CISSP Mastery · Module 7 / 8

Domain 7: Security Operations

The heartbeat of security: Incident response, investigations, and continuous monitoring.

At a glance: exam weight 13% · IR lifecycle per NIST · domain 7 of 8 · SOC focus: run and improve


Why Domain 7 is where controls earn their keep

Incidents are inevitable; chaos is optional. Domain 7 ties detection to disciplined response, trustworthy evidence, sustainable patching, and rehearsed continuity so the organization survives bad days with its reputation intact.

Domain 7 is the SOC heartbeat: detect abnormal conditions, execute IR with defensible evidence, sustain secure baselines through change, and rehearse continuity when systems or sites fail. It closes the loop with Domain 6 (how you test) and Domain 8 (how developers ship safely).

  • IR is a program, not a hero shift

    Preparation and post-incident activity bookend the technical phases — the exam rewards lifecycle thinking over ad-hoc firefighting.

  • Forensics is custody, not cool tools

    Hashing, write-blockers, and documented handoffs matter more than the brand of your imaging laptop.

  • Patch + config = moving baseline

    Change windows, rollback plans, and drift detection keep production aligned with the hardened build you thought you deployed.

  • DR ≠ BCP

    DR restores IT services; BCP keeps the business alive when facilities, suppliers, or people are unavailable — know which plan answers which scenario.

Module 1 · Incident response

The NIST incident response lifecycle

NIST SP 800-61 (Rev. 2) structures response as a closed loop of four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. This module splits the third phase into its three steps, which gives the six stages below. Preparation and post-incident work are where mature teams outrun immature ones. The exam often tests ordering (contain before you eradicate, eradicate before you recover) and evidence discipline during analysis.

  • Preparation

    IR policy, severity models, comms trees, forensic kit, legal retainers, and tabletops before the first compromise.

  • Detection & Analysis

    Correlate SIEM/SOAR alerts with business context; scope blast radius; open a ticket with time-stamped evidence decisions.

  • Containment

    Short-term isolation to stop bleeding, then strategic containment that preserves evidence and keeps minimum viable services alive.

  • Eradication

    Remove root cause and persistence: rebuild trusted images, revoke secrets, patch exploited flaws, validate with fresh scans.

  • Recovery

    Phased return to production, enhanced monitoring, rollback triggers, and explicit sign-off when normal risk posture resumes.

  • Post-Incident Activity

    Hotwash, metrics, RCA, control changes, and regulatory notifications — feed lessons back into preparation.

Diagram (NIST incident response lifecycle): the same six stages drawn as a continuous loop, Preparation → Detection & Analysis → Containment → Eradication → Recovery → Post-Incident Activity, with post-incident activity feeding the next preparation cycle. Each stage is annotated with its SOC focus and an exam cue.

Module 2 · Investigations

Evidence handling, chain of custody & forensic basics

CISSP is not a lab certification, but it expects you to defend admissibility: if you cannot explain custody and integrity, your findings never survive legal or regulatory scrutiny.

  • Evidence identification & collection

    Scope what is volatile (memory, connections) vs stable (disk images). Use write-blockers, document who touched what, and minimize analyst-induced changes.

  • Chain of custody

    A signed, unbroken trail from collection to courtroom: hashes, sealed media, transfer forms, and secure storage with access logs.

  • Forensic soundness

    Repeatable methods, clock synchronization, integrity verification (SHA-256), and working copies — never analyze the only original.

Module 3 · Patch & configuration management

Maintaining the security baseline & secure deployment

Operations owns the moving target: every deployment is a chance to regress hardening. Patch and configuration programs align engineering velocity with measurable control posture.

  • Patch lifecycle

    Source → test → approve → deploy → verify. Emergency lanes exist, but bypassing QA requires documented risk acceptance and rollback.

  • Secure configuration baseline

    CIS benchmarks, STIGs, or cloud guardrails baked into images; drift detection on servers, Kubernetes, and SaaS admin consoles.

  • Change & release integrity

    Segregation of duties between build and deploy, signed artifacts, and immutable infrastructure patterns reduce tampering between scan and production.
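One way to implement the drift detection mentioned under the secure configuration baseline, as an added example that is not from the course page: a small checker parses a running `sshd_config` and reports every baseline directive that is absent or set to the wrong value. The baseline values are hardening choices picked for illustration, not a verbatim CIS Benchmark or STIG, and the running config is a constructed sample.

```python
"""Added example, not from the course page: detect drift between a hardened
baseline and a running sshd_config. The baseline values are illustrative
hardening choices, not a verbatim CIS Benchmark or STIG; the running config
is a constructed sample."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Baseline: directive -> required value (assumed values for illustration).
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed running config: one directive flipped, one raised, two commented out or absent.
RUNNING_CONFIG = """\
# sshd_config on web-01 (constructed sample)
Port 22
permitrootlogin yes
PasswordAuthentication no
#X11Forwarding no
MaxAuthTries 6
MaxAuthTries 4
"""


@dataclass
class Drift:
    directive: str
    expected: str
    actual: Optional[str]  # None: directive absent, so the daemon default applies

    @property
    def kind(self) -> str:
        return "missing" if self.actual is None else "mismatch"


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines, skipping blanks and comments.
    Keywords are matched case-insensitively and, as sshd does, the first
    occurrence of a keyword wins, so the later 'MaxAuthTries 4' does not
    override the earlier 'MaxAuthTries 6'."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(keyword, value)
    return settings


def detect_drift(baseline: Dict[str, str], running_text: str) -> List[Drift]:
    """Return every baseline directive that is absent or carries the wrong value."""
    running = parse_sshd_config(running_text)
    drifts: List[Drift] = []
    for directive, expected in baseline.items():
        actual = running.get(directive.lower())
        if actual is None or actual.lower() != expected.lower():
            drifts.append(Drift(directive, expected, actual))
    return drifts


if __name__ == "__main__":
    for d in detect_drift(BASELINE, RUNNING_CONFIG):
        print(f"{d.kind:8} {d.directive}: expected {d.expected!r}, got {d.actual!r}")
```

Absent directives are reported separately from wrong ones because a missing line means the daemon default is in effect, which may or may not match the baseline. In production, feed the checker the output of `sshd -T` (the effective configuration after defaults and Match blocks) rather than the raw file, and run it on a schedule so drift introduced between releases is caught, not only drift present at deploy time.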

Module 4 · Disaster recovery & business continuity

DRP strategies, BCP, and testing discipline

DR focuses on restoring IT systems and data (sites, backups, replication tiers). BCP keeps critical business processes running when people, buildings, or suppliers fail — often with manual workarounds while technology catches up.

Disaster recovery (DR)

  • Recovery strategies

    Cold / warm / hot sites, cloud cross-region pairs, backup immutability, and RTO/RPO contracts that finance understands.

  • Testing & rehearsal

    Tabletop → parallel → full cutover tests with scoped blast radius; document failures as backlog items, not shame files.
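A worked check of the RTO/RPO targets above, as an added example that is not part of the course page: achieved RPO is measured from the last successful backup before the outage (a failed run does not move the recovery point), achieved RTO from the outage start to the moment each system was back, and both are compared with the system's tier target. The tier targets, system names, backup log lines and timestamps are constructed assumptions.

```python
"""Added example, not from the course page: measure achieved RPO and RTO
from backup and restore records and compare them with tier targets. The tier
targets, system names, log lines and timestamps are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Assumed tier targets; in practice the BIA sets these.
TIER_TARGETS = {
    "tier1": {"rpo": timedelta(minutes=15), "rto": timedelta(hours=1)},
    "tier2": {"rpo": timedelta(hours=4), "rto": timedelta(hours=8)},
}
SYSTEM_TIER = {"erp-db": "tier1", "wiki": "tier2", "build-cache": "tier2"}

# Constructed backup log: "<finished> <system> <status>". Only OK runs count
# toward RPO; a FAILED run leaves the previous good copy as the recovery point.
BACKUP_LOG = """\
2024-03-10T00:00:00Z erp-db OK
2024-03-10T00:15:00Z erp-db OK
2024-03-10T00:30:00Z erp-db FAILED
2024-03-10T00:45:00Z erp-db FAILED
2024-03-09T21:00:00Z wiki OK
2024-03-10T00:20:00Z build-cache FAILED
"""

# Constructed outage: when the primary site failed and when each system was back.
OUTAGE_START = "2024-03-10T00:50:00Z"
RESTORED_AT = {"erp-db": "2024-03-10T01:40:00Z", "wiki": "2024-03-10T05:00:00Z"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Outcome:
    system: str
    rpo_achieved: Optional[timedelta]  # None: no usable backup exists
    rpo_met: bool
    rto_achieved: Optional[timedelta]  # None: system not yet restored
    rto_met: bool


def last_good_backups(log: str) -> Dict[str, datetime]:
    """Latest successful backup per system; failed runs are ignored."""
    latest: Dict[str, datetime] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, system, status = line.split()
        if status != "OK":
            continue
        when = parse_ts(ts)
        if system not in latest or when > latest[system]:
            latest[system] = when
    return latest


def evaluate(log: str, outage_start: str, restored_at: Dict[str, str]) -> Dict[str, Outcome]:
    """Compare achieved RPO/RTO per system with its tier target."""
    start = parse_ts(outage_start)
    good = last_good_backups(log)
    results: Dict[str, Outcome] = {}
    for system, tier in SYSTEM_TIER.items():
        target = TIER_TARGETS[tier]
        rpo = start - good[system] if system in good else None
        rto = parse_ts(restored_at[system]) - start if system in restored_at else None
        results[system] = Outcome(
            system,
            rpo, rpo is not None and rpo <= target["rpo"],
            rto, rto is not None and rto <= target["rto"],
        )
    return results


if __name__ == "__main__":
    for o in evaluate(BACKUP_LOG, OUTAGE_START, RESTORED_AT).values():
        print(f"{o.system:12} RPO {o.rpo_achieved} met={o.rpo_met}  RTO {o.rto_achieved} met={o.rto_met}")
```

In the sample, erp-db meets its one-hour RTO but misses its 15-minute RPO because the two most recent backups failed, which is exactly the gap a backup dashboard that only reports "last run" hides; build-cache has no successful backup at all and is still down, so both targets are reported as missed rather than skipped.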

Business continuity planning (BCP)

  • BIA & continuity strategies

    Business impact analysis drives MTPD/RTO tiers, alternate workflows, vendor contingencies, and crisis communications — not just failover buttons.

  • Crisis governance

    War-room roles, decision authority, employee safety, and regulatory touchpoints — continuity is an executive program, not a rack in another city.

Exam-grade takeaways

CISSP Exam Pro-Tip — BCP vs DRP

When a question mentions restoring data centers, backups, or failover sites, lean DRP. When it mentions keeping payroll/legal/manufacturing alive without the HQ building or manual workarounds, lean BCP. Both align with Domain 1 risk/BIA language — do not conflate them into one generic “continuity plan.”

Exam cue

Order of battle: IR vs continuity

During an ongoing breach, incident response leads technical containment; continuity activates when the business cannot operate normally even after initial IR steps — know which playbook owns the executive bridge line.

Quick check · Domain 7 quiz

One question at a time with instant feedback. Pair it with the diagram and Pro-Tip callouts above.

Question 1 of 5

1. For critical patching, the best first governance step is:

Ready for Domain 8?

Module 7 covers incident response, logging, recovery, and day-to-day security operations. One module left in the blueprint. Every domain lesson is open for review — the Final Mock Exam is where premium diagnostics and readiness scoring begin.