The CISSP is often described as a certification, but I’ve come to see it as something more than that. For me, it represents a map of the security landscape: a way of organising the discipline into concepts, responsibilities, and mental models that help make sense of a world that is constantly shifting beneath our feet. I’m not CISSP-certified — at least not yet — and I don’t approach this series as an examiner or an authority. I’m writing these articles as someone who works in cybersecurity every day, trying to deepen my own understanding of the field, and perhaps offer that exploration to others who might be on a similar path.
The eight domains of the CISSP aren’t simply topics to revise. They’re lenses through which to look at security as a whole. Some of them deal with the strategic: governance, ethics, leadership decisions, and the way organisations weigh risk. Others examine the technical and operational realities: how systems are built, how networks behave, how identity is managed, how incidents unfold, and how software either supports or undermines an entire security posture. What I find valuable about the CISSP framework is not that it turns anyone into a specialist in all of these areas — nobody is. Instead, it encourages breadth. It asks you to see how these disciplines fit together, how they depend on one another, and how decisions made in one place echo across the rest of the organisation.
That is why the certification has persisted for so long. It doesn’t prescribe a single philosophy or best practice. It offers a way of thinking about security that remains relevant even as technologies, regulations, and threats evolve.
The domains themselves each take a different angle on this shared purpose.
They cover the strategic foundations of security — governance, risk, and organisational structure. They focus on the things we protect — data, assets, and the operational environments that support them. They explore architecture, engineering, communication, identity, and the practice of verifying whether our controls actually work. And finally, they bring the focus back to creation: the software development activities that, more and more, define the systems organisations rely upon.
Together, the eight domains reinforce a simple truth: security is multidisciplinary. It is legal, technical, architectural, behavioural, operational, and human. No single perspective is enough.
This series is my attempt to explore each domain in turn — not as an exam guide, and certainly not as a definitive authority, but as a way of engaging more deeply with the discipline I work in every day. Writing is one of the ways I make sense of complex topics. If these articles help someone else gain a clearer understanding of the CISSP domains, or even just spark a moment of reflection, then I’ll consider that a welcome bonus.
But first and foremost, this is a learning journey — mine, shared in case it might be useful on yours.