
CISSP Exam Changes 2024

On April 15th of 2024, ISC² implemented a refreshed set of objectives for the CISSP exam. The goal of refreshing the exam objectives is to keep the exam relevant to the latest happenings in security. As things progress and new technologies are introduced, the objectives are updated to account for them as well as for the latest standards and processes. In this blog, we’ll look at the changes and explore some of the key things to be aware of as you prepare for the refreshed exam in 2025. If you studied for the CISSP using material for the previous update, you only need to review the changes / additions as much of the content and topics remain the same.

CISSP domains and changes

First, let’s review the 8 domains that make up the CISSP exam. In the following table, we show the 8 domains and relative weight in 2018 and 2021 in comparison to the relative weights today with the 2024 update. You’ll notice that the relative weights have been quite stable, with only slight changes over the last couple of updates.

| Domain number | Domain | Weight in 2018 | Weight in 2021 | Weight in 2024 |
|---|---|---|---|---|
| 1 | Security and Risk Management | 15% | 15% | 16% |
| 2 | Asset Security | 10% | 10% | 10% |
| 3 | Security Architecture and Engineering | 13% | 13% | 13% |
| 4 | Communication and Network Security | 14% | 13% (down 1%) | 13% |
| 5 | Identity and Access Management (IAM) | 13% | 13% | 13% |
| 6 | Security Assessment and Testing | 12% | 12% | 12% |
| 7 | Security Operations | 13% | 13% | 13% |
| 8 | Software Development Security | 10% | 11% (up 1%) | 10% |

Details about the domain updates

Similar to the last exam update, you’ll find some of the newer security concepts, terms, and acronyms added to the exam blueprint. The list of changes below isn’t exhaustive but is fairly complete. In the updated study guide, I also call out when something is new for 2024 or when something was removed.

  • Domain 1 (Name stays the same, weight up by 1%). From a title perspective, Domain 1 is the same. However, there are some changes within to be aware of:
    • The “5 Pillars of Information Security” was added
    • For the topic on security governance principles, the act of sustaining them was added
    • For the security control frameworks, specific frameworks are called out, including ISO, NIST, COBIT, SABSA, PCI, and FedRAMP – understand what each of these is at a management level
    • For the legal and regulatory topic, compliance was added in
    • The topic on privacy was updated to specify the General Data Protection Regulation, California Consumer Privacy Act, Personal Information Protection Law, and Protection of Personal Information Act. As with other topics, whenever the blueprint calls out specific examples, be sure to understand them and the differences between them.
    • For the business continuity topic, the actions of assessing and implementing were added
    • A new topic was added for external dependencies for business continuity
    • The topic on employment agreements was updated to mention policy driven requirements
    • Scoping was added to the risk assessment/analysis topic
    • For monitoring and measurement, the word “continuous” was added
    • The risk frameworks topic added specific examples
    • The topic around risks for hardware, software, and services was updated to emphasize broader risks when dealing with suppliers (such as product tampering)
    • The topic on third-party assessment and monitoring was renamed to risk mitigations and added examples such as third-party assessment and monitoring, service level requirements, and software bill of materials
    • The topic on awareness changed “present” to “increase”, a slight change that focuses on ongoing awareness instead of initial awareness
    • The topic on periodic content reviews added including emerging technologies and trends and gave specific examples (such as AI and cryptocurrency)
  • Domain 2 (Name and weight stay the same). Nothing changed in this domain for the 2024 exam update!
  • Domain 3 (Name and weight stay the same).
    • The topic “Keep it simple” was changed to “Keep it simple and small” to showcase that size matters when it comes to complexity
    • The topic on zero trust was updated to include “trust but verify” – this is not a new topic but just combined two existing topics
    • A new topic titled “Secure access service edge” was added
    • The topic on Industrial Control Systems (ICS) added “Operational Technology” to the title
    • The topic on microservices added a call out for APIs
    • The PKI topic added a reference to quantum key distribution
    • The key management practices topic added a reference to rotation
    • The digital signatures topic combined non-repudiation and integrity topics
    • The wiring closets topic changed “intermediate distribution facilities” to “intermediate distribution frame”
    • The topic on environmental issues added examples of natural disasters and man-made issues
    • The following topics and sub-topics were added:
      • Manage the information system lifecycle
        • Stakeholders needs and requirements
        • Requirements analysis
        • Architectural design
        • Development / implementation
        • Integration
        • Verification and validation
        • Transition / deployment
        • Operations and maintenance / sustainment
        • Retirement / disposal
  • Domain 4 (Name the same, weight the same).
    • Section 4.1 changes the title slightly from “assess and implement” to “Apply”
    • Section 4.1.2 adds examples of unicast, broadcast, multicast, and anycast
    • Section 4.1.3 gives examples of secure protocols including IPSec, SSH, SSL, and TLS
    • There were 7 topics added (4.1.6 to 4.1.12) covering transport architecture, performance metrics, traffic flows, physical segmentation, logical segmentation, micro-segmentation, and edge networks. Micro-segmentation changed quite a bit to include references to VLANs, VPNs, virtual routing and forwarding, and virtual domains.
    • In section 4.1.13, Bluetooth was added and Li-Fi was removed
    • In section 4.1.14 – “Cellular networks” was changed to “Cellular/mobile networks”
    • Software defined networks got its own sub-topic at 4.1.16
    • Virtual Private Cloud (VPC) got its own sub-topic at 4.1.17
    • In 4.1.18, monitoring and management (as well as specific examples) was added
    • Section 4.2.1 was changed from “Operation of hardware” to “Operation of infrastructure” which broadened the topic slightly
    • In Section 4.2.2, physical security of media and signal propagation quality were added as examples
    • Section 4.2.3 was updated to mention physical NAC and virtual solutions
    • Section 4.2.4 on endpoint security, the term “host-based” was added
    • Section 4.3.1 was “Voice” in 2021 but now adds video and collaboration along with conferencing and Zoom as examples
  • Domain 5 (Name and weight the same).
    • For Domain 5, “Identity and Access Management (IAM)” keeps its title.
    • In Section 5.1, around controlling access to assets, a new item for services was added. Previously, services were not in scope. Be sure to understand controlling access to services for the updated exam.
    • The topic titled “Identity Management (IdM) implementation” was removed.
    • Groups and Roles were added as section 5.2.1 which covers the management of users and access
    • In Section 5.2.2, the title was updated from “Single/Multi-Factor Authentication (MFA)” to “Authentication, Authorization, and Accounting (AAA) (e.g., multi-factor authentication (MFA), password-less authentication)”. This broadens the topic to include authorization while also adding password-less technologies to the mix. Note that the topic on accountability in the 2021 exam was folded into this topic.
    • The topic around credential management systems was updated to include “password vault” as an example. This references apps/services that centralize enterprise passwords and secrets.
    • A new topic, 5.4.7, was added, titled “Access policy enforcement (e.g., policy decision point, policy enforcement point)”. This expands the topic around authorization mechanisms.
    • The section 5.5.3, titled “Role definition (e.g., people assigned to new roles)” was updated to include transition which refers to people moving to a new role within the company.
    • Section 5.5.4, around privilege escalation, removed the examples of managed service accounts and minimizing the use of sudo; it now focuses on “use of sudo” and “auditing its use”.
    • The sub-topics around authentication systems – OIDC, SAML, Kerberos, RADIUS, and TACACS+ were removed.
  • Domain 6 (Name and weight the same).
    • For this domain, the title remains the same – “Security Assessment and Testing”.
    • In Section 6.1.1, the internal topic adds “within organization control”.
    • In Section 6.1.2, the external topic adds “outside organization control”.
    • In Section 6.1.3, the third-party topic adds “outside of enterprise control”.
    • A new topic, 6.1.4, titled “Location (e.g., on-premise, cloud, hybrid)” was added to reference the audit strategies topic.
    • The penetration testing topic, 6.2.2, added examples of red, blue and/or purple team exercises. Know the differences between each.
    • The topic around synthetic transactions (6.2.4) added a reference to benchmarks.
    • The topic 6.2.7 was renamed from “Test coverage analysis” to “Coverage analysis”.
    • The topic 6.2.8 around interface testing, added examples of user interface, network interface, and application programming interface (API).
    • For 6.5.1, 6.5.2, and 6.5.3, the topics were updated to indicate whether there was organization control or not.
    • For 6.5.4, a new topic was added titled “Location (e.g., on-premise, cloud, hybrid)” to reference the conducting or facilitating security audits
  • Domain 7 (Name and weight the same).
    • The title “Security Operations” remains the same.
    • For the topic 7.1.5 around artifacts, data was added to the mix.
    • Topic 7.2.1 was renamed slightly from “Intrusion detection and prevention” to “Intrusion detection and prevention system (IDPS)”.
    • The topic “Continuous monitoring” was updated to “Continuous monitoring and tuning”.
    • The topic 7.4.2 was changed from “Separation of Duties (SoD)…” to “Segregation of Duties (SoD)…”.
    • A new topic was added at 7.5.3 titled “Data at rest/data in transit”, referring to the topic of applying resource protection techniques.
    • For topic 7.7, the title was renamed from “Operate and maintain detective and preventative measure” to “Operate and maintain detection and preventative measures”.
    • For topic 7.10.1 around backup storage strategies, examples of cloud storage, onsite storage, and offsite storage were added.
    • For topic 7.10.2, around recovery site strategies, examples of cold vs. hot sites and resource capacity agreements were added.
    • For topic 7.11.3 titled “Communications”, the term “methods” was added to indicate the topic is about communication methods.
    • A new topic was added as 7.12.6 titled “Communications (e.g., stakeholders, test status, regulators)” in reference to testing disaster recovery plans.
    • For the topic 7.15.2 (security training and awareness), examples of insider threat, social media impacts, two-factor authentication fatigue were added.
  • Domain 8 (Name the same, weight down 1%).
    • The title of this domain, Software Development Security, remains the same.
    • For the topic 8.1.1 around development methodologies, a reference to scaled agile framework was added.
    • For section 8.2.9 around application security testing, examples were added for software composition analysis and Interactive Application Security Test (IAST).
    • For the topic 8.4.4 around managed services, SaaS, IaaS, and PaaS were removed and replaced with “enterprise applications”.
    • A new topic was added at 8.4.5 covering cloud services with a reference to SaaS, IaaS, and PaaS.

CISSP Exam Updates FAQ

To help you understand the changes to the CISSP exam, we present some common questions and answers about the recent updates below.

  1. How often does the CISSP exam blueprint change? Typically, every 3 years. The most recent change occurred on April 15, 2024. Before that, it changed in May of 2021. Prior to that, there were changes in 2018, 2015, and 2012.
  2. Can I pass the new exam using old study material? Yes. Many people have done that. The key is having the relevant work experience and knowledge in the topics. If you are trying to pass the exam just based on studying, it will be more difficult with the older materials (and of course, the exam has prerequisite work experience to begin with).
  3. Has the exam format changed with this blueprint update? No, except for the transition for some languages from a linear exam (set number of questions) to a non-linear exam. The exam is now available only in Computerized Adaptive Testing (CAT) format for all languages. The CAT version has a minimum of 100 questions and a maximum of 150 questions.
  4. What is the point of updating the exam every 3 years? The primary goal is to keep the exam fresh and relevant. If the CISSP exam blueprint wasn’t ever updated, the certification would decline in value and relevance. By keeping it fresh and relevant, it maintains itself as a premier security certification. There are other reasons too. For example, exam piracy (people disseminating exam content without authorization) is a real concern.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.