(ISC)2 CISSP requirements and exam changes on January 1, 2012

September 30, 2011 by Kenneth Magee

(ISC)2 is making several changes to the CISSP exam effective January 1st, 2012.

This language was found on the ISC2 website:

(ISC)² CBK Domain Name Changes Coming Soon.
We are making some changes to the CBK domain names for the CISSP, SSCP and CISSP-ISSEP. These changes do not affect experience requirements for any (ISC)² certifications or concentrations. Please refer to the appropriate CIB for details.

I downloaded the Candidate Information Bulletin for January 2009 and the one for January 2012 and compared each domain. What I’ve found is that ISC2 has shifted the focus of each domain so that they are in three parts:

  1. A definition of the concepts/methodologies/technologies for the domain;
  2. A definition of the threats/vulnerabilities/attacks against that particular domain; and
  3. How to assess the effectiveness of the controls that are put in place to address the threats/vulnerabilities/attacks for the domain.

Let’s take a closer look at each of the domains:

1)   Access control

  1. The definition of the concepts/methodologies/technologies for this domain has not changed.
  2. The definition of the threats/vulnerabilities/attacks has been expanded to include:

i.    Threat modeling
ii.    Asset Valuation
iii.    Vulnerability Analysis
iv.    Access aggregation

  3. How to assess the effectiveness has been expanded to include:

i.    User entitlement
ii.    Access review & audit

A new section has been added, entitled:

i.    “Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)”

2)   Telecommunications and Network Security
The definition of concepts/methodologies/technologies for this domain has several changes:

i.    Understanding secure network architecture and design has a new sub-section entitled “Implications of multi-layer protocols”

ii.    Hardware section now includes “Wireless Access Points”

iii.    Transmission media has been defined to include “wired, wireless, fiber”

iv.    Filtering devices has been renamed to “Network Access Control Devices”

v.    The section entitled “Establish Secure Communication Channels” now specifically names (e.g. VPN, TLS/SSL, VLAN)

vi.    The old “Virtual Private Networks (VPN)” section has been removed

vii.    The Remote Access section now has specifics (e.g., screen scraper, virtual application/desktop, telecommuting)

viii.    And finally, a new section has been added: “Data Communications”

The definition of the threats/vulnerabilities/attacks has been expanded to include:

i.    (e.g., DDoS, spoofing)

3)   Information Security Governance & Risk Management

  1. In “Understand and apply security governance” the section on “Organizational processes” has been expanded to specifically mention “(e.g., acquisitions, divestitures, governance committees)”
  2. The old section “Define and Implement Information Classification and Ownership” has been renamed to “Manage the information life cycle (e.g., classification, categorization, and ownership)”
  3. The old section “Ensure security in contractual agreements and procurement processes” has been renamed to “Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review)”
  4. In the section “Understand and apply risk management concepts” the sub-section “Risk Assessment/analysis” has been expanded to specifically address “qualitative, quantitative, and hybrid”; and a new sub-section “Tangible and Intangible asset valuation” has been added.
  5. In the section “Manage Personnel Security” the old sub-section “Background checks and employment candidate screening” has been renamed “Employment candidate screening” and specifically addresses “(e.g., reference checks, education verification)”
  6. The following old sections have been dropped or moved:

i.    Develop and implement information security strategies (moved)

ii.    Support certification and accreditation efforts (dropped)

iii.    Assess the completeness and effectiveness of the security program (moved)

iv.    Understand professional ethics (dropped)

The section “Manage the Security Function” now contains the two sub-sections identified above as moved:

i.    Develop and implement information security strategies (moved)

ii.    Assess the completeness and effectiveness of the security program (moved)

4)   Software Development Security (new name; formerly Application Development Security)

  1. Systems Development Life Cycle (SDLC) has been renamed to Development Life Cycle
  2. The sub-section entitled “Security issues in source code” has been expanded to include “escalation of privilege and backdoor”
  3. All of the sub-sections under “Assess the effectiveness of software security” have been dropped

5)   Cryptography

  1. A new section entitled “Understand the cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)” has been added.
  2. In the section “Understand methods of cryptanalytic attacks” the sub-section on “Brute Force” has been expanded to specifically include “(e.g., rainbow tables, specialized/scalable architecture)”
  3. “Employ cryptography in network security” has been renamed to “Use cryptography to maintain network security”
  4. “Use cryptography to maintain e-mail security” has been renamed to “Use cryptography to maintain application security”

6)   Security Architecture and Design
“Understand application and system vulnerabilities and threats” has been renamed to “Understand software and system vulnerabilities and threats”

  1. The sub-section on Web-based has been expanded to include OWASP
  2. A new sub-section “Distributed systems (e.g., cloud computing, grid computing, peer to peer)” has been added

7)   Operations Security has been renamed to Security Operations

  1. Under the section “Employ resource protection” the sub-section “Asset Management” has been expanded to specifically include “(e.g., equipment life cycle, software licensing)”
  2. Under the section “Manage incident response” the sub-section Remediation has been expanded as “Remediation and review (e.g., root cause analysis)”
  3. The section Prevent or respond to attacks has been renamed to “Implement preventative measures against attacks”
  4. The section Understand configuration management concepts has been renamed to “Understand change and configuration management”
  5. The section Understand fault tolerance requirements has been renamed to “Understand system resilience and fault tolerance requirements”

8)   Business Continuity and Disaster Recovery

  1. The Overview for this domain has been expanded significantly which would explain why we’re seeing more and more questions on the exam on this domain.
  2. The section Provide Training has been moved to the Understand Disaster recovery Process section
  3. The section Test, Update, Assess and Maintain the plan has been renamed to “Exercise, assess and maintain the plan”

9)   Legal, Regulations, Investigations and Compliance
A new section entitled “Understand professional ethics” has been added with two sub-sections:

i.    (ISC)2 code of Professional Ethics

ii.    Support organization’s code of Ethics

  1. In the section entitled “Understand and support investigations”, the sub-section “Policy” has been expanded to include “Policy, role and responsibilities (e.g., rules of engagement, authorization, scope)”
  2. Under the section entitled “Understand forensic procedures” a new sub-section entitled “Hardware/embedded device analysis” has been added
  3. A new section entitled “Ensure security in contractual agreements and procurement processes (e.g., cloud computing, outsourcing, vendor governance)” has been added

10)  Physical (Environmental) Security

  1. The section “Participate in site and facility design considerations” has been renamed to “Understand site and facility design considerations”
  2. The section “Support the implementation and operation of facilities security” has been expanded to include “(e.g., technology convergence)”
  3. A new section “Understand personnel privacy and safety (e.g., duress, travel, monitoring)” has been added.

What’s interesting is that several of the texts that are listed for the old version of the CIB weren’t published until 2011, and the old CIB is dated 2009. I suspect that we’ll hear more as time progresses towards January 1, 2012. We at InfoSec are committed to providing you with training that will not only help you achieve your CISSP certification, but will also be useful in your daily work environment. Fill out the short form below for pricing information and details regarding our training options.

Happy Reading.

J Kenneth Magee


J Kenneth (Ken) Magee is president and owner of Data Security Consultation and Training, LLC, which specializes in data security auditing and information security training. He has over 40 years of IT experience in both private industry and the public sector with the last 21 devoted to IT security and Risk Management.

Ken holds degrees from Robert Morris University and Fairleigh Dickinson University. He holds 30 certifications including: CTT+, CEH, CPT, SSCP, CISSP-ISSMP, CAP, CISA, CISM, ISO 27001 PA, GIAC-GWAPT/GSEC/GSNA, CIA-CGAP, Security+, and CDP. He is a Senior Instructor with the InfoSec Institute.