What’s new in Information Security Governance & Risk Management

ISC2 published the 3rd edition of their CISSP CBK in late 2012. I ordered my copy in December 2012 and asked myself, “So what’s new in Governance and Risk?”

First, let me say that all quoted material in this article is from the “Official (ISC)2 Guide to the CISSP® CBK Third Edition.”

I went through this domain and found only minor changes:

  • The “PUSH” risk assessment methodology has been dropped from the 3rd edition.
  • Manage Third-Party Governance is a new section and addresses the areas of:
    • Infrastructure as a service (IaaS)
    • Platform as a service (PaaS)
    • Software as a service (SaaS)
  • A section on Tangible and Intangible Asset Valuation has been added:
    • Tangible Asset Valuation
      • Original cost minus depreciation
      • Actual market value through market research
      • Cost of switching to a competing asset or capability
    • Intangible Asset Valuation
      • What is a definite intangible asset?
      • What is an indefinite intangible asset?
      • Cost approximation methods for intangible assets
        • Cost
        • Capitalization of historic profits
        • Cost avoidance or savings
  • A section on Vendor, Consultant and Contractor Controls has been added, covering:
    • Considerations if the third party is infrequently on site
    • Considerations if the third party is on site on a more permanent basis
    • Considerations, regardless of duration, if the third party has limited access to sensitive information

Also of note: the entire section on Ethics has been moved to the Legal domain. But we already knew that from having read the new Candidate Information Bulletin for the CISSP.

Along with the usual resequencing of material, these were the areas that received the most work.

As always, InfoSec is updating their course material to reflect these new areas.