ISC2 published the 3rd edition of their CISSP CBK in late 2012. I ordered my copy in December 2012 and said, “So what’s new in BCP/DRP?”

First, let me say that all quoted material in this article is from the “Official (ISC)2 Guide to the CISSP® CBK Third Edition.”

Second, I have to say “C’mon Man,” to borrow an expression. The title of this domain is Business Continuity and Disaster Recovery Planning. I wonder what Conti-unity is?

Generally, with respect to all the domains, ISC2 and the authors of the 3rd Edition have placed emphasis (by bolding, bullet-pointing, or indenting) on some of the material that was in the 2nd Edition. You can take that for what it is worth. For example, in the section on “Senior Leadership Support”, the 2nd Edition has a statement which says:

Probability of harm (P): the chance that a damaging event will occur times the magnitude of harm (M): –

Where the 3rd Edition has them listed as:

  • Probability of harm(P): the chance that a damaging event will occur times the
  • Magnitude of harm (M):–

As I said, you can take that for what it is worth; the information remains the same.

One thing I noticed that is different about this domain is that there are documented footnotes for most of the references, e.g. NFPA 1600³ now has

Here are the things that I found different in Business Continuity and Disaster Recovery Planning.

  • The section on “Coordination with Public Authorities” references BS 25999 stage 2 being replaced by ISO 22301 in 2012. ISO 22301:2012 was actually published May 15, 2012.
  • The section on “Regulations for US Financial Institutions” has been updated with new laws to include:
    • US Financial Integrity Regulatory Authority (FINRA) Rule 4370,
    • The Australian Prudential Standard CPS232,
    • Monetary Authority of Singapore,
    • Standard for Business Continuity/Disaster Recovery Service Providers (SS507), and
    • HIPAA
  • In the section on “Recovery Site Strategies” several new sections have been added to include:
    • Mobile Sites
    • Processing Agreements, which include:
      • Reciprocal agreements
      • Outsourcing
    • Multiple Processing Sites
  • A section was added entitled “Assessment” which states that events need to be categorized as:
    • Non-Incident
    • Incident
    • Severe Incident
  • The Disaster Recovery Exercise Report sample has the title changed from 2008 to 2013; everything else in the sample is the same.
  • In the section on “Transitioning from Project to Program” there is a bulleted list in the paragraph which starts out with “The EMO management team.” The 9th bullet point is actually a new paragraph, but somehow it got a bullet instead. That’s the one that reads “Each of these groups has specific responsibilities in the event of an emergency, including:”

As always, InfoSec is updating the courseware to reflect this new material and re-sequencing of the Business Conti-unity and Disaster Recovery Planning domain.

Want to learn more? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals who hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge domains and have the necessary skills to provide leadership in the creation and operation of enterprise-wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry-leading course curriculum, combined with our award-winning CISSP training provided by expert instructors, delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: this is NOT a Common Body of Knowledge review; it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.