CISSP Domain 5 Explained: Identity and Access Management
Domain 5 (~13%) covers how identities are established, authenticated, authorized, and held accountable.
A practical guide with free practice questions · by Domain8
The CISSP — Certified Information Systems Security Professional — is ISC2’s globally recognized cybersecurity certification, organized into eight domains.
Identity and Access Management (IAM) is about controlling who can access what, and proving it. Know the access control models, authentication factors, and federation protocols cold.
Want to drill Domain 5? Domain8 has adaptive quizzes, a 700-question bank, and a diagnostic that finds your weak spots. Domain8 is free to try, no card.
Study free at Domain8 →
1. The access control lifecycle
Identification, authentication, authorization, and accountability:
- Identification claims an identity; authentication proves it; authorization grants access; accountability ties actions to identities via logging.
- Provision, review, and de-provision access across the identity lifecycle.
- Regular access reviews catch privilege creep.
2. Authentication factors
Strength comes from combining types:
- Something you know (password), have (token), are (biometric).
- MFA combines two or more different factor types.
- Biometrics balance false accept (FAR) and false reject (FRR) rates.
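The FAR/FRR trade-off is easiest to see on numbers. The following is an added example, not code from the Domain8 guide: a constructed set of matcher similarity scores for genuine and impostor attempts, the FAR and FRR each decision threshold produces, the crossover point where the two rates meet, and a tuning helper that picks the lowest threshold satisfying a FAR ceiling (high-security deployments accept a higher FRR to keep FAR down). The score lists and the 0-100 scale are assumptions.

```python
# Added example (not from the Domain8 guide): how a biometric matcher's
# decision threshold trades false accepts (FAR) against false rejects (FRR).
# The score lists are constructed for illustration.
from typing import Dict, Sequence, Tuple

# Constructed similarity scores on a 0-100 scale. "Genuine" attempts are the
# enrolled person; "impostor" attempts are someone else presenting.
GENUINE_SCORES = [88, 91, 79, 95, 84, 72, 90, 86, 93, 68]
IMPOSTOR_SCORES = [31, 45, 52, 27, 61, 38, 74, 49, 33, 56]


def false_accept_rate(impostor: Sequence[float], threshold: float) -> float:
    """FAR: fraction of impostor attempts scoring at or above the threshold."""
    if not impostor:
        return 0.0
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_reject_rate(genuine: Sequence[float], threshold: float) -> float:
    """FRR: fraction of genuine attempts scoring below the threshold."""
    if not genuine:
        return 0.0
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_curve(genuine, impostor, thresholds) -> Dict[float, Tuple[float, float]]:
    """Map each candidate threshold to its (FAR, FRR) pair."""
    return {t: (false_accept_rate(impostor, t), false_reject_rate(genuine, t)) for t in thresholds}


def crossover_threshold(genuine, impostor, thresholds) -> float:
    """Threshold where FAR and FRR are closest (the crossover / equal error rate point)."""
    curve = error_curve(genuine, impostor, thresholds)
    return min(curve, key=lambda t: abs(curve[t][0] - curve[t][1]))


def choose_threshold(genuine, impostor, thresholds, max_far: float) -> float:
    """Lowest threshold keeping FAR at or below max_far (high-security tuning favors low FAR)."""
    for t in sorted(thresholds):
        if false_accept_rate(impostor, t) <= max_far:
            return t
    return max(thresholds)


if __name__ == "__main__":
    ts = range(50, 100, 5)
    for t, (far, frr) in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, ts).items():
        print(f"threshold {t:>2}: FAR={far:.2f} FRR={frr:.2f}")
    print("crossover at", crossover_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, ts))
    print("lowest threshold with FAR == 0:", choose_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, ts, 0.0))
```

Raising the threshold drives FAR toward zero and FRR upward; lowering it does the reverse. Which side to favor is a risk decision, which is why the exam frames biometric tuning as a balance rather than a single right number.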
3. Access control models
The exam tests which model fits a scenario:
- DAC: owners grant access at their discretion.
- MAC: the system enforces access by labels and clearances (rigid, high-security).
- RBAC: access by job role; ABAC: access by attributes/policy.
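Scenario questions turn on what each model consults to make a decision. The following is an added example, not code from the Domain8 guide: one access request evaluated under all four models side by side, so the differences (owner ACL, label dominance, role permissions, attribute policy) are visible in the results. Every subject, resource, role, attribute and the specific ABAC policy are constructed assumptions; the MAC rules follow the Bell-LaPadula "no read up, no write down" pattern.

```python
# Added example (not from the Domain8 guide): the same access request decided
# under DAC, MAC, RBAC and ABAC. Every subject, object, role and attribute is
# constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# MAC sensitivity levels, ordered from lowest to highest.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str = "unclassified"
    roles: FrozenSet[str] = frozenset()
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class Resource:
    name: str
    owner: str
    label: str = "unclassified"
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # DAC: user -> allowed actions
    attrs: Dict[str, str] = field(default_factory=dict)


def dac_allows(s: Subject, r: Resource, action: str) -> bool:
    """DAC: the owner has full discretion and grants others through the ACL."""
    return s.name == r.owner or action in r.acl.get(s.name, set())


def mac_allows(s: Subject, r: Resource, action: str) -> bool:
    """MAC (Bell-LaPadula style): no read up, no write down; the user has no say."""
    clearance, label = LEVELS[s.clearance], LEVELS[r.label]
    if action == "read":
        return clearance >= label
    if action == "write":
        return clearance <= label
    return False


# RBAC: permissions are attached to roles, and roles to people.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("report", "read")},
    "editor": {("report", "read"), ("report", "write")},
}


def rbac_allows(s: Subject, r: Resource, action: str, perms=ROLE_PERMISSIONS) -> bool:
    needed = (r.attrs.get("type", ""), action)
    return any(needed in perms.get(role, set()) for role in s.roles)


def abac_allows(s: Subject, r: Resource, action: str, env: Dict[str, str]) -> bool:
    """ABAC: a policy predicate over subject, resource and environment attributes."""
    same_department = s.attrs.get("department") == r.attrs.get("department")
    on_corp_network = env.get("network") == "corp"
    may_write = s.attrs.get("title") == "lead"
    return same_department and on_corp_network and (action == "read" or may_write)


def evaluate(s: Subject, r: Resource, action: str, env: Dict[str, str]) -> Dict[str, bool]:
    """Decide one request under each model so the differences are visible side by side."""
    return {
        "DAC": dac_allows(s, r, action),
        "MAC": mac_allows(s, r, action),
        "RBAC": rbac_allows(s, r, action),
        "ABAC": abac_allows(s, r, action, env),
    }


# Constructed sample data.
ALICE = Subject("alice", "secret", frozenset({"analyst"}), {"department": "finance", "title": "analyst"})
CAROL = Subject("carol", "top_secret", frozenset(), {"department": "hr", "title": "lead"})
REPORT = Resource("q3-report", owner="bob", label="confidential",
                  acl={"alice": {"read"}}, attrs={"type": "report", "department": "finance"})
ENV = {"network": "corp"}

if __name__ == "__main__":
    for subj in (ALICE, CAROL):
        for action in ("read", "write"):
            print(subj.name, action, evaluate(subj, REPORT, action, ENV))
```

Carol's results are the instructive ones: a top-secret clearance lets MAC grant the read, but DAC (no ACL entry), RBAC (no role) and ABAC (wrong department) all deny it. A scenario that mentions labels and "no discretion" is pointing at MAC; one that mentions job functions is RBAC; one that mentions time, location or department is ABAC.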
4. Federation and SSO
One identity across systems:
- SSO lets users authenticate once for many systems.
- SAML (enterprise SSO), OAuth (authorization/delegation), OIDC (authentication on top of OAuth).
- Federation extends trust across organizational boundaries.
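The OAuth-versus-OIDC distinction is concrete in the artifact each produces: OAuth yields an access token that authorizes calls, while OIDC adds a signed ID token carrying the authenticated subject, which the relying party must validate before trusting the login. The following is an added example, not code from the Domain8 guide: a provider-side function that mints an ID token and a relying-party function that performs the standard OIDC checks (signature with a pinned algorithm, issuer, audience, expiry, nonce). It uses HS256 with a constructed shared secret so it runs offline; real providers usually sign with RS256 and publish keys through JWKS, so only the signature step would change. The issuer URL, client id, secret and subject values are constructed assumptions.

```python
# Added example (not from the Domain8 guide): verifying an OIDC ID token, the
# artifact that turns an OAuth flow into authentication. HS256 with a
# constructed shared secret keeps it offline; real providers usually sign with
# RS256 and publish keys via JWKS. Issuer, client id and subject are constructed.
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret"        # assumption: shared HMAC key
ISSUER = "https://idp.example.test"         # constructed issuer URL
CLIENT_ID = "demo-client"                   # constructed OAuth client id


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(sub: str, nonce: str, now: int, *, secret=SECRET, issuer=ISSUER,
                  aud=CLIENT_ID, ttl: int = 300) -> str:
    """Provider side: sign the authentication claims as a compact JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now: int, *, secret=SECRET,
                      issuer=ISSUER, client_id=CLIENT_ID) -> Tuple[Optional[str], Optional[str]]:
    """Relying party side: (subject, None) if every OIDC check passes, else (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed"
    # Pin the algorithm the relying party expects; never let the token choose it.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return None, "wrong audience"
    if now >= claims.get("exp", 0):
        return None, "expired"
    if claims.get("nonce") != expected_nonce:  # binds the token to this login attempt
        return None, "nonce mismatch"
    return claims.get("sub"), None


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed clock value
    token = mint_id_token("user-123", "nonce-abc", issued_at)
    print(validate_id_token(token, "nonce-abc", issued_at + 60))   # ('user-123', None)
    print(validate_id_token(token, "nonce-xyz", issued_at + 60))   # (None, 'nonce mismatch')
```

The checks run in the order a relying party should apply them: nothing in the claims is trusted until the signature verifies, and even a validly signed token is rejected if it was issued for another client, by another issuer, for a different login attempt, or has expired. That is the "authentication on top of OAuth" layer the exam asks about.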
5. Privilege and least access
Limit the damage of any one account:
- Least privilege: only the access needed for the job.
- Separation of duties prevents any one person from completing a sensitive transaction alone.
- PAM tightly controls and monitors privileged accounts.
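The lifecycle controls in section 1 (periodic access reviews, de-provisioning, catching privilege creep) and the least-privilege and separation-of-duties points here are the same review run against the identity store. The following is an added example, not code from the Domain8 guide, serving both sections: a review over a constructed snapshot of users that flags entitlements beyond the role baseline (privilege creep), toxic role combinations (separation of duties) and inactive accounts due for de-provisioning. The roles, entitlement names, conflict pairs, users and the 90-day inactivity limit are all assumptions.

```python
# Added example (not from the Domain8 guide): a periodic access review that
# flags privilege creep, separation-of-duties conflicts and stale accounts.
# The roles, entitlements and users are constructed for illustration.
from typing import Dict, FrozenSet, Set

# What each role is supposed to grant: the least-privilege baseline.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "ap_clerk": {"invoice:create", "invoice:read"},
    "ap_approver": {"invoice:read", "invoice:approve"},
    "reporting": {"ledger:read"},
}

# Role pairs one person must never hold together: the holder could create
# and approve an invoice alone.
SOD_CONFLICTS: Set[FrozenSet[str]] = {frozenset({"ap_clerk", "ap_approver"})}

STALE_AFTER_DAYS = 90  # assumption: inactivity limit that triggers a de-provisioning check

# Constructed snapshot of the identity store.
USERS = {
    "alice": {"roles": {"ap_clerk"},
              "entitlements": {"invoice:create", "invoice:read", "ledger:export"},
              "inactive_days": 3},
    "bob": {"roles": {"ap_clerk", "ap_approver"},
            "entitlements": {"invoice:create", "invoice:read", "invoice:approve"},
            "inactive_days": 12},
    "carol": {"roles": {"reporting"}, "entitlements": {"ledger:read"}, "inactive_days": 120},
}


def expected_entitlements(roles, baseline=ROLE_BASELINE) -> Set[str]:
    """Union of everything the user's roles justify."""
    return set().union(*(baseline.get(r, set()) for r in roles))


def privilege_creep(user, baseline=ROLE_BASELINE) -> Set[str]:
    """Entitlements held beyond the role baseline (typically left over from a past job)."""
    return set(user["entitlements"]) - expected_entitlements(user["roles"], baseline)


def sod_violations(user, conflicts=SOD_CONFLICTS) -> Set[FrozenSet[str]]:
    """Conflicting role combinations the user currently holds."""
    return {pair for pair in conflicts if pair <= set(user["roles"])}


def is_stale(user, limit=STALE_AFTER_DAYS) -> bool:
    """Inactive long enough that the account should be reviewed for de-provisioning."""
    return user["inactive_days"] > limit


def access_review(users=USERS, baseline=ROLE_BASELINE, conflicts=SOD_CONFLICTS) -> Dict[str, dict]:
    """Return only users with findings so reviewers focus on what needs action."""
    findings = {}
    for name, user in users.items():
        creep = privilege_creep(user, baseline)
        sod = sod_violations(user, conflicts)
        stale = is_stale(user)
        if creep or sod or stale:
            findings[name] = {"excess": creep, "sod": sod, "stale": stale}
    return findings


if __name__ == "__main__":
    for name, finding in access_review().items():
        print(name, finding)
```

Each finding maps to a different remediation: excess entitlements are removed (least privilege), a conflicting role pair is split between two people (separation of duties), and a stale account is disabled and then de-provisioned (lifecycle). Privileged accounts would get the same review on a shorter cycle under PAM.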
Free practice questions
Try these in the exam's "best answer" style, then compare your choice with the explanation.
1. A high-security system enforces access strictly by classification labels and clearances, with no user discretion. Which access control model is this?
- Discretionary Access Control (DAC)
- Role-Based Access Control (RBAC)
- Mandatory Access Control (MAC)
- Attribute-Based Access Control (ABAC)
C. MAC enforces access centrally based on labels and clearances and removes user discretion, making it suitable for high-security environments.
2. A login requires a password and a one-time code from a hardware token. How many authentication factor types are in use?
- One, both are 'something you know'
- Two, 'something you know' and 'something you have'
- Three
- Zero, tokens are not a factor
B. A password is something you know and a hardware token is something you have — two distinct factor types, which is true multi-factor authentication.
3. Which protocol is designed primarily for delegated authorization rather than authentication?
- SAML
- OAuth
- Kerberos
- OIDC
B. OAuth is an authorization/delegation framework. OIDC adds authentication on top of OAuth; SAML and Kerberos handle authentication directly.
Like these? Get a full adaptive quiz engine and a diagnostic that scores you by difficulty and question style. All of Domain8 is free to try.
Study free at Domain8 →
Frequently asked questions
What is the most tested IAM topic?
Access control models (DAC/MAC/RBAC/ABAC) and matching the right one to a scenario, plus distinguishing the federation protocols.
Is OAuth authentication or authorization?
Authorization. OIDC is the authentication layer built on top of it — a classic exam distinction.