CISSP Cheat Sheet 2026
Everything you need on one page before exam day: the 8 domains and their weights, the risk and crypto formulas examiners love, access control models, must-know concepts, and the traps that sink first-timers.

01 The 8 domains & weights
The CISSP Common Body of Knowledge (CBK) spans 8 domains, and the exam draws roughly proportionally from each. Security & Risk Management is the single heaviest area at 16%, so if your time is short, that is where it should go — it is also where the management mindset that runs through the whole exam is established. The remaining domains cluster between 10% and 13%, meaning no single technical area can be safely ignored. Memorise these weights cold: they tell you exactly how to budget your study hours and where the marginal question is most likely to come from.
02 Domain quick reference
The key topics in each of the 8 domains. Know what each domain owns and the vocabulary it uses.
| # | Domain | Key themes | What it owns |
|---|---|---|---|
| 1 | Security & Risk Management | Governance · BCP/DR · Ethics | Policies, risk management, legal/regulatory compliance, BCP/DRP, ISC2 Code of Ethics, due care & due diligence. |
| 2 | Asset Security | Classification · Retention | Data classification, ownership roles, handling, retention, data remanence and secure destruction. |
| 3 | Architecture & Engineering | Security models · Cryptography | Security models (Bell-LaPadula, Biba), secure design, cryptography, physical security. |
| 4 | Communication & Network Security | OSI / TCP-IP · Secure protocols | OSI/TCP-IP models, secure network design, segmentation, VPN/IPsec, TLS, secure protocols. |
| 5 | Identity & Access Mgmt (IAM) | Identity lifecycle · SSO · Federation | Identity lifecycle, authentication factors, SSO, federation (SAML, OAuth, OIDC), access control models. |
| 6 | Security Assessment & Testing | Audits · Pen testing | Security audits, vulnerability assessment, penetration testing, log review, SAST/DAST. |
| 7 | Security Operations | Incident response · Logging · DR | Incident response, monitoring/logging, change management, backups, disaster recovery, forensics. |
| 8 | Software Development Security | SDLC · OWASP | Secure SDLC, software security controls, OWASP Top 10, code review, maturity models. |
03 Risk management formulas
Quantitative risk analysis on CISSP comes down to four relationships, and the exam will hand you a scenario with the raw numbers and expect you to chain them: asset value and exposure factor give you the loss from a single event, and multiplying by how often it happens per year gives the annualized figure that justifies (or kills) a control. Know the terms, the order, and the units — a percentage where dollars belong is a classic distractor.
| Formula | Means | Terms |
|---|---|---|
| SLE = AV × EF | Single Loss Expectancy: cost of one incident. | AV = Asset Value; EF = Exposure Factor (% of asset lost). |
| ALE = SLE × ARO | Annualized Loss Expectancy: expected yearly cost. | ARO = Annualized Rate of Occurrence (times per year). |
| Risk = Threat × Vulnerability | Likelihood a threat exploits a weakness. | Add asset value/impact for the full picture. |
| ROSI | Return on Security Investment: is a control worth it? | (ALE before − ALE after) − cost of control. |
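To see the chain from raw numbers to a go/no-go decision, here is an added worked example in Python (not from the cheat sheet); the asset value, exposure factor, occurrence rates and control cost are constructed, and the code refuses an EF passed as a whole-number percentage so the unit trap surfaces as an error rather than a wrong answer.

```python
"""Quantitative risk worked end to end: SLE -> ALE -> ROSI. Added example; scenario numbers are constructed."""


def ef_from_percent(percent: float) -> float:
    """Convert an exposure factor quoted as a percentage (25) to the fraction (0.25)."""
    if not 0 <= percent <= 100:
        raise ValueError(f"exposure factor {percent}% is outside 0-100")
    return percent / 100


def sle(av: float, ef: float) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor (dollars).

    EF must already be a fraction; passing 25 for 25% is the unit trap the exam
    sets, so it is rejected instead of silently multiplying the asset value by 25.
    """
    if not 0 <= ef <= 1:
        raise ValueError(f"EF {ef} is not a fraction; use ef_from_percent()")
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO (dollars per year)."""
    return sle(av, ef) * aro


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on Security Investment = (ALE before - ALE after) - annual control cost."""
    return (ale_before - ale_after) - control_cost


def evaluate_control(av, ef, aro_before, aro_after, control_cost):
    """Chain the four formulas for one scenario; a positive ROSI justifies the control."""
    before = ale(av, ef, aro_before)
    after = ale(av, ef, aro_after)
    return {"sle": sle(av, ef), "ale_before": before, "ale_after": after,
            "rosi": rosi(before, after, control_cost)}


if __name__ == "__main__":
    # Constructed scenario: a $200,000 server, an incident that destroys 25% of its
    # value about once every two years (ARO 0.5), and a $15,000/yr control that
    # cuts the rate to once a decade (ARO 0.1).
    result = evaluate_control(200_000, ef_from_percent(25), 0.5, 0.1, 15_000)
    for name, value in result.items():
        print(f"{name:>10}: ${value:,.0f}")
```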
04 Cryptography quick reference
You will not be asked to break a cipher, but you must know which family solves which problem. Symmetric is fast and protects bulk data; asymmetric is slow but solves key exchange and proves identity; hashing protects integrity and stores passwords. Most real systems combine all three — for example, TLS uses asymmetric crypto to exchange a symmetric session key and a hash to verify integrity.
| Type | Algorithms | Use & key fact |
|---|---|---|
| Symmetric | AES, DES/3DES, Blowfish, RC4 | One shared key; fast; best for bulk encryption. Key distribution is the hard problem. |
| Asymmetric | RSA, ECC, Diffie-Hellman | Public/private key pair; slower; used for key exchange, digital signatures, non-repudiation. |
| Hashing | SHA-2, SHA-3, MD5 (weak) | One-way; no key; verifies integrity, not confidentiality. MD5/SHA-1 are deprecated. |
05 Access control models
CISSP expects you to recognise an access control model from a one-sentence scenario. The trick is to listen for who makes the access decision: the owner, the system, a role, or a set of attributes. Get that right and the distractor answers fall away.
| Model | How access is decided | Example |
|---|---|---|
| DAC — Discretionary | The data owner decides who gets access. | File owner sets read/write on their own file. |
| MAC — Mandatory | System enforces labels & clearances; users cannot override. | Military/government classified systems (Top Secret, Secret). |
| RBAC — Role-Based | Access tied to a job role, not the individual. | "Nurse" role grants chart access; assign people to the role. |
| ABAC — Attribute-Based | Policy on attributes (user, resource, time, location). | "Allow if dept=finance AND device=managed AND 9am–5pm". |
| Rule-Based | Global rules applied to everyone (often on top of RBAC). | Firewall ACLs; "deny all traffic after hours". |
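As an added illustration (not part of the cheat sheet), the following Python encodes the decision input for each model in the table above, including the sheet's own ABAC rule; the subjects, objects, clearance ranks and role permissions are constructed, and the MAC check follows the Bell-LaPadula read/write rules from Domain 3.

```python
"""Who decides access under DAC, MAC, RBAC and ABAC. Added example; all data is constructed."""
from datetime import time

# MAC: ordered labels; the system compares these, a user cannot change them.
CLEARANCE_RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

# RBAC: permissions hang off the role; people are assigned to the role.
ROLE_PERMS = {"nurse": {"chart:read", "chart:write"}, "billing": {"invoice:read"}}


def dac_allows(subject: dict, obj: dict, action: str) -> bool:
    """DAC: the object's owner wrote the ACL; the decision is whatever the owner granted."""
    return action in obj["acl"].get(subject["name"], set())


def mac_allows(subject: dict, obj: dict, action: str) -> bool:
    """MAC (Bell-LaPadula): read needs clearance >= label (no read up);
    write needs clearance <= label (no write down). The owner has no say."""
    clearance = CLEARANCE_RANK[subject["clearance"]]
    label = CLEARANCE_RANK[obj["label"]]
    return clearance >= label if action == "read" else clearance <= label


def rbac_allows(subject: dict, obj: dict, action: str) -> bool:
    """RBAC: allowed if any of the subject's roles carries '<type>:<action>'."""
    needed = f"{obj['type']}:{action}"
    return any(needed in ROLE_PERMS.get(role, set()) for role in subject["roles"])


def abac_allows(subject: dict, ctx: dict) -> bool:
    """ABAC: the sheet's policy 'dept=finance AND device=managed AND 9am-5pm'."""
    return (subject["dept"] == "finance"
            and ctx["device"] == "managed"
            and time(9, 0) <= ctx["now"] < time(17, 0))


# Constructed sample data: two people and two objects.
ALICE = {"name": "alice", "clearance": "Secret", "roles": ["nurse"], "dept": "finance"}
BOB = {"name": "bob", "clearance": "Top Secret", "roles": ["billing"], "dept": "sales"}
CHART = {"type": "chart", "label": "Secret", "owner": "alice",
         "acl": {"alice": {"read", "write"}, "bob": {"read"}}}
TS_PLAN = {"type": "plan", "label": "Top Secret", "owner": "bob", "acl": {}}

if __name__ == "__main__":
    print("DAC  bob writes chart:", dac_allows(BOB, CHART, "write"))     # False: owner granted bob read only
    print("MAC  alice reads plan:", mac_allows(ALICE, TS_PLAN, "read"))  # False: no read up
    print("RBAC bob reads chart :", rbac_allows(BOB, CHART, "read"))      # False: billing role lacks it
    print("ABAC alice at 10:00  :", abac_allows(ALICE, {"device": "managed", "now": time(10, 0)}))  # True
```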
06 Network & key security concepts
| Topic | What to know |
|---|---|
| OSI 7 layers | Physical, Data Link, Network, Transport, Session, Presentation, Application. Mnemonic: Please Do Not Throw Sausage Pizza Away. |
| TCP/IP model | 4 layers: Link, Internet, Transport, Application. Maps onto OSI; CISSP expects you to translate between them. |
| Firewalls | Stateless (packet filter, rules only), stateful (tracks connections), NGFW (deep inspection, app-aware, IPS built in). |
| VPN / IPsec | AH = authentication/integrity only; ESP = encryption + integrity. Tunnel mode for site-to-site, transport mode host-to-host. |
| Common ports | 22 SSH, 25 SMTP, 53 DNS, 80 HTTP, 443 HTTPS, 389 LDAP, 636 LDAPS, 3389 RDP. |
| Core principles | Defense in depth (layered controls), least privilege, separation of duties, need to know, fail secure. |
07 Must-know concepts
These are the cross-domain fundamentals that resurface in every section of the exam. If you can recite the CIA triad, distinguish the recovery metrics, and recall the order of the ISC2 canons under pressure, you have a foundation the scenario questions can build on.
- CIA triad: Confidentiality, Integrity, Availability — the foundation of every control. Often paired with AAA: Authentication, Authorization, Accounting (and Identification).
- Testing types: SAST = static, white-box, reads source code; DAST = dynamic, black-box, tests the running app. Pen tests can be black/grey/white box.
- BCP vs DRP: BCP keeps the whole business running; DRP restores IT/systems after a disaster. Know RTO (time to restore), RPO (acceptable data loss), MTD (max tolerable downtime), WRT (work recovery time).
- Incident response phases: Detection → Response → Mitigation → Reporting → Recovery → Remediation → Lessons Learned.
- ISC2 Code of Ethics canons (in order): 1) Protect society, the common good, necessary public trust and confidence, and the infrastructure; 2) Act honourably, honestly, justly, responsibly and legally; 3) Provide diligent and competent service to principals; 4) Advance and protect the profession. Order matters — when canons conflict, the earlier one wins, so society always comes first.
- Due care vs due diligence: due diligence = researching and planning the right thing to do; due care = actually doing it and continuing to do it (the "prudent person" rule). Failing either can be negligence.
- Security control types: by function — preventive, detective, corrective, deterrent, compensating, recovery, directive; by category — administrative (policy), technical/logical (tech), physical. Expect questions that ask you to classify a given control.
08 Common traps
09 FAQ
Do I need 5 years of experience to take CISSP?
You can sit and pass the exam without it, but to be certified you need 5 years of cumulative paid work experience across 2 or more of the 8 domains. One year is waivable with a relevant 4-year degree or an approved credential. If you lack the experience, you pass the exam and become an Associate of ISC2, with up to 6 years to earn it.
How hard is the CISSP CAT exam?
It is hard because it is broad and management-oriented rather than purely technical. The English CAT (Computerized Adaptive Testing) version is 100 to 150 questions in up to 3 hours, and it adapts difficulty as you go. Many questions have several correct-looking options where you must pick the BEST answer from a risk-manager's perspective.
What is the CISSP passing score?
700 out of 1000 on a scaled scoring model. Because the CAT exam adapts to your ability, you do not need a fixed percentage correct. The exam ends once it is statistically confident you are above or below the standard, anywhere between 100 and 150 questions.
How long should I study for CISSP?
Most candidates with some security background study 3 to 6 months. Plan to cover all 8 domains, work through a question bank of 2,000+ items, and review weak domains. Treat this cheat sheet as a final-weeks consolidation tool, not your primary study source.
