15+ Laws Every CISSP Candidate Must Know: The Only Legal Guide You Need
Think you can skip the legal stuff? Think again. FISMA, HIPAA, SOX, and GDPR aren't optional, but this guide makes them simple, categorized, and exam-ready.
Sarbanes-Oxley. Gramm-Leach-Bliley. DMCA.
You’ve probably seen these names before.
Maybe on flashcards. Maybe on Reddit. Maybe in your nightmares.
But here’s the real question most beginners ask:
“Why do I, a future cybersecurity professional, need to know all these laws?”
Why should someone configuring firewalls or reviewing risk registers care about a law that defines how banks disclose information?
The answer is simple — and painful:
👉 If something goes wrong, it’s your fault.
👉 If data is mishandled, it’s your domain.
👉 If a regulator comes knocking, they won’t ask the CFO. They’ll ask you.
Cybersecurity isn’t only about encryption, firewalls, and incident response.
It’s about legality, accountability, and compliance.
And the CISSP exam creators know that very well.
So here’s what you can expect from this article:
✔️ Understand every major law you need for the CISSP exam
✔️ See them grouped into categories that make them easy to remember
✔️ Learn the essence of each law; the exam will never ask for more
✔️ Get actionable exam tips that save study time
✔️ Get directed to the Domain 1 Checklist for a complete learning path
Sounds good?
Great, let’s roll!
Before we dive deep into various laws, I want you to know that this whole topic is tightly connected to another CISSP topic: the protection of intellectual property, which I’ve covered in my previous article.
I recommend starting with it.
Categories
I managed to categorize the relevant laws into five categories:
Healthcare
Finance
Privacy
Government
IP Protection (Copyright).
Please note that these categories are intended solely for educational purposes. There is no official categorization.
However, I find it quite useful.
This is a picture that summarizes all the laws you need to know for the CISSP exam.
Quite a lot, isn’t it?
The good news is that the exam doesn’t require you to go into much detail for most laws.
There are some exceptions, such as HIPAA or GDPR, but those will be covered in completely separate articles.
Here is the categorized list of laws:
1. Government
Federal Information Security Management Act (FISMA)
U.S. government’s “baseline security rulebook.” Any federal agency or any contractor handling federal data must follow strict, mandatory security controls.
Federal Risk and Authorization Management Program (FedRAMP)
If a cloud provider wants to work with the U.S. government, FedRAMP is its entrance exam. Just remember that it links cloud providers and the government.
Communications Assistance for Law Enforcement Act (CALEA)
CALEA ensures law enforcement can legally intercept communications when they have proper authorization.
2. Healthcare
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA protects medical records and health information, requiring healthcare entities to implement strict privacy and security controls. (Will be covered in a separate article)
Health Information Technology for Economic and Clinical Health Act (HITECH)
HITECH strengthens HIPAA by increasing enforcement, raising penalties, and promoting secure adoption of electronic health records. Remember: It’s just improved HIPAA.
3. Finance
Gramm–Leach–Bliley Act (GLBA)
GLBA requires financial institutions to protect customer financial data and explain how personal information is collected, used, and shared. Remember: It protects the financial information of clients.
Sarbanes–Oxley Act (SOX)
SOX requires organizations to protect financial records, maintain reliable reporting, and preserve audit logs, with executives held legally accountable for compliance.
Let me show you what you need to know about SOX in one simple picture.
4. Privacy
United States
Electronic Communications Privacy Act (ECPA)
ECPA protects digital communications, such as emails, texts, and cloud data, from unauthorized access, while defining when law enforcement may access them. It is connected to CALEA, which allows law enforcement to tap into communications with proper authorization.
Children’s Online Privacy Protection Act (COPPA)
Before a company can collect any data from kids under 13, it needs parental consent. Websites, apps, YouTube channels, and online games must all comply. Remember: 13 years old!
Computer Fraud and Abuse Act (CFAA)
CFAA makes unauthorized access, tampering, and computer-related fraud federal crimes, forming the foundation of U.S. anti-hacking enforcement.
Family Educational Rights and Privacy Act (FERPA)
This protects student records. Schools must safeguard data, and parents (or adult students) should control who has access to what. Remember: Protection of student records.
Want the Complete Domain 1 Roadmap?
Laws and regulations are just one piece of the Security and Risk Management topics.
If you want a structured way to master Domain 1 of the CISSP exam, I’ve created something for you.
My CISSP Domain 1 Checklist provides clarity and focus on everything that truly matters for the exam and real-world practice.
➡️ Download it here and stop wasting time on scattered study materials.
International
General Data Protection Regulation (GDPR)
GDPR grants individuals strong rights over their personal data and requires organizations to implement strict privacy and security controls.
Personal Information Protection Law (PIPL)
PIPL regulates how personal data is collected, processed, and transferred in China, with strict rules for international data transfers.
Protection of Personal Information Act (POPIA)
POPIA requires organizations operating in South Africa to protect personal data, minimize data collection, and respect individual privacy rights.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA governs how Canadian private-sector organizations collect, use, and safeguard personal information, giving individuals rights to access and challenge data handling.
Exam tip: Remember that these are privacy laws, and make sure you know which country they apply to.
5. Copyright / Digital Content
Digital Millennium Copyright Act (DMCA)
The DMCA exists to protect copyrighted digital content and to address online copyright infringement, particularly in the Internet era. Remember: It makes unauthorized use of intellectual property illegal.
Key Takeaways
Wow, quite a lot of laws, right?
If you are panicking right now, stop. It isn’t that bad.
Here is what I want you to take from this article:
✔️ You don’t need to memorize legal text — only the purpose of each law.
✔️ CISSP is not testing your ability to interpret legislation.
✔️ Instead, it tests whether you understand which law applies in which scenario.
✔️ This topic looks big, but it’s actually one of the easiest marks in Domain 1.
✔️ If you know the categories + one-sentence purpose, you’re good.
✔️ Don’t try to pass CISSP without knowing these — the exam will test them.
If the pictures aren’t enough to help you remember, just comment “ANKI” and I’ll send you the flashcard deck.
Remember: The most important thing is to know the very basics of each law. You don’t need any details. We’re not lawyers, we’re cybersecurity professionals, and the exam reflects that.
I strongly believe that if you remember everything in this article, you will answer all law-related questions with ease.
Conclusion
No, you’re not expected to become a lawyer.
But you are expected to understand which laws apply to your organization — because when a regulator, auditor, or lawyer asks questions, cybersecurity is always part of the conversation.
And if something goes wrong?
Everyone will look at you.