ISC2 published the 3rd edition of their CISSP CBK in late 2012. I ordered my copy in December 2012 and said, “So what’s new in BCP/DRP?

First, let me say that all quoted material in this article is from the “Official (ISC)2 Guide to the CISSP® CBK Third Edition.”

First I have to say “C’mon Man,” to borrow an expression. The title of this domain is Business Continuity and Disaster Recovery Planning. I wonder what Conti-unity is?

Generally, with respect to all the domains, ISC2 and the authors of the 3rd Edition have placed emphasis (by bolding, bullet-pointing, or indenting) on some of the material that was in the 2nd Edition. You can take that for what it is worth. For example, in the section on “Senior Leadership Support”, the 2nd Edition has a statement which says:

Probability of harm (P): the chance that a damaging event will occur times the magnitude of harm (M): –

Where the 3rd Edition has them listed as:

  • Probability of harm(P): the chance that a damaging event will occur times the
  • Magnitude of harm (M):–

As I said, you can take that for what it is worth; the information remains the same.

One thing I noticed different about this domain is there are documented footnotes for most of the references, e.g.NFPA16003 now has


Here are the things that I found different in Business Continuity and Disaster Recovery Planning.

  • The section on “Coordination with Public Authorities” references BS 25999 stage 2 being replaced by ISO 22301 in 2012. ISO 22301:2012 was actually published May 15, 2012
  • The section on “Regulations for US Financial Institutions” has been updated with new laws to include:
    • US Financial Integrity Regulatory Authority (FINRA) Rule 4370,
    • The Australian Prudential Standard CPS232,
    • Monetary Authority of Singapore,
    • Standard for Business Continuity/Disaster Recovery Service Providers (SS507), and
    • HIPAA
  • In the section on “Recovery Site Strategies” several new sections have been added to include:
    • Mobile Sites
    • Processing Agreements, which include:
      • Reciprocal agreements
      • Outsourcing
    • Multiple Processing Sites
  • A section was added entitled “Assessment” which states that events need to be categorized as”
    • Non-Incident
    • Incident
    • Severe Incident
  • The Disaster Recovery Exercise Report sample has the title changed from 2008 to 2013; everything else in the sample is the same.
  • In the section on “Transitioning from Project to Program” there is a bulleted list in the paragraph which starts out with “The EMO management team.” The 9th bullet point is actually a new paragraph, but somehow it got a bullet instead. That’s the one that reads “Each of these groups has specific responsibilities in the event of an emergency, including:”

As always, InfoSec is updating the courseware to reflect this new material and re-sequencing of the Business Conti-unity and Disaster Recovery Planning domain.