The Certified Information Systems Security Professional (CISSP) is the senior-level cybersecurity certification from (ISC)². It tests the breadth of the Common Body of Knowledge (CBK) across eight domains and rewards candidates who can think like a security manager, not just a technician. Threat on the Wire publishes deep, practitioner-focused articles for every domain - this hub is the index, the study plan, and the strategic frame for using the site to prepare.
If you are starting your CISSP preparation, read this page top to bottom. If you have already started studying, jump to the domain you are working on and use its pillar as the structured reading order.
How to use Threat on the Wire to prepare for the CISSP
Threat on the Wire is organised around the eight CISSP domains. For each domain we publish:
- A domain pillar page (this hub links to all 8) summarising the domain, its exam weight, the testable concepts, and the reading order.
- 12-14 standalone articles per domain covering each major topic in depth.
- Exam-scenario deep-dives for every domain that walk through manager-mindset reasoning on tough questions.
The pillars are the spine. Read the pillar for the domain you are working on, then drill into the individual articles in the reading order. Every article cross-links back to its pillar, so you can navigate either direction.
CISSP exam structure at a glance
| Property | Value |
|---|---|
| Format (English) | Computer Adaptive Test (CAT) |
| Question count | 100 - 150 items |
| Time limit | 3 hours |
| Passing score | 700 / 1000 |
| Question types | Multiple choice, drag-and-drop, hotspot |
| Domains tested | All 8, weighted by domain |
| Endorsement requirement | 5 years of paid security work in 2+ domains, or 4 years with a relevant degree/cert |
| Recertification | 120 CPE credits over 3 years; annual maintenance fee |
The CAT format means the exam ends as soon as the algorithm has enough confidence in your score - you might finish in 100 questions or take all 150. The exam feels harder the better you are doing, because the algorithm serves harder questions while you are answering correctly.
The eight CISSP domains
The eight domains and their exam weights are listed below. Each links to the full domain pillar - the structured reading hub for that domain.
| Domain | Weight | What it covers |
|---|---|---|
| Domain 1: Security and Risk Management | 15% | Governance, risk, ethics, BCP, due care vs due diligence, the manager mindset |
| Domain 2: Asset Security | 10% | Data lifecycle, classification, ownership, retention, sanitisation, privacy by design |
| Domain 3: Security Architecture and Engineering | 13% | Design principles, security models, cryptography, PKI, hardware, virtualisation |
| Domain 4: Communication and Network Security | 13% | Network design, segmentation, firewalls, IDS/IPS, secure protocols, wireless, VPN |
| Domain 5: Identity and Access Management | 13% | Authentication, MFA, access control models, SSO, federation, IGA, Zero Trust |
| Domain 6: Security Assessment and Testing | 12% | Vulnerability assessment, pen testing, SAST/DAST, audits, SOC reports, DR testing |
| Domain 7: Security Operations | 13% | Incident response, monitoring, vulnerability management, change control, BCP/DR |
| Domain 8: Software Development Security | 11% | Secure SDLC, threat modeling, DevSecOps, application access control, third-party risk |
Domain 1: Security and Risk Management
Domain 1 is the largest domain (15%) and the conceptual lens for the entire exam. It tests how a security leader thinks: governance, risk lifecycle, due care vs due diligence, the (ISC)² Code of Ethics, business continuity planning, and the manager-mindset framing that separates technical thinking from leadership thinking. Most CISSP candidates underestimate Domain 1 because it has no bits or protocols - and that is exactly why it is the most-failed domain.
Read the full Domain 1 pillar for the structured reading order across 12 in-depth articles.
Domain 2: Asset Security
Domain 2 is the data-centric domain (10%). It covers the full data lifecycle: create, store, use, share, archive, destroy. The exam tests classification, ownership, retention, sanitisation, privacy by design, and the cloud shared-responsibility model. Every breach you read about is, somewhere upstream, an asset-security failure - data ended up where it should not have, lasted longer than it should have, or nobody knew it existed. Domain 2 is the smallest domain by exam weight, but it punches well above that weight in real-world security work.
Read the full Domain 2 pillar for the structured reading order across 12 in-depth articles.
Domain 3: Security Architecture and Engineering
Domain 3 is the engineering heart of the CBK (13%). It covers secure design principles (least privilege, defence in depth, fail-safe defaults), security models (Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash), cryptography (symmetric, asymmetric, hashing, modes of operation), PKI, hardware security (TPM, HSM, embedded systems), and physical and virtualisation architecture. Cryptography gets all the attention, but the architectural reasoning is what the exam rewards.
Read the full Domain 3 pillar for the structured reading order across 14 in-depth articles.
Domain 4: Communication and Network Security
Domain 4 (13%) is the network-security domain. It covers segmentation, firewalls, IDS/IPS, secure protocols (TLS, IPsec, SSH), wireless security, VPN and remote access, NAC, cloud and hybrid connectivity, and the Zero Trust shift. Network engineers find Domain 4 familiar but trip on the security-architect framing - the exam wants answers that design for containment when, not if, an attacker gets in.
Read the full Domain 4 pillar for the structured reading order across 14 in-depth articles.
Domain 5: Identity and Access Management
Domain 5 (13%) is the identity domain. It covers authentication (passwords, MFA, FIDO2, biometrics), authorisation (DAC, MAC, RBAC, ABAC), accountability, federation (SAML, OAuth 2.0, OpenID Connect), directory services, IGA, PAM, identity attacks, and Zero Trust applied to identity. Most modern breaches are identity breaches in disguise - learn the lifecycle here and you make six other domains easier.
Read the full Domain 5 pillar for the structured reading order across 14 in-depth articles.
Domain 6: Security Assessment and Testing
Domain 6 (12%) is the assurance domain. It covers vulnerability assessment vs penetration testing, security testing in the SDLC (SAST, DAST, IAST, SCA), red and purple teaming, internal audits, third-party assessments and SOC reports, control validation, BCP/DR testing, and the metrics that turn findings into actual risk reduction. The exam rewards picking the right testing technique for the assurance question being asked.
Read the full Domain 6 pillar for the structured reading order across 14 in-depth articles.
Domain 7: Security Operations
Domain 7 (13%) is the operational rhythm of a security program. It covers incident detection and response (the six-phase lifecycle), logging and monitoring, change and configuration management, vulnerability and patch operations, insider threat and DLP, IAM operations, BCP/DR execution, physical and environmental security operations, and managing third-party and cloud security operations. Domain 7 is what turns plans into outcomes.
Read the full Domain 7 pillar for the structured reading order across 14 in-depth articles.
Domain 8: Software Development Security
Domain 8 (11%) is software security at the manager level. It covers secure SDLC across development models (waterfall, agile, DevOps), secure coding foundations, threat modeling, application access control, database and data-layer security, secure deployment, DevSecOps, security testing in the SDLC, software security governance, third-party and open-source risk (SBOM, SCA), legacy systems and technical debt, and privacy and compliance integrated into the SDLC.
Read the full Domain 8 pillar for the structured reading order across 14 in-depth articles.
A practical CISSP study plan
Different candidates need different study plans, but a working baseline for someone with 5+ years of security experience is roughly 12 weeks of consistent study. Adjust based on your starting point, your domain strengths, and your available study time.
| Phase | Weeks | Focus |
|---|---|---|
| Foundation | 1 - 2 | Domain 1 (manager mindset is the lens for the rest) |
| Core technical | 3 - 6 | Domains 3, 4, 5 (engineering, network, IAM) |
| Asset and operations | 7 - 8 | Domains 2, 7 (data and operational discipline) |
| Testing and software | 9 - 10 | Domains 6, 8 (assurance and SDLC) |
| Practice and gaps | 11 | Practice exams; identify weak domains; targeted re-reading |
| Final review | 12 | Final practice exams under time pressure; rest before the exam |
Daily and weekly cadence
- Daily reading: 30-45 minutes of one Threat on the Wire article or one chapter of the official study guide.
- Weekly practice: 50-100 practice questions in the domain you have just studied.
- Weekly mixed review: 20-30 questions across all domains studied so far, to reinforce retention.
- Final two weeks: at least two full-length practice exams under exam-day conditions (3 hours, no interruption).
Exam-day strategy
- Read each question twice. The CISSP loves carefully worded distractors. Speed-reading is how you miss the qualifier.
- Eliminate aggressively. If two answers are obviously wrong, you have already increased your odds significantly.
- Default to the manager mindset. When two answers are reasonable, pick the one that reflects governance, risk, or stakeholder priorities over the most technical option.
- Never leave a question unanswered. The CAT exam will not let you go back. Pick the best option you have and move on.
- Trust your preparation. Second-guessing answers is one of the most common ways well-prepared candidates fail. Trust the manager-mindset frame.
Frequently asked questions
How much experience do I need before sitting the CISSP?
Five years of paid full-time work experience in two or more of the eight domains, reduced to four years if you have an approved degree or certification (Security+, CISA, CCSP, etc.). You can pass the exam without the experience and become an Associate of (ISC)² for up to six years while you accumulate it.
How long should I study for the CISSP?
Most candidates with relevant experience need 8-16 weeks of consistent study. Less experienced candidates need longer; veterans with broad exposure can sometimes do it in 6-8 weeks. The variable is breadth, not depth - the CISSP rewards generalists.
What study resources should I use alongside this site?
The (ISC)² Official Study Guide and the (ISC)² Official Practice Tests are the baseline. The Sybex All-in-One Exam Guide is widely respected as a second perspective. Boson, ThorTeaches, Pete Zerger, and Wentz Wu all produce useful supplementary content - the goal is to triangulate, not to memorise one source.
Which domain is the hardest?
Domain 1 is the most-failed because candidates approach it like a technical exam. Domain 3 is the most-feared because of cryptography. Domain 8 catches candidates who have never managed software development. The exam treats them roughly equally; your relative weakness depends on your background.
What does the passing score really mean?
You need 700 of 1000 scaled points to pass. The CAT algorithm scores items by difficulty, so missed easy questions cost more than missed hard questions. The score is not a simple percentage of correct answers - it is a measure of where the algorithm placed your ability. Practising to consistently exceed 80% on solid practice exams gives you reasonable confidence on exam day.
Key takeaways
- The CISSP tests breadth across eight domains and rewards the manager mindset over technical depth alone.
- The CAT format adapts to your performance; the exam ends when the algorithm is confident, between 100 and 150 questions.
- Each domain has a Threat on the Wire pillar page that organises 12-14 in-depth articles into a structured reading order.
- Domain 1 is the largest single domain (15%) and the conceptual lens for the rest. Master it first.
- A working baseline study plan is 12 weeks: foundation, core technical, asset and operations, testing and software, practice and review.
- Use this hub and the eight domain pillars as the spine of your study plan. Drill into individual articles for depth on specific topics.
If you take one thing away from this hub, take this: the CISSP is not a memorisation exam. It is a reasoning exam. Build the manager mindset by reading the domain pillars in priority order, drill into the articles for depth, and the exam becomes a structured reasoning problem rather than a wall of trivia.