
Source of the domain task list: (ISC)² CISSP Exam Outline. [isc2.org]

Domain 2 covers the identification, classification, handling, protection, tracking, and lifecycle management of information and assets. All responsibilities revolve around ensuring that data is properly governed at every stage from creation to destruction.


2.1 Identify and Classify Information and Assets

✔ What This Means

Organizations must first identify what they own (physical, digital, logical, and intangible assets) and then classify each asset. Classification assigns the sensitivity level that drives handling rules, retention, and the security controls applied to it.
Source: “Identify and classify information and assets; Data classification; Asset classification.” [isc2.org]

✔ Classification

Classification levels vary by organization, but every scheme rates the same thing: the impact on the organization if the asset's confidentiality, integrity, or availability is compromised.
Examples of common classification categories:

  • Public
  • Internal
  • Confidential
  • Restricted
    (Example classification schemes provided in study resources.) [passitexams.com]

✔ Why Classification Matters

Classification informs:

  • Access control strength
  • Retention rules
  • Encryption requirements
  • Legal/regulatory handling requirements
    Source: Classification governs the handling requirements described throughout Domain 2. [isc2.org]

2.2 Establish Information and Asset Handling Requirements

Organizations must create formal handling rules for each data classification level.
Source: “Establish information and asset handling requirements.” [isc2.org]

Handling requirements include:

  • Labeling (physical/digital)
  • Access procedures
  • Transmission rules (secure email, encrypted channels)
  • Storage rules (on‑prem, cloud, encrypted, physical safes)
  • Retention and destruction requirements
    Source: Handling requirements are part of applying classification and lifecycle controls. [isc2.org]

2.3 Provision Information and Assets Securely

Provisioning ensures assets are introduced into the environment in a controlled, secure, and documented manner.
Source: “Provision information and assets securely.” [isc2.org]

✔ Asset Ownership

  • Every asset must have an assigned owner responsible for classification, policy adherence, and authorization decisions.
    Source: “Information and asset ownership.” [isc2.org]

✔ Asset Inventory

  • Organizations must maintain detailed asset inventories, covering tangible and intangible assets.
    Source: “Asset inventory (e.g., tangible, intangible).” [isc2.org]

✔ Asset Management Practices

  • Tracking assets through their lifecycle
  • Ensuring provisioning follows policy
  • Maintaining an accurate system of record
    Source: “Asset management.” [isc2.org]

2.4 Manage the Data Lifecycle

Data moves through distinct phases from creation to destruction, each requiring security controls.
Source: “Manage data lifecycle.” [isc2.org]

The lifecycle activities explicitly listed in the outline:

  • Data roles: owners, controllers, custodians, processors, users/subjects. [isc2.org]
  • Data collection: collecting only what there is a lawful basis and a business need for (data minimization). [isc2.org]
  • Data location: knowing geographical and logical data placement. [isc2.org]
  • Data maintenance: ensuring accuracy, completeness, and secure storage. [isc2.org]
  • Data retention: storing information for the correct period based on business and regulatory requirements. [isc2.org]
  • Data remanence: residual data that persists on storage media after files are deleted or the media is formatted; defeating it requires a sanitization method matched to the media type. [isc2.org]
  • Data destruction: final stage; must follow approved destruction methods (physical shredding; degaussing, which only works on magnetic media and does nothing for SSDs or flash; crypto‑shredding, which destroys the encryption key so that every copy of the ciphertext becomes unrecoverable). [isc2.org]
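Crypto‑shredding, the last destruction method listed above, is the one lifecycle control that can be shown end to end in code. The following Go program is an added example written for this page; it is not part of the (ISC)² outline or any study resource. It assumes an in‑memory map standing in for an HSM or KMS, and the record name "customer-42" and its contents are constructed samples. Each record is encrypted under its own AES‑256‑GCM key; destruction consists of zeroising and deleting that key while the ciphertext stays exactly where it was.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one stored object: its ciphertext plus the id of the key that protects it.
// The key lives in a separate store so it can be destroyed independently of every
// copy of the ciphertext (primary storage, backups, remanent sectors).
type Record struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore maps a key id to its 256-bit AES data-encryption key. Assumption: it stands
// in for an HSM or KMS; a real deployment would not keep keys in process memory.
type KeyStore map[string][]byte

// ErrKeyDestroyed is returned when a record's key has been shredded.
var ErrKeyDestroyed = errors.New("key destroyed: ciphertext is unrecoverable")

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal generates a fresh key under keyID, registers it in ks and encrypts plaintext
// with AES-256-GCM. keyID is bound as associated data so a record cannot be silently
// re-pointed at a different key.
func Seal(ks KeyStore, keyID string, plaintext []byte) (Record, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Record{}, err
	}
	gcm, err := aeadFor(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ks[keyID] = key
	ct := gcm.Seal(nil, nonce, plaintext, []byte(keyID))
	return Record{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record. It fails with ErrKeyDestroyed once the key is gone,
// even though the ciphertext is still fully intact.
func Open(ks KeyStore, r Record) ([]byte, error) {
	key, ok := ks[r.KeyID]
	if !ok {
		return nil, ErrKeyDestroyed
	}
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.KeyID))
}

// Shred is the destruction step: zeroise the key material, then remove the entry.
// No ciphertext is touched; destroying 32 bytes of key renders every copy of the
// data unrecoverable wherever it resides, which is what makes this sanitization
// method work on media that cannot be reliably overwritten or degaussed.
func Shred(ks KeyStore, keyID string) {
	if key, ok := ks[keyID]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(ks, keyID)
	}
}

func main() {
	ks := KeyStore{}
	// Constructed sample record; "customer-42" is a hypothetical key id.
	rec, err := Seal(ks, "customer-42", []byte("account notes for customer 42"))
	if err != nil {
		panic(err)
	}
	pt, _ := Open(ks, rec)
	fmt.Printf("before shred: %s\n", pt)
	Shred(ks, "customer-42")
	_, err = Open(ks, rec)
	fmt.Printf("after shred: %v (ciphertext bytes still present: %d)\n", err, len(rec.Ciphertext))
}
```

The practical caveats are the ones the key store hides: the method only covers data that was encrypted under the key from the start, and the destruction has to be done in every key backup and escrow as well, or the shred is not a shred.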

2.5 Ensure Appropriate Asset Retention (End‑of‑Life / End‑of‑Support)

Retention and disposal rules apply to hardware, software, and data.
Source: “Ensure appropriate asset retention (e.g., End of Life (EOL), End of Support).” [isc2.org]

Key tasks include:

  • Identifying when an asset reaches EOL or EOS
  • Migrating data from unsupported systems
  • Ensuring secure decommissioning
  • Preventing use of unpatched, unsupported software/hardware
    Source: Explicitly included in the EOL/EOS retention requirement. [isc2.org]

2.6 Determine Data Security Controls and Compliance Requirements

Controls must be chosen based on:

  • The data state (in use, in transit, or at rest)
  • Compliance obligations
  • Risk level and classification
    Source: “Determine data security controls… Data states (e.g., in use, in transit, at rest).” [isc2.org]

✔ Scoping and Tailoring

Scoping selects which controls from a baseline apply at all, based on the system's boundaries and the data it handles; tailoring then adjusts the selected controls (parameters, compensating controls, exceptions) to the system's actual risk and environment.
Source: “Scoping and tailoring.” [isc2.org]

✔ Standards Selection

Choosing standards for:

  • Encryption
  • Storage
  • Transmission
  • Data handling
    Source: “Standards selection.” [isc2.org]

✔ Data Protection Methods

Organizations apply technologies including:

  • DRM (Digital Rights Management) to enforce usage restrictions on documents and media
  • DLP (Data Loss Prevention) to prevent unauthorized exfiltration
  • CASB (Cloud Access Security Broker) to enforce cloud governance and data policies
    Source: “Data protection methods (e.g., DRM, DLP, CASB).” [isc2.org]
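Of the three methods listed, DLP is the one whose core mechanism, content inspection, can be shown in working code. The following Go program is an added example written for this page, not code from any DLP product or from the (ISC)² outline. It scans the lines of an outbound message for primary account numbers: a loose pattern finds 13 to 19 digit runs, and a Luhn checksum confirms which candidates are real card numbers, so that order and reference numbers do not trigger a block. The message lines are constructed samples and the output format is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// panPattern finds 13 to 19 digit runs, optionally separated by single spaces or
// dashes: the candidate shape of a primary account number (PAN). It is deliberately
// loose; the Luhn check below is what turns a candidate into a finding.
var panPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid reports whether a digit string satisfies the Luhn checksum, which every
// real PAN does and most order numbers, invoice ids and phone numbers do not.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Finding is one confirmed PAN: where it was seen and a masked rendering for the
// alert, so the DLP log itself does not become another copy of cardholder data.
type Finding struct {
	Line   int
	Masked string
}

func mask(digits string) string {
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// ScanOutbound inspects the lines of an outbound message and returns every Luhn-valid
// PAN. Candidates that fail Luhn are dropped, which is how the scanner avoids blocking
// every message that happens to contain a 16-digit reference number.
func ScanOutbound(lines []string) []Finding {
	var findings []Finding
	sep := strings.NewReplacer(" ", "", "-", "")
	for i, line := range lines {
		for _, cand := range panPattern.FindAllString(line, -1) {
			digits := sep.Replace(cand)
			if luhnValid(digits) {
				findings = append(findings, Finding{Line: i + 1, Masked: mask(digits)})
			}
		}
	}
	return findings
}

// sampleLines is a constructed outbound e-mail body, not real traffic.
var sampleLines = []string{
	"Order 1234 5678 9012 3456 has shipped to the customer",   // 16 digits, fails Luhn: not a PAN
	"Please charge card 4111-1111-1111-1111 for the balance",  // Luhn-valid test PAN
	"Meeting notes: Q3 roadmap review at 10:00",               // clean
}

func main() {
	findings := ScanOutbound(sampleLines)
	if len(findings) == 0 {
		fmt.Println("ALLOW: no cardholder data found")
		return
	}
	for _, f := range findings {
		fmt.Printf("BLOCK: PAN %s on line %d\n", f.Masked, f.Line)
	}
}
```

A production DLP engine layers more on top of this (classification labels, fingerprints of known documents, file‑type parsing, encrypted‑channel interception), but the trade‑off shown here is the one that decides whether a policy is usable: pattern matching alone floods the SOC with false positives, and the validation step is what makes a block decision defensible.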