CISSP Domain 6

CISSP Domain 6 covers topics that focus on evaluating an organization’s security posture and testing the organization’s security controls and systems. This domain covers vulnerability assessment, penetration testing, and security testing methods.

It helps analyze methods and instruments used to identify system flaws, weaknesses, and possible problems that security protocols and rules do not cover. This domain includes ethical disclosure and attack simulations.

The test will check candidates for vulnerability analysis and penetration testing. Compliance checks are also included.

It includes 12% of exam questions.

The objectives of this domain are:

  1. Create and verify assessment, testing, and auditing procedures
  2. Test security control procedures
  3. Gather data about security procedures (technical and administrative)
  4. Examine test results and produce a report
  5. Carry out or assist with security audits 

Important Domain 6 Concepts
In terms of types of assessments, we have two primary categories that you’ll need to be aware of:

Formal assessments are evaluations against a compliance standard, which includes regulatory and other legal requirements.

Informal assessments are done to provide insight, but they’re basically done the same way.  They might be done by an internal group, or in an informal setting, but the objective is what matters here – which is purely to gain insight.  An informal assessment might be done before a formal assessment as a preparatory exercise. 

There is also mention of “No-notice” assessments, which simply means that the situation being evaluated has no forewarning of the evaluation (e.g. spot check, desk audit).  A no-notice assessment isn’t really a ‘type’ of assessment, it’s basically a surprise audit, or an informal assessment where notice isn’t given.  It can likely fit into a subcategory, or type of informal assessment. 

Internal assessments are done for the purpose of seeing if controls meet risk expectations or to see if there are ways to improve efficiency of operations, and how well an organization is prepared for an external or formal audit.  An internal assessment might follow a formal process, but is most likely considered informal by nature. 

Audit Strategies

Frequency is based on risk. Overall risk must be sufficient to justify the time, energy, and cost. Asset value and threats are only part of risk.

  • Internal – an internal audit strategy should be in step with daily operations. This also includes compliance initiatives as well as security of normal business operations.
  • External – an external audit strategy should complement the internal strategy, providing further proof that your initiatives are actually working.
  • Third-party – third-party auditing provides another set of eyes for whatever needs to be tested within your enterprise. This type of audit can also review internal and external audits.

Key elements of an audit report:

  • Purpose
  • Scope
  • Results of the audit

Audit Events

  • Security health checks from IT staff.
  • Certified law enforcement personnel investigating criminal activity.

Security Process Data

  • Review policies and procedures regularly to ensure they are not only being followed, but capable of being followed. Also, are there new risks?
  • Account management involves a defined procedure for maintaining accounts. Account management reviews ensure that users retain only authorized permissions and perform only allowed actions, and that they are restricted from unauthorized access and modifications.
  • Management review and approval makes sure processes are followed. After adequate supporting evidence is collected, it secures the full support of the management team.
  • Key performance and risk indicators – Key performance and risk indicators are measurements of key activities in an information security program. These indicators help management understand how well the security program and its components are performing.  The performance indicators can be used to capture and report on levels of success.
  • Backup verification data is a must when dealing with backups. Organizations deal with huge amounts of data which need protection for a variety of reasons such as Disaster Recovery (DR). If a disaster strikes, the organization will reach a point where it will need to recover existing backups prepared before the disaster. Organizations should periodically inspect the results of backups to verify that the processed functions effectively meet the organization’s data protection needs.  If you can’t restore your backups, you are wasting time and resources. Integrity must be checked.
  • Training and Awareness – Organizations need to have training programs for their staff to increase their awareness. If this is done properly, then personnel at all levels of the organization can understand how to respond to new threats and vulnerabilities.
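As an added example of the backup verification item above (not code from the original notes; all function names and the sample files are constructed), this Python script records a SHA-256 manifest of the source data at backup time and then checks a test restore against it, reporting files that are missing or whose contents no longer match:

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large backup sets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Record relative path -> SHA-256 for every file under root at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_restore(restored_root, manifest):
    """Compare a test restore to the manifest; any missing or altered file fails the check."""
    missing = [rel for rel in manifest if not os.path.isfile(os.path.join(restored_root, rel))]
    corrupted = [rel for rel in manifest if rel not in missing
                 and sha256_file(os.path.join(restored_root, rel)) != manifest[rel]]
    return {"ok": not missing and not corrupted,
            "missing": sorted(missing), "corrupted": sorted(corrupted)}

def demo():
    """Constructed sample: three files are backed up; the restore loses one and truncates another."""
    files = {"payroll.csv": b"id,amount\n1,100\n",
             "db.ini": b"[db]\nhost=localhost\n",
             "notes.txt": b"ok\n"}
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = os.path.join(tmp, "source"), os.path.join(tmp, "restored")
        os.makedirs(src)
        os.makedirs(restored)
        for name, data in files.items():
            with open(os.path.join(src, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)
        # Simulated restore: payroll.csv intact, db.ini truncated, notes.txt never restored.
        with open(os.path.join(restored, "payroll.csv"), "wb") as f:
            f.write(files["payroll.csv"])
        with open(os.path.join(restored, "db.ini"), "wb") as f:
            f.write(files["db.ini"][:5])
        return verify_restore(restored, manifest)
```

Storing the manifest separately from the backup media (and protecting it from modification) is what makes the integrity check meaningful; a manifest kept only alongside the backup can be altered together with it.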

Analyse Test Output and Generate Report

Security controls, vulnerability scans, penetration tests, and audits—all these activities generate a significant amount of data. Perhaps a few gifted people can review the raw data and draw salient conclusions, but most people need the data presented to them in a meaningful way. 

SOC Reports

Service Organizational Control reports (SOC) audits and report types are much more important than they used to be. Not only will questions appear on the exam, but ISC2 has beefed up the Common Body of Knowledge with more information on this topic, so let’s dive in with some mnemonics and try to break this down as simply as possible.

Any information of concern must be reported to management teams immediately.

Level of detail within reports can vary depending on roles.

Types of audits necessary can also shape how reports should be used. There are four types of SOC reports:

  • SOC 1 Type 1 – report outlines the findings of an audit, as well as the completeness and accuracy of the documented controls, systems, and facilities.
  • SOC 1 Type 2 – report includes the Type 1 report, along with information about the effectiveness of the procedures and controls in place for the immediate future.
  • SOC 2 – report includes the testing results of an audit.
  • SOC 3 – report outlines general audit results with a datacenter certification level.

Preparing for the SOC audit:

There are two phases in preparing for the SOC audit. If you need a mnemonic to memorize the sub phases, use the following: phase 1: SSIRR, phase 2: DAAWM CTO IALR

For context of this mnemonic, pretend you are in charge of collecting evidence for a case that implied that the CTO had committed fraud.  As you’re talking to your CIO, you say the following: “Sir, the damn CTO is a liar!”   And you’ll spell it SSIRR, DAAWM CTO IALR , so be sure to write this down on your memorization sheet.

Phase one is the preparations phase.  During the preparations phase, you would expect to see activities like,

  • Schedule preparation.
  • Scope for the audit, which would include success criteria for the audit overall.
  • Inventory of controls based on the scope.
  • Readiness review (gap analysis)
  • Resolve any discrepancies identified during the gap analysis.

As you can see, this is the “SSIRR” part of the mnemonic, except that we spell “SIR” with two S’s and two R’s.  

Phase two: audit phase.

The activities in the audit phase are as follows:

  • Detailed project plan for the audit. – this might seem like it should be part of planning in phase one, but actually this is referring to specific activities that will be done for the audit.  
  • Artifacts – gather all required data artifacts in advance. – this might also seem like it should be part of preparation phase, but this is typically done when the auditor requests the documents, or provides a list of documents that could be looked at while on site, so technically it’s part of the audit phase.
  • Access (physical) – providing facilities access is another step.
  • Work space – providing work spaces so the auditors can work.
  • Meeting areas – reserving areas for on site discussions with subject matter experts.
  • Conducting meetings with experts and auditors.
  • Testing and providing resulting artifacts and evidence to auditors. 
  • Offsite analysis of the artifacts collected or generated during the audit. 
  • Issue resolution – resolving any issues or impediments to audit completion in a timely, collaborative manner.
  • Audit reports – providing them to management for review.
  • Lessons learned – the post-audit internal review.
  • Recommendations for management to consider for the next audit cycle.
