CISSP Domain 7 · 13% of Exam Weight

Security Operations


Domain 7 covers the day-to-day security operations: incident response, digital forensics, monitoring, change management, and business continuity. This is where all the other domains get tested against reality.

6 Lessons · 13% Exam Weight · NIST 800-61 / 800-34

What This Domain Covers

Security Operations (Domain 7) is the largest domain by exam weight (13%). It tests your ability to handle real-world security events — detecting breaches, preserving evidence, maintaining monitoring, managing changes safely, and recovering from disasters.

  • Incident Response: NIST 800-61 lifecycle, CIRT, breach notification timelines
  • Digital Forensics: order of volatility, chain of custody, forensic imaging
  • Monitoring & SIEM: SOC tiers, MTTD/MTTR, threat hunting, MITRE ATT&CK
  • Change Management: CAB, GitOps, patch management, configuration drift
  • BCP & DRP: RTO, RPO, MTD, hot/warm/cold sites, backup strategies
  • Physical & Environmental: CCTV, fire suppression, UPS, media sanitization


Key Exam Themes for Domain 7
  • IR phase order: Preparation → Detection → Containment → Eradication → Recovery → Lessons Learned
  • Evidence collection: order of volatility (RAM before disk); chain of custody is mandatory
  • SIEM correlates; SOC responds; threat hunting is proactive (not reactive)
  • Emergency changes still require expedited approval — not "no approval"
  • RTO must be ≤ MTD — the business sets MTD, IT must meet it
  • CO2 fire suppression: evacuate personnel BEFORE activation

FinTech Company X Context — Domain 7 Relevance

PII incident: Production shutdown = Containment phase. InfoSec sign-off before redeployment = formal Recovery gate. This is textbook NIST 800-61 in practice.

Datadog monitoring: Error rate, latency, and Kafka lag alerts = SIEM-equivalent for Platform C. MTTD target for P1 incidents should be <15 minutes.

ArgoCD GitOps: Every deployment via Git commit = auditable change management satisfying CAB requirements for standard changes.

Bank A/Partner A SLAs: High availability commitments → RTO and RPO targets. Lending downtime = direct revenue and regulatory exposure.

HashiCorp Vault: Audit logs for all secret access → forensic evidence trail if credentials are compromised.