSP Domains to Study First
The instinct is to work through Domains 1-8 in order. That's not optimal. Here's a better approach based on exam weight and conceptual dependencies:
Phase 1: Foundation (Start Here)
- Domain 1 (16%): Study this first and in depth. It underlies every other domain. Risk management vocabulary and governance frameworks will show up in Domain 3, 6, and 7 questions too.
- Domain 5 (13%): Identity concepts are straightforward and high-value. Strong ROI for study time.
Phase 2: Technical Core (Middle)
- Domain 3 (13%): Cryptography and security models require the most concentrated study. Don't rush this one.
- Domain 4 (13%): Network security concepts. If you have a networking background, this will move faster.
- Domain 7 (13%): Security operations is practical; connect concepts to real-world scenarios as you study.
Phase 3: Fill the Gaps
- Domain 6 (12%): Assessment and testing frameworks. Solidify DR testing types and audit methodologies.
- Domain 2 (10%): Asset security is more conceptual and often feels intuitive once Domain 1 is solid.
- Domain 8 (10%): Finish with software security. If you work in development, move this earlier.
FAQ: CISSP Domains
Are the CISSP domain weights changing in 2026?
Not currently. ISC2 updated the CISSP exam outline effective April 15, 2024; that's the current version for 2026 exam takers. Domain 1 went up to 16%, Domain 8 dropped to 10%. Unless ISC2 announces a new Job Task Analysis (JTA), these weights remain in effect.
Do I need to pass each domain separately?
No. The CISSP is a single cumulative exam; there's no domain-by-domain passing threshold. The CAT algorithm evaluates your overall competency across all domains. However, severe weakness in any domain can hurt your overall score since the algorithm tests breadth, not just aggregate knowledge.
How many questions come from each domain?
ISC2 doesn't specify exact per-domain question counts. You'll see between 100 and 150 total questions depending on when the CAT algorithm achieves statistical confidence in your ability. Applying the published weights to 125 questions gives the estimates in the table above.
Which domain is hardest?
Domain 3 (Security Architecture and Engineering) consistently gets cited as the most difficult due to cryptography depth. Domain 1 (Security and Risk Management) is cited as the most important and most conceptually challenging for candidates without a management background. Domain 7 (Security Operations) trips up candidates who answer from a technical rather than managerial perspective.
How is the CISSP different from CCSP or CISM?
The CISSP is the broadest of the three, covering all 8 security domains from governance to technical implementation. The CCSP focuses on 6 cloud-specific domains (cloud concepts, architecture, data security, platform security, operations, and legal). The CISM focuses on 4 management domains (governance, risk management, incident management, program management). If you're a security manager, you may pursue CISM. If you're in cloud security, CCSP. CISSP works as a foundation for both.
Practice All 8 CISSP Domains
CISSP.app delivers adaptive practice questions mapped to each domain's official weight. You'll know exactly which domains need the most work โ before exam day.