CISSP Domain 2 Explained: Asset Security
Domain 2 (~10%) is about classifying information by its value and protecting it accordingly across its entire lifecycle.
A practical guide with free practice questions · by Domain8
The CISSP — Certified Information Systems Security Professional — is ISC2’s globally recognized cybersecurity certification, organized into eight domains.
Asset Security covers how you identify, classify, handle, retain, and dispose of information and assets. The recurring theme: protection should match value, and the right person makes each decision.
Want to drill Domain 2? Domain8 has adaptive quizzes, a 700-question bank, and a diagnostic that finds your weak spots. Domain8 is free to try, no card.
Study free at Domain8 →
1. Data classification
Classify data by sensitivity and impact so protection matches value — no more, no less.
- Classification levels (e.g., Public, Internal, Confidential, Restricted) drive handling rules.
- Over-classifying wastes resources; under-classifying creates exposure.
- Government schemes (e.g., Top Secret / Secret / Confidential / Unclassified) and commercial schemes use different labels but follow the same logic: the label encodes the impact of disclosure and dictates the handling rules.
2. Data roles
The exam loves to test who does what:
- Data owner (a senior business role) classifies the data and is accountable for it — not IT.
- Data custodian (often IT) implements and maintains the protective controls.
- Data controller decides why and how personal data is processed; the data processor (a cloud or SaaS vendor, for example) acts only on the controller's instructions, and the controller stays accountable.
3. Data states and the lifecycle
Protect data in every state:
- At rest (storage), in transit (network), in use (memory/processing).
- Apply the right control per state: encryption for data at rest (disk, database, backups) and in transit (TLS), and access control plus memory/runtime protections for data in use.
- Manage data through create, store, use, share, archive, and destroy.
4. Retention and secure disposal
Keep data only as long as it serves a purpose, then dispose of it securely.
- Data remanence is residual data left after deletion; ordinary deletion is not enough.
- Match the sanitization method to the media type and sensitivity: clearing (overwriting), purging (e.g., degaussing magnetic media or cryptographic erase), or physical destruction. A software overwrite is not reliable on flash/SSD media because the controller remaps blocks, so purge or destroy those.
- Indefinite retention is pure liability — retention limits reduce breach impact.
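Remanence is easiest to believe once you have seen it. The added example below (my own code, not from the Domain8 guide) shows it at the application-storage layer, using Python's built-in sqlite3 module: a row holding a constructed sample secret is inserted into a throwaway database file, deleted with an ordinary DELETE, and the raw file bytes are then searched for the secret. The row's bytes are still there, because SQLite only marks the cell as free. Two forms of clearing remove it: SQLite's `secure_delete` pragma (which zero-fills freed content) and a VACUUM (which rebuilds the file from live rows only). The mode names and the SECRET string are assumptions for the demo.

```python
import os
import sqlite3
import tempfile

# Constructed sample record: a string we can search for in the raw file bytes.
SECRET = "SSN=123-45-6789"


def deleted_row_survives(mode: str) -> bool:
    """Insert a row holding SECRET into a fresh SQLite file, delete the row,
    then return True if SECRET is still readable from the raw file bytes.

    mode (names are this demo's own):
      "ordinary"      - plain DELETE: the cell is marked free but not overwritten
      "secure_delete" - PRAGMA secure_delete=ON makes SQLite zero-fill freed content
      "vacuum"        - rebuild the file after the DELETE so freed space is dropped
    """
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)  # sqlite3 treats the empty file as a new database
    try:
        con = sqlite3.connect(path)
        # Set the pragma explicitly: most builds default to OFF, some (e.g. macOS) to ON.
        con.execute("PRAGMA secure_delete = ON" if mode == "secure_delete"
                    else "PRAGMA secure_delete = OFF")
        con.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, note TEXT)")
        con.execute("INSERT INTO customer (note) VALUES (?)", (SECRET,))
        con.commit()
        con.execute("DELETE FROM customer WHERE id = 1")  # WHERE clause: a normal row delete
        con.commit()
        if mode == "vacuum":
            con.execute("VACUUM")  # copies live content only; freed bytes are not carried over
        con.close()
        with open(path, "rb") as f:
            raw = f.read()
        return SECRET.encode() in raw
    finally:
        os.remove(path)


def remanence_report() -> dict:
    """Run all three modes and report whether the 'deleted' secret is still on disk."""
    return {m: deleted_row_survives(m) for m in ("ordinary", "secure_delete", "vacuum")}


if __name__ == "__main__":
    for mode, survives in remanence_report().items():
        print(f"{mode:14s} secret still in file: {survives}")
```

The caveat a practitioner needs: this is clearing at the file level. The zeroed or rebuilt file still sat on a medium that may keep earlier copies (rollback journals, filesystem snapshots, SSD blocks the controller has remapped), which is why decommissioned media get purged or destroyed rather than overwritten from an application.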
5. Privacy and protecting PII
Asset security and privacy overlap on personal data.
- Data minimization: collect only what you genuinely need.
- Apply tailored protections (encryption, tokenization, access control) to sensitive data.
- Honor purpose limitation and retention limits for PII.
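Tokenization is the one of those tailored protections that also delivers data minimization, because systems downstream of the vault never hold the PII at all. The added example below is my own illustration, not code from the Domain8 guide: a hypothetical in-memory TokenVault hands out random surrogate tokens, keeps the only copy of the real value, and enforces a role check on the sensitive operation (detokenize) rather than on the harmless one (tokenize). The class, role names and the sample customer record are all assumptions for the demo.

```python
import secrets


class TokenVault:
    """Hypothetical tokenization service (demo code, not a product API).

    The vault holds the only copy of the PII and issues random surrogate
    tokens. Downstream systems store tokens, so a breach of those systems
    exposes no PII, and the heavy controls (encryption at rest, access
    logging, restricted roles) are concentrated on this one component.
    """

    def __init__(self, detokenize_roles):
        self._by_token = {}   # token -> PII (a real vault encrypts this store)
        self._by_value = {}   # PII -> token, so one value always maps to one token
        self._roles = frozenset(detokenize_roles)

    def tokenize(self, value: str) -> str:
        token = self._by_value.get(value)
        if token is None:
            # Random, not derived from the value: the token reveals nothing about it.
            token = "tok_" + secrets.token_hex(16)
            self._by_value[value] = token
            self._by_token[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Access control sits on the operation that exposes PII.
        if role not in self._roles:
            raise PermissionError(f"role {role!r} is not allowed to detokenize")
        return self._by_token[token]

    @staticmethod
    def mask(value: str, keep_last: int = 4) -> str:
        """Display form that reveals only the trailing characters."""
        return "*" * (len(value) - keep_last) + value[-keep_last:]


def ingest_customer(vault: TokenVault, record: dict) -> dict:
    """What the application tier stores: the SSN is replaced by its token plus
    a masked display value, so the raw SSN never reaches the app database."""
    ssn = record["ssn"]
    stored = dict(record)
    stored["ssn"] = vault.tokenize(ssn)
    stored["ssn_display"] = TokenVault.mask(ssn)
    return stored


if __name__ == "__main__":
    vault = TokenVault(detokenize_roles={"fraud-analyst"})
    customer = {"name": "A. Example", "ssn": "123-45-6789"}  # constructed sample
    stored = ingest_customer(vault, customer)
    print(stored)
    print(vault.detokenize(stored["ssn"], role="fraud-analyst"))
    try:
        vault.detokenize(stored["ssn"], role="marketing")
    except PermissionError as e:
        print("denied:", e)
```

Two design points worth noting. Reusing the token for a repeated value (the `_by_value` map) keeps joins and de-duplication working without ever exposing the value; if that linkability is itself a privacy concern, issue a fresh token per use instead. And because the token carries no information, the retention decision simplifies: purging the vault entry is enough to render every downstream copy of the token meaningless.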
Free practice questions
Try these in the exam's "best answer" style, then check the explanation that follows each one.
1. A dispute arises over who is responsible for assigning a classification level to a new dataset. Who holds that responsibility?
- The IT department that stores it
- The data custodian
- The data owner
- The end users who access it
C. The data owner — a senior business role — classifies the data and is accountable for it. IT, as custodian, implements the controls but does not decide classification.
2. Sensitive drives are being decommissioned. Which concern MUST be addressed before disposal?
- Compression ratio
- Data remanence
- File fragmentation
- Drive label color
B. Data remanence is residual data that survives ordinary deletion. Media must be properly sanitized (purged or physically destroyed) so residual data cannot be recovered.
3. Which control set BEST protects data in all three of its states?
- Encryption at rest only
- A firewall only
- Encryption at rest and in transit, plus access controls during use
- Backups only
C. Data must be protected at rest, in transit, and in use. Encryption addresses rest and transit, and access controls plus runtime protections address data in use.
Like these? Get a full adaptive quiz engine and a diagnostic that scores you by difficulty and question style. All of Domain8 is free to try.
Study free at Domain8 →
Frequently asked questions
Is Domain 2 heavy on the exam?
No, it is about 10%, but it pairs tightly with Domains 1 and 5 on data roles and protection decisions.
What trips candidates up in Asset Security?
Confusing the data owner (classifies, accountable) with the custodian (implements controls). Keep those roles distinct.