reference

The 8 CISSP Domains and Their Exact 2024 Weightings

CISSP is a mile wide, and the eight domains of the Common Body of Knowledge are not weighted equally. The (ISC)2 exam outline effective April 15, 2024 fixes how much of the exam each domain carries, and that weighting should shape your study order. This page walks all eight domains, their exact official weights, what each covers, and how a 125-item practice form distributes questions, so you can prioritize by exam load rather than by the domain you happen to enjoy.

By Junaid Khalid, updated 2026-04-18

Key takeaways

  • CISSP has eight CBK domains, weighted from 16% down to 10%.
  • Security and Risk Management (16%) is the single largest domain.
  • Asset Security and Software Development Security are the lightest at 10% each.
  • The exam is adaptive, so weightings describe the target distribution, not a fixed count.
  • CISSP rewards management judgment over the sharpest technical fix.
  • Study in weight order and lead with Security and Risk Management.

The eight CISSP domains at official weight

The (ISC)2 CISSP Exam Outline effective April 15, 2024 sets the domain weighting below. Since the exam is delivered as Computerized Adaptive Testing, these percentages describe the target distribution across the item bank rather than a fixed count on your specific form. The question column shows roughly how a full 125-item practice form allocates items when you apply the official weighting.

  • Security and Risk Management: 16% (about 20 questions on a 125-item form).
  • Asset Security: 10% (about 13 questions).
  • Security Architecture and Engineering: 13% (about 16 questions).
  • Communication and Network Security: 13% (about 16 questions).
  • Identity and Access Management: 13% (about 16 questions).
  • Security Assessment and Testing: 12% (about 15 questions).
  • Security Operations: 13% (about 16 questions).
  • Software Development Security: 10% (about 13 questions).

Security and Risk Management (16%)

The largest domain and the intellectual spine of the exam. It covers security governance, compliance and legal issues, professional ethics, risk management concepts, threat modeling, and security awareness. This is where CISSP most clearly rewards the manager mindset over the practitioner one.

Lead your prep here. Because it is the heaviest domain and its risk-and-governance vocabulary recurs across the other seven, points earned here compound.

Asset Security (10%)

One of the two lightest domains by weight, but conceptually central. It covers data classification, ownership, handling requirements, data retention, and protecting data throughout its lifecycle. Expect scenario questions about the correct handling or classification of information given a business context.

At 10% it does not justify heavy time, but the classification and data-lifecycle language shows up in other domains, so learn it well enough to recognize it anywhere.

Security Architecture and Engineering (13%)

The most technical domain in feel. It covers secure design principles, security models, cryptography, and the engineering of secure systems and facilities. Questions here reward understanding why a control or model fits a stated security goal, not just naming it.

At 13% it is a solid middle-tier domain. If your background is engineering-heavy this is comfortable ground; if it is not, budget extra time for the cryptography and secure-design concepts.

Communication and Network Security (13%)

Covers secure network architecture, the OSI and TCP/IP models, secure protocols such as TLS, IPsec, and SSH, segmentation, wireless security, and network attacks and defenses. It is technical, but framed at the design and assurance level rather than the hands-on configuration level.

At 13% it carries real weight. Focus on why a given network control or protocol is the right answer for the scenario, which is the axis CISSP grades on.

Identity and Access Management (13%)

Covers identification, authentication, authorization, and accountability, multi-factor authentication, access control models such as DAC, MAC, RBAC, and ABAC, single sign-on and federation, the identity lifecycle, and privileged access management. IAM is a recurring exam theme because it touches almost every other domain.

At 13% it deserves focused attention. Practice reasoning about the identity lifecycle and access-control models, since these frequently anchor best-answer questions.

Security Assessment and Testing (12%)

Covers assessment and test strategies, security control testing, collecting security process data, and analyzing and reporting test results. It is the "how do we know our controls work" domain, and it rewards understanding assurance over specific tools.

At 12% it is a mid-tier domain. Learn the difference between assessment types and when each is appropriate, since that distinction drives the correct answers here.

Security Operations (13%)

Covers investigations, logging and monitoring, incident management, disaster recovery, business continuity, and the ongoing operation of security controls. It overlaps in feel with the Security+ operations domain but is framed at the management and assurance level.

At 13% it is a meaningful slice. Incident management and business continuity reasoning appear often, so practice ranking response actions in the order CISSP expects.

Software Development Security (10%)

The other lightest domain at 10%. It covers security in the software development lifecycle, secure coding practices, and assessing the security of acquired and developed software. Even non-developers need to recognize where security fits into the development process.

At 10% it does not demand deep coding knowledge, but you should be comfortable placing security controls at the right stage of the development lifecycle.

How the weighting should shape your study plan

Study in weight order and lead with Security and Risk Management, the largest and most cross-cutting domain. The four 13% domains form the next tier, followed by Security Assessment and Testing at 12%, and finally the two 10% domains. That order roughly matches where the exam spends its points.

Remember the exam is adaptive: it adjusts difficulty as you go and reports a pass or fail against a scaled 700 out of 1000, with no numeric score to the candidate. The weightings describe the target distribution of the item bank, so treat them as a study-priority map rather than a promise about your exact form.

The fastest way to convert this map into a personal plan is a timed diagnostic that reports your standing per domain against these official weights, so you know which one or two domains to attack first.

FAQs

See your standing across all eight domains

Take a free timed CISSP practice test and get an instant per-domain breakdown against the official weightings.

Take a free test