1.2 Exam Outline Effective Date and Eight-Domain Map

Key Takeaways

  • The current CISSP exam outline is effective April 15, 2024, and should drive the content map for study.
  • The eight domains cover governance, data, engineering, networks, identity, assessment, operations, and software development security.
  • Domain weights guide emphasis, but the domains are integrated in real security decisions and should not be studied as silos.
  • Security and Risk Management is the heaviest domain at 16 percent and provides decision language used across the other seven domains.

Last updated: May 2026

The Outline Is the Map

The CISSP exam outline effective April 15, 2024 is the source of record for the current content map in this guide. That date is not trivia; it is a source-control marker. When old notes mention different item counts, stale domain wording, or an older content split, the current outline wins. A disciplined CISSP learner tags notes, flashcards, and practice explanations to the current domains so that study time follows the body of knowledge ISC2 has published.

The outline says CISSP validates deep technical and managerial knowledge and experience to design, engineer, and manage the overall security posture of an organization. The phrase "overall security posture" is important because the domains are interdependent. Security architecture depends on risk appetite. Identity depends on personnel security and data classification. Operations depends on logging, incident response, business continuity, and change management. Software development security depends on governance, testing, supply chain controls, and secure design principles.

Domain | Weight | Management question
Security and Risk Management | 16% | What risk, policy, legal, ethical, and governance duties frame the decision?
Asset Security | 10% | What information or asset is owned, classified, handled, retained, or destroyed?
Security Architecture and Engineering | 13% | What design principles and controls satisfy security requirements?
Communication and Network Security | 13% | How should connectivity be segmented, protected, monitored, and operated?
Identity and Access Management | 13% | Who gets access, under what proof, by what authority, and for how long?
Security Assessment and Testing | 12% | How do we prove controls work and report deficiencies?
Security Operations | 13% | How do we run, monitor, respond, recover, and improve?
Software Development Security | 10% | How is software governed, built, tested, deployed, and maintained securely?

The weights should influence study time, but they should not make you ignore lower-weight domains. Asset Security and Software Development Security are each 10 percent, yet both often drive major enterprise risk. Mishandled data can create privacy, legal, and operational harm. Weak software governance can introduce vulnerabilities into every business process that depends on applications. A CISSP-level study plan treats weights as a planning tool, not a value judgment about what matters in practice.

Security and Risk Management deserves special attention because it supplies the language of many correct decisions. Ethics, governance, legal and regulatory requirements, investigations, policy documents, business continuity, personnel security, risk management, threat modeling, supply chain risk, and awareness programs all live in that domain. These topics do not stay isolated. They affect how you select encryption, approve remote access, test controls, onboard vendors, respond to incidents, and set secure development requirements.

A practical way to study the domain map is to follow the lifecycle of a sensitive system. First, leadership defines business goals, risk appetite, policies, and legal obligations. Next, the organization identifies assets and data handling requirements. Architects design secure systems and networks. Identity teams define authentication, authorization, and provisioning. Assessment teams test controls. Operations teams monitor, respond, and recover. Development teams maintain secure code and pipelines. The same system passes through all eight domains.

The exam outline also helps you reject misleading study shortcuts. A list that focuses almost entirely on cryptography formulas, network ports, or access-control acronyms is incomplete because it misses governance, risk treatment, assurance, operations, and software lifecycle issues. A list that only discusses policy is also incomplete because CISSP expects you to understand technical and managerial knowledge together. The right balance is not policy versus technology; it is technology selected and managed through policy, risk, and evidence.

Use domain weights to schedule review blocks. Start with the official percentage, then adjust for your weakness. A network engineer may need more time on legal, governance, software security, and assessment. A GRC analyst may need more time on architecture, cryptography, networks, and operations. The CISSP exam is broad because security leaders must communicate across specialties. Your study plan should intentionally cross-train the domains you do not use every day.

Integrated Scenario Workflow

  1. Identify the business objective and risk owner.
  2. Classify the data and assets involved.
  3. Define security requirements and design principles.
  4. Select network, identity, and platform controls.
  5. Document policy, standards, procedures, and guidelines.
  6. Test controls and report results to accountable stakeholders.
  7. Operate, monitor, respond, recover, and improve.
  8. Feed lessons learned into software, supplier, and architecture decisions.

When reading a scenario, ask which domain is primary and which domains constrain the answer. A question about vendor connectivity may primarily involve Communication and Network Security, but it may also involve supply chain risk, contractual requirements, identity federation, logging, data classification, and incident response. A strong answer respects the whole map. It chooses a control that fits the stated requirement and also fits governance, assurance, and operations.

Test Your Knowledge

Which statement best describes the role of the April 15, 2024 CISSP exam outline in study planning?

Test Your Knowledge

A learner sees that Asset Security is weighted 10 percent and decides to skip it. What is the best risk-based correction?

Test Your Knowledge

Which planning approach best reflects integrated CISSP domain judgment?
