🏠 Back to Exam Syllabus πŸ“Ί RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 19.1 - Investigations (Part 1 of 3)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series opens the world of security investigations, within Domain 7, Security Operations. It sets the foundations for handling evidence correctly, since the day evidence is mishandled is the day a case can fall apart, and lays out the types of inquiry and the rules that keep findings standing up under scrutiny.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

Why does a routine incident sometimes become a formal investigation?

Because the stakes are not always small. Many incidents are minor enough to close with a quick judgment call, but when the damage or the threat is serious, you need a rigorous inquiry. The moment it turns formal, procedure becomes everything, since sloppy steps can violate someone’s rights, sink a prosecution, or expose you to legal action. Picture a small kitchen fire versus a full arson case: one you handle yourself, the other demands careful documentation.

What are the four investigation types you need to recognize?

There are four big ones, and each carries its own standard of proof. Administrative investigations look inward at operations and policy. Criminal investigations pursue alleged violations of criminal law. Civil investigations resolve disputes between two parties. And regulatory investigations handle possible breaches of administrative law. Think of them as four different courtrooms, each with its own bar to clear, so you match your rigor to the room you are heading toward.

How does evidence get shared before a case reaches court?

Through a process called discovery, where each side must preserve and exchange relevant information. When that information lives in digital form, we call it electronic discovery. A widely used reference model lays out this work in nine stages, moving from governing your information and identifying what is relevant, through preserving, collecting, and processing it, then into review, analysis, production, and finally presentation. It turns a mountain of raw data into a court-ready exhibit and demands tight teamwork between technical staff and lawyers.

What makes evidence admissible in a court of law?

A judge weighs it against three tests before it ever reaches open court. First, it must be relevant, meaning it helps establish a fact. Second, that fact must be material, meaning it truly connects to the case. Third, the evidence must be competent, meaning it was obtained legally. Evidence pulled from an illegal search fails that last test and gets tossed. Picture a bouncer at a door checking three items before anyone walks in: miss one, and you stay outside.

What forms can evidence take, and how is real evidence proven genuine?

Four major categories matter: real evidence is a physical object like a seized laptop, documentary evidence is written material like a system log, testimonial evidence is what a witness swears to under oath, and demonstrative evidence is a visual aid that explains a concept to a jury. Real evidence must be authenticated as unique and unaltered from the moment of collection, and when no witness can vouch for it, you rely on a chain of custody logging every hand it passes through with time, date, location, and reason.

πŸ“š Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 19.1 - Investigations (Part 1 of 3).