A CISSP certification is a vendor-neutral credential by (ISC)² and one of the most valued by employers. Because the CISSP exam is experience-based, it routinely has updates to maintain the relevancy of knowledge and to keep up with the changes in the roles and responsibilities of today’s practicing information security professionals. To this purpose, the (ISC)² CBK (the Common Body of Knowledge that every professional in the field must have regarding skills, practices, and techniques) is updated annually by a committee.
Periodically, however, the association also reviews the entire exam, editing domains as needed or changing the weight each of them has on the overall score. The CISSP exam was last reviewed on April 15, 2015, when some topics were updated while others were realigned. A new revision, however, is in the works: in April 2018, a new version will be released with slight changes to the domains and to the percentages associated with them.
How are the Domains Changing?
Let’s now take a closer look at the 8 domains of the (ISC)² CISSP CBK, how the exam’s content will be changing, and what test takers should be prepared to know. When comparing the program for the 2015 exam with that of the new 2018 test, in most cases professionals will not see many differences. For the most part, the content and name of each subsection in the domains have simply been streamlined, while the concepts covered stay the same. There are, however, some differences worth noting.
Domain 1: Security and Risk Management (Security, Risk, Compliance, Law, Regulations, and Business Continuity)
What Changed: The domain covers in more depth the identification, prioritization, and analysis of Business Continuity (BC) requirements, and gives more emphasis to compliance. It also focuses on risk-based approaches for the organization in general and for the supply chain in particular.
|Topic|What changed from the 2015 exam|
|---|---|
|Understand and apply concepts of confidentiality, integrity, and availability||
|Evaluate and apply security governance principles|Added a section on determining compliance requirements|
|Determine compliance requirements|Added a more precise reference to legal, contractual and industry standards compliance|
|Understand legal and regulatory issues that pertain to information security in a global context||
|Understand, adhere to, and promote professional ethics||
|Develop, document, and implement security policy, standards, procedures, and guidelines||
|Identify, analyze, and prioritize Business Continuity (BC) requirements|More in-depth approach than the simple “understanding business requirements” of the 2015 test|
|Contribute to and enforce personnel security policies and procedures|Added a reference to enforcing policies and now also covering procedures|
|Understand and apply risk management concepts|Added a subsection on “risk response” and now covering also the implementation of countermeasures|
|Understand and apply threat modeling concepts and methodologies|This section was streamlined and a reference to “concepts and methodologies” was added|
|Apply risk-based management concepts to the supply chain|This section now makes a more precise reference to a risk-based approach rather than simply “integrating security risk considerations” as in the 2015 test|
|Establish and maintain a security awareness, education, and training program|Added a subsection covering the all-important evaluation of the programs implemented. It now also focuses on techniques that can be used to train on awareness|
Domain 2: Asset Security (Protecting Security of Assets)
What Changed: Little really changed, apart from a reference to additional data protection methods.
|Topic|What changed from the 2015 exam|
|---|---|
|Identify and classify information and assets|The section now makes more specific reference to two subsections: data classification and asset classification. It also covers the identification of assets|
|Determine and maintain information and asset ownership||
|Ensure appropriate asset retention||
|Determine data security controls|The section now focuses more on the different states in which data can be found and refers to “data protection methods” and not just cryptography|
|Establish information and asset handling requirements||
Domain 3: Security Architecture and Engineering (Engineering and Management of Security)
What Changed: Some refocusing and shifting around of topics was done in this domain, which now incorporates Security Architecture. Encryption and decryption were included in the area covering security capabilities of information systems; in addition, IoT was addressed among the items in the vulnerabilities of security architectures after cyber-physical devices were removed from the embedded device section.
|Topic|What changed from the 2015 exam|
|---|---|
|Implement and manage engineering processes using secure design principles||
|Understand the fundamental concepts of security models||
|Select controls based upon systems security requirements||
|Understand security capabilities of information systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)|More precise reference to encryption/decryption is made. Specific subsections were added for Internet of Things and Cloud-based systems|
|Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements|Specific subsections on cloud computing and IoT were added|
|Assess and mitigate vulnerabilities in web-based systems||
|Assess and mitigate vulnerabilities in mobile systems||
|Assess and mitigate vulnerabilities in embedded devices|Cyber-physical systems were removed from this section|
|Apply security principles to site and facility design||
|Implement site and facility security controls|The subsection on water issues has been substituted by a more generic one on environmental issues. The data centers section was incorporated in the server room one and the wiring closets subsection now also covers intermediate distribution facilities|
Domain 4: Communication and Network Security (Designing and Protecting Network Security)
What Changed: The section on cryptography has been removed, and physical devices were taken out of the secure network components topic. The Prevent or Mitigate Network Attacks topic was also completely removed, and nothing was added in its place.
|Topic|What changed from the 2015 exam|
|---|---|
|Implement secure design principles in network architectures|No subsection on cryptography|
|Secure network components|No subsection on physical devices|
|Implement secure communication channels according to design|The need to “design” is emphasized|
Domain 5: Identity and Access Management (Controlling Access and Managing Identity)
What Changed: (ISC)² refocused part of this domain and rebalanced some of the sections and subsections. Attribute-Based Access Control (ABAC) was added as part of the authorization mechanisms. A section on preventing and mitigating access control attacks was removed, while two sections of the 2015 test were consolidated into “integrate identity as a third-party service” to cover on-premise, cloud, and federated identity services.
|Topic|What changed from the 2015 exam|
|---|---|
|Control physical and logical access to assets||
|Manage identification and authentication of people, devices, and services|A reference to services was added|
|Integrate identity as a third-party service|This is a consolidation of two subsections present in the 2015 test: “integrate identity as a service” and “integrate third-party identity services”|
|Implement and manage authorization mechanisms|Added a subsection on Attribute Based Access Control (ABAC)|
|Manage the identity and access provisioning lifecycle||
Domain 6: Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
What Changed: Audit strategies are now discussed along with assessment and test strategies. This gives a clearer view of the three major components of a security assessment program: the security test, the security assessment, and the security audit.
|Topic|What changed from the 2015 exam|
|---|---|
|Design and validate assessment, test, and audit strategies|Subsections on internal, external, and third party were added. Also, a reference to auditing was added|
|Conduct security control testing||
|Collect security process data (e.g., technical and administrative)|A reference to management approval was added|
|Analyze test output and generate report||
|Conduct or facilitate security audits|Subsections on internal, external, and third party were added|
Domain 7: Security Operations (Foundational Concepts, Investigations, Incident Management, and Disaster Recovery)
What Changed: (ISC)² omitted electronic discovery (eDiscovery) but included administrative and industry standards as requirements for investigations. In addition, it removed the specific subsections on physical assets, virtual assets, cloud assets, and associated applications from the “provisioning of resources” topic, although an “asset management” subsection was added.
|Topic|What changed from the 2015 exam|
|---|---|
|Understand and support investigations|A more specific subsection on tools, tactics, and procedures for digital forensics was added|
|Understand requirements for investigation types|Administrative and industry-standards requirements were added while the eDiscovery subsection was removed|
|Conduct logging and monitoring activities||
|Securely provisioning resources|A larger “asset management” subsection was created to include physical, cloud and virtual assets while the section on applications is no longer present|
|Understand and apply foundational security operations concepts||
|Apply resource protection techniques||
|Conduct incident management||
|Operate and maintain detective and preventative measures|Added a reference to detective measures|
|Implement and support patch and vulnerability management||
|Understand and participate in change management processes||
|Implement recovery strategies||
|Implement Disaster Recovery (DR) processes||
|Test Disaster Recovery Plans (DRP)|Added a reference to tabletop exercises|
|Participate in Business Continuity (BC) planning and exercises||
|Implement and manage physical security||
|Address personnel safety and security concerns|The guide now spells out in greater detail what is covered: travel, security training and awareness, emergency management and duress|
Domain 8: Software Development Security (Understanding, Applying, and Enforcing Software Security)
What Changed: The association moved security weaknesses and vulnerabilities at the source-code level (e.g., buffer overflow, escalation of privilege, input/output validation) and the security of application programming interfaces out of the part covering security controls in development environments; those elements now sit in a new topic section, Define and Apply Secure Coding Guidelines and Standards, which also includes content on secure coding practices. The CBK also left out acceptance testing from the area covering the assessment of software security effectiveness.
|Topic|What changed from the 2015 exam|
|---|---|
|Understand and integrate security in the Software Development Life Cycle (SDLC)||
|Identify and apply security controls in development environments|Greater focus on the identification of security controls. Two subsections on security weaknesses and vulnerabilities at the source-code level and security of application programming interfaces were removed and placed in a brand-new topic section|
|Assess the effectiveness of software security|Subsection on acceptance testing was removed|
|Assess security impact of acquired software||
|Define and apply secure coding guidelines and standards|This is a brand-new section that includes security weaknesses and vulnerabilities at the source-code level, security of application programming interfaces and secure coding practices|
Weighing of Each Domain in the (ISC)² CISSP CBK 2018
Figure: Weightings (Percentages) follow the new CISSP Exam Outline as of April 15.
Note: The other three domains are at the same percentage.
Preparing for the Test and How to Master the Domains on the Exam
As the CISSP history shows, (ISC)² is known for regularly updating the content of its tests, the curriculum, and other aspects of all its exams. This is clearly beneficial for test takers, who can be sure they are tested on the latest knowledge in the field, and for employers, who use certifications as proof of current knowledge in the field. Professionals, however, need to be careful when preparing for the exam, as it reassesses their current awareness of the latest information on the test.
Be sure to download the CISSP exam outline from (ISC)² (a short form must be filled out) to obtain basic information on which subjects are covered. You can also download the CISSP guide developed by (ISC)².
Another important tip is to regard all CISSP CBK Domains as equal. Refrain from the temptation to focus more on topics that have higher weight/percentage and use tools like Skillset.com for CISSP practice questions to review all topics with the same intensity.
Resources also come in printed form. The CISSP Official (ISC)² Practice Tests 1st Edition is a text for preparing for the exam with its 100+ Q&As per domain. The current edition, however, is aligned with the 2015 version, but a 2nd edition is probably in the making to cover the 2018 CISSP Body of Knowledge. Meanwhile, the CISSP (ISC)² Certified Information Systems Security Professional Official Study Guide, 8th Edition has been completely updated to reflect the contents applicable to the April 2018 CBK domains and can be helpful on your way to becoming certified.
While there are official (ISC)² preparation materials available, many other self-study resources are available to professionals striving for certification, from textbooks, apps, guides, and tests to instructor-led training and seminars offered in different formats (classroom-based, private on-site, online instructor-led, online self-paced). The InfoSec Institute is one of the sources for high-quality training services for this (ISC)² certification and can support your preparations for the CISSP exam through resources like the CISSP prep course or the CISSP practice exam, which gives a closer look at the 8 Skillset domains and gives test takers an experience that resembles that of the actual test. The resource materials are always updated with the latest information on the exam objectives, and students can be certain the courseware is designed by Common Body of Knowledge experts and CISSP insiders to meet their professional development needs. Also, Intense School’s Boot Camp can help in training and preparing for the CISSP with sessions that cover the entire CBK; its courseware is always updated to coincide with the most recent version of the exam.
When ready, register to take the exam at www.isc2.org/Register-for-Exam. The official testing center for (ISC)² is Pearson VUE, which is where you will need to start looking for an exam date. The CISSP exam uses Computerized Adaptive Testing (CAT) for all English exams. The CISSP exam changed to the CAT format in December 2017, which provides a more precise and efficient evaluation of your competency than the linear, fixed-form exams that are administered in all other languages at (ISC)² authorized PPC and PVTC Select Pearson VUE Testing Centers. While the CISSP CAT and linear examination weights are the same, “CISSP CAT enables [test takers] to prove their knowledge by answering fewer items and completing the exam in half the time,” explains (ISC)², Inc.
IT practitioners who would like to become Certified Information Systems Security Professionals (CISSP®) can start now to prepare for the imminent changes to the new (ISC)² CBK, effective in April 2018. The revised domains can help them advance their careers in information security by ensuring they understand all the latest developments that are now covered by the common body of knowledge and tested in the exam, so that credential holders are prepared to use their skills in a variety of work environments.
Many training resources are already available for the (ISC)² CISSP CBK 2018 version, but professionals should make sure to look for approved, official training providers that use appropriate courseware and authorized instructors.
The CISSP exam can be a very challenging test; however, those who study for it and grasp the eight domains in the CBK will be able to prove a good working knowledge of all major aspects in the IT security field and have the competence to excel in this career.
Brecht, D. (2017, July 11). The CISSP CBK Domains: Information and Updates. Retrieved from
Dodt, C. (2017, October 25). 8 Tips for CISSP Exam Success. Retrieved from
Dupuis, C. (2017, October 26). The new ISC2 CISSP® CBK® 2018 version is coming out in April of 2018. Retrieved from
InfoSec Institute. (n.d.). Certifications Training: CISSP. Retrieved from http://resources.infosecinstitute.com/category/certifications-training/cissp/
Intense School. (n.d.). CISSP Boot Camp. Real CISSP Training By Real CISSP Certification Experts! Retrieved from http://www.intenseschool.com/boot_camp/network_security/cissp
(ISC)² Inc. (2017, December 20). 4 Things You Need to Know about the (ISC)² CISSP CAT Exam. Retrieved from http://blog.isc2.org/isc2_blog/2017/12/4-things-you-need-to-know-about-the-isc²-cissp-cat-exam.html
(ISC)² Inc. (n.d.). CISSP Domain Refresh FAQ. Retrieved from https://www.isc2.org/Certifications/CISSP/Domain-Refresh-FAQ
(ISC)² Inc. (n.d.). CISSP Exam Outline – Effective Date: April 2018. Retrieved from https://www.isc2.org//-/media/ISC2/Certifications/Exam-Outlines/CISSP-Exam-Outline-121417–Final.ashx
(ISC)² Inc. (n.d.). Textbooks, Study Guides, Apps and More – (ISC)² Self-Study Resources. Retrieved from https://www.isc2.org/Training/Self-Study-Resources
Skillset. (n.d.). Take our CISSP practice exam engine for a test drive! Retrieved from https://www.skillset.com/certifications/cissp