The Real List of ALL 11 Cyber Security Domains!

How many cyber security domains are there? Even though you hear it used all the time, you may be surprised to read that domains aren’t set in stone.

The problem is, the list is often organization or agency specific, and no standard definition exists. This article breaks down how others interpret the cyber security domains versus what I believe is the best way!

What Are Cyber Security Domains?

Domains are often associated with government agencies or cyber security credentialing organizations. When someone talks about cyber security domains, what they really mean is the area of cybersecurity that’s being referenced.

In other words, a domain is just a fancy way of saying “category” or even cyber security “focus area”.

Cyber Security Domains for Certifying Organizations

For certifying organizations, domains (or categories) help test takers understand what topics an exam will cover. Read the list of examples below to get an idea of how each organization classifies their cyber security domains.

Various organizations and frameworks define the domains of cybersecurity differently, but one of the most widely recognized frameworks is that defined by the CISSP certification, created by ISC2.

The Eight Domains of the CISSP

The exam covers the following eight domains; each is described briefly below:

  • Security and Risk Management: You need to understand professional ethics, the alignment of security functions with business strategies, legal and regulatory issues, security policies, and risk management.
  • Asset Security: Your knowledge should encompass the identification and classification of information and assets, handling requirements, the data lifecycle, and compliance with data security controls.
  • Security Architecture and Engineering: Know about secure architectures, security models, appropriate controls, and vulnerability assessment in various systems, including cloud and IoT devices.
  • Communication and Network Security: Understanding secure network architectures, network component security, and secure communication channels is essential.
  • Identity and Access Management (IAM): Your knowledge should cover access control, identification and authentication processes, authorization mechanisms, and the provisioning lifecycle of identities.
  • Security Assessment and Testing: You need to know about assessment and testing strategies, security control testing, and result analysis, including internal, external, and third-party audits and tests.
  • Security Operations: Your understanding should also extend to operational aspects of security, such as incident management, logging and monitoring, recovery strategies, and physical security.
  • Software Development Security: Be aware of integrating security into the software development lifecycle, applying security controls in development environments, assessing software security effectiveness, and adhering to secure coding standards.

The Seven Domains of the SSCP

If we look at the SSCP certification, also offered by ISC2, there’s a list of seven cyber security domains:

  • Security Operations and Administration: It’s important to understand ethical compliance, grasp key security concepts, know how to implement security controls, and manage assets. Being aware of how to promote security awareness is also crucial.
  • Access Controls: You need to be familiar with authentication methods, understand how to manage trust architectures, the ins and outs of identity management, and the application of various access controls.
  • Risk Identification, Monitoring, and Analysis: You should know the risk management processes, the legal and regulatory aspects of security, how to conduct security assessments, and the methods for analyzing security monitoring.
  • Incident Response and Recovery: Knowledge of supporting the incident response lifecycle, conducting forensic investigations, and understanding business continuity and disaster recovery plans is essential.
  • Cryptography: It’s important to understand cryptography principles and protocols, and be knowledgeable about public key infrastructure management.
  • Network and Communication Security: Similar to what’s needed for the CISSP, you need a good grasp of networking concepts, how to manage network access and security, operate network security devices, and secure wireless communications.
  • Systems and Application Security: Knowing how to analyze malicious activities, manage endpoint and mobile device security, understand cloud security, and maintain secure virtual environments is key.

The Five Domains of the CISA

The CISA certification from ISACA, a very common certification for security auditing, lists the following five domains:

  • Information Systems Auditing Process
  • Governance and Management of IT
  • Information Systems Acquisition, Development, and Implementation
  • Information Systems Operations and Business Resilience
  • Protection of Information Assets


GIAC, the SANS-affiliated body that issues the GSEC certification, groups that exam into eight domains:

  • Active Defense
  • Cryptography
  • Defensible Network Architecture
  • Incident Handling and Response
  • Linux Security
  • Security Policy
  • Web Communication Security
  • Windows Security

As you can see, different certifying organizations categorize cyber security domains according to the topics covered in their certification exams.

Cybersecurity Focus Areas for Agencies

The US Department of Energy, which helped to develop the Cybersecurity Capability Maturity Model (C2M2) through public and private partnerships, has decided upon the following 10 domains:

  • Asset, Change, and Configuration Management (ASSET)
  • Threat and Vulnerability Management (THREAT)
  • Risk Management (RISK)
  • Identity and Access Management (ACCESS)
  • Situational Awareness (SITUATION)
  • Event and Incident Response, Continuity of Operations (RESPONSE)
  • Third-Party Risk Management (THIRD-PARTIES)
  • Workforce Management (WORKFORCE)
  • Cybersecurity Architecture (ARCHITECTURE)
  • Cybersecurity Program Management (PROGRAM)

Even the NIST Cybersecurity Framework follows the same idea, in the simplest form of all: its core is organized into five Functions (the CSF 2.0 release of 2024 adds a sixth, Govern):

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Are you starting to get the point yet?

What Are the 11 Domains of Cyber Security?

Let’s look at another popular example by Henry Jiang, creator of The Map of Cybersecurity Domains v3.1 and the most vendor neutral of all the examples. His model lists 11 cyber security domains:

  • Frameworks and Standards
  • Application Security
  • Risk Assessment
  • Enterprise Risk Management
  • Governance
  • Threat Intelligence
  • User Education
  • Security Operations
  • Physical Security
  • Career Development
  • Security Architecture

And though you may not agree, it does do a better job of capturing a more holistic view of cyber security. A brief description of the 11 domains along with the Tier-1 subdomains are referenced below.

1. Frameworks and Standards

Frameworks matter because they give security teams a common template to follow and a structured path toward measurable security outcomes. Not every entry below is a framework in the strict sense (the OWASP Top 10 is an awareness list and MITRE ATT&CK is a knowledge base of adversary tactics and techniques), but the map groups them together as shared reference points.

  • NIST Cybersecurity Framework
  • CIS Top 20 Controls / CIS Benchmarks
  • ISO 27001 / 27017 / 27018
  • OWASP Top 10
  • MITRE ATT&CK Framework

2. Application Security

As Andreas Happe puts it, application security “includes all tasks that (hopefully) introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications.”

  • S-SDLC
  • Security UX
  • Security QA
  • API Security
  • Source Code Scan
  • Data-Flow Diagram

3. Risk Assessment

Risk assessment is the process of identifying threats and vulnerabilities to an organization and its assets, then assessing the likelihood and impact of these threats to the organization. The assessment is used to determine what security controls are necessary to mitigate the impacts of a potential security incident.

  • Vulnerability Scan
  • Assets Inventory
  • 3rd Party Risk
  • Penetration Test
  • Risk Monitoring Services

4. Enterprise Risk Management

Enterprise risk management (ERM) is an organizational activity that assesses, monitors, and manages the risks that threaten an entity. ERM is a process, not a product or service. It must be an integral part of the organizational culture to be effective. ERM involves identifying, assessing, mitigating, and monitoring risks to business continuity, reputation and brand value, operations efficiency and long-term viability.

  • Risk Treatment Actions
  • Risk Acceptance Statement
  • Cyber Insurance
  • Lines of Defense
  • Risk Register
  • Risk Appetite
  • Crisis Management
  • BCP/DR

5. Governance

Governance is the process of making decisions and implementing security policies. It’s about making sure that the right decisions are made at the right time, and that the right policies are in place to mitigate risk more effectively while being cost-effective—and doing so while respecting privacy rights and compliance obligations as well.

  • Laws and Regulations
  • Executive Management Involvement
  • Company Written Policy

6. Threat Intelligence

Threat intelligence is the process of collecting and analyzing data about adversaries, their tooling, and their indicators of compromise. On its own it protects nothing; it becomes useful when fed into other controls, for example as indicator lists matched in a SIEM, block lists on network devices, or hypotheses for threat hunting. The map splits it into external intelligence (feeds and sharing communities outside the organization) and internal intelligence (what your own incidents and telemetry reveal).

  • External
  • Internal

7. User Education

Another key element of the cyber security domains is user education. It’s a part of the security lifecycle, and it’s all about getting people to understand the importance of security.

  • Training
  • Awareness
  • Cyber Security Table-Top Exercises

8. Security Operations

Security operations is the function that keeps systems running and secure: monitoring them for incidents and responding when one occurs. The team also maintains security processes and tooling, keeps the technology current and working, and tracks and drives remediation of known vulnerabilities. Security operations staff need a working knowledge of the whole cybersecurity program, from policy to technology, so they can respond quickly when an attack occurs or a vulnerability must be patched.

  • Vulnerability Management
  • Active Defense
  • Incident Response
  • Security Operation Centers
  • SIEM
  • Threat Hunting
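As an added example (not from this page and not part of Henry Jiang's map), the following Python block shows the kind of detection logic that ties the Threat Intelligence domain (section 6) to the SIEM and threat-hunting work of Security Operations: it parses constructed SSH authentication log lines, raises a brute-force alert when five failures from one source fall within a 60-second window, escalates if a successful login from that source follows, and separately matches source addresses against a constructed indicator feed. The log format, the feed contents, the thresholds, the ATT&CK tag and the alert field names are all assumptions chosen for illustration.

```python
"""SIEM-style correlation over constructed auth logs: brute-force window + IOC match."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines (syslog-like sshd output; not captured from a real host).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-05-01T10:00:03Z sshd[101]: Failed password for root from 203.0.113.7 port 51235 ssh2
2024-05-01T10:00:04Z sshd[101]: Failed password for root from 203.0.113.7 port 51236 ssh2
2024-05-01T10:00:06Z sshd[101]: Failed password for root from 203.0.113.7 port 51237 ssh2
2024-05-01T10:00:07Z sshd[101]: Failed password for root from 203.0.113.7 port 51238 ssh2
2024-05-01T10:00:09Z sshd[101]: Accepted password for root from 203.0.113.7 port 51239 ssh2
2024-05-01T10:05:00Z sshd[102]: Failed password for alice from 198.51.100.5 port 40000 ssh2
2024-05-01T10:20:00Z sshd[103]: Accepted publickey for bob from 192.0.2.10 port 40001 ssh2
2024-05-01T10:21:00Z sshd[104]: Accepted publickey for carol from 198.51.100.77 port 40002 ssh2
"""

# Constructed "external" indicator feed: a set of source IPs reported as malicious (assumed format).
IOC_FEED = {"198.51.100.77", "203.0.113.200"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count unparsed lines as a data-quality metric
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Sliding window per source IP: alert once when `threshold` failures land inside
    `window_s` seconds, and raise a higher-severity alert if that source then succeeds."""
    alerts = []
    fails = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()             # sources already alerted on, to avoid duplicate alerts
    for e in sorted(events, key=lambda x: x["ts"]):
        q = fails[e["src"]]
        if e["outcome"] == "Failed":
            q.append(e["ts"])
            while q and (e["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and e["src"] not in flagged:
                flagged.add(e["src"])
                alerts.append({"rule": "bruteforce", "technique": "T1110",  # ATT&CK: Brute Force
                               "src": e["src"], "count": len(q), "severity": "medium"})
        elif e["outcome"] == "Accepted" and e["src"] in flagged:
            alerts.append({"rule": "bruteforce_success", "technique": "T1110",
                           "src": e["src"], "user": e["user"], "severity": "high"})
    return alerts


def detect_ioc(events, feed):
    """Threat-intel enrichment: flag the first event from any source present in the feed."""
    seen, alerts = set(), []
    for e in events:
        if e["src"] in feed and e["src"] not in seen:
            seen.add(e["src"])
            alerts.append({"rule": "ioc_match", "src": e["src"], "user": e["user"],
                           "outcome": e["outcome"], "severity": "high"})
    return alerts


def run(log_text=SAMPLE_LOGS, feed=IOC_FEED):
    """Run both rules over the same parsed events and return the combined alert list."""
    events = parse(log_text)
    return detect_bruteforce(events) + detect_ioc(events, feed)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data this yields three alerts: a medium brute-force alert for 203.0.113.7 after its fifth failure, a high-severity escalation when the same source then logs in as root, and an IOC match for 198.51.100.77 even though that login succeeded with a key, which is exactly the case a pure failure-count rule would miss.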

9. Physical Security

Physical security is a broad category covering the controls that prevent unauthorized physical access to facilities, equipment, and the people in them: locks, badges, guards, cameras, and environmental protections.

  • IoT Security

10. Career Development

As strange as it may sound, career development is also listed as a cyber security domain. Demand for qualified professionals outstrips supply, and building the education, skills, and experience needed to meet it is treated here as a domain in its own right.

  • Certifications
  • Conferences
  • Self-Study
  • Peer Groups
  • Coaches and Role Models
  • Training

11. Security Architecture

Security architecture is the design of an organization's security controls and strategy, and it is quite broad in scope. These are the security-related categories that must be addressed when designing a system's or application's architecture.

  • Network Design
  • Secure System Build
  • Cryptography
  • Security Engineering
  • Access Control
  • Cloud Security
  • Container Security
  • Endpoint Hygiene
  • Data Protection

Cybersecurity Domains: The Big Picture

Here is how all the cybersecurity domains look when brought together in one layout.

The Map of Cyber Security Domains
The Map of Cyber Security Domains v3.1 (by Henry Jiang)

As you can see, it doesn’t matter if you call them cyber security focus areas, categories, tiers, or domains, they all mean the same thing.

So, the next time you hear anyone speaking about cyber security domains, just make sure you understand the context behind the discussion.
