Common Body of Knowledge (CBK)

What is the Common Body of Knowledge (CBK)?

In security, the Common Body of Knowledge (CBK) is a comprehensive framework of all the relevant subjects a security professional should be familiar with, including skills, techniques and best practices. The CBK is organized by domain and is annually gathered and updated by (ISC)2 (International Information Systems Security Certification Consortium) to reflect the most relevant topics within the industry.

(ISC)2 uses the CBK domains to test a certificate candidate's levels of expertise in the most critical aspects of infosec. The Certified Information Systems Security Professional (CISSP) certification exam covers the CBK domains: security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security.

CISSP CBK domains

The eight CISSP domains are the following:

  1. Security and Risk Management. This domain deals with risk management concepts, threat modeling, the security model, security governance principles, business continuity requirements, and policies and procedures.
  2. Asset Security. This domain contains topics that involve data management and standards, longevity and use, how to ensure appropriate retention and how data security controls are determined.
  3. Security Engineering. This domain tests a candidate on security engineering processes, models and design principles, including database security, cryptography systems, clouds and vulnerabilities.
  4. Communications and Network Security. This domain includes network security and the creation of secure communication channels, such as secure network architecture design and components including access control, transmission media and communication hardware.
  5. Identity and Access Management. This domain focuses on system access, authorization, identification and authentication, including access control and multifactor authentication.
  6. Security Assessment and Testing. This domain covers the tools needed to find vulnerabilities, bugs and errors in code and system security, as well as vulnerability assessment, penetration testing and disaster recovery.
  7. Security Operations. This domain deals with digital forensic and investigations, detection tools, firewalls and sandboxing, as well as incident management.
  8. Software Development Security. This domain contains information on how to build and integrate security into the software development lifecycle.
Graphic showing the weights of the CISSP CBK domains
The eight CISSP CBK domains aren't equally weighted on the exam.

How to study for the CISSP exam

The CISSP certification exam covers all eight CISSP domains. CISSP CBK test-takers are expected to be familiar with each. The use of learning materials is encouraged. Textbooks and practice exams can be found online. The official test website contains a list of CISSP resources available for purchase.

Editor's note: This article was republished in November 2022 to improve the reader experience.

This was last updated in November 2022

Continue Reading About Common Body of Knowledge (CBK)

Dig Deeper on Careers and certifications

Enterprise Desktop
Cloud Computing