CISSP Cheat Sheet

Security + Risk Management

16% of exam

Governance, Risk, BCP, Legal, Ethics

Asset Security

10% of exam

Classification, Ownership, Privacy, Lifecycle, Retention

Architecture + Engineering

13% of exam

Models, Crypto, PKI, Physical, Design

Communication + Network

13% of exam

OSI, Segmentation, Secure Channels, Wireless, Zero Trust

Identity + Access

13% of exam

AAA, Provisioning, Federation, MFA, Access Models

Assessment + Testing

12% of exam

Audit, Vulnerability, Pen Test, Metrics, Evidence

Security Operations

13% of exam

Incident, Forensics, Logging, Change, DR

Software Security

10% of exam

Secure SDLC, Threat Modeling, Code Review, CI/CD, DevSecOps

Quick Facts

Exam: CISSP CAT (computerized adaptive testing)
Items: 100-150
Time: 3 hours
Pass: 700/1000 scaled
Domains: 8
Experience: 5 years paid work in 2+ domains (1 year waived by a four-year degree or approved credential)
CPE: 120 per 3-year cycle
Mindset: Risk first

Risk Flow

Asset + threat + weakness = risk

Controls mitigate → residual remains → owner accepts

Due Care vs Diligence

Due care

  • Act responsibly
  • Apply controls
  • Protect assets

Due diligence

  • Investigate first
  • Know risks
  • Verify facts

Act vs investigate

Risk Response

  1. Risk too high: Mitigate (add controls)
  2. Insurable loss: Transfer (contract or insurance)
  3. Activity optional: Avoid (stop the activity)
  4. Within appetite: Accept (owner signs off)
  5. Business impact unclear: BIA first (prioritize)

Governance

CIA: core objectives (confidentiality, integrity, availability)
Due care: reasonable action
Due diligence: reasonable investigation
Policy: management direction
Standard: mandatory requirement
Procedure: step-by-step instructions
Guideline: recommended practice
Risk owner: accepts risk

Risk + BCP

Asset value: business worth
Threat: potential source of harm
Vulnerability: weakness a threat can exploit
Risk: likelihood that a threat exploits a weakness, times impact
Mitigate: reduce risk with controls
Transfer: share risk (insurance, contract)
BIA: impact prioritization
RTO: recovery time target
RPO: maximum tolerable data loss, expressed as time

Owner vs Custodian

Owner

  • Classifies
  • Sets rules
  • Accepts risk

Custodian

  • Implements controls
  • Operates systems
  • Maintains data

Decides vs implements

Data Lifecycle

Owner: classifies data
Custodian: implements controls
User: follows the rules
Classification: sensitivity label
Retention: required storage time
Remanence: residual data left after deletion
Sanitization: data removal (clearing, purging, or destroying the media)
DLP: leak prevention

Symmetric vs Asymmetric

Symmetric

  • One shared key
  • Fast bulk crypto
  • Key distribution issue

Asymmetric

  • Public/private keys
  • Slower
  • Supports signatures

Speed vs key distribution

Models

Bell-LaPadula: confidentiality model (no read up, no write down)
Biba: integrity model (no read down, no write up)
Clark-Wilson: integrity through well-formed transactions and separation of duties
Brewer-Nash: conflict of interest (Chinese Wall)
Reference monitor: mediates every access; must be tamper-proof, always invoked, and verifiable
TCB: the trusted hardware, firmware, and software that enforce the policy
Fail secure: deny on failure
Defense-in-depth: layered controls

Crypto + PKI

Symmetric: shared secret
Asymmetric: key pair
Hash: integrity digest (one-way)
HMAC: keyed hash (integrity plus authenticity for whoever holds the key)
Digital signature: authenticity plus integrity, with non-repudiation
Certificate: binds a public key to an identity
CA: certificate issuer
CRL/OCSP: revocation checks (published list vs online query)
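The difference between a hash and an HMAC is the one exam trap in this section that is easiest to see in code. The following is an added example, not part of the cheat sheet: a bare SHA-256 digest is recomputed by an attacker after editing the message and the receiver accepts it, while an HMAC tag cannot be recomputed without the shared key. The transfer message, the key, and the attacker's steps are all constructed for illustration.

```python
"""Added example (not from the cheat sheet): a hash alone proves integrity only
against accidental change, because an attacker can recompute it; an HMAC needs
the shared key, so it also proves who produced the message. The message, key
and attacker steps below are constructed for illustration."""
import hashlib
import hmac
import os


def protect_with_hash(message: bytes) -> tuple[bytes, str]:
    """Integrity only: the digest contains no secret."""
    return message, hashlib.sha256(message).hexdigest()


def verify_hash(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def protect_with_hmac(key: bytes, message: bytes) -> tuple[bytes, str]:
    """Integrity plus authenticity: the tag cannot be computed without the key."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time; a plain == would leak how many
    # leading bytes of a forged tag were right.
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def attacker_rewrites(message: bytes) -> bytes:
    """Man-in-the-middle edit: change the amount in a transfer order."""
    return message.replace(b"amount=100", b"amount=900")


def tamper_plain_hash(message: bytes) -> bool:
    """Attacker edits the message and recomputes the digest. Returns True when
    the receiver still accepts the forged message, i.e. the hash did not help."""
    msg, _digest = protect_with_hash(message)
    forged = attacker_rewrites(msg)
    forged_digest = hashlib.sha256(forged).hexdigest()   # no secret required
    return verify_hash(forged, forged_digest)


def tamper_hmac(key: bytes, message: bytes) -> bool:
    """Same attack against an HMAC-protected message. The attacker can reuse the
    old tag or compute one under a guessed key; returns True only if either is
    accepted, which it is not."""
    msg, tag = protect_with_hmac(key, message)
    forged = attacker_rewrites(msg)
    guessed_key = os.urandom(32)                         # attacker does not hold `key`
    guessed_tag = hmac.new(guessed_key, forged, hashlib.sha256).hexdigest()
    return verify_hmac(key, forged, tag) or verify_hmac(key, forged, guessed_tag)


def legitimate_hmac_roundtrip(key: bytes, message: bytes) -> bool:
    """Honest sender and receiver share the key: the untampered message verifies."""
    msg, tag = protect_with_hmac(key, message)
    return verify_hmac(key, msg, tag)


if __name__ == "__main__":
    order = b"transfer: from=alice to=bob amount=100"   # constructed sample message
    shared_key = os.urandom(32)                          # shared out of band in practice
    print("plain hash accepts forgery:", tamper_plain_hash(order))                     # True
    print("HMAC accepts forgery:      ", tamper_hmac(shared_key, order))               # False
    print("HMAC accepts genuine:      ", legitimate_hmac_roundtrip(shared_key, order)) # True
```

An HMAC proves that someone holding the shared key produced the message, so either party could have made it. Replacing the shared key with a signer's private key (a digital signature) is what adds non-repudiation; that needs an asymmetric library and is not shown here.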

Network Security

OSI 1: Physical
OSI 2: Data link
OSI 3: Network
OSI 4: Transport
OSI 5: Session
OSI 6: Presentation
OSI 7: Application
TLS: encrypts application traffic above TCP
IPsec: network-layer (OSI 3) encryption; AH for integrity, ESP for confidentiality
VLAN: layer-2 segmentation
NAC: admission control, checks device posture before granting network access
IDS/IPS: IDS detects and alerts, IPS blocks inline

AAA

Identify, authenticate, authorize, account

Who claims → prove identity → what is allowed → what is logged

RBAC vs ABAC

RBAC

  • Role based
  • Job function
  • Simpler admin

ABAC

  • Attribute based
  • Context aware
  • Flexible rules

Role vs context

Access Model Picker

  1. Job function access: RBAC
  2. Label and clearance: MAC
  3. Owner discretion: DAC
  4. Context rules: ABAC
  5. High privilege: PAM

IAM

Identification: claim an identity
Authentication: prove the identity
Authorization: grant access
Accountability: trace actions to the identity
RBAC: role-based access
ABAC: attribute-based access
MAC: label-based access
DAC: owner-controlled access
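The AAA flow and the access models above are easier to separate when each one is a distinct decision in a reference monitor. The block below is an added example, not part of the cheat sheet: it authenticates a subject against a salted PBKDF2 hash, then authorizes the request under Bell-LaPadula and Biba (MAC), RBAC, and ABAC, and logs every decision for accountability. It serves both the Models section above and the AAA and IAM sections here. The users, roles, labels, objects, and the audit log are constructed sample data, and subject integrity level is assumed equal to clearance as a simplification.

```python
"""Added example (not from the cheat sheet): a toy reference monitor that runs
the AAA flow (identify, authenticate, authorize, account) and evaluates the
access models side by side: MAC via Bell-LaPadula and Biba, RBAC, and ABAC.
Every user, role, label and object here is constructed sample data."""
import hashlib
import hmac
import os

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
PBKDF2_ROUNDS = 100_000


def _credential(password: str) -> dict:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)}


# Constructed identity store: clearance is the MAC label, roles drive RBAC,
# dept is an ABAC attribute.
USERS = {
    "alice": {**_credential("correct horse battery"), "roles": {"analyst"},
              "clearance": "secret", "dept": "soc"},
    "bob": {**_credential("hunter2"), "roles": {"developer"},
            "clearance": "internal", "dept": "eng"},
}
ROLE_PERMS = {"analyst": {"read"}, "developer": {"read", "write"},
              "admin": {"read", "write", "delete"}}
OBJECTS = {  # label = confidentiality level (BLP), integrity = Biba level
    "ir-playbook": {"label": "confidential", "integrity": "confidential", "owner_dept": "soc"},
    "public-site": {"label": "public", "integrity": "public", "owner_dept": "eng"},
}
AUDIT: list[dict] = []   # accountability: every decision is recorded


def authenticate(user: str, password: str) -> bool:
    """Prove the claimed identity. Unknown users still pay the PBKDF2 cost so
    response time does not reveal which usernames exist."""
    rec = USERS.get(user)
    salt = rec["salt"] if rec else b"\x00" * 16
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return rec is not None and hmac.compare_digest(digest, rec["hash"])


def blp_allows(user: str, obj: str, action: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = LEVELS[USERS[user]["clearance"]], LEVELS[OBJECTS[obj]["label"]]
    return s >= o if action == "read" else (s <= o if action == "write" else False)


def biba_allows(user: str, obj: str, action: str) -> bool:
    """Biba (integrity): no read down, no write up. Subject integrity is taken
    equal to its clearance here, a simplification for the example."""
    s, o = LEVELS[USERS[user]["clearance"]], LEVELS[OBJECTS[obj]["integrity"]]
    return s <= o if action == "read" else (s >= o if action == "write" else False)


def rbac_allows(user: str, action: str) -> bool:
    """RBAC: permission comes from the job role, never from the individual."""
    return any(action in ROLE_PERMS.get(role, set()) for role in USERS[user]["roles"])


def abac_allows(user: str, obj: str, ctx: dict) -> bool:
    """ABAC: combine subject, object and environment attributes; here the
    department must match and sensitive objects require an MFA session."""
    same_dept = USERS[user]["dept"] == OBJECTS[obj]["owner_dept"]
    sensitive = LEVELS[OBJECTS[obj]["label"]] >= LEVELS["confidential"]
    return same_dept and (ctx.get("mfa", False) or not sensitive)


def reference_monitor(user: str, password: str, obj: str, action: str, ctx: dict) -> str:
    """Mediates every access: authenticate first, then deny-overrides
    authorization (fail secure), then record the decision."""
    if obj not in OBJECTS:
        decision = "deny: unknown object"
    elif not authenticate(user, password):
        decision = "deny: authentication"
    elif not (blp_allows(user, obj, action) and rbac_allows(user, action)
              and abac_allows(user, obj, ctx)):
        decision = "deny: authorization"
    else:
        decision = "permit"
    AUDIT.append({"user": user, "object": obj, "action": action, "decision": decision})
    return decision


if __name__ == "__main__":
    print(reference_monitor("alice", "correct horse battery", "ir-playbook", "read", {"mfa": True}))
    print(reference_monitor("bob", "hunter2", "ir-playbook", "read", {"mfa": True}))
    for entry in AUDIT:
        print(entry)
```

Two things worth noticing when you run it: Bob's write to the confidential playbook passes Bell-LaPadula (writing up is allowed) but would fail Biba, which is exactly why the two models answer different questions; and the monitor never evaluates any authorization rule until authentication has succeeded, which is the "authenticate before authorize" trap from the last-minute list.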

Testing

Scan finds; pen test proves

Audit assures, code review inspects, metrics show the trend

Scan vs Pen Test

Scan

  • Find weaknesses
  • Automated
  • Broad coverage

Pen test

  • Exploit proof
  • Authorized attack
  • Limited scope

Find vs exploit

Assessment Picker

  1. Need assurance: Audit
  2. Find weaknesses: Vulnerability scan
  3. Validate exploitability: Pen test
  4. Review source: Code review
  5. Track risk trend: KRI

Assessment

Audit: independent assurance
Assessment: control review
Vulnerability scan: weakness discovery
Pen test: exploit validation
Code review: source inspection
Misuse case: abuse scenario
KPI: performance metric
KRI: risk indicator

Incident Cycle

Prepare, detect, contain, eradicate, recover, learn

Lessons learned, evidence preserved, business informed

BCP vs DRP

BCP

  • Business continuity
  • Process survival
  • BIA driven

DRP

  • IT recovery
  • Systems restored
  • RTO/RPO driven

Business vs IT

Incident Picker

  1. Detect event: Triage
  2. Stop spread: Contain
  3. Remove cause: Eradicate
  4. Restore service: Recover
  5. Improve process: Lessons learned

Operations

IR: incident response
Forensics: evidence handling
Chain of custody: documented history of who held the evidence, when, and why
SIEM: log collection and correlation
Change control: approved, documented modifications
Patch management: vulnerability reduction
Backup: data copy
DRP: IT recovery plan

Software Security

Secure SDLC: security activities in every phase
Threat modeling: design-time risk analysis
SAST: static analysis of source or binaries, before the code runs
DAST: testing the running application from the outside
SBOM: component inventory of what went into the build
CI/CD: automated build and delivery pipeline
DevSecOps: security controls built into the pipeline
Least privilege: the minimum access needed for the task

Common Traps

Technical vs managerial

CISSP favors governance; tools follow risk

Owner vs operator

Owner decides; custodian implements

Residual vs inherent

Inherent risk is before controls; residual risk is after controls

Authentication vs authorization

Authentication proves identity; authorization grants access

Backup vs continuity

Backup stores data; BCP keeps the business running

Hash vs encryption

Hash verifies integrity; encryption protects secrecy

Last Minute

  1. Think risk before tool
  2. Management owns risk appetite
  3. Data owner classifies
  4. Custodian implements controls
  5. BIA drives BCP priorities
  6. RTO = time target
  7. RPO = data loss
  8. Scan finds; pen test proves
  9. Authenticate before authorize
  10. Residual risk needs acceptance