
CISSP Chronicles Vault from PK


Author’s Note

Over the past 60 days, I’ve spent around 80 hours publishing my personal experience, the mindset to adopt, and domain-wise CISSP notes, aiming to support fellow aspirants and give back to the cybersecurity community. This effort comes not as a formality, but as a personal mission rooted in passion and dedication.

For me, CISSP is not just another certification—it’s a milestone that reflects consistent hard work, deep understanding, and commitment to the profession. Conquering CISSP is indeed a proud goal, but let’s be honest—it can also be overwhelming and mentally taxing.

Throughout my own journey, I encountered many who shared the same goal but were confused about where to start, what to study, how to plan, and when to feel prepared. The CISSP path can be unclear, especially with the abundance of materials and approaches available.

I am not claiming that my notes would be a perfect fit for everyone—because truthfully, no “one-size-fits-all” approach exists in CISSP preparation. There are many seasoned professionals and pioneers in the field who have spent years perfecting their way of delivering CISSP content.

However, the notes I’ve created are based on my personal approach, drawn from real study experiences, late-night struggles, revision strategies, and moments of clarity. I’ve tried to keep them practical, simplified, and rooted in exam-relevant understanding.

My hope is that these notes help someone take that first step, fill a gap, or gain confidence when the road feels too steep. Whether you’re just starting or reinforcing what you already know—you’re not alone in this journey.

Wishing every aspirant the clarity, focus, and resilience needed to reach their CISSP goal.

This effort is dedicated to the cybersecurity community, and I believe in learning together. If you have any suggestions or constructive feedback, please share—I’m always looking to improve and refine the work I publish.

Regards – PraveenKumar Karthikeyan, Since 1987

Beginning of the Core

To begin with, I would like to share my CISSP journey — from the preparation phase all the way through to the exam experience.

Next, I would like to shed light on the kind of mindset that every CISSP aspirant should cultivate throughout their journey.

Now, I would like to provide in-depth insights into the CISSP certification itself. While I have already touched on some aspects in the mindset section, I will briefly cover the essential ‘need-to-know’ elements for a clearer understanding.

What is CISSP?

CISSP (Certified Information Systems Security Professional) is a globally recognized certification offered by (ISC)² for information security professionals. It validates deep technical and managerial knowledge in designing, engineering, and managing an organization’s overall security posture.

CISSP Goals

Who Should Take CISSP?

CISSP Certification Requirements

CISSP Exam Overview

The 8 Domains of CISSP (2024)

  1. Security and Risk Management
  2. Asset Security
  3. Security Architecture and Engineering
  4. Communication and Network Security
  5. Identity and Access Management (IAM)
  6. Security Assessment and Testing
  7. Security Operations
  8. Software Development Security

🧾 (ISC)² Code of Ethics

  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  2. Act honorably, honestly, justly, responsibly, and legally.
  3. Provide diligent and competent service to principals.
  4. Advance and protect the profession.

CISSP Domain-Wise Overview and Quick Introductions

Over the next sections, you’ll find a quick yet meaningful overview of all 8 CISSP domains. At the end of each introduction, you’ll find a direct link to the detailed notes I’ve prepared based on my own learning journey. These are not generic summaries—they’re crafted from hours of structured study and reflection.

🛡️ Domain 1: Security and Risk Management

This foundational domain focuses on principles like confidentiality, integrity, and availability (CIA). You’ll learn about governance, compliance, policies, security roles, and risk management. Topics such as legal systems, business continuity, ethics, and security frameworks (like ISO, NIST, etc.) are central. It sets the stage for security decision-making across the entire organization.

🔗 Read Domain 1 Notes: View Domain 1 Notes »

📦 Domain 2: Asset Security

This domain centers on classifying and protecting assets—especially data—throughout its lifecycle. You’ll explore ownership, data labeling, privacy, retention, and secure disposal techniques. Key concepts include regulatory data requirements and protecting data at rest, in transit, and in use. Physical and logical protections are addressed to prevent leakage or misuse.

🔗 Read Domain 2 Notes: View Domain 2 Notes »

🏛️ Domain 3: Security Architecture and Engineering

Dive into the principles of designing secure systems, hardware, and architecture. This domain covers security models (Bell-LaPadula, Biba, etc.), cryptography, trusted computing, and secure design patterns. It explores vulnerabilities in processors, firmware, and embedded systems. You’ll also learn about system evaluation standards and security capabilities of operating systems.

🔗 Read Domain 3 Notes Part I: View Domain 3 Notes »

🔗 Read Domain 3 Notes Part II: View Domain 3 Notes »

🌐 Domain 4: Communication and Network Security

This domain is all about securing data in motion across networks. It covers protocols, secure network design, segmentation, wireless security, and layered defenses. You’ll study technologies like VPNs, firewalls, IDS/IPS, and common network attacks. Emphasis is placed on secure protocol use (TLS, IPsec, SSH) and architecture-level resilience.

🔗 Read Domain 4 Notes: View Domain 4 Notes »

🔐 Domain 5: Identity and Access Management (IAM)

IAM is the core of who can access what and how. You’ll learn about authentication methods (passwords, biometrics, multifactor), authorization models (RBAC, ABAC, DAC), and identity provisioning. It explores identity federation, SSO, directory services, and access reviews. Strong IAM controls are key to enforcing least privilege and accountability.

🔗 Read Domain 5 Notes: View Domain 5 Notes »

🧪 Domain 6: Security Assessment and Testing

Learn how to validate security controls using audits, vulnerability assessments, and penetration tests. This domain includes testing strategies, log review, metrics collection, and remediation. It emphasizes creating baselines, managing test results, and ensuring continuous improvement through control testing.

🔗 Read Domain 6 Notes: View Domain 6 Notes »

⚙️ Domain 7: Security Operations

This domain covers day-to-day security management: monitoring, incident response, forensics, and operational resilience. You’ll study disaster recovery, business continuity, change control, and physical security. Logging, SIEM tools, and escalation procedures are also covered. It’s about ensuring systems remain secure, available, and monitored in real time.

🔗 Read Domain 7 Notes Part I: View Domain 7 Notes »

🔗 Read Domain 7 Notes Part II: View Domain 7 Notes »

💻 Domain 8: Software Development Security

This domain focuses on integrating security throughout the software development lifecycle (SDLC). You’ll study secure coding practices, application vulnerabilities, DevOps integration, and threat modeling. Topics include CI/CD, APIs, version control, and secure architecture for applications. A must-know domain for addressing software risks early.

🔗 Read Domain 8 Notes: View Domain 8 Notes »

150 CISSP Exam Essentials

Here’s a carefully curated list of 🔑 150 important CISSP exam essentials, compiled domain-wise and optimized for exam-day revision, last-minute brushing, or checkpoint tracking. These points focus on concepts, processes, and terminology that often appear in questions, scenarios, and tricky distractors.

🛡️ Domain 1: Security and Risk Management (25 points)

  1. CIA Triad: Confidentiality, Integrity, Availability
  2. Governance drives security alignment with business goals
  3. Security Policies are mandatory, high-level directives
  4. Risk = Threat × Vulnerability × Asset Value
  5. Risk Responses: Avoid, Transfer, Mitigate, Accept
  6. Qualitative vs Quantitative Risk Analysis
  7. Risk Appetite vs Risk Tolerance
  8. Due Care = Action taken; Due Diligence = Investigation performed
  9. Threat Modeling: STRIDE (Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation)
  10. Security Control Types: Preventive, Detective, Corrective, Deterrent, Compensating
  11. Administrative, Technical, and Physical control categories
  12. Business Continuity Planning (BCP) vs Disaster Recovery Planning (DRP)
  13. RTO (max downtime) vs RPO (max data loss)
  14. BIA identifies critical business functions and recovery priorities
  15. Legal Systems: Civil, Common, Religious, Customary
  16. GDPR: Lawfulness, Fairness, Transparency, Data Minimization
  17. Data Breach Notification Laws vary by country
  18. Security Roles: Owner (defines), Custodian (protects), User (uses)
  19. (ISC)² Code of Ethics – 4 Canons
  20. Intellectual Property: Copyright, Trademark, Patent, Trade Secret
  21. Compliance = Adhering to legal, regulatory, and contractual obligations
  22. Security Awareness is a critical preventive control
  23. Threat Sources: Natural, Human, Environmental
  24. Risk Register tracks and monitors risks over time
  25. Asset Value influences control selection

📦 Domain 2: Asset Security (15 points)

  1. Data Lifecycle: Create → Store → Use → Share → Archive → Destroy
  2. Data Classification determines required protection
  3. Owner assigns classification; Custodian implements controls
  4. Labeling ensures data is handled correctly
  5. Asset Handling depends on sensitivity and regulatory needs
  6. PII (Personally Identifiable Information) must be protected by law
  7. Data Masking hides sensitive data in test/dev environments
  8. Data Remanence – residual data left after deletion
  9. Data Sanitization Methods: Clearing, Purging, Degaussing, Destruction
  10. Data Retention depends on legal and business requirements
  11. Physical Protection is needed for servers, drives, paper files
  12. Encryption protects data at rest and in transit
  13. Data Aggregation and Inference can reveal sensitive info
  14. Media Reuse must include sanitization
  15. Privacy Controls must be enforced at collection and use

🏛️ Domain 3: Security Architecture and Engineering (20 points)

  1. Security Models: Bell-LaPadula (Confidentiality), Biba (Integrity), Clark-Wilson (Well-formed transactions)
  2. Secure Design Principles: Least Privilege, Fail-Safe Defaults, Economy of Mechanism
  3. Reference Monitor ensures mediation of all access
  4. Trusted Computing Base (TCB) = critical components of a secure system
  5. Common Criteria (ISO 15408): EAL1–EAL7 assurance levels
  6. Side-Channel Attacks exploit timing, power, or emissions
  7. Cryptographic Goals: Confidentiality, Integrity, Authentication, Non-repudiation
  8. Symmetric Encryption: Fast, same key for encrypt/decrypt (AES, DES)
  9. Asymmetric Encryption: Uses key pairs (RSA, ECC)
  10. Hashing (SHA-2, SHA-3) provides integrity only
  11. Digital Signatures = Integrity + Authentication + Non-repudiation
  12. Key Management is the hardest part of cryptography
  13. PKI = CA + RA + Certificates + CRLs + OCSP
  14. Secure Boot ensures system integrity during startup
  15. Hardware Security: TPM, HSM, Secure Enclaves
  16. Security Boundaries separate levels of sensitivity
  17. Embedded Systems must be designed with security from the start
  18. IoT Security must consider limited device resources
  19. Fail-Secure vs Fail-Open depending on context (availability vs safety)
  20. Protocols like SSL, TLS must use strong cipher suites

🌐 Domain 4: Communication and Network Security (20 points)

  1. OSI Model: Layers 1–7 (Physical to Application)
  2. TCP/IP Model: 4 Layers (Network Access, Internet, Transport, Application)
  3. Common Ports: 80 (HTTP), 443 (HTTPS), 22 (SSH), 25 (SMTP), 3389 (RDP)
  4. IPsec Protocols: AH (integrity/auth), ESP (confidentiality)
  5. TLS provides secure application-level communication
  6. VPN Types: Remote Access, Site-to-Site
  7. Network Segmentation reduces attack surface
  8. DMZ hosts public-facing services
  9. IDS = Detects, IPS = Blocks
  10. Wireless Security: WPA3, EAP, PSK
  11. VLANs segment traffic logically within a switch
  12. NAT hides internal IP addresses
  13. SNMPv3 is secure; v1 and v2 are not
  14. DNSSEC provides authentication of DNS responses
  15. Port Security limits MAC addresses per switch port
  16. Encapsulation used to wrap data across network layers
  17. Protocol Analyzers (Wireshark) used for traffic analysis
  18. ARP Poisoning = redirecting traffic by falsifying MAC mappings
  19. MAC Filtering is weak but adds minimal control
  20. Network Topologies: Mesh, Star, Bus, Ring

🔐 Domain 5: Identity and Access Management (IAM) (20 points)

  1. AAA: Authentication, Authorization, Accounting
  2. Authentication Factors: Knowledge, Possession, Inherence, Location, Behavior
  3. MFA = at least two different factor types
  4. SSO improves user experience, introduces risk
  5. Federation enables identity across org boundaries (SAML, OAuth)
  6. RBAC: Role-Based Access Control
  7. DAC: User-controlled access (Windows NTFS)
  8. MAC: Centralized control by policy (Military)
  9. ABAC: Dynamic and context-based control
  10. Access Provisioning = Identity Creation → Access Granting
  11. Account Lifecycle = Joiner → Mover → Leaver
  12. Session Timeout, Account Lockout protect against misuse
  13. Identity Proofing verifies individual before account creation
  14. Directory Services = LDAP, Active Directory
  15. Kerberos uses tickets to manage authentication
  16. Identity Federation = Trust relationships between domains
  17. Just-in-Time Access reduces attack surface
  18. Privileged Access Management tools control high-level access
  19. Entitlement Review = Periodic access recertification
  20. Identity Governance automates compliance and audits

🧪 Domain 6: Security Assessment and Testing (15 points)

  1. Vulnerability Scanning is passive; Pen Testing is active
  2. Penetration Test Phases: Planning, Discovery, Attack, Reporting
  3. Black-box = no access; White-box = full access
  4. Static Testing = source code analysis; Dynamic = running application
  5. Security Audits evaluate compliance
  6. SIEM = Security Information and Event Management
  7. Synthetic Transactions simulate real traffic
  8. Code Review can be manual or automated
  9. Logging is required for accountability
  10. Test Environment must mirror production
  11. Regression Testing checks that changes don’t break functions
  12. Fuzz Testing sends unexpected input to find flaws
  13. Metrics: Quantify effectiveness (KPIs, KRIs)
  14. Continuous Monitoring = Real-time security telemetry
  15. Remediation must follow vulnerability findings

⚙️ Domain 7: Security Operations (20 points)

  1. Incident Response: Preparation, Detection, Response, Recovery, Lessons Learned
  2. Forensics = Preservation + Collection + Analysis + Reporting
  3. Chain of Custody preserves integrity of evidence
  4. DR Sites: Hot (ready), Warm (partial), Cold (basic)
  5. Backup Types: Full, Incremental, Differential
  6. Change Management = Approvals, Rollbacks, Version Control
  7. Monitoring = Detection; Logging = Record
  8. BCP: Ensures minimal business disruption
  9. DRP: Ensures quick recovery of IT systems
  10. Mean Time to Detect/Recover (MTTD/MTTR)
  11. Least Privilege in operations = reduce insider threats
  12. Job Rotation + Mandatory Vacations detect fraud
  13. SLA = Agreed service performance & availability
  14. Secure Disposal = Wipe, Degauss, Shred
  15. Physical Controls: Mantraps, CCTV, Locks, Guards
  16. HVAC controls temperature, humidity, dust
  17. Fire Suppression: Gas (FM-200), Water, Dry Chemicals
  18. Escalation Matrix defines contact chain
  19. SIEM correlation = detect advanced threats
  20. Outage Communication Plan is critical to BCP

💻 Domain 8: Software Development Security (15 points)

  1. SDLC Phases: Requirements → Design → Development → Testing → Deployment → Maintenance
  2. DevSecOps: Integrate security early in CI/CD pipeline
  3. Secure Coding = Input validation, error handling, least privilege
  4. OWASP Top 10: Most common web app vulnerabilities
  5. APIs must enforce authentication and rate limiting
  6. Threat Modeling in development phase (STRIDE, DFDs)
  7. Static & Dynamic Code Analysis for vulnerability detection
  8. Software Testing: Unit, Integration, Regression, Fuzz
  9. Version Control = Git, SVN
  10. Configuration Management = Consistent system state
  11. Code Signing ensures authenticity of software
  12. Input Sanitization prevents injection attacks
  13. Secure SDLC ensures quality + security
  14. Supply Chain Risk = tampered components/libraries
  15. Application Sandboxing limits impact of compromise

Final Words

Preparing for the CISSP is a journey that demands consistency, clarity, and commitment. Through these notes, I’ve aimed to simplify complex topics, highlight core concepts, and provide a structured guide for aspirants at every stage.

Remember, there’s no one perfect way to prepare—adapt what works best for you, stay focused, and keep moving forward. Whether you’re just starting or reviewing for the final time, I hope these notes serve as a valuable companion in your CISSP journey.

Wishing you success and confidence on exam day!
Let’s continue learning, sharing, and growing together in the cybersecurity community.
