What’s new in (ISC)²’s CISSP CBK for 2021

April 15, 2021 by Daniel Brecht

A CISSP certification is a vendor-neutral credential by (ISC)² that meets the stringent requirements of ISO/IEC Standard 17024. It is a valued credential among employers, thanks to its experience-based nature. The (ISC)² common body of knowledge (CBK) is a set of peer-developed lists of skills, techniques and practices considered essential for professionals in a field.  

The association reviews the entire exam periodically, editing domains as needed or changing the weight each of them has on the overall score. The CISSP exam was last reviewed in April 2018 when some topics were updated while others were realigned. A domain revision is now in the works and a new version will be released with slight changes to the broad spectrum of topics in May 2021. The core disciplinary areas of focus will be updated with the latest issues, practices and skills associated with each domain. 

How are the domains changing?

In most cases, professionals will not see many differences between the 2018 and 2021 exams. For the most part, the content and name of each subsection in the domains have simply been streamlined, although the concepts covered stayed the same. There are some differences worth noting.

          Old domains (2018)                      Weight   Domains as of May 1, 2021               Weight
Domain 1  Security and risk management            15%      Security and risk management            15%
Domain 2  Asset security                          10%      Asset security                          10%
Domain 3  Security architecture and engineering   13%      Security architecture and engineering   13%
Domain 4  Communication and network security      14%      Communication and network security      13%
Domain 5  Identity and access management (IAM)    13%      Identity and access management (IAM)    13%
Domain 6  Security assessment and testing         12%      Security assessment and testing         12%
Domain 7  Security operations                     13%      Security operations                     13%
Domain 8  Software development security           10%      Software development security           11%

The exam structure and domains will be unchanged, while some domain weights will change in May 2021.

Domain 4, communication and network security, is decreasing in weight from 14% to 13%. Domain 8, software development security, is increasing in weight from 10% to 11%.

Domain 1: Security and risk management

This domain covers risk-based management concepts, security governance principles, compliance requirements, threat modeling and methodologies for developing mitigation strategies.

What’s new: The domain covers requirements for investigation types (administrative, criminal, civil, regulatory and industry standards). Plus, it includes more details on methods and techniques to present awareness and training (social engineering, phishing, security champions and gamification).

Domain 2: Asset security

Focuses on the security of information assets from the identification and classification of data/info held within an organization to handling and managing the data lifecycle.

What’s new: The domain goes in-depth on the topic of appropriate asset retention (end-of-life, end-of-support), asset ownership and data roles (owners, controllers and custodians) and asset inventory. This domain includes ways to manage data throughout its life cycle (from collection to destruction).

Domain 3: Security architecture and engineering

Contains various aspects of design principles, models and security capabilities of information systems.

What’s new: The domain features more coverage of research, implementation and management of engineering processes using secure design principles (trust but verify and Zero Trust), contains a selection of cryptographic solutions and places more emphasis on the methods of cryptanalytic attacks. It adds more info on assessing and mitigating the vulnerabilities of virtualized systems, containerization systems and edge computing systems, as well as serverless computing and microservices to re-architect legacy applications.

Domain 4: Communication and network security

Covers secure network components, securing communication channels per design and implementing secure design principles in a network architecture.

What’s new: The domain covers secure communication channels via third-party connectivity and adds more network topics: micro-segmentation, wireless networks like Zigbee, cellular networks including 5G, CDN, secure protocols, IPsec, IPv6, VXLAN and SD-WAN.

Domain 5: Identity and access management

Covers the access features an organization needs so that an individual can reach logical and physical assets, facilities or a single system.

What’s new: It includes the control of access to applications as well as risk-based access control, single sign-on (SSO), just-in-time (JIT), Kerberos, Security Assertion Markup Language (SAML), privilege escalation (managed service accounts, use of sudo and minimizing its use), role definition (people assigned to new roles), OpenID Connect (OIDC)/Open Authorization (OAuth), Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access-Control System Plus (TACACS+) and identity as a third-party service: on-premises, cloud and hybrid.

Domain 6: Security assessment and testing

Deals with designing and testing audit strategies as well as collecting security process data, analyzing results and preparing reports.

What’s new: The domain includes compliance checks, breach attack simulations and focuses on three “analyze test output and generate report” topics: remediation, exception handling and ethical disclosure.

Domain 7: Security operations

Covers the planning of security operations, including investigations, monitoring, and detection and prevention techniques. Also covers incident-management processes, disaster recovery, continuity plans, resilience features and more.

What’s new: The domain contains machine learning and artificial intelligence (AI) based tools, media protection techniques, user and entity behavior analytics (UEBA), threat intelligence, logging and monitoring activities.

Domain 8: Software development security

Provides concepts, applications and implementations for software security (auditing, logging, risk analysis and mitigation). Covers the importance of integrating security in the software development life cycle (SDLC).

What’s new: The domain introduces software-defined security, managed services (SaaS, IaaS and PaaS), application security testing (SAST, DAST), software configuration management (SCM), security orchestration, automation, and response (SOAR), continuous integration and continuous delivery (CI/CD) and integrated development environment (IDE).

Preparing for the test and how to master the domains on the exam

As the CISSP history shows, (ISC)² is known for updating the content of its tests, the curriculum and other aspects of all exams regularly. This is beneficial for employers who use certifications as proof of current knowledge in the field.

Professionals, however, need to be careful when preparing for the exam as it reassesses their current awareness of the latest information on the test. A good tip is to regard all CISSP CBK domains as equal. Refrain from the temptation to focus more on topics that have higher weight and use the CISSP exam outline to obtain basic information on which subjects are covered. You can also download the CISSP guide developed by (ISC)² that covers everything there is to know of this certification.

When ready, register to take the exam online. The official testing partner for (ISC)² is Pearson VUE, which is where you’ll need to start looking for an exam date. The CISSP exam uses computerized adaptive testing (CAT) for all English exams. The CISSP exam changed to the CAT format in December 2017; it is a more precise and efficient evaluation of your competency than the linear, fixed-form exams administered in other languages (French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese and Korean) at (ISC)² authorized PPC and PVTC Select Pearson VUE Testing Centers. While the CISSP CAT and linear examination weights are the same, “CISSP CAT enables [test takers] to prove their knowledge by answering fewer items and completing the exam in half the time,” explains (ISC)².

