What’s new in (ISC)²’s CISSP CBK for 2021
A CISSP certification is a vendor-neutral credential by (ISC)² that meets the stringent requirements of ISO/IEC Standard 17024. It is a valued credential among employers, thanks to its experience-based nature. The (ISC)² common body of knowledge (CBK) is a set of peer-developed lists of skills, techniques and practices considered essential for professionals in a field.
The association reviews the entire exam periodically, editing domains as needed or changing the weight each of them has on the overall score. The CISSP exam was last reviewed in April 2018 when some topics were updated while others were realigned. A domain revision is now in the works and a new version will be released with slight changes to the broad spectrum of topics in May 2021. The core disciplinary areas of focus will be updated with the latest issues, practices and skills associated with each domain.
How are the domains changing?
In most cases, professionals will not see many differences between the 2018 and 2021 exams. For the most part, the content and name of each subsection in the domains have simply been streamlined, although the concepts covered stayed the same. There are some differences worth noting.
| Old domains | Weight | Domains as of May 1, 2021 | Weight |
|---|---|---|---|
| Security and risk management | 15% | Security and risk management | 15% |
| Asset security | 10% | Asset security | 10% |
| Security architecture and engineering | 13% | Security architecture and engineering | 13% |
| Communication and network security | 14% | Communication and network security | 13% |
| Identity and access management (IAM) | 13% | Identity and access management (IAM) | 13% |
| Security assessment and testing | 12% | Security assessment and testing | 12% |
| Security operations | 13% | Security operations | 13% |
| Software development security | 10% | Software development security | 11% |
The exam structure and domains will be unchanged, while some domain weights will change in May 2021.
Domain 4, communication and network security, is decreasing in weight from 14% to 13%. Domain 8, software development security, is increasing in weight from 10% to 11%.
Domain 1: Security and risk management
This domain covers risk-based management concepts, security governance principles, compliance requirements, threat modeling and methodologies for developing mitigation strategies.
What’s new: The domain covers requirements for investigation types (administrative, criminal, civil, regulatory and industry standards). Plus, it includes more details on methods and techniques to present awareness and training (social engineering, phishing, security champions and gamification).
Domain 2: Asset security
Focuses on the security of information assets from the identification and classification of data/info held within an organization to handling and managing the data lifecycle.
What’s new: The domain goes in-depth on the topic of appropriate asset retention (end-of-life, end-of-support), asset ownership and data roles (owners, controllers and custodians) and asset inventory. This domain includes ways to manage data throughout its life cycle (from collection to destruction).
Domain 3: Security architecture and engineering
Contains various aspects of design principles, models and security capabilities of information systems.
What’s new: The domain features more coverage of research, implementation and management of engineering processes using secure design principles (trust but verify and Zero Trust), contains a selection of cryptographic solutions and places more emphasis on the methods of cryptanalytic attacks. It adds more info on assessing and mitigating the vulnerabilities of virtualized systems, containerization systems and edge computing systems, as well as serverless computing and microservices to re-architect legacy applications.
Domain 4: Communication and network security
Covers secure network components, securing communication channels per design and implementing secure design principles in a network architecture.
What’s new: The domain covers secure communication channels via third-party connectivity and adds more network archetypes: micro-segmentation, wireless networks such as Zigbee, cellular networks including 5G, CDN, secure protocols, IPsec, IPv6, VXLAN and SD-WAN.
Domain 5: Identity and access management
Covers the identity and access controls an organization needs so that individuals can access logical and physical assets, facilities or a single system.
What’s new: It includes the control of access to applications as well as risk-based access control, single sign-on (SSO), just-in-time (JIT) access, Kerberos, Security Assertion Markup Language (SAML), privilege escalation (managed service accounts, use of sudo and minimizing its use), role definition (people assigned to new roles), OpenID Connect (OIDC)/Open Authorization (OAuth), Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access-Control System Plus (TACACS+) and identity as a third-party service: on-premises, cloud and hybrid.
Domain 6: Security assessment and testing
Deals with designing and testing audit strategies, as well as collecting security process data, analyzing results and preparing reports.
What’s new: The domain includes compliance checks, breach attack simulations and focuses on three “analyze test output and generate report” topics: remediation, exception handling and ethical disclosure.
Domain 7: Security operations
Covers the planning of security operations, including investigations, monitoring, detection and prevention techniques. Also covers incident-management processes, disaster recovery, continuity plans, resilience features and more.
What’s new: The domain adds machine learning and artificial intelligence (AI)-based tools, media protection techniques, user and entity behavior analytics (UEBA), threat intelligence, and logging and monitoring activities.
Domain 8: Software development security
Provides concepts, applications and implementations for software security (auditing, logging, risk analysis and mitigation). Covers the importance of integrating security in the software development life cycle (SDLC).
What’s new: The domain introduces software-defined security, managed services (SaaS, IaaS and PaaS), application security testing (SAST, DAST), software configuration management (SCM), security orchestration, automation, and response (SOAR), continuous integration and continuous delivery (CI/CD) and integrated development environment (IDE).
Preparing for the test and how to master the domains on the exam
As the CISSP history shows, (ISC)² is known for updating the content of its tests, the curriculum and other aspects of all exams regularly. This is beneficial for employers who use certifications as proof of current knowledge in the field.
Professionals, however, need to be careful when preparing for the exam, since it tests their awareness of the latest information in each domain. A good tip is to regard all CISSP CBK domains as equal. Resist the temptation to focus more on topics that have higher weight, and use the CISSP exam outline to obtain basic information on which subjects are covered. You can also download the CISSP guide developed by (ISC)² that covers everything there is to know about this certification.
When ready, register to take the exam online. The official testing provider for (ISC)² is Pearson VUE, which is where you’ll need to start looking for an exam date. The CISSP exam uses computerized adaptive testing (CAT) for all English exams. The CISSP exam changed to the CAT format in December 2017; CAT is a more precise and efficient evaluation of your competency than the linear, fixed-form exams administered in other languages (French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese and Korean) at (ISC)²-authorized PPC and PVTC Select Pearson VUE Testing Centers. While the CISSP CAT and linear examination weights are the same, “CISSP CAT enables [test takers] to prove their knowledge by answering fewer items and completing the exam in half the time,” explains (ISC)².