By Saaz Rai Under CISSP Jan 18, 2018

Every 3 years or so, (ISC)2 refreshes the CISSP CBK (Common Body of Knowledge) to keep it relevant across all disciplines in the field of information security. The last change took effect on April 15, 2015, and, as expected, (ISC)2 has announced a new CISSP CBK that applies from April 2018.

Should you be worried? Are the changes significant? Should you stop studying now and wait until the new CISSP materials arrive?
Here I'll try to answer some of these questions, which many of you may be contemplating.

COMPARISON OF WEIGHTAGE PER DOMAIN

Domain | 2015 Weightage | 2018 Weightage
1. Security and Risk Management | 16% | 15%
2. Asset Security | 10% | 10%
3. Security Architecture and Engineering | 12% | 13%
4. Communication and Network Security | 12% | 14%
5. Identity and Access Management (IAM) | 13% | 13%
6. Security Assessment and Testing | 11% | 12%
7. Security Operations | 16% | 13%
8. Software Development Security | 10% | 10%

There is very little change to the weightage given to each domain in the new 2018 CBK. The largest change is in domain 7, where the weightage has dropped from 16% to 13%. This time around the weightage distribution across domains is almost even, which means that you will have to study and master every domain in order to pass the exam.

COMPARISON OF CHANGES PER DOMAIN

Let's examine the changes per domain. I have highlighted whatever has been removed in Red and the new additions in Green.

Domain 1 : Security and Risk Management

2015 Topic | 2015 Sub Topic | 2018 Topic | 2018 Sub Topic
Understand and apply concepts of confidentiality, integrity and availability | | Understand and apply concepts of confidentiality, integrity and availability |

Apply security governance principles through: | Alignment of security function to strategy, goals, mission, and objectives (e.g., business case, budget and resources) | Evaluate and apply security governance principles | Alignment of security function to business strategy, goals, mission, and objectives
 | Organizational processes (e.g., acquisitions, divestitures, governance committees) | | Organizational processes (e.g., acquisitions, divestitures, governance committees)
 | Security roles and responsibilities | | Organizational roles and responsibilities
 | Control frameworks | | Security control frameworks
 | Due care | | Due care/due diligence
 | Due diligence | |

Compliance | Legislative and regulatory compliance | Determine compliance requirements | Contractual, legal, industry standards, and regulatory requirements
 | Privacy requirements compliance | | Privacy requirements

Understand legal and regulatory issues that pertain to information security in a global context | Computer crimes | Understand legal and regulatory issues that pertain to information security in a global context | Cyber crimes and data breaches
 | Licensing and intellectual property (e.g., copyright, trademark, digital-rights management) | | Licensing and intellectual property requirements
 | Import/export controls | | Import/export controls
 | Trans-border data flow | | Trans-border data flow
 | Privacy | | Privacy
 | Data breaches | |

Understand professional ethics | Exercise (ISC)2 Code of Professional Ethics | Understand, adhere to, and promote professional ethics | (ISC)2 Code of Professional Ethics
 | Support organization's code of ethics | | Organizational code of ethics

Develop and implement documented security policy, standards, procedures, and guidelines | | Develop, document, and implement security policy, standards, procedures, and guidelines |

Understand business continuity requirements | Develop and document project scope and plan | Identify, analyze, and prioritize Business Continuity (BC) requirements | Develop and document scope and plan
 | Conduct business impact analysis | | Business Impact Analysis (BIA)

Contribute to personnel security policies | Employment candidate screening (e.g., reference checks, education verification) | Contribute to and enforce personnel security policies and procedures | Candidate screening and hiring
 | Employment agreements and policies | | Employment agreements and policies
 | Employment termination processes | | Onboarding and termination processes
 | | | Vendor, consultant, and contractor agreements and controls
 | | | Compliance policy requirements
 | | | Privacy policy requirements

Understand and apply risk management concepts | Identify threats and vulnerabilities | Understand and apply risk management concepts | Identify threats and vulnerabilities
 | Risk assessment/analysis (qualitative, quantitative, hybrid) | | Risk assessment/analysis
 | Risk assignment/acceptance (e.g., system authorization) | | Risk response
 | Countermeasure selection | | Countermeasure selection and implementation
 | Implementation | |
 | Types of controls (preventive, detective, corrective, etc.) | | Applicable types of controls (e.g., preventive, detective, corrective)
 | Control assessment | | Security Control Assessment (SCA)
 | Monitoring and measurement | | Monitoring and measurement
 | Asset valuation | | Asset valuation
 | Reporting | | Reporting
 | Continuous improvement | | Continuous improvement
 | Risk frameworks | | Risk frameworks

Understand and apply threat modeling | Identifying threats (e.g., adversaries, contractors, employees, trusted partners) | Understand and apply threat modeling concepts and methodologies | Threat modeling methodologies
 | Determining and diagramming potential attacks (e.g., social engineering, spoofing) | | Threat modeling concepts
 | Performing reduction analysis | |
 | Technologies and processes to remediate threats (e.g., software architecture and operations) | |

Integrate security risk considerations into acquisition strategy and practice | Hardware, software, and services | Apply risk-based management concepts to the supply chain | Risks associated with hardware, software, and services
 | Third-party assessment and monitoring (e.g., on-site assessment, document exchange and review, process/policy review) | | Third-party assessment and monitoring
 | Minimum security requirements | | Minimum security requirements
 | Service-level requirements | | Service-level requirements

Establish and manage information security education, training, and awareness | Appropriate levels of awareness, training, and education required within organization | Establish and maintain a security awareness, education, and training program | Methods and techniques to present awareness and training
 | Periodic reviews for content relevancy | | Periodic content reviews
 | | | Program effectiveness evaluation

Domain 2 : Asset Security

2015 Topic | 2015 Sub Topic | 2018 Topic | 2018 Sub Topic
Classify information and supporting assets (e.g., sensitivity, criticality) | | Identify and classify information and assets | Data classification
 | | | Asset Classification

Determine and maintain ownership (e.g., data owners, system owners, business/mission owners) | | Determine and maintain information and asset ownership |

Protect privacy | Data owners | Protect privacy | Data owners
 | Data processers | | Data processers
 | Data remanence | | Data remanence
 | Collection limitation | | Collection limitation

Ensure appropriate retention (e.g., media, hardware, personnel) | | Ensure appropriate asset retention |

Determine data security controls (e.g., data at rest, data in transit) | Baselines | Determine data security controls | Understand data states
 | Scoping and tailoring | | Scoping and tailoring
 | Standards selection | | Standards selection
 | Cryptography | | Data protection methods

Establish handling requirements (markings, labels, storage, destruction of sensitive information) | | Establish information and asset handling requirements |

Domain 3 : Security Architecture and Engineering

2015 Topic | 2015 Sub Topic | 2018 Topic | 2018 Sub Topic
Implement and manage engineering processes using secure design principles | | Implement and manage engineering processes using secure design principles |

Understand the fundamental concepts of security models (e.g., Confidentiality, Integrity, and Multi-level Models) | | Understand the fundamental concepts of security models |

Select controls and countermeasures based upon systems security evaluation models | | Select controls based upon systems security requirements |

Understand security capabilities of information systems (e.g., memory protection, virtualization, trusted platform module, interfaces, fault tolerance) | | Understand security capabilities of information systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption) |

Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements | Client-based (e.g., applets, local caches) | Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements | Client-based systems
 | Server-based (e.g., data flow control) | | Server-based systems
 | Database security (e.g., inference, aggregation, data mining, data analytics, warehousing) | | Database systems
 | Large-scale parallel data systems | |
 | Distributed systems (e.g., cloud computing, grid computing, peer to peer) | |
 | Cryptographic systems | | Cryptographic systems
 | Industrial control systems (e.g., SCADA) | | Industrial Control Systems (ICS)
 | | | Cloud-based systems
 | | | Distributed systems
 | | | Internet of Things (IoT)

Assess and mitigate vulnerabilities in web-based systems (e.g., XML, OWASP) | | Assess and mitigate vulnerabilities in web-based systems |

Assess and mitigate vulnerabilities in mobile systems | | Assess and mitigate vulnerabilities in mobile systems |

Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems (e.g., network-enabled devices, Internet of Things (IoT)) | | Assess and mitigate vulnerabilities in embedded devices |

Apply cryptography | Cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance) | Apply cryptography | Cryptographic life cycle (e.g., key management, algorithm selection)
 | Cryptographic types (e.g., symmetric, asymmetric, elliptic curves) | | Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves)
 | Public Key Infrastructure (PKI) | | Public Key Infrastructure (PKI)
 | Key management practices | | Key management practices
 | Digital signatures | | Digital signatures
 | Digital rights management | | Digital Rights Management (DRM)
 | Non-repudiation | | Non-repudiation
 | Integrity (hashing and salting) | | Integrity (e.g., hashing)
 | Methods of cryptanalytic attacks (e.g., brute force, cipher-text only, known plaintext) | | Understand methods of cryptanalytic attacks

Apply secure principles to site and facility design | | Apply security principles to site and facility design |

Design and implement physical security | Wiring closets | Implement site and facility security controls | Wiring closets/intermediate distribution facilities
 | Server rooms | | Server rooms/data centers
 | Media storage facilities | | Media storage facilities
 | Evidence storage | | Evidence storage
 | Restricted and work area security (e.g., operations centers) | | Restricted and work area security
 | Data center security | |
 | Utilities and HVAC considerations | | Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
 | Water issues (e.g., leakage, flooding) | | Environmental issues
 | Fire prevention, detection and suppression | | Fire prevention, detection, and suppression

Domain 4 : Communication and Network Security

2015 Topic | 2015 Sub Topic | 2018 Topic | 2018 Sub Topic
Apply secure design principles to network architecture (e.g., IP & non-IP protocols, segmentation) | OSI and TCP/IP models | Implement secure design principles in network architectures | Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
 | IP networking | | Internet Protocol (IP) networking
 | Implications of multilayer protocols (e.g., DNP3) | | Implications of multilayer protocols
 | Converged protocols (e.g., FCoE, MPLS, VoIP, iSCSI) | | Converged protocols
 | Software-defined networks | | Software-defined networks
 | Wireless networks | | Wireless networks
 | Cryptography used to maintain communication security | |

Secure network components | Operation of hardware (e.g., modems, switches, routers, wireless access points, mobile devices) | Secure network components | Operation of hardware
 | Transmission media (e.g., wired, wireless, fiber) | | Transmission media
 | Network access control devices (e.g., firewalls, proxies) | | Network Access Control (NAC) devices
 | Endpoint security | | Endpoint security
 | Content-distribution networks | | Content-distribution networks
 | Physical devices | |

Design and establish secure communication channels | Voice | Implement secure communication channels according to design | Voice
 | Multimedia collaboration (e.g., remote meeting technology, instant messaging) | | Multimedia collaboration
 | Remote access (e.g., VPN, screen scraper, virtual application/desktop, telecommuting) | | Remote access
 | Data communications (e.g., VLAN, TLS/SSL) | | Data communications
 | Virtualized networks (e.g., SDN, virtual SAN, guest operating systems, port isolation) | | Virtualized networks

Prevent or mitigate network attacks | | |

Domain 5 : Identity and Access Management

2015 Topic | 2015 Sub Topic | 2018 Topic | 2018 Sub Topic
Control physical and logical access to assets | Information | Control physical and logical access to assets | Information
 | Systems | | Systems
 | Devices | | Devices
 | Facilities | | Facilities

Manage identification and authentication of people and devices | Identity management implementation (e.g., SSO, LDAP) | Manage identification and authentication of people, devices, and services | Identity management implementation
 | Single/multi-factor authentication (e.g., factors, strength, errors) | | Single/multi-factor authentication
 | Accountability | | Accountability
 | Session management (e.g., timeouts, screensavers) | | Session management
 | Registration and proofing of identity | | Registration and proofing of identity
 | Federated identity management (e.g., SAML) | | Federated Identity Management (FIM)
 | Credential management systems | | Credential management systems

Integrate identity as a service (e.g., cloud identity) | | Integrate identity as a third-party service | On-premise
 | | | Cloud
 | | | Federated

Integrate third-party identity services (e.g., on-premise) | | |

Implement and manage authorization mechanisms | Role-Based Access Control (RBAC) methods | Implement and manage authorization mechanisms | Role Based Access Control (RBAC)
 | Rule-based access control methods | | Rule-based access control
 | Mandatory Access Control (MAC) | | Mandatory Access Control (MAC)
 | Discretionary Access Control (DAC) | | Discretionary Access Control (DAC)
 | | | Attribute Based Access Control (ABAC)

Prevent or mitigate access control attacks | | |

Manage the identity and access provisioning lifecycle (e.g., provisioning, review) | | Manage the identity and access provisioning lifecycle | User access review
 | | | System account access review
 | | | Provisioning and deprovisioning

Domain 6 : Security Assessment and Testing

2015 Topic | 2015 Sub Topic | 2018 Topic | 2018 Sub Topic
Design and validate assessment and test strategies | | Design and validate assessment, test, and audit strategies | Internal
 | | | External
 | | | Third-party

Conduct security control testing | Vulnerability assessment | Conduct security control testing | Vulnerability assessment
 | Penetration testing | | Penetration testing
 | Log reviews | | Log reviews
 | Synthetic transactions | | Synthetic transactions
 | Code review and testing (e.g., manual, dynamic, static, fuzz) | | Code review and testing
 | Misuse case testing | | Misuse case testing
 | Test coverage analysis | | Test coverage analysis
 | Interface testing (e.g., API, UI, physical) | | Interface testing

Collect security process data (e.g., management and operational controls) | Account management (e.g., escalation, revocation) | Collect security process data (e.g., technical and administrative) | Account management
 | Management review | | Management review and approval
 | Key performance and risk indicators | | Key performance and risk indicators
 | Backup verification data | | Backup verification data
 | Training and awareness | | Training and awareness
 | Disaster recovery and business continuity | | Disaster Recovery (DR) and Business Continuity (BC)

Analyze and report test outputs (e.g., automated, manual) | | Analyze test output and generate report |

Conduct or facilitate internal and third party audits | | Conduct or facilitate security audits | Internal
 | | | External
 | | | Third-party

Domain 7 : Security Operations

2015 Topic | 2015 Sub Topic | 2018 Topic | 2018 Sub Topic
Understand and support investigations | Evidence collection and handling (e.g., chain of custody, interviewing) | Understand and support investigations | Evidence collection and handling
 | Reporting and documenting | | Reporting and documentation
 | Investigative techniques (e.g., root-cause analysis, incident handling) | | Investigative techniques
 | Digital forensics (e.g., media, network, software, and embedded devices) | | Digital forensics tools, tactics, and procedures

Understand requirements for investigation types | Operational | Understand requirements for investigation types | Administrative
 | Criminal | | Criminal
 | Civil | | Civil
 | Regulatory | | Regulatory
 | Electronic discovery (eDiscovery) | | Industry standards

Conduct logging and monitoring activities | Intrusion detection and prevention | Conduct logging and monitoring activities | Intrusion detection and prevention
 | Security information and event management | | Security Information and Event Management (SIEM)
 | Continuous monitoring | | Continuous monitoring
 | Egress monitoring (e.g., data loss prevention, steganography, watermarking) | | Egress monitoring

Secure the provisioning of resources | Asset inventory (e.g., hardware, software) | Securely provisioning resources | Asset inventory
 | Configuration management | | Configuration management
 | Physical assets | | Asset management
 | Virtual assets (e.g., software-defined network, virtual SAN, guest operating systems) | |
 | Cloud assets (e.g., services, VMs, storage, networks) | |
 | Applications (e.g., workloads or private clouds, web services, software as a service) | |

Understand and apply foundational security operations concepts | Need-to-know/least privilege (e.g., entitlement, aggregation, transitive trust) | Understand and apply foundational security operations concepts | Need-to-know/least privileges
 | Separation of duties and responsibilities | | Separation of duties and responsibilities
 | Monitor special privileges (e.g., operators, administrators) | | Privileged account management
 | Job rotation | | Job rotation
 | Information lifecycle | | Information lifecycle
 | Service-level agreements | | Service Level Agreements (SLA)

Employ resource protection techniques | Media management | Apply resource protection techniques | Media management
 | Hardware and software asset management | | Hardware and software asset management

Conduct incident management | Detection | Conduct incident management | Detection
 | Response | | Response
 | Mitigation | | Mitigation
 | Reporting | | Reporting
 | Recovery | | Recovery
 | Remediation | | Remediation
 | Lessons learned | | Lessons learned

Operate and maintain preventative measures | Firewalls | Operate and maintain detective and preventative measures | Firewalls
 | Intrusion detection and prevention systems | | Intrusion detection and prevention systems
 | Whitelisting/Blacklisting | | Whitelisting/blacklisting
 | Third-party security services | | Third-party provided security services
 | Sandboxing | | Sandboxing
 | Honeypots/Honeynets | | Honeypots/honeynets
 | Anti-malware | | Anti-malware

Implement and support patch and vulnerability management | | Implement and support patch and vulnerability management |

Participate in and understand change management processes (e.g., versioning, baselining, security impact analysis) | | Understand and participate in change management processes |

Implement recovery strategies | Backup storage strategies (e.g., offsite storage, electronic vaulting, tape rotation) | Implement recovery strategies | Backup storage strategies
 | Recovery site strategies | | Recovery site strategies
 | Multiple processing sites (e.g., operationally redundant systems) | | Multiple processing sites
 | System resilience, high availability, quality of service, and fault tolerance | | System resilience, high availability, Quality of Service (QoS), and fault tolerance

Implement disaster recovery processes | Response | Implement Disaster Recovery (DR) processes | Response
 | Personnel | | Personnel
 | Communications | | Communications
 | Assessment | | Assessment
 | Restoration | | Restoration
 | Training and awareness | | Training and awareness

Test disaster recovery plans | Read-through | Test Disaster Recovery Plans (DRP) | Read-through/tabletop
 | Walkthrough | | Walkthrough
 | Simulation | | Simulation
 | Parallel | | Parallel
 | Full interruption | | Full interruption

Participate in business continuity planning and exercises | | Participate in Business Continuity (BC) planning and exercises |

Implement and manage physical security | Perimeter (e.g., access control and monitoring) | Implement and manage physical security | Perimeter security controls
 | Internal security (e.g., escort requirements/visitor control, keys and locks) | | Internal security controls

Participate in addressing personnel safety concerns (e.g., duress, travel, monitoring) | | Address personnel safety and security concerns | Travel
 | | | Security training and awareness
 | | | Emergency management
 | | | Duress

Domain 8 : Software Development Security

2015 Topic | 2015 Sub Topic | 2018 Topic | 2018 Sub Topic
Understand and apply security in the software development lifecycle | Development methodologies (e.g., Agile, Waterfall) | Understand and integrate security in the Software Development Life Cycle (SDLC) | Development methodologies
 | Maturity models | | Maturity models
 | Operation and maintenance | | Operation and maintenance
 | Change management | | Change management
 | Integrated product team (e.g., DevOps) | | Integrated product team

Enforce security controls in development environments | Security of the software environments | Identify and apply security controls in development environments | Security of the software environments
 | Security weaknesses and vulnerabilities at the source-code level (e.g., buffer overflow, escalation of privilege, input/output validation) | |
 | Configuration management as an aspect of secure coding | | Configuration management as an aspect of secure coding
 | Security of code repositories | | Security of code repositories
 | Security of application programming interfaces | |

Assess the effectiveness of software security | Auditing and logging of changes | Assess the effectiveness of software security | Auditing and logging of changes
 | Risk analysis and mitigation | | Risk analysis and mitigation
 | Acceptance testing | |

Assess security impact of acquired software | | Assess security impact of acquired software |

 | | Define and apply secure coding guidelines and standards | Security weaknesses and vulnerabilities at the source-code level
 | | | Security of application programming interfaces
 | | | Secure coding practices

OVERALL CHANGES

Topics Removed : 11%

Topics Added : 7% 

SUMMARY

The Good

  • No major changes in the CBK.
  • Your current study effort is not, and will not be, wasted.
  • Weightage per domain is more evened out.

The Bad

  • Although the change is minimal, you might want to take the 2015 exam while you can if you are already prepared for it.
  • The new study materials will take time to arrive; some editions might take a year or more.