CISSP Certification Path

1. Executive Summary

Target Certification: CISSP (Certified Information Systems Security Professional)

Timeline: 3-4 months focused study

Foundation Assets:

  • 12 years network engineering experience

  • CCNP Security certification

  • CompTIA Security+ certification

  • Daily ISE/802.1X/PKI operations

  • Zero-trust architecture implementation experience

  • Active security operations (dACL design, policy enforcement)

Endorsement Eligibility:

  • Requirement: 5 years in 2+ domains (or 4 years with relevant degree)

  • Your status: Exceeds requirement - 12 years spanning multiple domains


2. The CISSP Mindset Shift

CISSP is NOT a technical certification. It tests security management, risk assessment, and decision-making at an executive level.

The most common failure mode: Answering as a technician instead of as a security manager.

You have the technical knowledge. The challenge is thinking like a CISO, not an engineer.

2.1. Technical vs. Managerial Thinking

Scenario: Firewall breach detected
  Technician answer: "Check logs, block the IP, patch the vulnerability"
  CISSP answer: "Activate the incident response plan, notify stakeholders, assess business impact"

Scenario: New application deployment
  Technician answer: "Configure security controls, run a penetration test"
  CISSP answer: "Conduct a risk assessment, ensure compliance with policy, verify due diligence"

Scenario: Password policy
  Technician answer: "Require 12+ characters, complexity, rotation"
  CISSP answer: "Balance security with usability, consider risk appetite, evaluate authentication alternatives"

Scenario: Budget allocation
  Technician answer: "Buy the best firewall"
  CISSP answer: "Prioritize based on risk analysis, demonstrate ROI, align with business objectives"

2.2. Key Mantras

  1. Safety of human life is always the highest priority

  2. Risk management drives all decisions

  3. Due diligence and due care are non-negotiable

  4. Business continuity enables everything else

  5. Legal and regulatory compliance cannot be ignored

  6. When in doubt, choose the most complete answer


3. Domain Overview

Weights are from the (ISC)² CISSP exam outline effective April 15, 2024. Relative to the 2021 outline, Domain 1 rose from 15% to 16% and Domain 8 fell from 11% to 10%; the other six are unchanged.

  1. Security and Risk Management (16%): Governance, compliance, ethics, risk concepts, legal/regulatory

  2. Asset Security (10%): Classification, ownership, privacy, retention, data handling

  3. Security Architecture and Engineering (13%): Security models, cryptography, physical security, secure design

  4. Communication and Network Security (13%): Network architecture, secure protocols, network attacks

  5. Identity and Access Management (IAM) (13%): Authentication, authorization, identity lifecycle, access control

  6. Security Assessment and Testing (12%): Vulnerability assessment, penetration testing, audits, metrics

  7. Security Operations (13%): Incident response, investigations, disaster recovery, monitoring

  8. Software Development Security (10%): SDLC, secure coding, application security, DevSecOps


4. Domain Deep Dive

4.1. Domain 1: Security and Risk Management (16%)

4.1.1. Key Concepts

  • CIA Triad: Confidentiality, Integrity, Availability

  • Governance: Policies, standards, procedures, guidelines

  • Risk Management: Identify, assess, treat, monitor

  • Due Diligence: Research before decision

  • Due Care: Reasonable actions after decision

  • Compliance: GDPR, HIPAA, SOX, PCI-DSS

4.1.2. Risk Assessment Formulas

Exposure Factor (EF) = percentage of the asset's value lost in a single incident
Single Loss Expectancy (SLE) = Asset Value × EF
Annualized Rate of Occurrence (ARO) = expected number of incidents per year
Annualized Loss Expectancy (ALE) = SLE × ARO

Total Risk = Threats × Vulnerabilities × Asset Value
Residual Risk = Total Risk − Controls Gap

Expect questions that give AV, EF and ARO and ask for ALE, or that give ALE before and after a control plus its annual cost and ask whether the control is justified (it is only when the ALE reduction exceeds the cost).

4.1.3. Risk Treatment Options

  1. Mitigate: Implement controls to reduce risk

  2. Transfer: Insurance, contracts (shift to third party)

  3. Accept: Document and accept residual risk (management decision)

  4. Avoid: Eliminate the risk-causing activity

4.1.4. Legal and Regulatory

  • Criminal Law: Prosecution by the government (felonies, misdemeanors); standard of proof is beyond a reasonable doubt

  • Civil Law: Disputes between parties (torts, contracts); standard of proof is a preponderance of the evidence

  • Administrative Law: Regulations issued and enforced by government agencies

  • GDPR: EU data protection (breach notification to the supervisory authority within 72 hours of becoming aware)

  • HIPAA: US healthcare (protection of PHI)

  • SOX: US financial reporting (Section 404: management assessment of internal controls over financial reporting)

  • PCI DSS: Payment card industry standard for cardholder data; contractual rather than a law, but the exam treats it alongside the regulations

4.2. Domain 2: Asset Security (10%)

4.2.1. Data Classification

Government:

  1. Top Secret

  2. Secret

  3. Confidential

  4. Sensitive But Unclassified

  5. Unclassified

Commercial:

  1. Confidential/Proprietary

  2. Private

  3. Sensitive

  4. Public

4.2.2. Data Roles

  • Data Owner: Senior management or the business unit head; classifies the data, approves access, and remains accountable for it

  • Data Custodian: IT staff; implements the controls the owner specifies and manages storage and backups

  • Data Steward: Ensures data quality and compliance with the classification and handling rules

  • Data Processor: Third party that processes data on behalf of a controller (GDPR term)

  • Data Controller: Determines the purposes and means of processing (GDPR term)

The distinction the exam tests: the owner is accountable, the custodian is responsible for day-to-day protection.

4.2.3. Data Lifecycle

  1. Create/Collect

  2. Store

  3. Use

  4. Share

  5. Archive

  6. Destroy

4.3. Domain 3: Security Architecture and Engineering (13%)

4.3.1. Security Models

  • Bell-LaPadula: Confidentiality. Simple security property = no read up; *-property = no write down

  • Biba: Integrity. Simple integrity axiom = no read down; *-integrity axiom = no write up (the mirror image of Bell-LaPadula)

  • Clark-Wilson: Integrity via well-formed transactions and separation of duties; subjects reach data only through access triples (subject, program, object)

  • Brewer-Nash (Chinese Wall): Prevents conflicts of interest by changing what a subject may access based on what it has already accessed
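The two lattice models above are easiest to keep straight as code. This is an added example for this study guide, not material from the OSG or any product: the four levels and the subject/object pairs are constructed, and the helper names are my own.

```python
"""Bell-LaPadula and Biba as decision functions over a four-level lattice.

Added worked example; the levels and the label pairs are constructed for
illustration and do not come from the study guide.
"""
from enum import IntEnum
from typing import Dict, Tuple


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Bell-LaPadula protects confidentiality.
def blp_read(subject: Level, obj: Level) -> bool:
    """Simple security property: no read up."""
    return subject >= obj


def blp_write(subject: Level, obj: Level) -> bool:
    """*-property: no write down. A Secret subject may not write a Confidential
    object, because that would carry Secret content downward."""
    return subject <= obj


# Biba protects integrity and is the mirror image of Bell-LaPadula.
def biba_read(subject: Level, obj: Level) -> bool:
    """Simple integrity axiom: no read down (lower-integrity data may be corrupt)."""
    return subject <= obj


def biba_write(subject: Level, obj: Level) -> bool:
    """*-integrity axiom: no write up (a low-integrity process must not modify trusted data)."""
    return subject >= obj


RULES = {
    ("blp", "read"): blp_read, ("blp", "write"): blp_write,
    ("biba", "read"): biba_read, ("biba", "write"): biba_write,
}


def decide(model: str, action: str, subject: Level, obj: Level) -> bool:
    """Single entry point: model is 'blp' or 'biba', action is 'read' or 'write'."""
    return RULES[(model, action)](subject, obj)


def both_models(action: str, subject: Level, obj: Level) -> bool:
    """Enforce BLP and Biba on the same label set at once. Only operations at
    the subject's own level survive, which is why real systems use separate
    confidentiality and integrity labels rather than one shared lattice."""
    return decide("blp", action, subject, obj) and decide("biba", action, subject, obj)


def decision_matrix(model: str, action: str) -> Dict[Tuple[str, str], bool]:
    """Every (subject, object) decision for one model and action."""
    return {(s.name, o.name): decide(model, action, s, o) for s in Level for o in Level}


if __name__ == "__main__":
    for model in ("blp", "biba"):
        for action in ("read", "write"):
            allowed = [k for k, v in decision_matrix(model, action).items() if v]
            print(f"{model:4s} {action:5s} allowed pairs: {len(allowed)}/16")
```

Run it and you get ten allowed pairs for each model/action (the diagonal plus one triangle); intersect the two models and only the four diagonal pairs remain.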

4.3.2. Cryptography

Symmetric Algorithms:

  • AES (128, 192, 256-bit keys) - Current standard

  • 3DES - Legacy; NIST disallows it for new encryption after 2023

  • Blowfish, Twofish

Asymmetric Algorithms:

  • RSA - Encryption/key exchange and digital signatures

  • ECC - Equivalent strength with much smaller keys; mobile/IoT

  • Diffie-Hellman - Key agreement only (no encryption or signing); unauthenticated DH is open to man-in-the-middle, which is why TLS signs the exchange

Hashing:

  • SHA-256 (SHA-2 family), SHA-3 - Current standards

  • MD5, SHA-1 - Deprecated (practical collision attacks exist for both)

Key Management:

  • Generation, distribution, storage, rotation, destruction

  • Key escrow, key recovery

  • Certificate lifecycle (request, issue, use, renew, revoke/expire)

4.4. Domain 4: Communication and Network Security (13%)

This is your strongest domain given 12 years of network engineering and the CCNP Security certification. Review the concepts you use daily from the management perspective: the exam asks which control or architecture decision is appropriate, not how to configure it.

4.4.1. OSI Model Security

  • Layer 7, Application: Application firewalls, WAF, secure coding

  • Layer 6, Presentation: Encryption, data formatting and encoding

  • Layer 5, Session: Session management, authentication

  • Layer 4, Transport: TCP/UDP port filtering, TLS (references place TLS at layer 4, 5 or 6; the exam cares that it encrypts above IP and below the application)

  • Layer 3, Network: IPsec, firewalls, IDS/IPS, routing security

  • Layer 2, Data Link: 802.1X, switch port security, MAC filtering, VLANs

  • Layer 1, Physical: Physical security, cable security

Note that "port security" in the Cisco sense (limiting MAC addresses per switch port) is a layer 2 control; layer 4 ports are TCP/UDP ports.

4.4.2. Network Security Concepts

  • Defense in Depth: Multiple layers of security

  • Zero Trust: Never trust, always verify (your daily practice)

  • Micro-segmentation: Granular network isolation

  • Network Access Control: 802.1X, ISE (your expertise)

4.5. Domain 5: Identity and Access Management (13%)

4.5.1. Authentication Factors

  1. Something You Know: Password, PIN

  2. Something You Have: Token, smart card, certificate

  3. Something You Are: Biometrics

  4. Somewhere You Are: Location-based

  5. Something You Do: Behavioral biometrics

4.5.2. Access Control Models

  • DAC (Discretionary): The object's owner decides who gets access (ACLs on files)

  • MAC (Mandatory): System-enforced labels and clearances decide; neither the owner nor the user can override

  • RBAC (Role-Based): Permissions are attached to roles; users are assigned roles

  • ABAC (Attribute-Based): Policies evaluate attributes of the subject, object and environment

  • Rule-Based: Fixed rules (time of day, source location) apply to everyone regardless of identity
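The models are usually combined rather than chosen one at a time: RBAC grants the coarse permission, then attribute and rule checks narrow it. Below is an added example of such a policy decision point for this study guide; it is not from any product or from the OSG. The roles, permissions, departments, zones and the change window are all constructed.

```python
"""A small policy decision point: RBAC for coarse rights, ABAC and rule-based
constraints layered on top.

Added worked example; roles, permissions and attributes are constructed and
do not come from the study guide or any product.
"""
from dataclasses import dataclass
from typing import Set, Tuple

# RBAC: the role, not the user, carries the permissions.
ROLE_PERMISSIONS = {
    "helpdesk":  {"ticket:read", "ticket:update"},
    "net-admin": {"ticket:read", "switch:configure"},
    "auditor":   {"ticket:read", "log:read"},
}


@dataclass(frozen=True)
class Subject:
    user: str
    roles: Set[str]
    department: str
    mfa_verified: bool


@dataclass(frozen=True)
class Request:
    permission: str
    resource_department: str   # attribute of the object being accessed
    hour: int                  # local hour 0-23 when the request is made
    source_zone: str           # "corp", "vpn" or "internet"


def rbac_allows(subject: Subject, permission: str) -> bool:
    """True if any of the subject's roles carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


def decide(subject: Subject, req: Request) -> Tuple[bool, str]:
    """Return (decision, reason). RBAC is evaluated first, then the attribute
    and rule constraints, so a denial names the first failing check."""
    if not rbac_allows(subject, req.permission):
        return False, "no assigned role grants the permission"

    # ABAC: a subject attribute must match an object attribute.
    if req.permission.startswith("ticket:") and subject.department != req.resource_department:
        return False, "ticket belongs to another department"

    # Privileged change: attribute checks (MFA, source zone) plus a rule-based
    # change window that applies to everyone regardless of identity.
    if req.permission == "switch:configure":
        if not subject.mfa_verified:
            return False, "privileged change requires MFA"
        if req.source_zone == "internet":
            return False, "privileged change not allowed from the internet zone"
        if not 8 <= req.hour < 18:
            return False, "outside the 08:00-18:00 change window"

    return True, "allowed"


if __name__ == "__main__":
    admin = Subject("dana", {"net-admin"}, "network", mfa_verified=True)
    print(decide(admin, Request("switch:configure", "network", 10, "corp")))
    print(decide(admin, Request("switch:configure", "network", 22, "corp")))
```

The order matters for audit: a log line that says "outside the change window" tells the reviewer the user was otherwise entitled, while "no assigned role grants the permission" flags a possible access request or a misconfigured role.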

4.5.3. Identity Lifecycle

  1. Provisioning (onboarding)

  2. Review (periodic attestation)

  3. Revocation (termination, change)

4.6. Domain 6: Security Assessment and Testing (12%)

4.6.1. Assessment Types

  • Vulnerability Assessment: Identify and rank weaknesses; no exploitation

  • Penetration Testing: Attempt to exploit vulnerabilities within an agreed scope and rules of engagement

  • Red Team: Adversarial simulation of a realistic attacker against the organization as a whole

  • Blue Team: Defensive operations; detection and response

  • Purple Team: Red and blue working together so that findings feed directly into detection improvements

4.6.2. Audit Types

  • Internal Audit: Organization’s own auditors

  • External Audit: Independent third party

  • SOC 1: Controls relevant to financial reporting (Type I = control design at a point in time, Type II = operating effectiveness over a period)

  • SOC 2: Trust services criteria: security, availability, processing integrity, confidentiality, privacy (also issued as Type I or Type II)

  • SOC 3: Public summary of a SOC 2 (seal of approval)

Here SOC means System and Organization Controls, an AICPA attestation, not Security Operations Center; the exam uses both meanings, so read the question for context.

4.7. Domain 7: Security Operations (13%)

4.7.1. Incident Response Phases

  1. Preparation: Plans, tools, training

  2. Detection/Identification: Recognize incident

  3. Containment: Limit damage (short-term, long-term)

  4. Eradication: Remove threat

  5. Recovery: Restore normal operations

  6. Lessons Learned: Post-incident review

4.7.2. Evidence Handling

  • Chain of Custody: Document all handling

  • Integrity: Hashing, write-blockers

  • Admissibility: Legal requirements

  • Order of Volatility: Collect the most volatile first (RFC 3227: registers and cache → memory, process table, network state → temporary file systems → disk → remote logging data → physical configuration and archival media)
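The integrity and chain-of-custody points above combine into one routine: hash at acquisition, re-hash at every hand-off, and refuse to call the chain intact if a handler gap or a hash mismatch appears. The following is an added example for this study guide, not from the OSG or any forensic tool; the evidence bytes, handler names and the record layout are constructed. A real image would be hashed from disk in chunks and the log kept append-only.

```python
"""Chain of custody with hash verification at every transfer.

Added worked example. The evidence bytes, handler names and record format are
constructed for illustration; they are not from the study guide.
"""
import hashlib
from datetime import datetime, timezone
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(evidence_id: str, data: bytes, handler: str) -> List[Dict]:
    """First custody record. Its hash is the reference every later step is checked against."""
    return [{
        "evidence_id": evidence_id, "event": "acquired",
        "from": None, "to": handler,
        "sha256": sha256_hex(data),
        "time": datetime.now(timezone.utc).isoformat(),
    }]


def transfer(log: List[Dict], data: bytes, from_handler: str, to_handler: str) -> bool:
    """Re-hash the evidence as received. The transfer is recorded either way, but a
    mismatch is logged as an integrity failure instead of silently continuing."""
    reference = log[0]["sha256"]
    observed = sha256_hex(data)
    log.append({
        "evidence_id": log[0]["evidence_id"],
        "event": "transferred" if observed == reference else "integrity_failure",
        "from": from_handler, "to": to_handler,
        "sha256": observed,
        "time": datetime.now(timezone.utc).isoformat(),
    })
    return observed == reference


def verify_chain(log: List[Dict]) -> bool:
    """Admissibility check: starts with acquisition, every hand-off names the
    previous holder, no integrity failures, and the same hash on every record."""
    if not log or log[0]["event"] != "acquired":
        return False
    reference = log[0]["sha256"]
    for prev, cur in zip(log, log[1:]):
        if cur["event"] != "transferred":
            return False
        if cur["from"] != prev["to"]:      # a handler gap breaks the chain
            return False
        if cur["sha256"] != reference:
            return False
    return True


# Constructed evidence standing in for a disk image.
EVIDENCE = b"constructed disk image bytes, acquired through a write-blocker"

if __name__ == "__main__":
    log = acquire("EV-001", EVIDENCE, "first responder")
    transfer(log, EVIDENCE, "first responder", "forensic analyst")
    print("chain valid:", verify_chain(log))
    transfer(log, EVIDENCE + b"x", "forensic analyst", "legal")   # altered copy
    print("chain valid after tampering:", verify_chain(log))
```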

4.7.3. Business Continuity

  • BCP: Business Continuity Plan (keep critical business functions running)

  • DRP: Disaster Recovery Plan (restore IT; a component of the BCP)

  • BIA: Business Impact Analysis (identifies critical functions and sets MTD, RTO and RPO for each)

  • MTD: Maximum Tolerable Downtime (longest outage the business can survive)

  • RTO: Recovery Time Objective (target time to restore; must be less than MTD)

  • RPO: Recovery Point Objective (maximum acceptable data loss, measured in time)

  • MTBF: Mean Time Between Failures

  • MTTR: Mean Time To Repair

4.8. Domain 8: Software Development Security (10%)

4.8.1. SDLC Security

  • Requirements: Security requirements, threat modeling

  • Design: Secure architecture, design review

  • Development: Secure coding, code review

  • Testing: SAST, DAST, penetration testing

  • Deployment: Hardening, configuration management

  • Maintenance: Patching, vulnerability management

4.8.2. Application Vulnerabilities (OWASP Top 10, 2021 list)

  1. A01 Broken Access Control

  2. A02 Cryptographic Failures

  3. A03 Injection

  4. A04 Insecure Design

  5. A05 Security Misconfiguration

  6. A06 Vulnerable and Outdated Components

  7. A07 Identification and Authentication Failures

  8. A08 Software and Data Integrity Failures

  9. A09 Security Logging and Monitoring Failures

  10. A10 Server-Side Request Forgery (SSRF)


5. Study Resources

5.1. Primary Resources

  1. (ISC)² CISSP Official Study Guide (OSG) - 9th Edition

    • Authors: Mike Chapple, James Michael Stewart, Darril Gibson

    • ISBN: 978-1119786238

    • Status: Required

    • Note: the 9th edition was written for the 2021 exam outline; before buying, confirm you have the edition aligned with the April 2024 outline

  2. (ISC)² CISSP Official Practice Tests - 3rd Edition

    • 1300+ practice questions

    • Status: Required

  3. CISSP All-in-One Exam Guide - 9th Edition

    • Author: Shon Harris / Fernando Maymi

    • Comprehensive alternative reference

    • Status: Recommended

5.2. Supplementary Resources

  1. Destination Certification CISSP MindMaps

  2. Kelly Handerhan - Cybrary CISSP

    • Video course

    • "Think like a manager" emphasis

  3. Sunflower CISSP Summary

    • Condensed study guide

    • Good for final review

  4. Boson Practice Exams

    • High-quality practice questions

    • Status: Recommended for final prep

5.3. Practice Question Strategy

  • Learning Phase: Read the explanations for ALL answers, right and wrong

  • Assessment Phase: Timed practice under exam conditions

  • Refinement Phase: Focus on weak domains

  • Final Week: Full practice exams; review only the wrong answers


6. Study Plan (12 weeks)

6.1. Phase 1: Foundation (Weeks 1-4)

6.1.1. Week 1: Domain 1 - Security and Risk Management

  • Read the OSG chapters mapped to Domain 1 (the OSG's 21 chapters do not map one-to-one to the eight domains; use the objective map in the book's front matter)

  • Risk management concepts

  • Governance and compliance

  • Legal and ethical considerations

  • Practice questions (50+)

6.1.2. Week 2: Domains 2 & 3 - Asset Security + Architecture

  • Read the OSG chapters mapped to Domains 2 and 3

  • Data classification and handling

  • Security models (Bell-LaPadula, Biba)

  • Cryptography fundamentals

  • Practice questions (75+)

6.1.3. Week 3: Domains 4 & 5 - Network + IAM

  • Read the OSG chapters mapped to Domains 4 and 5

  • Network security (review - your strength)

  • Access control models

  • Authentication mechanisms

  • Practice questions (75+)

6.1.4. Week 4: Domains 6, 7, 8 - Assessment, Operations, Development

  • Read the OSG chapters mapped to Domains 6, 7 and 8

  • Vulnerability assessment vs penetration testing

  • Incident response phases

  • SDLC security

  • Practice questions (100+)

6.2. Phase 2: Deepening (Weeks 5-8)

6.2.1. Week 5: Domain 1 Deep Dive

  • Reread the OSG chapters mapped to Domain 1

  • Risk formulas (SLE, ALE, ARO)

  • Business impact analysis

  • Legal jurisdictions

  • Domain-specific practice (100+)

6.2.2. Week 6: Domains 2 & 3 Deep Dive

  • Cryptography protocols

  • PKI and certificate lifecycle

  • Physical security

  • Domain-specific practice (100+)

6.2.3. Week 7: Domains 4 & 5 Deep Dive

  • Network protocols and attacks

  • Identity federation

  • SSO and access management

  • Domain-specific practice (100+)

6.2.4. Week 8: Domains 6, 7, 8 Deep Dive

  • Audit types and SOC reports

  • Business continuity (RTO, RPO, BIA)

  • OWASP Top 10

  • Domain-specific practice (100+)

6.3. Phase 3: Integration (Weeks 9-12)

6.3.1. Week 9: Cross-Domain Integration

  • How domains relate to each other

  • Scenario-based questions

  • Management decision-making

  • Full practice exam #1

6.3.2. Week 10: Weak Area Focus

  • Identify weak domains from practice exams

  • Targeted study

  • Additional practice questions

  • Review incorrect answers

6.3.3. Week 11: Practice Exams

  • Full practice exam #2

  • Full practice exam #3

  • Analyze patterns in errors

  • Refine test-taking strategy

6.3.4. Week 12: Final Review

  • Sunflower summary review

  • Destination Certification MindMaps

  • Light review only - avoid cramming

  • Schedule exam

  • Rest before exam day


7. Exam Strategy

7.1. Question Approach

  1. Read the ENTIRE question - including all options

  2. Identify what they’re REALLY asking - often the last sentence

  3. Eliminate obviously wrong answers - usually 2 can be eliminated

  4. Think like a manager - not a technician

  5. Choose the BEST answer - not just a correct answer

  6. When stuck:

    • What protects human life?

    • What manages risk?

    • What is the most complete answer?

7.2. Time Management

  • English-language exam (CAT, since April 15, 2024): 100-150 questions in 3 hours, roughly 1.2-1.8 minutes per question; the exam ends as soon as the algorithm is confident of a pass or fail

  • Non-English (linear) exam: 250 questions in 6 hours, about 1.4 minutes per question

  • CAT has no flagging, review or going back: once you answer, the question is gone, so commit and move on

  • Trust your first instinct (usually)

7.3. Day Before

  • Light review only

  • No new material

  • Good sleep (8+ hours)

  • Prepare ID and confirmation

7.4. Exam Day

  • Arrive early

  • Light breakfast

  • Bring water/snacks for breaks

  • Deep breaths - you’ve prepared


8. Endorsement Process

8.1. Requirements

  • 5 years full-time experience in 2+ domains

  • OR 4 years with relevant degree/certification

  • Your experience: 12 years spanning multiple domains

8.2. Your Domain Coverage

  • Domain 1: Risk management, compliance, policy development (12 years)

  • Domain 4: Network security, 802.1X, firewalls (CCNP Security) (12 years)

  • Domain 5: IAM, authentication, ISE, zero-trust (12 years)

  • Domain 6: Security assessments, vulnerability management (5+ years)

  • Domain 7: Security operations, incident response (10+ years)

8.3. Endorsement Steps

  1. Pass the CISSP exam

  2. Complete the online endorsement application within 9 months of passing

  3. An endorser holding an active (ISC)² certification in good standing attests to your experience ((ISC)² can act as endorser if you have no one)

  4. (ISC)² review (typically up to 6-8 weeks)

  5. Pay the annual maintenance fee

  6. Certification issued; CPE requirements start for the three-year cycle


9. Progress Tracking

  • Week 4: All domains first pass complete (target date: ____) [ ]

  • Week 8: Deep dive complete, 500+ practice questions (target date: ____) [ ]

  • Week 10: Practice exams scoring 75%+ (target date: ____) [ ]

  • Week 12: Final review complete (target date: ____) [ ]

  • Week 13: Pass CISSP exam (target date: ____) [ ]

  • Week 15: Endorsement submitted (target date: ____) [ ]


10. Quick Reference

10.1. Key Formulas

SLE = Asset Value × Exposure Factor
ALE = SLE × ARO
Total Risk = Threats × Vulnerabilities × Asset Value
Residual Risk = Total Risk − Controls Gap
Safeguard Value = (ALE before) − (ALE after) − (Annual Cost of Safeguard)
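Worked example of the formulas in 4.1.2 and in this quick reference, added here for the study plan (it is not from the OSG): three candidate safeguards are scored against the same risk and ranked by safeguard value. Every asset value, exposure factor, rate and cost is a constructed number, and the three safeguard names are hypothetical.

```python
"""Quantitative risk: SLE, ALE and safeguard value (ALE before - ALE after - ACS).

Added worked example; every figure below is a constructed scenario, not real data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # ACS: annual cost of the safeguard
    new_ef: float        # exposure factor once the control is in place
    new_aro: float       # annualized rate of occurrence once the control is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle(asset_value, exposure_factor) * aro


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """(ALE before) - (ALE after) - (annual cost of safeguard).

    A control may lower the exposure factor (less lost per event), the ARO
    (fewer events), or both; a negative result means the control costs more
    per year than the loss it prevents.
    """
    before = ale(asset_value, ef, aro)
    after = ale(asset_value, sg.new_ef, sg.new_aro)
    return before - after - sg.annual_cost


def rank_safeguards(asset_value: float, ef: float, aro: float,
                    candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """Return (name, value) pairs, best first: the risk-analysis ordering a
    manager presents instead of 'buy the best box'."""
    scored = [(sg.name, safeguard_value(asset_value, ef, aro, sg)) for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a customer database exposed to ransomware.
ASSET_VALUE = 1_000_000.0   # AV
EF = 0.40                   # one incident destroys 40% of the asset's value
ARO = 0.50                  # expected once every two years

# Hypothetical controls with constructed costs and effects.
CANDIDATES = [
    Safeguard("Immutable offline backups",  annual_cost=40_000,  new_ef=0.10, new_aro=0.50),
    Safeguard("EDR rollout",                annual_cost=120_000, new_ef=0.40, new_aro=0.10),
    Safeguard("Premium firewall appliance", annual_cost=250_000, new_ef=0.20, new_aro=0.25),
]

if __name__ == "__main__":
    print(f"SLE = {sle(ASSET_VALUE, EF):,.0f}   ALE = {ale(ASSET_VALUE, EF, ARO):,.0f}")
    for name, value in rank_safeguards(ASSET_VALUE, EF, ARO, CANDIDATES):
        print(f"{name:28s} safeguard value = {value:>12,.0f}")
```

With these inputs the ALE is 200,000 per year. The backups score 110,000, EDR scores 40,000, and the appliance scores negative 100,000 even though it reduces both EF and ARO, because its cost exceeds the loss it avoids. That is the "Budget allocation" row of section 2.1 in numbers.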

10.2. Key Acronyms

  • ALE: Annualized Loss Expectancy

  • ARO: Annualized Rate of Occurrence

  • BCP: Business Continuity Plan

  • BIA: Business Impact Analysis

  • CMDB: Configuration Management Database

  • DRP: Disaster Recovery Plan

  • EF: Exposure Factor

  • IDS: Intrusion Detection System

  • IPS: Intrusion Prevention System

  • MTBF: Mean Time Between Failures

  • MTD: Maximum Tolerable Downtime

  • MTTR: Mean Time To Repair

  • RPO: Recovery Point Objective

  • RTO: Recovery Time Objective

  • SLE: Single Loss Expectancy

  • SOC: Security Operations Center, or System and Organization Controls when referring to SOC 1/2/3 audit reports


Created: 2026-02-14
Target: CISSP (Q3 2026)
Foundation: 12 years network security, CCNP Security, Security+, daily zero-trust operations