Coverage: 1.1–1.12 in the (ISC)² outline. [cisa.gov]
1.1 Professional Ethics
What the CISSP expects of you
- (ISC)² Code of Professional Ethics requires you to: protect society and the common good; act honorably, honestly, justly, responsibly and legally; provide diligent and competent service; and advance and protect the profession. [cisa.gov]
- Organizational codes of ethics (e.g., conflict of interest, anti-corruption, acceptable use) are employer policies that you must follow in addition to your professional code. [cisa.gov]
Scenario
- Your manager asks you to "quietly" view an employee's email without authorization: you must decline and escalate to the appropriate authority because it violates law/policy and the (ISC)² Code. [cisa.gov]
1.2 Security Concepts: CIA + Authenticity + Nonrepudiation
Core definitions
- Confidentiality prevents unauthorized disclosure (e.g., encryption, access controls, segmentation). [cisa.gov]
- Integrity prevents unauthorized modification (e.g., hashes, digital signatures, checksums). [cisa.gov]
- Availability ensures timely and reliable access (e.g., redundancy, DR/BC, clustering, UPS). [cisa.gov]
- Authenticity confirms an entity or artifact is genuine (e.g., code signing, certificates). [cisa.gov]
- Nonrepudiation prevents denial of actions (e.g., digitally signed transactions and immutable, time-stamped logging). [cisa.gov]
How STRIDE maps to CIA+A+NR (high-yield association)
- Spoofing → Authentication property; Tampering → Integrity; Repudiation → Nonrepudiation; Information Disclosure → Confidentiality; Denial of Service → Availability; Elevation of Privilege → Authorization. [csrc.nist.gov]
1.3 Security Governance Principles & Frameworks
Aligning security to business
- Governance aligns security to mission, goals, strategy and embeds risk into organizational decision-making (e.g., governance committees, M&A, reporting lines). [cisa.gov]
Due Care vs. Due Diligence (test favorite)
- Due Care = acting prudently (publish/enforce policy, set minimum standards, training). [cisa.gov]
- Due Diligence = ongoing verification and analysis (risk assessments, vendor reviews, vulnerability management); it informs due-care choices. [cisa.gov]
Frameworks: what each is best at (know the differences)
- ISO/IEC 27001: certifiable ISMS; strong governance + Annex A controls; used to prove security maturity to customers/regulators. [mitre.org]
- NIST CSF 2.0: voluntary risk framework (Govern/Identify/Protect/Detect/Respond/Recover) to improve posture; not a certification. [mitre.org]
- COBIT: enterprise IT governance (EDM/APO/BAI/DSS/MEA), connects business goals to IT processes and audits. [pcisecurit…ndards.org]
- SABSA: business-driven security architecture; traceability from business attributes → policies → services → mechanisms. [nvlpubs.nist.gov]
- PCI DSS: industry standard for cardholder/sensitive auth data; prescriptive controls; contractual enforcement via payment ecosystem. [aptori.com]
- FedRAMP: authorization/baselines for US federal cloud systems; narrower use-case than ISO/NIST CSF. [cisa.gov]
1.4 Legal, Regulatory, and Compliance
The legal landscape
- Cybercrime/data breach laws define offenses and penalties as well as notification duties after incidents. [cisa.gov]
- Intellectual property & licensing govern use/redistribution of software and content. [cisa.gov]
- Export controls limit transfer of strong cryptography and dual-use technologies. [cisa.gov]
- Transborder data flow rules (e.g., GDPR, CCPA, PIPL, POPIA) restrict how personal data moves across jurisdictions with different rights and transfer mechanisms. [cisa.gov]
Contractual vs. statutory obligations
- PCI DSS is a contractual/industry standard required by the card brands and acquiring banks for entities that store/process/transmit CHD/SAD, not a government law. [aptori.com]
1.5 Investigation Requirements (Administrative, Criminal, Civil, Regulatory)
Types of investigations (how they differ)
- Administrative: internal policy violations; HR-led; lower standard of proof; may precede other actions. [cisa.gov]
- Criminal: law enforcement; warrants; strict chain of custody and forensic soundness; evidence must meet rules of evidence. [cisa.gov]
- Civil: lawsuits between parties; discovery process; "preponderance of evidence" standard. [cisa.gov]
- Regulatory: sector-specific agencies/enforcers; statutory deadlines; audits, corrective actions, fines. [cisa.gov]
Evidence handling basics
- Maintain chain of custody, capture hashes, document who/what/when/where/how, and preserve originals via forensically sound imaging when criminal/civil admissibility is required. [cisa.gov]
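Added example, not from the study guide: a hash captured at acquisition and a chain-of-custody log in which every handoff re-verifies that hash, so any alteration of the item is caught and recorded. The evidence bytes, names and locations are constructed.

```python
"""Added example, not from the study guide: hash a forensic image at acquisition and
keep a chain-of-custody log in which every handoff re-verifies that hash."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (not a real image).
EVIDENCE_IMAGE = b"constructed sample image bytes: not a real disk image"


def sha256_hex(data: bytes) -> str:
    """Acquisition hash: travels with the evidence and is re-checked at every step."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Who / what / when / where / how record for one evidence item."""

    def __init__(self, item_id, data, collector, where, how):
        self.item_id = item_id
        self.acquisition_hash = sha256_hex(data)
        self.entries = []
        self.record(data, collector, where, how)

    def record(self, data, handler, where, how) -> bool:
        """Append a custody entry; returns False if the item no longer matches the original."""
        current = sha256_hex(data)
        intact = current == self.acquisition_hash
        self.entries.append({
            "who": handler, "what": self.item_id,
            "when": datetime.now(timezone.utc).isoformat(),
            "where": where, "how": how, "hash": current, "intact": intact,
        })
        return intact

    def is_intact(self) -> bool:
        """The chain is only sound if every handoff verified the acquisition hash."""
        return all(e["intact"] for e in self.entries)


def demo() -> tuple:
    """Clean handoff passes; a single altered byte is caught at the next handoff."""
    log = CustodyLog("HD-001", EVIDENCE_IMAGE, "analyst A", "lab safe 3", "dd image")
    clean = log.record(EVIDENCE_IMAGE, "analyst B", "lab bench 2", "checked out")
    altered = log.record(EVIDENCE_IMAGE[:-1] + b"X", "analyst C", "lab bench 2", "checked out")
    return clean, altered, log.is_intact()
```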
1.6 Security Policies, Standards, Procedures, Guidelines (PSPG)
What each document does
- Policy: management intent (the "what/why"), brief and mandatory. [cisa.gov]
- Standard: mandatory specifics (e.g., TLS 1.2+, 14-char passwords, device hardening baseline). [cisa.gov]
- Procedure: step-by-step "how-to" for consistent execution. [cisa.gov]
- Guideline: recommended best practice, non-mandatory, allows local discretion. [cisa.gov]
1.7 Business Continuity (BC) Requirements
BIA essentials (and key metrics)
- Business Impact Analysis (BIA) identifies critical processes, quantifies impacts, and defines RTO (how fast to restore) and RPO (how much data loss is tolerable). [cisa.gov]
- Consider external dependencies (providers, utilities, logistics) because their outages drive your downstream impacts and recovery sequence. [cisa.gov]
BC vs. DR (difference)
- BC = keeping the business running (people, sites, suppliers, manual workarounds); DR = restoring IT systems/data; both are informed by the BIA. [cisa.gov]
1.8 Personnel Security
Lifecycle controls
- Screening/hiring (e.g., background checks as permitted by law), employment agreements/NDAs, onboarding/transfer/offboarding, and third-party/contractor controls reduce human risk. [cisa.gov]
How this differs from IAM
- Personnel security = administrative/HR-centric measures; IAM (Domain 5) = digital identities, entitlements, authentication/authorization systems. [cisa.gov]
1.9 Risk Management Concepts
Terminology & risk math
- Threat (potential cause of harm) vs. Vulnerability (weakness) vs. Risk (likelihood × impact of a threat exploiting a vulnerability). [nist.gov]
- Qualitative analysis uses scales (High/Med/Low) when reliable data is limited. [nist.gov]
- Quantitative analysis estimates SLE, ARO, ALE to express financial exposure and justify control cost-benefit. [nist.gov]
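Added example, not from the study guide: the SLE/ARO/ALE arithmetic carried through for two constructed scenarios, plus the cost-benefit test (ALE reduction minus the control's annual cost) that decides whether mitigating is justified. All asset values, exposure factors and rates are constructed.

```python
"""Added example, not from the study guide: SLE/ARO/ALE arithmetic and the control
cost-benefit check that quantitative analysis is used to justify (figures constructed)."""
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    asset_value: float      # AV: value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0..1
    aro: float              # ARO: expected occurrences per year


def sle(s: Scenario) -> float:
    """Single Loss Expectancy = AV x EF."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle(s) * s.aro


def control_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net annual value of a control = ALE reduction minus its yearly cost.
    Positive justifies mitigating; negative points toward accept or transfer."""
    return ale(before) - ale(after) - annual_control_cost


def rank_by_ale(scenarios) -> list:
    """Order scenarios by financial exposure, highest ALE first."""
    return [s.name for s in sorted(scenarios, key=ale, reverse=True)]


# Constructed scenarios for illustration only.
RANSOMWARE = Scenario("ransomware on file server", 500_000, 0.6, 0.5)
RANSOMWARE_MITIGATED = Scenario("ransomware with EDR and offline backups", 500_000, 0.2, 0.25)
LAPTOP_THEFT = Scenario("unencrypted laptop theft", 20_000, 1.0, 2.0)
```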
Treatment options & control types
- Treat/mitigate, transfer (insurance, contract), avoid, accept; choose based on risk appetite and cost-benefit. [nist.gov]
- Preventive, detective, corrective (plus deterrent, compensating, physical); layered per scenario for depth. [cisa.gov]
Continuous monitoring
- Move beyond point-in-time checks: SIEM, KPIs/KRIs, vulnerability management, reporting, and continuous improvement are part of a mature program. [cisa.gov]
Risk frameworks
- NIST SP 800-30 Rev.1 gives structured steps for risk assessments (prepare → conduct → maintain), focusing on residual risk and decision support. [nist.gov]
- COBIT connects risk/governance to business processes with defined domains and capabilities. [pcisecurit…ndards.org]
- SABSA links business requirements to security architecture with bidirectional traceability. [nvlpubs.nist.gov]
1.10 Threat Modeling Concepts & Methodologies
Methods (how they differ and when to use)
- STRIDE (Microsoft): category-based coverage using DFDs; easy to teach and scale; doesn't inherently prioritize by risk. [csrc.nist.gov]
- PASTA: 7-stage risk-centric method with attack simulation and alignment to business objectives; deeper traceability; heavier process. [nvlpubs.nist.gov]
- DREAD: scoring (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) for prioritization; often used to score threats identified via STRIDE; subjectivity is a known caveat. [csrc.nist.rip]
- MITRE ATT&CK: empirical catalog of adversary tactics/techniques for detection engineering, hunting, and purple teaming; complements design-time models by informing detection coverage. [isc2.org]
Practical combo (likely exam logic)
- Use STRIDE for systematic coverage, add risk scoring or PASTA elements for prioritization, and map to ATT&CK to validate detection/response gaps. [csrc.nist.gov], [nvlpubs.nist.gov], [isc2.org]
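Added example, not from the study guide: the STRIDE-plus-scoring combination described above, with threats recorded per STRIDE category, scored with DREAD for prioritization, and a check for STRIDE categories that the model has not covered. The category-to-property map is the one given in 1.2; the login-service threats and their scores are constructed.

```python
"""Added example, not from the study guide: STRIDE-categorised threats scored with
DREAD and ranked; the category-to-property map is the guide's, threats are constructed."""
from dataclasses import dataclass

# STRIDE category -> security property it violates (as listed in 1.2).
STRIDE_PROPERTY = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Nonrepudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass
class Threat:
    title: str
    category: str
    dread: dict  # each DREAD factor scored 0-10

def dread_score(t: Threat) -> float:
    """Mean of the five factors; KeyError on a missing factor, ValueError if out of range."""
    if any(not 0 <= t.dread[f] <= 10 for f in DREAD_FACTORS):
        raise ValueError(f"DREAD factors for {t.title!r} must be 0-10")
    return sum(t.dread[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)

def prioritise(threats) -> list:
    """Highest DREAD first, with the CIA+A+NR property each threat puts at risk."""
    ranked = sorted(threats, key=dread_score, reverse=True)
    return [(t.title, STRIDE_PROPERTY[t.category], dread_score(t)) for t in ranked]

def coverage_gaps(threats) -> set:
    """STRIDE categories with no recorded threat: the DFD walk-through is incomplete."""
    return set(STRIDE_PROPERTY) - {t.category for t in threats}

# Constructed threat list for a login service (illustration only).
MODEL = [
    Threat("forged session token accepted", "Spoofing",
           dict(damage=8, reproducibility=6, exploitability=5, affected_users=9, discoverability=4)),
    Threat("audit log entries not signed", "Repudiation",
           dict(damage=5, reproducibility=9, exploitability=7, affected_users=3, discoverability=6)),
    Threat("login floods exhaust worker pool", "Denial of Service",
           dict(damage=6, reproducibility=9, exploitability=8, affected_users=9, discoverability=8)),
]
```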
1.11 Supply Chain Risk Management (SCRM)
What can go wrong (layers of risk)
- Hardware/firmware risks: tampering, counterfeits, implants; mitigations include silicon root of trust and physically unclonable functions (PUF) along with provenance controls. [cisa.gov]
- Software risks: hidden vulnerable dependencies and compromised build pipelines; mitigations include third-party assessments, minimum security requirements, SLAs, and SBOM transparency. [cisa.gov]
SBOM (and why it matters)
- SBOM = machine-readable "ingredients list" of software components to speed vulnerability exposure analysis and license compliance. [sabsa.org]
- NIST describes SBOM's minimum elements as data fields, automation support, and operational processes, with common formats SPDX, CycloneDX, SWID for interoperability. [en.wikipedia.org]
- CISA's 2025 draft proposes enhancements (e.g., component hash, license, tool name, generation context) and stresses operationalization and VEX/CSAF alignment. [avolutions…ftware.com]
- OMB M-26-05 encourages agencies to apply risk-based software/hardware assurance and allows requiring SBOM upon request, rather than imposing a universal one-size-fits-all; it references NIST SSDF and CISA SBOM work. [davidlynas.com]
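Added example, not from the study guide: what "operationalizing" an SBOM looks like in practice, reading a minimal CycloneDX JSON document, flagging components that lack the minimum data fields (supplier, name, version, unique identifier), and matching the rest against an advisory list to find vulnerability exposure. The SBOM, package names, versions and advisory id are constructed placeholders, and version matching is numeric-dotted only.

```python
"""Added example, not from the study guide: read a minimal CycloneDX JSON SBOM, flag
components missing minimum data fields, and match the rest against a constructed
advisory list. Package names, versions and the CVE id are placeholders."""
import json

# Constructed CycloneDX 1.5 document with two components; the second lacks a supplier.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"timestamp": "2025-01-15T10:00:00Z",
                 "tools": [{"name": "example-sbom-generator"}]},
    "components": [
        {"type": "library", "name": "examplelib", "version": "1.4.2",
         "purl": "pkg:pypi/examplelib@1.4.2", "supplier": {"name": "Example Org"}},
        {"type": "library", "name": "widgetlib", "version": "2.0.0",
         "purl": "pkg:pypi/widgetlib@2.0.0"},
    ],
})

# Constructed advisory feed: version-less purl -> [(advisory id, (first affected, first fixed))].
ADVISORIES = {"pkg:pypi/examplelib": [("CVE-PLACEHOLDER-0001", ("1.0", "1.5.0"))]}
# Minimum data fields checked per component: supplier, name, version, unique identifier.
MINIMUM_FIELDS = ("supplier", "name", "version", "purl")

def parse_components(sbom_text: str) -> list:
    """Parse the SBOM and return its component list; reject non-CycloneDX input."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])

def missing_minimum_fields(component: dict) -> list:
    """Fields absent from a component; non-empty means the SBOM cannot be fully used."""
    return [f for f in MINIMUM_FIELDS if f not in component]

def version_tuple(v: str) -> tuple:
    """Numeric dotted version for comparison; '1.0' sorts before '1.0.1'."""
    return tuple(int(p) for p in v.split("."))

def exposed(components) -> list:
    """(component name, advisory id) pairs where the listed version is in the affected range."""
    hits = []
    for c in components:
        base = c["purl"].split("@")[0]
        ver = version_tuple(c["version"])
        for adv_id, (first_affected, first_fixed) in ADVISORIES.get(base, []):
            if version_tuple(first_affected) <= ver < version_tuple(first_fixed):
                hits.append((c["name"], adv_id))
    return hits
```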
1.12 Security Awareness, Education, and Training
Building an effective program
- Methods include phishing simulations, social engineering exercises, gamification, and security champion networks to embed knowledge in product/ops teams. [cisa.gov]
- Periodic content reviews must reflect new tech/trends (AI, blockchain, cryptocurrency) to stay relevant and riskâaligned. [cisa.gov]
- Program effectiveness should be measured (report rates, behavior change, reduced incidents), not just attendance. [cisa.gov]