Asset Security is the smallest domain on the CISSP exam at roughly 10% of your questions, and it is also one of the domains where strong candidates lose points they should never lose. The reason is consistent. People study it as a vocabulary list, memorizing classification levels and a few data role names, then walk into a scenario question that asks them to decide who is accountable, which control applies, and how the data should be disposed of. That is a different skill than recall, and the exam knows it.
This breakdown covers what Domain 2 actually tests, where candidates get tripped up in the classroom and on the exam, and how to think through the question types ISC2 favors. It is the second piece in a domain-by-domain series. If you have not read the first, start with the CISSP Domain 1 breakdown, since Security and Risk Management sets up the governance language that Asset Security assumes you already speak.
Most Domain 2 questions come down to defending a decision rather than reciting a definition. Who owns this data, what is it worth to the business, and what happens to it at every stage from creation through disposal.
What Does CISSP Domain 2 Cover?
Asset Security is built around a single idea. You cannot protect something appropriately until you know what it is worth and who is responsible for it. The domain walks the full life of an asset, from the moment information is identified and classified, through how it is handled and stored, all the way to retention limits and final destruction. The official ISC2 exam outline groups this into a handful of areas: identifying and classifying assets, setting handling requirements, provisioning assets securely, managing the data lifecycle, ensuring appropriate retention, and determining the right data security controls.
A note on the current version. The April 2024 outline kept Domain 2 at 10% and added language around AI assets, so classification now extends to things like training datasets and model weights, not just spreadsheets and database tables. If your study materials predate 2024, the weighting is the same but the example assets are broader than what older books describe.
A pattern I point out in class: almost every Domain 2 question is really a value question wearing a costume. Classification is about value. Handling rules follow from value. Retention and destruction decisions come down to what the data is worth versus what it costs to keep or recover it. Read the question, find the asset, and ask what it is worth to the organization. That single habit answers more of these than any flashcard stack.
Data and Asset Classification
Classification assigns a protection level to an asset based on its value and the impact if it were disclosed, altered, or lost. Government and military environments tend to use a Top Secret, Secret, Confidential, and Unclassified scheme. Commercial environments use their own labels, often something like Confidential, Private, Sensitive, and Public, though the exact words vary by organization. The labels matter less than the logic underneath them. The classification drives the handling requirements, and the handling requirements drive the controls.
Here is the trap. Candidates classify by data type instead of impact. Someone sees the word “email” and reaches for a low label, or sees “financial” and reaches for a high one, without reading what the data does for the business. A leaked internal lunch menu and a leaked merger plan are both email. They are not the same asset. The owner classifies based on what disclosure would cost the organization, not based on the file format or the system it lives in.
One more thing the exam likes to test here. When two pieces of data of different classifications get combined, the result generally inherits the higher classification. Aggregation can raise sensitivity too. Individually harmless records can become sensitive in bulk, which is why a database export of a million “low value” rows is treated very differently from a single row.
The Data Roles, and the One Distinction That Costs People Points
If there is one part of Domain 2 worth memorizing cold, it is the data roles, because ISC2 builds scenario questions specifically to see whether you can tell them apart under pressure. The most common miss in twenty years of watching candidates work these is owner versus custodian. The owner decides. The custodian implements. When a question asks who is responsible for setting the classification of a dataset, the answer is the owner, who is usually a senior business manager, not the database administrator who runs the backups.
If you want a deeper walk through the owner, custodian, controller, and user relationships with worked examples, we cover it separately in this piece on CISSP data roles. Get that distinction reflexive and a real chunk of Domain 2 stops being hard.
Data States: At Rest, In Transit, In Use
When the exam asks how to protect data, the right answer almost always depends on which state the data is in. Each state has a default control set, and matching them correctly is most of the battle.
The classic wrong answer is reaching for encryption no matter what the question describes. Encryption is the right move at rest and in transit. Data in use has to be decrypted to be processed, so an answer that says “encrypt it” for in-use protection is usually the distractor. Watch for it.
Data Lifecycle, Retention, and Destruction
The lifecycle runs from data being collected, through where it lives and how it is maintained, to how long you keep it and how you get rid of it. Retention is a policy decision before it is a technical one. You keep data as long as a legal, regulatory, or business reason requires, and not longer, because data you no longer need is pure liability. Holding records past their retention period is its own finding in an audit.
Destruction is where the technical detail comes back, and it is heavily tested. The reference the exam draws from is the NIST media sanitization guidance, NIST Special Publication 800-88, which sorts sanitization into three levels: Clear, Purge, and Destroy. Clear relies on standard overwrite techniques and is fine for media that stays inside the same security boundary. Purge goes further, using methods such as cryptographic erase or block-level commands that put recovery out of reach even with lab tools. With Destroy, the media is physically ruined so it can never be reused at all.
Two things catch people here. One is degaussing. It wipes data on magnetic media but does nothing useful to a solid state drive, because there is no magnetic field to disrupt, so an answer that degausses an SSD is wrong on its face. The other is the assumption that more destruction is always safer. The right level is driven by how sensitive the data is and whether the media will be reused or leave your control, not by reflex. Destroying every retired drive is wasteful when a purge would do, and a purge is not enough when the medium is leaving for disposal and held Top Secret data. Match the method to the sensitivity and the destination.
Remanence is the term for the residual data left behind after you think you have deleted something. A standard file delete or a quick format does not remove the underlying bits; it only frees the pointer to them, and the data stays on the media until it is overwritten. That gap between “deleted” and “unrecoverable” is exactly what Clear, Purge, and Destroy address, and it is a favorite area for exam questions because so many people in IT assume a delete is the end of the story.
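As an added example (not code from the article or from ISC2/NIST), the sanitization decision described above expressed as a small checker: it picks the minimum Clear/Purge/Destroy level from the data's sensitivity and where the media is headed, then verifies that a proposed technique is both strong enough and physically meaningful for the media type, so that degaussing an SSD is rejected. The destination labels, the sensitivity tiers, and the method table are this example's own simplification of the page's rules, not the full NIST SP 800-88 flowchart.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):          # ordered so a stronger level compares greater
    CLEAR = 1
    PURGE = 2
    DESTROY = 3

@dataclass(frozen=True)
class Media:
    kind: str          # "hdd" or "tape" (magnetic), "ssd" (flash); assumed labels
    sensitivity: str   # "low", "moderate", "high" (Top Secret-class data)
    destination: str   # "reuse_internal", "reuse_external", "dispose" (assumed)
    encrypted_since_new: bool = False   # precondition for cryptographic erase

MAGNETIC = {"hdd", "tape"}
ANY = {"hdd", "tape", "ssd"}

# method -> (level it achieves, media kinds it actually works on); assumed table
METHODS = {
    "overwrite":    (Level.CLEAR,   ANY),        # standard overwrite = Clear
    "degauss":      (Level.PURGE,   MAGNETIC),   # no magnetic field on flash
    "crypto_erase": (Level.PURGE,   ANY),        # needs always-on encryption
    "block_erase":  (Level.PURGE,   {"ssd"}),    # drive-level sanitize command
    "shred":        (Level.DESTROY, ANY),        # physical destruction
}

def required_level(m: Media) -> Level:
    """Minimum level under the page's rules: match sensitivity and destination."""
    if m.destination == "dispose" and m.sensitivity == "high":
        return Level.DESTROY   # purge is not enough for Top Secret leaving for disposal
    if m.destination in ("reuse_external", "dispose"):
        return Level.PURGE     # once it leaves our control, defeat lab recovery
    return Level.CLEAR         # stays inside the same security boundary

def check_method(m: Media, method: str) -> tuple[bool, str]:
    """Return (ok, reason) for a proposed sanitization technique on this media."""
    achieved, kinds = METHODS[method]
    if m.kind not in kinds:
        return False, f"{method} does nothing useful to {m.kind} media"
    if method == "crypto_erase" and not m.encrypted_since_new:
        return False, "crypto erase only counts if the data was always encrypted"
    need = required_level(m)
    if achieved < need:
        return False, f"{method} reaches {achieved.name}, but {need.name} is required"
    return True, f"{method} reaches {achieved.name}, {need.name} required"
```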
Determining Data Security Controls: Scoping and Tailoring
The last big area asks how you pick the controls that protect an asset. You start from a baseline, which is a standard starting set of controls for a given classification. Then you apply two adjustments that candidates routinely swap. Scoping is deciding which controls in the baseline actually apply to your system, removing the ones that are not relevant. Tailoring is adjusting the controls that do apply so they fit your specific environment. Scope first to figure out what is in play, then tailor what remains.
Beyond the baseline work, this area folds in the protection technologies you would expect, such as data loss prevention to stop sensitive data from leaving, digital rights management to enforce usage rules on files, and cloud access security brokers to extend policy into cloud services. The exam is less interested in product features than in whether you can match a tool to the problem the scenario describes.
Where Candidates Actually Lose Points on Domain 2
Pulling together what I see go wrong most often, a short list is worth keeping in front of you while you study. These are the recurring misses, not edge cases.
Confusing owner and custodian. The owner sets classification and stays accountable while the custodian carries it out. If a question asks who is responsible for a classification decision, it is never the administrator.
Classifying by data type instead of value. The label follows the impact of disclosure, not the file format or the system. Read what the data does for the business.
Reaching for encryption on data in use. It works at rest and in transit. Data being processed has to be readable, so in-use protection lives elsewhere.
Degaussing a solid state drive. Degaussing only affects magnetic media. For an SSD you need cryptographic erase or physical destruction.
Swapping scoping and tailoring. Scoping decides which controls apply. Tailoring adjusts the ones that do. Scope first, then tailor.
Domain 2 carries less weight than the heavyweights, which is exactly why it is worth locking down. You will not study it for three weeks, but the questions are gettable if the role definitions and the destruction levels are second nature. For how it stacks up against the rest of the exam, our ranked look at the hardest CISSP domains puts the difficulty in context.
Frequently Asked Questions
How much of the CISSP exam is Domain 2?
Asset Security is weighted at about 10% of the exam under the current outline that took effect April 15, 2024 and still applies for 2026 candidates. It is tied with Domain 8 as the lowest-weighted domain, but the question style still rewards judgment over memorization.
What is the difference between a data owner and a data custodian?
The data owner is a senior management role that is accountable for an asset, sets its classification, and approves access. The custodian is the technical role that carries out those decisions through backups, access enforcement, and system maintenance. Accountability stays with the owner even when the hands-on work is delegated.
What are the three data states tested in Domain 2?
Data at rest, data in transit, and data in use. At rest and in transit are protected primarily with encryption, while data in use has to be readable to be processed and relies on application security and access controls instead. Picking encryption as the answer for data in use is a common exam trap.
What are the NIST 800-88 levels of media sanitization?
NIST Special Publication 800-88 defines Clear, Purge, and Destroy. Clear uses standard overwrites and suits media reused inside the same boundary. Purge uses stronger methods like cryptographic erase that defeat lab recovery. Destroy physically ruins the media so it cannot be reused. The right choice depends on the data sensitivity and whether the media will leave your control.
Can you degauss a solid state drive?
No. Degaussing disrupts the magnetic fields on traditional hard drives and tape, but a solid state drive stores data in flash memory with no magnetic field to affect. To sanitize an SSD you use cryptographic erase or physical destruction. Exam answers that degauss an SSD are wrong.
What is the difference between scoping and tailoring?
Scoping is deciding which controls from a baseline actually apply to your system and removing the ones that do not. Tailoring is adjusting the controls that remain so they fit your environment. You scope first to narrow the set, then tailor what is left.
Director, Educational Services | Training Camp
Mark Sabo is the Director of Educational Services at Training Camp, where he oversees the training team, course design, and certification program development. He holds a B.S. in Information Sciences and Technology from Penn State University and more than 50 industry certifications. Mark joined Training Camp in 2005, became a Technical Trainer in 2007, and assumed his current leadership role in 2015. His specialty is practice exam development and exam preparation strategy, built from years of teaching students in the classroom and studying how certification exams are constructed. His writing focuses on the technical details that matter most to professionals preparing for high stakes exams.
