On April 15, 2018, ISC² implemented a new set of objectives for the Certified Information Systems Security Professional (CISSP) exam. The goal of refreshing the CISSP exam blueprint is to keep the exam relevant to the latest technologies, standards and processes in information security, so the certification will remain highly valuable. In this post, we’ll review the recent CISSP exam changes and explore some of the key things to be aware of as you prepare for the new version of the CISSP exam.
Previous and new CISSP domain names and weightings
First, let’s review the 8 domains that make up the CISSP exam. In the following table, we show the previous 8 domains and the new set. The last column shows the weight of each domain — the percentage of questions in the exam that cover that domain — and the change from the previous version of the exam.
|Domain number||Previous domains (2015 blueprint)||Domains as of April 15, 2018||CISSP CAT examination weight as of April 15, 2018 (change from the 2015 weight)|
|1||Security and Risk Management||Security and Risk Management||15% (-1%)|
|2||Asset Security||Asset Security||10% (no change)|
|3||Security Engineering||Security Architecture and Engineering||13% (+1%)|
|4||Communications and Network Security||Communication and Network Security||14% (+2%)|
|5||Identity and Access Management||Identity and Access Management (IAM)||13% (no change)|
|6||Security Assessment and Testing||Security Assessment and Testing||12% (+1%)|
|7||Security Operations||Security Operations||13% (-3%)|
|8||Software Development Security||Software Development Security||10% (no change)|
As you can see, the domain names are largely unchanged, but the weights of several domains have shifted (the eight weights still add up to 100%). Now, let's look at the key changes in each domain.
Domain 1. Security and Risk Management
Domain 1 still has the same name, but in some areas the skills required to pass the exam have been expanded. For example, section 1.5 went from "Understand professional ethics" to "Understand, adhere to, and promote professional ethics", and section 1.7 changed from "Understand business continuity requirements" to "Identify, analyze, and prioritize Business Continuity (BC) requirements". The new verbs matter: the exam now expects you to apply these topics operationally, not just recognize them, so make sure your study materials account for the expanded content.
Domain 2. Asset Security
Domain 2 also has the same name as before. Domain 2 is smaller than Domain 1, and the changes to it are less significant. One common theme throughout is improved precision of the topics. For example, section 2.2 used to be “Determine and maintain ownership”, which was a bit vague; most CISSP study materials assumed it meant ownership of data. Now, 2.2 is “Determine and maintain information and asset ownership”, which is much more precise. We see the same change a few other times in Domain 2; therefore, when studying, be sure to think about how the concepts apply to both information and other IT assets.
Domain 3. Security Architecture and Engineering
This domain has been expanded from "Security Engineering" to "Security Architecture and Engineering". In small organizations, engineering and architecture are often handled by the same person or team; in large organizations, they are usually separate and often have different management chains. Be sure you understand how both an architect and an engineer approach the topics in this domain. An architect focuses on high-level design without diving into the details (such as specific configurations or how components integrate), and therefore generally has broad but relatively shallow knowledge across many technologies. Engineers, on the other hand, focus on the configuration and integration of technologies based on the high-level architecture, and therefore generally have deep knowledge of a few specific technologies. Of course, there are many exceptions. Pay particular attention to the addition of the architecture aspect, which applies across the domain. Beyond that, there are a few important new topics: cryptographic systems, cloud-based systems and IoT (all in section 3.5).
Domain 4. Communication and Network Security
From a title perspective, just a single letter has changed (“Communications” became “Communication”). Looking into the topics, “Prevent or mitigate network attacks” has been removed completely, so make sure you don’t focus on it unnecessarily. The rest of Domain 4 is mostly the same; therefore older study materials, such as the Official (ISC)² Guide to the CISSP CBK, should still be very effective for preparing for the exam.
Domain 5. Identity and Access Management
Not much was changed in Domain 5. There are a couple of new concepts, such as “Attribute-Based Access Control (ABAC)”. Also, section 5.6, titled “Prevent or mitigate access control attacks”, has been removed, so you can save some time by not studying this topic.
Domain 6. Security Assessment and Testing
For this CISSP domain, changes are minimal and the title remains the same. Study materials for the previous version of the exam should still be effective for the updated exam objectives.
Domain 7. Security Operations
Domain 7 is one of the broadest domains in the CISSP CBK, and it has slightly more significant updates than the other domains. Also note that its weight saw the largest shift in this update, falling from 16% to 13%; it still accounts for about one question in eight, so the topics deserve real study time and practice questions, but the share of the exam they take up has shrunk rather than grown. There are some new topics, such as "Asset management", "Security training and awareness" and "Emergency management". Some topics experienced important changes; for example, you now need to understand "administrative" investigations and "industry standards" instead of "operational" investigations and "electronic discovery"; be sure to review training resources that account for these changes before attempting the exam. Other topics were clarified; for example, one of the topics in 7.1 was changed from "Digital forensics" to "Digital forensics tools, tactics, and procedures".
Domain 8. Software Development Security
Though the title of this domain remains the same and the domain remains fairly small (10%) compared to most of the others, there are quite a few changes in it. A new section, "Define and apply secure coding guidelines and standards", has been added. This is an area you will want to investigate, especially if you don't work in software development. There are also some minor clarifications. For example, instead of "Enforce security controls in development environments", section 8.2 is now "Identify and apply security controls in development environments".
CISSP certification changes FAQ
Here are answers to the most common questions about CISSP exam updates:
- How often does the CISSP exam change? The blueprint typically changes every three years: the exam was changed in 2012, 2015 and 2018.
- What is the point of updating the exam every 3 years? The primary goal is to keep the exam fresh and relevant so CISSP remains a premier security certification; otherwise, it would decline in value and relevance. There are other reasons too. For example, exam piracy (people disseminating exam content without authorization) is a real concern.
- Can I pass the new exam using old study material? Yes. Many people have done that; the key is having the relevant work experience. If you are trying to pass the exam just based on studying, it will be more difficult with the older materials. Of course, the CISSP credential itself requires verified work experience; a candidate without it can sit the exam but is designated an Associate of (ISC)² until the experience requirement is met.
- Has the exam format changed with this blueprint update? No. However, the format of the English language exam changed at the end of 2017 with the adoption of the Computerized Adaptive Testing (CAT) format. See http://blog.isc2.org/isc2_blog/2017/12/4-things-you-need-to-know-about-the-isc%C2%B2-cissp-cat-exam.html for details about that change.