CBK Domains order of importance

JohnnyBiggles Member Posts: 273
Hopefully this isn't going against the NDA but how accurate is this? It's a few years old but has it changed at all or much?
Top 5 domains are about 70 percent of the exam.

Two most important domains for the CISSP:

1. Information Security and Risk Management
2. Access Control

These two domains will represent about 25 percent of the whole exam.

3. Security Architecture and Design

Security models within this domain.

4. Telecommunications and Network Security

CCNA folks will have an advantage here. About 13 percent of the exam.

5. BCP and DRP

Small domain but quite a few questions.

6. Application Security
7. Cryptography

About 8 percent of the exam.

8. Legal, Regulations, Compliance, and Investigation

Shrinking nearly every year.

9. Operations Security

A lot of the material here is covered in other domains.

10. Physical Security

Only about 4 percent of the exam.

Comments

  • beads Member Posts: 1,531
    Depends on the mix of questions on the individual test itself, but from my experience your first five are much too heavily favored and in the wrong order from what I remember.

    - b/eads
  • dustervoice Member Posts: 877
    I believe I had questions equally from all domains.
  • rickberr Member Posts: 66
    Each test is probably different, but I studied based on the order they were listed on the ISC2 site. The only domains that I switched were software development and security architecture/design. That will possibly change after the 15th since there is a big push to incorporate security into the software design process instead of trying to add it on the backend.

    The CISSP exam is based on the following 10 domains:

    NOTE: Effective April 15, 2015, the CISSP exam will be based on a new exam blueprint. Please refer to the Exam Outline and FAQs for details.

    • Access Control
    • Telecommunications and Network Security
    • Information Security Governance and Risk Management
    • Software Development Security
    • Cryptography
    • Security Architecture and Design
    • Operations Security
    • Business Continuity and Disaster Recovery Planning
    • Legal, Regulations, Investigations, and Compliance
    • Physical (Environmental) Security

    Watched the domain refresh webinar yesterday; cryptography and telecommunications will be merged to become the "communications and network security" domain. Business Continuity, Legal and Risk Management have also been merged to form the "Security and Risk Management" domain, but Software Development Security is still its own domain.

    This is the new domain listing from the webinar.

    1. Security and Risk Management
    (Security, Risk, Compliance, Law, Regulations, Business Continuity)
    2. Asset Security
    (Protecting Security of Assets)
    3. Security Engineering
    (Engineering and Management of Security)
    4. Communications and Network Security
    (Designing and Protecting Network Security)
    5. Identity and Access Management
    (Controlling Access and Managing Identity)
    6. Security Assessment and Testing
    (Designing, Performing, and Analyzing Security Testing)
    7. Security Operations
    (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
    8. Software Development Security
    (Understanding, Applying, and Enforcing Software Security)
  • E Double U Member Posts: 2,233
    I took it on March 28th and had a mix of everything. How much I focused on a domain had less to do with CBK importance and more with how well I understood the material. With over six years of telco experience, the telecommunications and network security domain was just a review for me. So I spent more time focused on other domains.
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS