CISSP Exam Pattern Changes, May 2021

On May 1, 2021, ISC² implemented a refreshed set of objectives for the CISSP certification exam for security professionals in order to keep it relevant to the latest technologies and cybersecurity standards, requirements and processes. New information security concepts, terms and acronyms have been added and others are better covered.

In this blog, we’ll look at the CISSP exam pattern changes and explore some of the key concepts and issues a candidate needs to be aware of in order to prepare for the refreshed exam in the best possible way.

Changes to domain weights

There are still 8 CISSP domains, all with the same names. A slight change was made to the weight of two domains, as shown in the following table:

Domain number | Domain                                | Weight in 2018 | Weight in 2021
------------- | ------------------------------------- | -------------- | --------------
1             | Security and Risk Management          | 15%            | 15%
2             | Asset Security                        | 10%            | 10%
3             | Security Architecture and Engineering | 13%            | 13%
4             | Communications and Network Security   | 14%            | 13% (down 1%)
5             | Identity and Access Management (IAM)  | 13%            | 13%
6             | Security Assessment and Testing       | 12%            | 12%
7             | Security Operations                   | 13%            | 13%
8             | Software Development Security         | 10%            | 11% (up 1%)

Changes to domain content

The list of changes below is fairly complete but isn’t exhaustive. In the updated study guide, I also call out when something is new for 2021.

  1. Security and Risk Management
    • In 1.2, authenticity and nonrepudiation have been added.
    • In 1.9, transfers have been added to the discussion of onboarding and termination.
    • Privacy is quietly mentioned in 1.10. Also in 1.10 is the mention of risk maturity modeling (evaluating how mature an organization’s risk model is). Expect more exam content around privacy in this space. Previously, the primary focus was security.
    • In 1.12, a new acronym was added for supply chain risk management (SCRM). The content around this topic remains the same but be aware of the acronym.
    • In 1.13, examples were added around awareness and training: social engineering, phishing, security champions and gamification.
  2. Asset Security
    • 2.3 now includes content around asset inventory (tangible, intangible) and asset management.
    • 2.4 has new content around data lifecycle, data roles, data collection and data management.
    • 2.5 introduces the terms “end of life” and “end of support.”
    • 2.6 has minor updates, such as changing “data in motion” to “data in transit.” But 2.6 also has new mentions of DRM, DLP and CASB; previously, there weren’t any examples of technologies or solutions. Thus, ensure that you have a good understanding of DRM, DLP and CASB and can differentiate between them if you’re given a scenario and must choose the appropriate solution.
  3. Security Architecture and Engineering
    • The title of 3.1 now includes “research” and the word is also incorporated into a couple of the bulleted items. The previous version of the exam focused strictly on implementing and managing. Expect some new content around research, such as evaluating solutions as well as comparing and contrasting different solutions.
    • 3.2 calls out specific security models: Biba, Star Model and Bell-LaPadula. In the previous version of the exam, specific models were not mentioned. While study guides and books have long discussed Biba and Bell-LaPadula, many do not cover Star Model as thoroughly.
    • 3.5 introduces the acronyms SaaS, IaaS and PaaS. It also introduces a plethora of other types of systems and services, including microservices, containerization, serverless, embedded systems, high-performance computing systems, edge computing systems and virtualized systems. Focus on the unique security challenges associated with these systems.
    • In Section 3.6, quantum is introduced as part of the cryptographic methods. Also introduced is “digital certificates.” Certificates were covered in the previous exam under “Apply Cryptography” but this is the first use of the formal term “digital certificate.” Concepts remain the same, though.
    • In 3.9, the term “power” is introduced in relation to high availability.
  4. Communications and Network Security
    • 4.1 includes multiple changes:
      • The title now includes “assess and implement”.
      • IPv4, IPv6 and IPsec are specifically called out, so they are almost certain to show up in exam questions.
      • There is a new section for secure protocols such as Kerberos, SSL/TLS, SFTP, SSH and IPsec; you should know enough about these to explain at a high level when and how they are used.
      • More examples have been added in the section on converged protocols, including FCoE, iSCSI, and VOIP.
      • The section on micro-segmentation has been expanded to include VXLAN, encapsulation and SD-WAN.
      • In the section on wireless networks, new examples are called out: Li-Fi, Wi-Fi, Zigbee and satellites. Also new is a call out for cellular networks (4G and 5G) and content distribution networks (CDNs). You should understand what these are and how to differentiate between them. Stay focused on the security aspects.
    • In 4.2, in the first topic on the operation of hardware, redundant power, warranty and support have been added to the list.
    • In 4.3, there is a new item for third-party connectivity; it centers around third parties connecting to your organization’s network, often to perform work or consume data and services.
  5. Identity and Access Management
    • In 5.1, around controlling access to assets, a new item for applications was added. Previously, applications were not in scope.
    • In 5.2, the concept of just-in-time (JIT) is introduced.
    • In 5.3, related to federated identity with a third-party service, an item was added for hybrid implementations. It covers an environment that has some on-premises technologies integrated with some cloud-based technologies for their federated identity environment.
    • In 5.4, an item for risk-based access control was added. Risk-based access control evaluates the risk of each individual authentication attempt and decides whether additional action is warranted. For example, a low-risk authentication requires no additional action, whereas a high-risk authentication could require MFA.
    • In 5.5, the topic of provisioning and deprovisioning has been expanded to include transfers. There are also new items for role definitions and privilege escalation (managed service accounts, use of sudo, and minimizing its use).
    • 5.6 is all new and covers the implementation of authentication systems, with items around OpenID Connect, SAML, Kerberos, RADIUS and TACACS+.
  6. Security Assessment and Testing
    • In 6.2, around security control testing, two new items were added: breach attack simulations and compliance checks. These are areas that you should be able to describe at a high level.
    • 6.4 has been revamped with new items for remediation, exception handling and ethical disclosure. Be sure to understand the nuances of each.
  7. Security Operations
    • In 7.1, about investigations, a new item was added for artifacts (computer, network, mobile device). Artifacts are remnants (information) left behind on devices that you can use in investigations.
    • 7.2 includes a new item covering log management, threat intelligence, and user and entity behavior analytics (UEBA).
    • 7.4 has new examples: provisioning, baselining and automation.
    • 7.5 has a new item for media protection techniques, such as physically protecting media or virtually protecting media with technologies like WORM.
    • 7.7 adds new examples for firewall, including next generation, web application and network. This section also has a new item for machine learning and artificial intelligence (AI) based tools. Be sure to understand the benefits that these tools bring to incident management.
    • In 7.11, a new item for lessons learned was added. You should understand why an organization should utilize lessons learned, as well as when in the process they should be used.
  8. Software Development Security
    • 8.2 adds many new items: libraries, tool sets; integrated development environment (IDE); runtime; continuous integration and continuous delivery (CI/CD); security orchestration, automation and response (SOAR); and application security testing (SAST and DAST).
    • 8.4 calls out the different ways to acquire software, with new items added for commercial-off-the-shelf (COTS), open source, third-party and managed services. Be familiar with the security aspects of software and how security differs based on how you acquire the software.
    • 8.5 includes a new item for software-defined security.
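
Because 3.2 now names Biba and Bell-LaPadula explicitly, here is an added Python example (mine, not from this post or from ISC²) that encodes the read and write rules of both models as plain functions and evaluates a few constructed requests under each, so the mirror-image relationship between the confidentiality model and the integrity model is visible. The level names, their ordering, the subject and object names and the sample requests are assumptions for illustration; Biba levels are integrity levels, reused here with the same ordering for brevity.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Tuple


class Level(IntEnum):
    """Ordered levels (constructed for illustration).

    Bell-LaPadula reads these as confidentiality levels; Biba reads them
    as integrity levels. One ordering is reused so the two models can be
    compared side by side.
    """
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# --- Bell-LaPadula (confidentiality) ---------------------------------

def blp_can_read(subject: Level, obj: Level) -> bool:
    """Simple security property: no read up."""
    return subject >= obj


def blp_can_write(subject: Level, obj: Level) -> bool:
    """*-property (star property): no write down."""
    return subject <= obj


# --- Biba (integrity) -------------------------------------------------

def biba_can_read(subject: Level, obj: Level) -> bool:
    """Simple integrity property: no read down."""
    return subject <= obj


def biba_can_write(subject: Level, obj: Level) -> bool:
    """Integrity *-property: no write up."""
    return subject >= obj


@dataclass(frozen=True)
class Request:
    subject: str
    subject_level: Level
    action: str          # "read" or "write"
    obj: str
    obj_level: Level


def decide(model: str, req: Request) -> bool:
    """Return True if the request is permitted under the named model."""
    rules = {
        ("blp", "read"): blp_can_read,
        ("blp", "write"): blp_can_write,
        ("biba", "read"): biba_can_read,
        ("biba", "write"): biba_can_write,
    }
    rule = rules.get((model, req.action))
    if rule is None:
        raise ValueError(f"unknown model/action: {model}/{req.action}")
    return rule(req.subject_level, req.obj_level)


def audit(requests: List[Request]) -> List[Tuple[str, bool, bool]]:
    """Evaluate each request under both models.

    Returns (description, allowed_by_blp, allowed_by_biba) per request.
    """
    out = []
    for r in requests:
        desc = f"{r.subject}({r.subject_level.name}) {r.action} {r.obj}({r.obj_level.name})"
        out.append((desc, decide("blp", r), decide("biba", r)))
    return out


# Constructed sample requests (hypothetical subjects and objects).
SAMPLE_REQUESTS = [
    Request("analyst", Level.SECRET, "read", "budget.xlsx", Level.CONFIDENTIAL),
    Request("analyst", Level.SECRET, "write", "budget.xlsx", Level.CONFIDENTIAL),
    Request("intern", Level.CONFIDENTIAL, "read", "plans.docx", Level.SECRET),
    Request("intern", Level.CONFIDENTIAL, "write", "plans.docx", Level.SECRET),
]

if __name__ == "__main__":
    for desc, blp_ok, biba_ok in audit(SAMPLE_REQUESTS):
        blp = "allow" if blp_ok else "deny"
        biba = "allow" if biba_ok else "deny"
        print(f"{desc:55} BLP={blp:5} Biba={biba}")
```

Every request that Bell-LaPadula permits, Biba denies, and vice versa: that is the point exam questions on these two models tend to probe, and it falls straight out of the four one-line rules.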

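The risk-based access control item in 5.4 describes a mechanism, so here is an added Python example (mine, not from this post or from ISC²) that scores a single authentication attempt from a handful of risk signals and maps the score onto an action. It goes slightly beyond the post's two outcomes by adding a deny tier for very high scores; the signals, weights, thresholds, field names and sample attempts are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List


class Decision(Enum):
    ALLOW = "allow"              # low risk: no additional action
    REQUIRE_MFA = "require_mfa"  # elevated risk: step-up authentication
    DENY = "deny"                # very high risk: block the attempt


@dataclass(frozen=True)
class AuthAttempt:
    user: str
    known_device: bool            # device has been seen for this user before
    country: str                  # country resolved from the source address
    usual_countries: FrozenSet[str]
    failed_attempts_last_hour: int
    hour_of_day: int              # 0-23 in the user's local time
    privileged_role: bool         # e.g. an administrative account


# Risk weight per signal. Constructed for illustration; a real deployment
# would tune these against its own authentication telemetry.
WEIGHTS = {
    "unknown_device": 30,
    "unusual_country": 35,
    "repeated_failures": 25,
    "off_hours": 10,
    "privileged_role": 15,
}

MFA_THRESHOLD = 30   # score at or above this requires MFA
DENY_THRESHOLD = 80  # score at or above this is denied outright


def risk_signals(a: AuthAttempt) -> List[str]:
    """Name every risk signal present in the attempt."""
    signals = []
    if not a.known_device:
        signals.append("unknown_device")
    if a.country not in a.usual_countries:
        signals.append("unusual_country")
    if a.failed_attempts_last_hour >= 5:
        signals.append("repeated_failures")
    if a.hour_of_day < 6 or a.hour_of_day >= 22:
        signals.append("off_hours")
    if a.privileged_role:
        signals.append("privileged_role")
    return signals


def risk_score(a: AuthAttempt) -> int:
    """Sum the weights of the signals present, capped at 100."""
    return min(100, sum(WEIGHTS[s] for s in risk_signals(a)))


def decide(a: AuthAttempt) -> Decision:
    """Map the risk score onto the action the authentication system takes."""
    score = risk_score(a)
    if score >= DENY_THRESHOLD:
        return Decision.DENY
    if score >= MFA_THRESHOLD:
        return Decision.REQUIRE_MFA
    return Decision.ALLOW


# Constructed sample attempts (hypothetical users and countries).
ROUTINE = AuthAttempt("alice", True, "US", frozenset({"US"}), 0, 10, False)
TRAVELLING_NEW_LAPTOP = AuthAttempt("alice", False, "FR", frozenset({"US"}), 0, 14, False)
SUSPICIOUS_ADMIN = AuthAttempt("admin-bob", False, "XX", frozenset({"US"}), 6, 3, True)

if __name__ == "__main__":
    for attempt in (ROUTINE, TRAVELLING_NEW_LAPTOP, SUSPICIOUS_ADMIN):
        print(f"{attempt.user:10} score={risk_score(attempt):3} "
              f"signals={risk_signals(attempt)} -> {decide(attempt).value}")
```

The routine attempt carries no signals and is allowed without further action; the same user on an unfamiliar device abroad is pushed to MFA; a privileged account with several recent failures, from an unusual country, at 3 a.m., exceeds the deny threshold. Keeping the signal list separate from the score makes the decision explainable to the analyst who later reviews it.
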
CISSP Exam Updates FAQ

  1. How often does the CISSP exam blueprint change?
    Typically, every 3 years. The most recent changes were in 2021, 2018, 2015 and 2012.
  2. Can I pass the new exam using old study material?
    Yes; many people have done that. The key is having the relevant work experience and knowledge in the topics.
  3. Has the exam format changed with this blueprint update?
    However, previously, there was a limited trial of home-based testing, which has ended. Whether that will be an option in the future hasn’t been announced.
  4. What is the point of updating the exam every few years?
    The primary goal is to keep the exam fresh and relevant; otherwise, the certification would decline in value. There are other reasons, too. For example, exam piracy (people disseminating exam content without authorization) is a real concern.
  5. Is the new CISSP exam harder?
    The new version of CISSP is not harder than the previous one. With the right resources that reflect the changes, you can prepare for the exam effectively.
  6. What are the prerequisites for the CISSP?
    To be eligible to take the CISSP exam, you must have a minimum of 5 years of work experience in at least 2 of the 8 CISSP domains. However, if you have a 4-year college degree or equivalent, an advanced degree in information security from NCAE-C, or another certification from ISC2’s recognized list of credentials, the work experience requirement is reduced to 4 years.

Work experience can be at a job or at a paid or unpaid internship. Here’s how to calculate your experience:

  • If you had a full-time position, you accrue a month of work experience by working at least 35 hours/week for 4 weeks.
  • If you worked part time (20–34 hours/week), calculate your total hours: 2080 hours of part-time work equals 12 months of full-time work experience.

Expert in Microsoft infrastructure and cloud-based solutions built around Windows, Active Directory, Azure, Microsoft Exchange, System Center, virtualization, and MDOP. In addition to authoring books, Brian writes training content, white papers, and is a technical reviewer on a large number of books and publications.