Authors
ARTHUR DEANE, CISSP, CCSP, is a senior director at Capital One Financial, where he leads information security activities in the Card division. Prior to Capital One, Arthur held security leadership roles at Google, Amazon, and PwC, in addition to several security engineering and consulting roles with the U.S. federal government.
Arthur is an adjunct professor at American University and a member of the Computer Science Advisory Board at Howard University. He holds a bachelor's degree in electrical engineering from Rochester Institute of Technology (RIT) and a master's degree in information security from the University of Maryland. Arthur is also the author of CCSP for Dummies.
AARON KRAUS, CISSP, CCSP, is an information security professional with more than 15 years of experience in security risk management, auditing, and teaching cybersecurity topics. He has worked in security and compliance leadership roles across industries including U.S. federal government civilian agencies, financial services, insurance, and technology startups.
Aaron is a course author, instructor, and cybersecurity curriculum dean at Learning Tree International, and he most recently taught the Official (ISC)2 CISSP CBK Review Seminar. He is a co-author of The Official (ISC)2 Guide to the CCSP CBK, 3rd Edition, and served as technical editor for numerous Wiley publications including (ISC)2 CCSP Certified Cloud Security Professional Official Study Guide, 2nd Edition; CCSP Official (ISC)2 Practice Tests; The Official (ISC)2 Guide to the CISSP CBK Reference, 5th Edition; and (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests, 2nd Edition.
Technical Reviewer
MICHAEL S. WILLS, CAMS, CISSP, SSCP, is assistant professor of applied and innovative information technologies at the College of Business at Embry-Riddle Aeronautical University – Worldwide, where he continues his graduate and undergraduate teaching and research in cybersecurity and information assurance.
Mike has also been an advisor on science and technology policy to the UK's Joint Intelligence Committee, Ministry of Justice, and Defense Science and Technology Laboratories, helping them to evolve an operational and policy consensus relating topics from cryptography and virtual worlds, through the burgeoning surveillance society, to the proliferation of weapons of mass disruption (not just “destruction”) and their effects on global, regional, national, and personal security. For a time, this had him sometimes known as the UK's nonresident expert on outer space law.
Mike has been supporting the work of (ISC)2 by writing, editing, and updating books, study guides, and course materials for both their SSCP and CISSP programs. He wrote the SSCP Official Study Guide, 2nd Edition (Sybex, 2019), followed quickly by the SSCP Official Common Book of Knowledge, 5th Edition. He was lead author for the 2021 update of (ISC)2's official CISSP and SSCP training materials. Mike has also contributed to several industry roundtables and white papers on digital identity and cyber fraud detection and prevention and has been a panelist and webinar presenter on these and related topics for ACAMS.
Foreword
EARNING THE GLOBALLY RECOGNIZED CISSP® security certification is a proven way to build your career and demonstrate deep knowledge of cybersecurity concepts across a broad range of domains. Whether you are picking up this book to supplement your preparation to sit for the exam or are an existing CISSP using it as a desk reference, you'll find the The Official (ISC)2® CISSP® CBK® Reference to be the perfect primer on the security concepts covered in the eight domains of the CISSP CBK.
The CISSP is the most globally recognized certification in the information security market. It immediately signifies that the holder has the advanced cybersecurity skills and knowledge to design, engineer, implement, and manage information security programs and teams that protect against increasingly sophisticated attacks. It also conveys an adherence to best practices, policies, and procedures established by (ISC)2 cybersecurity experts.
The recognized leader in the field of information security education and certification, (ISC)2 promotes the development of information security professionals throughout the world. As a CISSP with all the benefits of (ISC)2 membership, you are part of a global network of more than 161,000 certified professionals who are working to inspire a safe and secure cyber world.
Drawing from a comprehensive, up-to-date global body of knowledge, the CISSP CBK provides you with valuable insights on the skills, techniques, and best practices a security professional should be familiar with, including how different elements of the information technology ecosystem interact.
If you are an experienced CISSP, you will find this edition of the CISSP CBK an indispensable reference. If you are still gaining the experience and knowledge you need to join the ranks of CISSPs, the CISSP CBK is a deep dive that can be used to supplement your studies.
As the largest nonprofit membership body of certified information security professionals worldwide, (ISC)2 recognizes the need to identify and validate not only information security competency, but also the ability to build, manage, and lead a security organization. Written by a team of subject matter experts, this comprehensive compendium covers all CISSP objectives and subobjectives in a structured format with common practices for each objective, a common lexicon and references to widely accepted computing standards and case studies.
The opportunity has never been greater for dedicated professionals to advance their careers and inspire a safe and secure cyber world. The CISSP CBK will be your constant companion in protecting your organization and will serve you for years to come.
Sincerely,
Clar Rosso
CEO, (ISC)2
Introduction
THE CERTIFIED INFORMATION SYSTEMS Security Professional (CISSP) certification identifies a professional who has demonstrated skills, knowledge, and abilities across a wide array of security practices and principles. The exam covers eight domains of practice, which are codified in the CISSP Common Body of Knowledge (CBK). The CBK presents topics that a CISSP can use in their daily role to identify and manage security risks to data and information systems and is built on a foundation comprising fundamental security concepts of confidentiality, integrity, availability, nonrepudiation, and authenticity (CIANA), as well as privacy and security (CIANA+PS). A variety of controls can be implemented for both data and systems, with the goal of either safeguarding or mitigating security risks to each of these foundational principles.
Global professionals take many paths into information security, and each candidate's experience must be combined with variations in practice and perspective across industries and regions due to the global reach of the certification. For most security practitioners, achieving CISSP requires study and learning new disciplines, and professionals are unlikely to work across all eight domains on a daily basis. The CISSP CBK is a baseline standard of security knowledge to help security practitioners deal with new and evolving risks, and this guide provides easy reference to aid practitioners in