O'Reilly logo
live online training icon Live Online training

CISSP Exam Preparation: Building a Practice of Mapping Threats to Controls

Dean Bushmiller

CISSP is the gold standard of vendor neutral cybersecurity certification. Every job that touches a computer has a cybersecurity component. Every business owner must make informed decisions and choices in cybersecurity computing. If your organization is subject to PCI, GDPR, HIPAA, SOX, ISO 27001, or others, you need the CISSP to understand cybersecurity from a management viewpoint.

Many people think the CISSP exam is about technology and security; it is not. It is about managing the people with technology and security functions. It is about thinking the CISSP way; a unique skill.

Each one of the 8 CISSP domains represent an entire life’s work. You must build a system to prepare for the exam. Everyone tries to brute-force the exam, but most fail because it requires finesse, a CISSP management way of thinking, and a clear study plan. This course starts with one view across all domains and one practice.

This course is the first in a series of four courses on CISSP exam preparation. Each of the four courses explores the exam through a different lens, cultivating a skill that will improve your overall performance on the exam. Taking all four courses will cover 80% of the exam topics, and will enable you to complete the exam in only 100 questions.

As a CISSP you are fixing cybersecurity business problems “threats” using tools that directly address the problem “controls”.

We will learn the skill of mapping each threat to each control and on the fly challenge each other to identify as many threats and controls as possible across all domains.

What you'll learn-and how you can apply it

By the end of this live, hands-on, online course, you’ll understand:

  • Identify CISSP threats and control them
  • Be able to process 15-20% of all cybersecurity business questions
  • Recognize what a CISSP exam question is asking
  • How to be a true security professional
  • How to manage your organization’s cybersecurity

And you’ll be able to:

  • Avoid cybersecurity technical brute-force traps
  • Build a plan for growing your managerial decision making process
  • Identify major threats and controls

This training course is for you because...

  • You need to earn CISSP certification
  • You need a plan to prepare for CISSP certification
  • You are moving from a security support role to a management position
  • You are a security designer, administrator, or engineer
  • You are maintaining your CPE/CEU’s for your profession


  • An understanding of (ISC)2‘s CISSP requirements of certification
  • As per CISSP exam requirements:
  • 4-6 years experience in information system security
  • 1-2 years experience in each domain of the CISSP

Recommended follow-up:

About your instructor

  • Dean Bushmiller has been teaching the CISSP for 15 years. Dean Bushmiller knows the easiest ways for you to keep the CISSP way of thinking in your head. His life-time instructor approval rating is over 90%. He is a leader of cybersecurity subject matter experts. He has been teaching cybersecurity continuously online since 2007. He has over 1000 hours of recorded cybersecurity training.

    Dean has built CISSP mindmap workbooks since 2010 and hosts a free weekly discussion on cybersecurity topics PDIH Preventing-Deer-In-Headlights which can be found at ExpandingSecurity.com

    He has held the following certifications: CISSP, CFR, CVLP, CEH, ISSMP, CRISC, ISSAP, CCSK, CCSP, Exin Cloud, CHFI, CASP, GSEC, CCNA, MCSE 2K Charter, MCDBA, MCSA, MCP, MCT, CISM, PLCOP, PLA, PLCT, AWR-138-W, Cloud+, CEI, LPIC-1, Security+

    Outlets for his training include: SANS, FED-VTE, Software Engineering Institute - Carnegie Mellon University, (ISC)2, and Expanding Security.

    Though Dean is non-military, he has had the honor to train the U.S. military since 1999. In recognition for outstanding service in the Information Assurance field, he has received 8 mission coins.


The timeframes are only estimates and may vary according to how the class is progressing

Day 1 (240 minutes)

  • Presentation: Why you should listen to me (5m)
  • Exercise: Quick navigation of shared content on safari (5m)
  • Presentation: Threats & Controls process (10m)
    • This is a skill you must grow
    • General Sample STRIDE
    • Rules of participation
    • Roles of participation
  • Question & Answer (5m)
  • Pomodoro-break & prepare for next section (5m)
  • Presentation: Specific Sample OWASP top 10 (10m)
  • Activities(15m)
  • Pomodoro-break & prepare for next section (5m)
  • Presentation: Specific Sample Controls CIS (10m)
  • Activities(15m)
    • Given a CIS Control - find a Threat
  • Pomodoro-break & prepare for next section (5m)
  • Presentation: Specific Sample Controls 800-53 (10m)
  • Activities(15m)
    • Given a 800-53 Control - find a Threat
  • Pomodoro-break & prepare for next section (5m)
  • Presentation: Adding Categories to improve process (10m)
    • 6 Categories for controls
    • 6 practice
  • Pomodoro-break & prepare for next section (5m)
  • Activities(25m)
    • Given Threats / Controls - do Categorizing
  • Pomodoro-break & prepare for next section (5m)
  • Activities(25m)
    • Given a Domain & Subtopics
    • Provide a Threat - pause
    • Provide a Control - pause
    • Provide a Categorize - pause
  • Presentation: Let us improve process (5m)
  • Preparation for Next session (10m)
    • List of domains and subtopics
    • Students choose “Great 8”
  • Vote on top 3 domains
  • Vote on top 5 subtopics
  • On your own Find threats, controls, categories
  • Q&A (5m)

Day 2 (240 minutes)

  • We execute some or all of the activities detailed in section labeled “Activities # 1” below a total of 8 times. Each time we are choosing a different domain or subtopic from the list determined by the students in the polling from Session 1.
  • Presentation: Review of first session (5m)
    • Review order of domains by students Ranking 1 to 8
    • Detailed list for threats, controls, categories
  • Activities(25m) # 1 of 8 from student voting
    • Given threats add more - Chat
    • Assigned threats, supply controls - Chat
    • Assigned controls, supply category - poll
    • Private chat to do more than your assignment
    • If time allows add ranking - poll
    • If time allows add narrow scope - poll
  • Pomodoro-break & prepare for next section (5m)
  • Activities(25m) # 2 of 8
  • Pomodoro-break & prepare for next section (5m)
  • Activities(25m) #3 of 8
  • Pomodoro-break & prepare for next section (5m)
  • Activities(25m) #4
  • Pomodoro-break & prepare for next section (10m)
  • Activities(25m) #5
  • Pomodoro-break & prepare for next section (5m)
  • Activities(25m) #6
  • Pomodoro-break & prepare for next section (5m)
  • Activities(25m) #7 (if time allows)
  • Pomodoro-break & prepare for next section (5m)
  • Activities(10m) #8 (if time allows)
  • Q&A (?m)