Hardest CISSP Domain?

Hi everyone,

I realize my question is quite subjective, but is there a general consensus on which of the ten CISSP domains is the most difficult? I am in the early stages of assessing whether to take the deep dive into the material and take the exam, and I've done a reasonable scan of the domains to determine if any of the material is just way over my head. I haven't encountered anything to scare me off, not yet anyway.

My interpretation is that there are six or seven "hard" domains and three or four "soft" domains, the former ones being highly technical and the latter ones more focused on policies, procedures, legal, ethical and other "corporate" types of topics. It would seem to me that many people with deep technical skills but not much corporate management skills would master the "hard" domains and have trouble with the "soft" domains, while management-type people would have trouble with the "hard" domains and breeze through the "soft" domains. My guess is this is why the exam is so challenging, because relatively few people have a mastery of both the technical and the managerial.

So what do people think are the hardest domains for each of those two groups of people? I have a good amount of experience in both realms, but most of my technical knowledge has been gained informally over many years, through osmosis of working with and managing others with deep technical knowledge (admins, coders etc). Would it be fair to say that the crypto domain would pose the greatest conceptual challenge for someone like me?

Thanks!

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

ssehg

Hi
It depends what your core areas or strengths are.In my opinion all 10 domain need to be focused for the CISSP examination. Mainly Cryptography ,Security Architecture and Design are two domains where I had some difficulty in understanding them.
The Exam is challenging as here we need to remember/understand many things from all 10 domains (mile wide and inch deep) and while answering we really need to focus and carefully read the questions and the options provided.Time is another aspect we need to take care of.

Cheers
ssehg

paul78

Welcome to TE forums.

I don't think you are likely to get a consensus since every exam candidates background and experience will factor into what they will find difficult.

For me personally, the Physical Security domain was the most unfamiliar since my background didn't include too much. It wasn't necessarily difficult and I found that domain very interesting but it wasn't a topic that I had to deal with. The Security Architecture and Design topics were relatively straight-forward for me with the exception of the materials about architecture models which I was unaccustomed like Bell-Lapadula.

Good luck in your studies...

RanMic

I agree with Paul and SSEHG, it really depends on your background and what you "just get". I am not a full time Cyrpto guy but it comes easy for me, but Networking doesn't. I have to work really hard at networking and the next guy may not. I think you will find everyone has different areas of trouble, but overall I think everyone will agree that the exam is very challenging.

the_hutch

Crypto was my most difficult.

cyberguypr

I don't think you are likely to get a consensus since every exam candidates background and experience will factor into what they will find difficult.

This. In my case it was Crypto and Software Dev Sec precisely because I was unfamiliar with the material. It is essential that you identify your individual weakest areas and work on them.

bobloblaw

Crypto. Initially read like gibberish until I wrapped my head around it, and surprisingly became interesting.

ssehg

Hi
Best would be to focus on your weak areas and work towards passing the certification.

t17hha

I thought crypto would be my hardest but actually it became one of my strongest, I think I had a little problem with the Security Architecture & Design domain, mainly around the Common Criteria, EAL etc

Humbe

Crypto for me due to the fact not every day you deal with the subject.

JDMurray

I've noticed over the years that Applications Development (now Software Development Security) is consistently mentioned by people as being difficult to understand. It's tough for anyone who isn't a software developer to understand what's really going on with the form, fit, and function of any software application, so I'm not surprised.

wes allen

The software dev security was the toughest for me since I had no background in programing at all, so it was the most amount of new stuff to learn.

ssehg

I would agree with you . In my opinion attending a classroom / online boot camp helps.

kashmo

From the perspective of just trying to get a straight answer, I found the BCP/DRP quite challenging. It seems that most resources interpret the steps and frameworks differently. I'm a concrete type of person, I need to know the exact definition of something, so it was difficult when all these different sources would have slightly different interpretations of the BCP/DRP steps along with the various related frameworks. Cryptography was much easier for me since its concrete.

Iristheangel

BCP was my hardest domain and every other question on my test seemed to be BCP-oriented. There were a few times i was like "Here's my Hail Mary answer!!!!" Crypto, Access Control, and Governance were probably my strongest. Physical security was boring to learn but I probably answered those questions decently. Law I didn't see at all.

teeman

Cryptography is the hardest master it well if you also have intentions of doing ISSAP

ssehg

I would again say that it all depends on your experience. For some Application Security is toughest for others it could be Cryptography.
Read books and may be attend boot camps. I attended one by Simplilearn.

JDMurray

OK people, please discuss which were your most difficult CISSP CBK domain(s) only and not what you saw on your actual CISSP exams.

Thistleback

Software Development LifeCycle was hardest for me, because of no prior experience in that field. Crypto was also not as familiar, but I found it fascinating to learn, and enjoyed the studies for that domain.