CISSP Study Guide · Domain 6
CISSP Domain 6 Explained: Security Assessment and Testing
Domain 6 (~12%) covers how you verify that controls actually work — through assessments, audits, and testing.
A practical guide with free practice questions · by Domain8
The CISSP — Certified Information Systems Security Professional — is ISC2’s globally recognized cybersecurity certification, organized into eight domains.
Security Assessment and Testing is about evidence: designing assessment programs, running the right kind of test, and reporting results to the people who can act on them. Know the distinctions the exam draws between assessment types.
1. Why and how we test
Verification, not assumption:
- Testing proves controls are present and effective, not just documented.
- Tie testing to risk and to compliance obligations.
- Results feed remediation and continuous improvement.
2. Assessment vs audit
Different purposes:
- An assessment evaluates and recommends; an audit formally verifies against a standard.
- Audits require independence: internal audit reports to the board (usually its audit committee) rather than to the managers it reviews, and external auditors are third parties.
- Independence prevents conflicts of interest in the findings.
3. Vulnerability assessment vs penetration testing
Breadth vs depth:
- A vulnerability assessment broadly identifies and ranks weaknesses.
- A penetration test actively exploits weaknesses to prove real impact.
- Pen tests require explicit, written authorization and a defined scope (rules of engagement), because exploitation can disrupt the systems being tested.
4. Knowledge levels and code testing
How much the tester knows:
- Black-box (no knowledge), white-box (full knowledge), gray-box (partial).
- SAST examines source code without running it; DAST tests the running application.
- Combine static and dynamic testing for coverage: SAST cannot see runtime configuration or deployed dependencies, and DAST cannot reach code paths the test inputs never trigger.
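As an added illustration of what "examines source code without running it" means in practice, here is a minimal SAST-style checker written for this guide (not part of the original page or of any real product). It parses a constructed sample program into an abstract syntax tree and applies three simple rules; the sample program, the rule names and the severity scheme are assumptions chosen for the example. A DAST tool would instead send requests to the running application and observe its responses, which is why the two find different things.

```python
"""Minimal SAST-style checker: parses Python source into an AST and inspects it
without ever executing the code under test. Added illustration, not a real tool."""
import ast
from dataclasses import dataclass

# Constructed sample program under test (hypothetical; it is parsed, never run).
SAMPLE_SOURCE = '''
import os
import subprocess

def run_report(user_input):
    cmd = "ls " + user_input
    subprocess.run(cmd, shell=True)      # flagged: shell=True with a computed command
    os.system("echo hello")              # flagged: os.system always spawns a shell
    return eval(user_input)              # flagged: dynamic code execution

def safe_list(path):
    subprocess.run(["ls", path])         # not flagged: argv list, no shell
    return "done"
'''


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


DANGEROUS_BUILTINS = {"eval", "exec"}


def _qualified_name(node):
    """Dotted name of a call target, e.g. 'subprocess.run' or 'eval'; None if dynamic."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def scan_source(source: str) -> list:
    """Walk every Call node and apply three simple rules. Returns findings sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node.func)
        if name is None:
            continue
        if name in DANGEROUS_BUILTINS:
            findings.append(Finding(node.lineno, "dangerous-builtin", f"call to {name}()"))
        elif name == "os.system":
            findings.append(Finding(node.lineno, "os-system", "os.system() runs through a shell"))
        elif name.startswith("subprocess."):
            # shell=True is only dangerous in combination with an attacker-influenced command
            shell_true = any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                for kw in node.keywords
            )
            if shell_true:
                first = node.args[0] if node.args else None
                literal = isinstance(first, ast.Constant) and isinstance(first.value, str)
                severity = "low" if literal else "high"
                findings.append(Finding(node.lineno, f"subprocess-shell-{severity}",
                                        f"{name}(shell=True) with "
                                        f"{'a literal' if literal else 'a computed'} command"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Run against the embedded sample it reports lines 7, 8 and 9 and stays silent on the argv-list call, which is the whole point: the checker reasons about the program's structure, never about its behaviour, so it also cannot tell you whether `user_input` is actually reachable by an attacker in the deployed system. That gap is what DAST and a pen test fill.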
5. Logging, monitoring, and metrics
Continuous assurance:
- SIEM aggregates and correlates logs; SOAR automates response.
- Track KPIs and KRIs to show trends and emerging risk.
- Detection is only useful if someone reviews and acts on it.
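To make "aggregates and correlates" and "KPIs and KRIs" concrete, here is an added example written for this guide (not the page's own material, and not a real SIEM). It normalizes a handful of constructed auth log lines, runs one correlation rule (a burst of failed logins followed by a success from the same source and user), and computes a few metrics of the kind a Domain 6 report would carry. The log format, rule threshold, time window and metric names are all assumptions chosen for the example.

```python
"""Toy SIEM-style correlation over constructed auth log lines plus KPI/KRI metrics.
Added illustration; the log format, rule and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (syslog-like; hypothetical users and documentation-range IPs).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z sshd auth=failure user=alice src=203.0.113.7
2024-05-01T10:00:03Z sshd auth=failure user=alice src=203.0.113.7
2024-05-01T10:00:05Z sshd auth=failure user=alice src=203.0.113.7
2024-05-01T10:00:06Z sshd auth=failure user=alice src=203.0.113.7
2024-05-01T10:00:08Z sshd auth=failure user=alice src=203.0.113.7
2024-05-01T10:00:20Z sshd auth=success user=alice src=203.0.113.7
2024-05-01T10:05:00Z sshd auth=failure user=bob src=198.51.100.9
2024-05-01T10:05:30Z sshd auth=success user=bob src=198.51.100.9
2024-05-01T11:00:00Z sshd auth=failure user=carol src=192.0.2.4
2024-05-01T11:30:00Z sshd auth=success user=carol src=192.0.2.4
this line is not parseable
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd auth=(?P<result>failure|success) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Normalize raw lines into dicts; returns (events, dropped_count)."""
    events, dropped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            dropped += 1          # unparsed lines are a blind spot, so they are counted
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events, dropped


def correlate_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Alert when a success follows >= threshold failures for the same (src, user) inside window."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["result"] == "failure":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "failures_in_window": len(recent), "success_at": ev["ts"]})
        failures[key].clear()     # a success resets the counter for that pair
    return alerts


def metrics(events, dropped, alerts):
    """Numbers a Domain 6 report would carry: KPIs describe the program, KRIs flag risk."""
    total = len(events)
    fails = sum(1 for e in events if e["result"] == "failure")
    return {
        "events_parsed": total,                                     # KPI: pipeline coverage
        "events_dropped": dropped,                                  # KPI: parser gaps to fix
        "failure_rate": round(fails / total, 2) if total else 0.0,  # KRI: trend up = credential attacks
        "brute_force_alerts": len(alerts),                          # KRI: suspicious successes to review
    }


if __name__ == "__main__":
    evs, dropped = parse_events(SAMPLE_LOGS)
    hits = correlate_brute_force(evs)
    for a in hits:
        print(f"ALERT {a['user']}@{a['src']}: {a['failures_in_window']} failures, "
              f"then success at {a['success_at']}")
    print(metrics(evs, dropped, hits))
```

On the sample data the rule fires once (alice: five failures then a success within 19 seconds) and stays quiet for bob and carol, whose single failures never reach the threshold. The dropped-line counter is deliberate: a correlation rule is only as good as the events that reach it, and "events we could not parse" is exactly the kind of KPI that exposes a monitoring gap before an auditor does. The alert itself is still just a signal; the last bullet above stands, someone has to triage it.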
Free practice questions
Try these in the exam's "best answer" style, then read the explanation.
1. A team broadly scans the environment to identify and rank weaknesses, but does not exploit them. What activity is this?
- Penetration test
- Vulnerability assessment
- Red team operation
- Forensic investigation
Answer
B. A vulnerability assessment identifies and prioritizes weaknesses without exploiting them. A penetration test goes further and actively exploits to prove impact.
2. Which testing method analyzes an application's source code without executing it?
- DAST
- Fuzzing
- SAST
- Penetration testing
Answer
C. SAST (static application security testing) inspects source code without running it. DAST tests the running application dynamically.
3. Why must an audit function be independent of the area it audits?
- To reduce licensing cost
- To prevent conflicts of interest that could bias findings
- To speed up the audit
- Independence is not required
Answer
B. Independence keeps the audit objective and free of conflicts of interest, which is why internal audit reports to the board and external auditors are third parties.
Frequently asked questions
How is an assessment different from an audit?
An assessment evaluates and recommends improvements; an audit formally verifies compliance against a standard and requires independence.
SAST or DAST first?
They are complementary. SAST finds code-level flaws early; DAST catches runtime issues. Mature programs use both across the lifecycle.