Certified Information Systems Security Professional (CISSP)® Common Body of Knowledge (CBK)® Review



Creator:     Alfred Ouyang

License:    Creative Commons: Attribution, Non-Commercial, Share-Alike


Class Prerequisites: None

Lab requirements: None

Class Textbook: CISSP All-in-One Exam Guide, 5th Edition, by Shon Harris

Recommended class duration: 5 days

Creator Available to Teach In-Person Classes: Yes

Course Description

CISSP CBK Review consists of 10 interdependent knowledge domains:

·         Information Security and Risk Management Domain

·         Security Architecture and Design Domain

·         Telecommunications and Network Security Domain

·         Operations Security Domain

·         Cryptography Domain

·         Physical Security Domain

·         Software Development Security Domain

·         Access Control Domain

·         Business Continuity and Disaster Recovery Planning Domain

·         Legal, Regulations, Compliance, and Investigation Domain


Exam Preparation Suggestions

·         Tips on studying, preparing, and taking the CISSP Exam (pptx, pdf)

·         (ISC)2 Exam Pricing Catalog (pdf)


Version: 5.9.2, June 2013

·         Now licensed under Creative Commons 3.0. Please feel free to share with your sponsors and friends.

·         Updated course material to align with 2012 (ISC)2 CISSP Candidate Information Bulletin (CIB), January 2012 (Rev. 2) (docx)

·         CISSP Glossary (69 pages) (docx)

·         Draft CISSP Flash Cards (docx) (Need volunteers in completing them)

·         Special thanks to Dr. Marshall Abrams for sharing his authoritative insight on the Generalized Framework for Access Control (GFAC)

·         Special thanks to Vijay Rachamadugu for his feedback on sample exam questions (I just haven't had the time to correct them yet.)


Course Delivery

The CISSP CBK Review course is designed specifically to help federal agency information assurance (IA) professionals meet NSTISSI-4011, National Training Standard for Information Systems Security Professionals, as required by DoD 8570.01-M, Information Assurance Workforce Improvement Program.

Format: This is a one-week boot camp course.

Objective: Upon completion of this course, students will be equipped with a foundational understanding of the 10 CISSP CBK Domains and be prepared to take the certification exam.

Reference Material: Each student will receive a copy of:

·         CISSP All-in-One Exam Guide, 5th Edition, by Shon Harris, McGraw-Hill Osborne Media, January 2010 (ISBN-10: 0071602178, ISBN-13: 978-0071602174) (Shipping Weight: 4.8 lbs.)

·         Printout of course material (slides and handouts) in a 6" 3-Ring binder with a CD-ROM. (Estimated Shipping Weight: 5.5 lbs.)


Baseline Exam

·         100-Question Baseline Exam (22 pages) (pdf)

·         Answers to 100-Question Exam (22 pages) (pdf)


Final Exam

·         250-Question Final Exam (53 pages) (pdf)

·         Answers to 250-Question Final Exam (53 pages) (pdf)


References

·         CISSP All-in-One Exam Guide, 5th Edition, Shon Harris, McGraw-Hill, 2010.

·         Official (ISC)2 Guide To The CISSP CBK, Harold F. Tipton, et al., Auerbach Publications, 2006.

·         Official (ISC)2 Guide To The CISSP Exam, Susan Hansche, et al., Auerbach Publications, 2004.

·         Secrets and Lies: Digital Security in a Networked World, Bruce Schneier, Wiley, 2004.

·         Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Bruce Schneier, Springer, 2003.

·         Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition, Bruce Schneier, Wiley, 1996.

·         The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, Simon Singh, Anchor, 2000.

·         The Information: A History, a Theory, a Flood, James Gleick, Pantheon (Random House), 2011.

·         The Mathematical Theory of Communication, Claude E. Shannon, Warren Weaver, University of Illinois Press, 1949.

·         Software Security: Building Security In, Gary McGraw, Addison-Wesley Professional, 2006.

·         Incident Response: A Strategic Guide to Handling System and Network Security Breaches, E. Eugene Schultz, Russell Shumway, Sams, 2001.

·         Software Engineering Economics, Barry W. Boehm, Prentice Hall, 1981.

·         Managing the Software Process, Watts S. Humphrey, Addison-Wesley Professional, 1989.

·         A Discipline for Software Engineering, Watts S. Humphrey, Addison-Wesley Professional, 1995.

·         The Mythical Man-Month: Essays on Software Engineering, Frederick P. Brooks, Addison-Wesley Professional, 1995.

·         The Design of Design: Essays from a Computer Scientist, Frederick P. Brooks, Addison-Wesley Professional, 2010.

·         NIST SP 800-30, Risk Management Guide for Information Technology Systems, July 2002.

·         NIST SP 800-37, Rev.1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010.

·         NIST SP 800-38A, Recommendation for Block Cipher Modes of Operation - Methods and Techniques, December 2001.

·         NIST SP 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems, August 2009.

·         NIST SP 800-64 Rev. 2, Security Considerations in the Information System Development Life Cycle, October 2008.

·         NIST SP 800-61, Computer Security Incident Handling Guide, January, 2004.

·         NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process, January 2005.

·         NIST SP 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, May 2004.

·         NIST SP 800-77, Guide to IPsec VPNs, December 2005.

·         FIPS 46-3, Data Encryption Standard (DES), October 1999.

·         FIPS 140-2, Security Requirements for Cryptographic Modules, May 2001.

·         FIPS 180-2, Secure Hash Standard (SHS), August 2002.

·         FIPS 185, Escrowed Encryption Standard, February 1994.

·         FIPS 186-2, Digital Signature Standard (DSS), January 2000.

·         FIPS 197, Advanced Encryption Standard, November 2001.

·         FIPS 198, The Keyed-Hash Message Authentication Code (HMAC), March 2002.

·         FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, December 2003.

·         FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006.

·         Information Assurance Technical Framework (IATF), Release 3.1, NSA IA Solutions Technical Directors, September 2002.

·         ISO/IEC 15408-1:2005, Evaluation Criteria for IT Security - Part 1: Introduction and General Model, 2005.

·         ISO/IEC 15408-2:2005, Evaluation Criteria for IT Security - Part 2: Security Functional Requirements, 2005.

·         ISO/IEC 15408-3:2005, Evaluation Criteria for IT Security - Part 3: Security Assurance Requirements, 2005.

·         BS ISO/IEC 17799:2005, Code of Practice for Information Security Management, 2005.

·         Control Objectives for Information and related Technology (COBIT), Release 4.0, IT Governance Institute, 2005.

·         ISO/IEC 21827, Systems Security Engineering - Capability Maturity Model (SSE-CMM), 2002.

·         ISO/IEC 27001, Information Security Management Systems - Requirements, 2005.

·         Draft MIL-STD-499C, Systems Engineering, Aerospace Corporation, April 15, 2005.

·         ISO/IEC 15288:2008(E), IEEE Std 15288-2008, Systems and Software Engineering - System Life Cycle Processes, February 1, 2008.

·         IEEE STD 1220-2005, IEEE Standard for Application and Management of the Systems Engineering Process, September 9, 2005.

·         IEEE/EIA 12207.0-1996, Industrial Implementation of International Standard ISO/IEC 12207:1995 Software Life Cycle Processes, March 1998.

·         IEEE/EIA 12207.1-1997, Industrial Implementation of International Standard ISO/IEC 12207:1995 Software Life Cycle Processes-Life Cycle Data, April 1998.

·         IEEE/EIA 12207.2-1997, Industrial Implementation of International Standard ISO/IEC 12207:1995 Software Life Cycle Processes-Implementation Considerations, April 1998.

·         DoD 5200.28-STD, Department of Defense Trusted Computer System Evaluation Criteria, December 1985. (a.k.a. Orange Book).

·         NCSC-TG-003, A Guide to Understanding Discretionary Access Control in Trusted Systems, Version 1, September 30, 1987. (a.k.a. Neon Orange Book).

·         Information Technology Security Evaluation Criteria (ITSEC), Version 1.2, June 1991.

·         CNSSI 4009, National Information Assurance (IA) Glossary, June 2006.

·         S. Christey, et al., 2011 CWE/SANS Top 25 Most Dangerous Programming Errors, MITRE, September 13, 2011. (http://cwe.mitre.org/)

·         OWASP Top 10 - 2010, Release Candidate, The Open Web Application Security Project (OWASP), November 2009. (http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)

All Materials (zip - 270MB - md5=ebb43cdb25786dee0d06f74cf9b8acda)

Revision History:

06-30-2013 - Uploaded v 5.9.2

03-18-2012 - Initial class content upload (v 5.9.0)

If you have used and modified this material, we would appreciate it if you submit your modified version for publishing here, so that all versions can benefit from your changes.