Domain 7: Security Operations

Where Strategy Meets Reality

Domain 7 represents 13% of the CISSP exam. The question executives ask about security operations is straightforward: when something goes wrong, how quickly can we detect it, contain it, and recover? Everything else is preparation for that moment.

Security operations transforms policies and architectures into daily reality. The best security strategy fails if operations can’t execute it. This domain covers incident response, disaster recovery, physical security, and continuous activities that keep security programs functioning.

Figure: Security Operations Center. 24/7 monitoring of SIEM alerts, EDR events, and network logs; analysts investigate, escalate, and respond. Sample metrics shown: MTTD 4.2 hrs, MTTR 2.1 hrs.

Incident Response Fundamentals

Incident response follows a lifecycle: preparation, detection and analysis, containment, eradication, recovery, and post-incident activity. NIST SP 800-61 provides the standard framework most organizations adapt; it groups containment, eradication, and recovery into a single phase, so expect to see the same activities under either labeling.

  • Preparation happens before incidents occur: establishing teams, defining roles, creating playbooks, ensuring tools exist. Organizations that skip preparation improvise during crises.
  • Detection and analysis confirms that an incident is occurring and scopes it. Triage alerts from monitoring sources, rule out false positives, determine which systems and data are affected, and document findings and timelines from the start so they can support later evidence handling.
  • Containment prevents incidents from spreading. Short-term containment isolates affected systems. Long-term containment maintains operations while preparing for eradication. Balance aggressive containment against business impact.
  • Eradication removes attackers and malicious artifacts: remove malware, close the vulnerabilities that were exploited, reset compromised credentials. Incomplete eradication leads to reinfection.
  • Recovery restores systems to normal operation. Rebuild from known-good images, restore data, and verify functionality before returning systems to production.
  • Post-incident activity captures lessons learned. What gaps allowed the incident? What improvements would reduce impact? Documentation supports future response and potential legal proceedings.

Figure: Incident response lifecycle as a continuous cycle: prepare, detect, contain, eradicate, recover, review.

Business Continuity and Disaster Recovery

Business continuity ensures critical functions continue during disruptions. Disaster recovery focuses on restoring IT systems. Both require understanding which processes matter most and how much downtime and data loss each can tolerate.

Business Impact Analysis identifies critical processes and dependencies. Recovery Time Objective (RTO) defines maximum acceptable downtime. Recovery Point Objective (RPO) defines maximum acceptable data loss. These drive technical decisions about backups, replication, and recovery infrastructure.
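The RPO figure is only as good as the backups that actually complete. The following is an added example (not part of the original article) that checks a backup job history against an RPO: it computes the data loss an incident at a given time would cause, counting only successful jobs, and reports the RPO a schedule really delivers once a failed job is taken into account. The job records and timestamps are constructed sample data.

```python
from datetime import datetime

# Constructed backup job history for one system (assumed sample data, not
# taken from the article): nightly jobs, one of which failed.
BACKUP_JOBS = [
    ("2024-03-01T01:00:00", "success"),
    ("2024-03-02T01:00:00", "success"),
    ("2024-03-03T01:00:00", "failed"),   # ran, but did not complete
    ("2024-03-04T01:00:00", "success"),
]


def _successful_backups(jobs):
    """Timestamps of completed backups only; a failed job protects nothing."""
    return sorted(datetime.fromisoformat(ts) for ts, status in jobs if status == "success")


def data_loss_hours(jobs, incident_iso):
    """Hours of data lost if the system fails at incident_iso: the time since
    the last successful backup taken before the incident.
    Returns None if no usable backup exists (loss is unbounded)."""
    incident = datetime.fromisoformat(incident_iso)
    usable = [ts for ts in _successful_backups(jobs) if ts <= incident]
    if not usable:
        return None
    return (incident - usable[-1]).total_seconds() / 3600


def meets_rpo(jobs, incident_iso, rpo_hours):
    """True only if a usable backup exists and the loss is within the RPO."""
    loss = data_loss_hours(jobs, incident_iso)
    return loss is not None and loss <= rpo_hours


def delivered_rpo_hours(jobs):
    """Worst gap between consecutive successful backups: the RPO the schedule
    actually delivers. A single failed nightly job doubles it."""
    ts = _successful_backups(jobs)
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(ts, ts[1:])]
    return max(gaps) if gaps else None


if __name__ == "__main__":
    for when in ("2024-03-02T12:00:00", "2024-03-03T12:00:00"):
        print(when, "loss hours:", data_loss_hours(BACKUP_JOBS, when),
              "meets 24h RPO:", meets_rpo(BACKUP_JOBS, when, 24))
    print("schedule actually delivers an RPO of", delivered_rpo_hours(BACKUP_JOBS), "hours")
```

With a nominal 24-hour RPO, an incident the afternoon after the failed job loses 35 hours of data, and the schedule's delivered RPO is 48 hours. Monitoring job success, not just job scheduling, is what keeps the stated RPO honest.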

Investigations and Evidence

Security investigations require preserving evidence for potential legal proceedings. Chain of custody documents who handled evidence, when, and what they did. Breaks in chain of custody may make evidence inadmissible.

Digital forensics extracts evidence from electronic systems. Forensic imaging creates bit-for-bit copies without modifying originals. Live forensics captures volatile data—memory contents, network connections, running processes—before shutdown.
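Chain of custody and forensic imaging meet in one routine practice: hash the original before and after acquisition, hash the image, and record who did what and when. The following is an added example (not code from the original article) that copies a constructed evidence file bit-for-bit, verifies the copy against the original with SHA-256, appends a chain-of-custody entry at each handoff, and shows that a single modified byte is caught on re-verification. File names, handler names, and the evidence content are assumptions for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def custody_entry(handler, action, item, digest):
    """One chain-of-custody record: who, when (UTC), what, and the hash at that moment."""
    return {"time": datetime.now(timezone.utc).isoformat(), "handler": handler,
            "action": action, "item": item, "sha256": digest}


def acquire_image(source, dest, handler, log):
    """Bit-for-bit copy of source to dest. Hashes the original before and after
    copying (showing it was not modified) and the image (showing it matches)."""
    before = sha256_of(source)
    with open(source, "rb") as src, open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst)
    after = sha256_of(source)
    image_hash = sha256_of(dest)
    if not (before == after == image_hash):
        raise RuntimeError("acquisition integrity check failed")
    log.append(custody_entry(handler, "acquired image", dest, image_hash))
    return image_hash


def verify_image(path, expected_hash, handler, log):
    """Re-hash the image at each handoff; any mismatch breaks the chain."""
    current = sha256_of(path)
    ok = current == expected_hash
    log.append(custody_entry(handler, "verified" if ok else "INTEGRITY FAILURE", path, current))
    return ok


def demo():
    """Acquire, hand off and verify, then tamper and show the check catches it."""
    workdir = tempfile.mkdtemp()
    try:
        evidence = os.path.join(workdir, "evidence.bin")   # constructed evidence file
        image = os.path.join(workdir, "evidence.img")
        with open(evidence, "wb") as f:
            f.write(b"constructed evidence content\n" * 2048)
        log = []
        digest = acquire_image(evidence, image, "analyst-a", log)
        intact = verify_image(image, digest, "analyst-b", log)
        with open(image, "r+b") as f:   # simulate a single-byte modification
            f.write(b"X")
        tamper_detected = not verify_image(image, digest, "analyst-c", log)
        return intact, tamper_detected, log
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    intact, tamper_detected, log = demo()
    print("image verified after handoff:", intact)
    print("tampering detected:", tamper_detected)
    for entry in log:
        print(entry["time"], entry["handler"], entry["action"], entry["sha256"][:16])
```

In practice the log itself must be protected (signed or kept in an append-only store), and a real acquisition works from a write-blocked device rather than an open file; the hashing discipline is the same.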

Change and Configuration Management

Change management controls modifications to systems. The Change Advisory Board reviews proposed changes, assessing risk before approving implementation. Standard changes follow pre-approved procedures. Emergency changes address urgent issues but require post-implementation review.

Configuration management maintains consistent system configurations. Baselines define approved states. Drift detection compares live systems against the baseline and identifies deviations, enabling correction before they cause problems.
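Drift detection in its simplest form is a comparison of collected settings against an approved baseline. The following is an added example (not from the original article) that parses a constructed sshd_config collected from a host, compares it to a baseline, and classifies each difference as changed (set to a non-approved value), missing (not set, so the daemon's default applies), or extra (present but not baselined). The baseline values, the hostname web01, and the sample config are assumptions for illustration.

```python
# Approved sshd baseline (constructed for illustration; values are assumptions).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
}

# Constructed sshd_config as collected from a host; it has drifted.
CURRENT_CONFIG = """\
# sshd_config collected from web01 (constructed sample)
Port 22
# PermitRootLogin was flipped to yes during an outage and never reverted
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 3
LogLevel VERBOSE
AllowTcpForwarding yes
"""


def parse_kv_config(text):
    """Parse 'Key value' or 'Key=value' lines, skipping blanks and # comments.
    The first occurrence of a key wins, matching sshd's own behaviour."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if " " in line:
            key, _, value = line.partition(" ")
        else:
            key, _, value = line.partition("=")
        settings.setdefault(key.strip(), value.strip())
    return settings


def detect_drift(baseline, current):
    """Compare current settings to the baseline.
    changed: key -> (expected, actual); missing: baseline keys not set at all
    (the daemon default applies, which may not be the secure value);
    extra: keys the baseline says nothing about."""
    changed = {k: (v, current[k]) for k, v in baseline.items()
               if k in current and current[k] != v}
    missing = {k: v for k, v in baseline.items() if k not in current}
    extra = {k: v for k, v in current.items() if k not in baseline}
    return {"changed": changed, "missing": missing, "extra": extra}


def has_drift(drift):
    """Changed and missing settings are drift; extras are flagged for review only."""
    return bool(drift["changed"] or drift["missing"])


def drift_report(baseline, text):
    """Human-readable findings, one line per deviation."""
    drift = detect_drift(baseline, parse_kv_config(text))
    lines = [f"CHANGED {k}: expected {e!r}, found {a!r}" for k, (e, a) in drift["changed"].items()]
    lines += [f"MISSING {k}: expected {v!r}, not set (default applies)" for k, v in drift["missing"].items()]
    lines += [f"EXTRA   {k} = {v!r}: not in baseline, review" for k, v in drift["extra"].items()]
    return lines


if __name__ == "__main__":
    print("\n".join(drift_report(BASELINE, CURRENT_CONFIG)) or "no drift")
```

Run against the sample, the report flags PermitRootLogin as changed, X11Forwarding as missing, and Port and AllowTcpForwarding as unbaselined extras. Treating a missing setting as drift matters: an absent directive silently falls back to the daemon default, which is not necessarily the approved value.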

Figure: Change management process: request, review, approve, implement, verify. The CAB reviews risk, impact, rollback plan, and testing. Emergency changes require post-implementation review.

Physical Security Operations

Physical security protects facilities, equipment, and people. Access control systems manage facility entry. Environmental controls address fire, flood, temperature, and humidity. Redundant utilities and generators ensure continued operation during outages.

Connecting to Other Domains

Security operations executes what other domains plan. Domain 1 governance determines operational priorities. Domain 3 architectures define what operations protects. Domain 6 testing validates that operational controls actually work.

The practice questions test incident scenarios that require prioritization: containment versus business continuity, evidence preservation versus rapid recovery.

Security operations transforms strategy into daily reality. When incidents occur—and they will—operations determines whether the organization detects quickly, responds effectively, and recovers completely.

Morgan Reyes, Cybersecurity Consultant
Morgan Reyes is a respected cybersecurity consultant with more than a decade of experience supporting high-level defense environments and financial institutions. She began her career in confidential roles within the Department of Defense, where she developed deep knowledge of threat analysis, secure architecture, incident response, and strategic risk mitigation. Her work inside these restricted programs shaped her reputation for calm leadership and precise decision making in mission-critical situations.
