Are You Ready for Upcoming Changes to the CISSP Exam?

The CISSP exam is changing on May 1, 2021.  The changes are covering technology updates for the most part.  The official word from (ISC)2 is that the changes are minor, and if you have the industry experience required, and have adequately prepared for the current exam, you should be ready for the May 1 changes.  Also, many of the questions on the current exam already reflect some of those changes.  You do not need to wait, you do not need a new text book or need to take a refresher course.

Since teaching the CISSP is what I do, I am posting this article to share some of the research I have done on this subject.  Here is what I have found so far.


The official word from (ISC)2 can be found on their website at these two links:

And here are another pair of websites that go into more detail:

Domain 1: Security and Risk Management

  • 1.2.1 Confidentiality, integrity, availability, authenticity and nonrepudiation
    • [Authenticity is a newly listed item, nonrepudiation is new in Domain 1, it also still appears as non-repudiation in 3.6]
  • 1.9.3 Onboarding, transfers, and termination processes
    • [“transfers” is new in 2021]
  • 1.10.6 Control assessments (security and privacy)
    • [Privacy control assessments is new, and this sub-sub-topic is renamed from 2018 1.9.6 “Security Control Assessment (SCA)”]
  • 1.10.9 Continuous improvement (e.g., Risk maturity modeling)
    • [“Risk maturity modeling” is new for 2021]
  • 1.12 Apply Supply Chain Risk Management (SCRM) concepts
    • [SCRM is new in 2021]
  • 1.13.1 Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification)
    • [“social engineering, phishing, security champions, gamification” are new topics in 2021]

Domain 2: Asset Security

  • 2.3 Provision resources securely
    • [new in 2021]
  • 2.3.2 Asset inventory (e.g., tangible, intangible)
    • [“tangible, intangible” new in 2021]
  • 2.4 Manage data lifecycle
    • [new in 2021, potentially renamed and moved from 2018 7.5.5 Information lifecycle]
  • 2.4.1 Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
    • [new in 2021]
  • 2.4.2 Data collection
    • [new in 2021]
  • 2.4.3 Data location
    • [new in 2021]
  • 2.4.4 Data maintenance
    • [new in 2021]
  • 2.4.5 Data retention
    • [new in 2021]
  • 2.4.6 Data destruction
    • [new in 2021]
  • 2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
    • [“EOL” and “EOS” are new in 2021]
  • 2.6.1 Data states (e.g., in use, in transit, at rest)
    • [“in use, in transit, at rest” data states are new in 2021]
  • 2.6.4 Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB))
    • [DLP and CASB new in 2021]

Domain 3: Security Architecture and Engineering

  • 3.1.2 Least privilege
    • [new for 2021 and present in 7.4.1]
  • 3.1.3 Defense in depth
    • [new in 2021]
  • 3.1.4 Secure defaults
    • [new in 2021]
  • 3.1.5 Fail securely
    • [new in 2021]
  • 3.1.7 Keep it simple
    • [new in 2021]
  • 3.1.8 Zero Trust
    • [new in 2021]
  • 3.1.9 Privacy by design
    • [new in 2021]
  • 3.1.10 Trust but verify
    • [new in 2021]
  • 3.1.11 Shared responsibility
    • [new in 2021]
  • 3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
    • [“Biba, Star Model, Bell-LaPadula” new in 2021]
  • 3.5.6 Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
    • [SaaS, IaaS, and PaaS new in 2021]
  • 3.5.9 Microservices
    • [new in 2021]
  • 3.5.10 Containerization
    • [new in 2021]
  • 3.5.11 Serverless
    • [new in 2021]
  • 3.5.13 High-Performance Computing (HPC) systems
    • [new in 2021]
  • 3.5.14 Edge computing systems
    • [new in 2021]
  • 3.5.15 Virtualized systems
    • [new in 2021]
  • 3.6.2 Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum)
    • [“quantum” new in 2021]
  • 3.6.5 Digital signatures and digital certificates
    • [“Digital certificates” new in 2021]
  • 3.7.1 Brute force
    • [new in 2021]
  • 3.7.2 Ciphertext only
    • [new in 2021]
  • 3.7.3 Known plaintext
    • [new in 2021]
  • 3.7.4 Frequency analysis
    • [new in 2021]
  • 3.7.5 Chosen ciphertext
    • [new in 2021]
  • 3.7.6 Implementation attacks
    • [new in 2021]
  • 3.7.7 Side-channel
    • [new in 2021]
  • 3.7.8 Fault injection
    • [new in 2021]
  • 3.7.9 Timing
    • [new in 2021]
  • 3.7.10 Man-in-the-Middle (MITM)
    • [new in 2021]
  • 3.7.11 Pass the hash
    • [new in 2021]
  • 3.7.12 Kerberos exploitation
    • [new in 2021]
  • 3.7.13 Ransomware
    • [new in 2021]
  • 3.9.9 Power (e.g., redundant, backup)
    • [new in 2021]

Domain 4: Communication and Network Security

  • 4.1.2 Internet Protocol (IP) networking (e.g., Internet Protocol Security (IPSec), Internet Protocol (IP) v4/6)
    • [IPSec, IPv4, and IPv6 new in 2021]
  • 4.1.3 Secure protocols
    • [new in 2021]
  • 4.1.5 Converged protocols (e.g., Fiber Channel Over Ethernet (FCoE), Internet Small Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP))
    • [FCoE, iSCSI, and VoIP new in 2021]
  • 4.1.6 Micro-segmentation (e.g., Software Defined Networks (SDN), Virtual eXtensible Local Area Network (VXLAN), Encapsulation, Software-Defined Wide Area Network (SD-WAN))
    • [Micro-segmentation, VXLAN, encapsulation, and SD-WAN new in 2021]
  • 4.1.7 Wireless networks (e.g., Li-Fi, Wi-Fi, Zigbee, satellite)
    • [Li-Fi, Zigbee, and satellite new in 2021]
  • 4.1.8 Cellular networks (e.g., 4G, 5G)
    • [new in 2021]
  • 4.2.1 Operation of hardware (e.g., redundant power, warranty, support)
    • [new in 2021]
  • 4.3.6 Third-party connectivity
    • [new in 2021]

Domain 5: Identity and Access Management (IAM)

  • 5.1.5 Applications
    • [new in 2021]
  • 5.2.5 Registration, proofing, and establishment of identity
    • [“Establishment of identity” new in 2021]
  • 5.2.8 Single Sign On (SSO)
    • [new in 2021]
  • 5.8.9 Just-In-Time (JIT)
    • [new in 2021]
  • 5.3.3 Hybrid
    • [new in 2021]
  • 5.4.6 Risk based access control
    • [new in 2021]
  • 5.5.1 Account access review (e.g., user, system, service)
    • [“service” new in 2021]
  • 5.5.2 Provisioning and deprovisioning (e.g., on /off boarding and transfers)
    • [“on /off boarding and transfers” new in 2021]
  • 5.2.3 Role definition (e.g., people assigned to new roles)
    • [new in 2021]
  • 5.2.4 Privilege escalation (e.g., managed service accounts, use of sudo, minimizing its use)
    • [new in 2021]
  • 5.6 Implement authentication systems
    • [new in 2021]
  • 5.6.1 OpenID Connect (OIDC)/Open Authorization (Oauth)
    • [new in 2021]
  • 5.6.2 Security Assertion Markup Language (SAML)
    • [new in 2021]
  • 5.6.3 Kerberos
    • [new in 2021]
  • 5.6.4 Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+)
    • [new in 2021]

Domain 6: Security Assessment and Testing

  • 6.2.9 Breach attack simulations
    • [new in 2021]
  • 6.2.10 Compliance checks
    • [new in 2021]
  • 6.4.1 Remediation
    • [new in 2021]
  • 6.4.2 Exception handling
    • [new in 2021]
  • 6.4.3 Ethical disclosure
    • [new in 2021]

Domain 7: Security Operations

  • 7.1.5 Artifacts (e.g., computer, network, mobile device)
    • [new in 2021]
  • 7.2.5 Log management
    • [new in 2021]
  • 7.2.6 Threat intelligence (e.g., threat feeds, threat hunting)
    • [new in 2021]
  • 7.2.7 User and Entity Behavior Analytics (UEBA)
    • [new in 2021]
  • 7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)
    • [new in 2021]
  • 7.7.1 Firewalls (e.g., next generation, web application, network)
    • [“next generation, web application, network” new in 2021]
  • 7.7.8 Machine learning and Artificial Intelligence (AI) based tools
    • [new in 2021]
  • 7.11.7 Lessons learned
    • [new in 2021]

Domain 8: Software Development Security

  • 8.1.1 Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps)
    • [“Agile, Waterfall, DevOps, DevSecOps” are new in 2021]
  • 8.1.2 Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))
    • [CMM and SAMM are new in 2021]
  • 8.2.1 Programming languages
    • [new in 2021]
  • 8.2.2 Libraries
    • [new in 2021]
  • 8.2.3 Tool sets
    • [new in 2021]
  • 8.2.4 Integrated Development Environment (IDE)
    • [new in 2021]
  • 8.2.5 Runtime
    • [new in 2021]
  • 8.2.6 Continuous Integration and Continuous Delivery (CI/CD)
    • [new in 2021]
  • 8.2.7 Security Orchestration, Automation, and Response (SOAR)
    • [new in 2021]
  • 8.2.10 Application security testing (e.g., Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST))
    • [new in 2021]
  • 8.4.1 Commercial-off-the-shelf (COTS)
    • [new in 2021]
  • 8.4.2 Open source
    • [new in 2021]
  • 8.4.3 Third-party
    • [new in 2021]
  • 8.4.4 Managed services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
    • [new in 2021]
  • 8.5.4 Software-defined security
    • [new in 2021]

Upon close inspection you might recognize that some of these “new” topics are already covered or are reasonable expansions of the domains. Many of the “new” topics should be familiar to any current cybersecurity professional. Be sure to focus on these topics in your preparation as they may be slightly more prevalent in exam questions than “legacy” topics.
Note: Please refer to the full 2021 CISSP Certification Exam Outline for the complete current topic list.

Rewording issues to review

In addition to the actual new items on the 2021 CISSP exam, there are numerous rewordings of topics and detailed items. In addition to rewording, there is also some re-organization and renumbering of items. Since those have little to no impact on the exam or your preparations, I have only highlighted a few of those items that were moved or renamed that are noteworthy. I did not include items where acronyms were added or hyphenation changed.

Here is a list of some potentially important rewordings or location changes:

Domain 1: Security and Risk Management

  • 1.1 Understand, adhere to, and promote professional ethics
    • [was promoted to 1.1 from 1.5 in order to emphasis the importance of ethics]
  • 1.4 Determine compliance and other requirements
    • [revised 2018 1.3, and “Determine compliance requirements” removed from 2018 1.2.6]
  • 1.5 Understand legal and regulatory issues that pertain to information security in a holistic context
    • [changed from 2018 1.4 “global context”]
  • 1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
    • [this was topic 2018 7.2, 7.2.1-7.2.5]
  • 1.10.6 Control assessments (security and privacy)
    • [renamed from 2018 1.9.6 “Security Control Assessment (SCA)”]
  • 1.12 Apply Supply Chain Risk Management (SCRM) concepts
    • [renamed from 2018 1.11 “Apply risk-based management concepts to the supply chain”]

Domain 2: Asset Security

  • 2.2 Establish information and asset handling requirements
    • [moved from 2018 2.6]
  • 2.3.1 Information and asset ownership
    • [renamed from 2018 2.2 “Determine and maintain information and asset ownership”]
  • 2.3.2 Asset inventory (e.g., tangible, intangible)
    • [moved from 2018 7.4.2]
  • 2.3.3 Asset Management
    • [moved from 2018 7.4.2]
  • 2.4.1 Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
    • [renamed from 2018 2.3.1 Data owners and 2.3.2 Data processors]
  • 2.4.2 Data collection
    • [renamed from 2018 2.3.4 Collection limitation]
  • 2.6 Determine data security controls and compliance requirements
    • [renamed from 2018 2.5 Determine data security controls]
  • 2.6.1 Data states (e.g., in use, in transit, at rest)
    • [renamed from 2018 2.5.1 Understand data states]
  • 2.6.4 Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB))
    • [DRM moved from 2018 3.9.9, this item is also renamed from 2018 2.5.4]

Domain 3: Security Architecture and Engineering

  • 3.1 Research, implement and manage engineering processes using secure design principles
    • [renamed from 2018 3.1]
  • 3.1.1 Threat modeling
    • [renamed and moved from 2018 1.10, 1.10.1, and 1.10.2]
  • 3.1.6 Separation of Duties (SoD)
    • [also included in 7.4.2]
  • 3.5.12 Embedded systems
    • [renamed from 2018 3.8 Assess and mitigate vulnerabilities in embedded devices]
  • 3.6 Select and determine cryptographic solutions
    • [renamed from 2018 3.9 Apply cryptography]
  • 3.7 Understand methods of cryptanalytic attacks
    • [moved from 2018 3.9.8]

Domain 4: Communication and Network Security

  • 4.1.9 Content Distribution Networks (CDN)
    • [moved and renamed from 2018 4.2.5]
  • 4.1.6 Micro-segmentation (e.g., Software Defined Networks (SDN), Virtual eXtensible Local Area Network (VXLAN), Encapsulation, Software-Defined Wide Area Network (SD-WAN))
    • [SDN moved and renamed from 2018 4.1.5]

Domain 5: Identity and Access Management (IAM)

  • 5.3 Federated identity with a third-party service
      • [renamed from 2018 5.3.3]
  • 5.5.1 Account access review (e.g., user, system, service)
    • [renamed from 2018 5.5.1 and 5.5.2]

Domain 6: Security Assessment and Testing

None

Domain 7: Security Operations

  • 7.5.2 Media protection techniques
    • [renamed from 2018 7.6.2 Hardware and software asset management]

Domain 8: Software Development Security

  • 8.2.8 Software Configuration Management (SCM)
    • [renamed from 2018 8.2.2]
  • 8.2.9 Code repositories
    • [renamed from 2018 8.2.3]

There are several items that were removed or at least not retained in the 2021 version of the CISSP exam. While these items are removed from the 2021 CISSP Certification Exam Outline, that does not typically mean the topic is not on the 2021 exam. Most of the dropped items were removed because the topics are included in other topics already and their removal is resolving unnecessary repetition. Also, all number references in this list are from the 2018 Exam Outline since these items are not present in the 2021 CISSP Certification Exam Outline.

Domain 1: Security and Risk Management

  • 1.9.8 Asset valuation
    • [Removed from 2021, but still relevant to overall topic]
  • 1.10.1 Threat modeling methodologies
    • [This sub-sub-topic was removed for 2021, but it is still contained in the 1.11 Understand and apply threat modeling concepts and methodologies sub-domain.]
  • 1.10.2 Threat modeling concepts
    • [This sub-sub-topic was removed for 2021, but it is still contained in the 1.11 Understand and apply threat modeling concepts and methodologies sub-domain.]

Domain 2: Asset Security

  • 2.3 Protect privacy
    • [This sub-topic was removed for 2021, but it is contained in other 2021 topics, including 1.4.2, 1.5.5, 1.9.6, 1.10.6, and 3.1.9]

Domain 3: Security Architecture and Engineering

  • 3.6 Assess and mitigate vulnerabilities in web-based systems
    • [This sub-topic was removed for 2021, but likely still relevant to the exam]
  • 3.7 Assess and mitigate vulnerabilities in mobile systems
    • [This sub-topic was removed for 2021, but likely still relevant to the exam]

Domain 4: Communication and Network Security

None

Domain 5: Identity and Access Management (IAM)

None

Domain 6: Security Assessment and Testing

None

Domain 7: Security Operations

None

Domain 8: Software Development Security

  • 8.2.1 Security of the software environments
    • [Removed in 2021, but still relevant to 2021 8.2 Identify and apply security controls in software development ecosystems]

0

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
  Related Posts

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.