CISSP Domain 1 Changes - 2018 vs 2015

By

The new exam outline has been released by (ISC)2 for the CISSP exam. I will be evaluating each domain of the 2015 & 2018 exam outline and would present you a point by point change in the course content. 

New Course Content which has added in the 2018 edition will be added in the form of posts on the blog.

Here is the overall result in Domain 1: Extremely Limited Change

2015 Exam Outline
2018 Exam Outline
Understand and apply concepts of confidentiality, integrity and availability
Understand and apply concepts of   confidentiality, integrity and availability
# No Change
Apply security governance principles through

  • Alignment of security function to business strategy, goals, mission, and objectives
  • Organizational processes (e.g., acquisitions, divestitures, governance committees)
  • Security roles and responsibilities
  • Control frameworks
Evaluate and apply security governance principles

  • Alignment of security function to the business strategy, goals, mission, and objectives
  • Organizational processes (e.g., acquisitions, divestitures, governance committees)
  • Organizational roles and responsibilities
  • Security control frameworks
  • Due care/due diligence
# Focus now on Security Control frameworks. Due care & Due Diligence separately mentioned now.
Compliance

  • Legislative and regulatory compliance
  • Privacy requirements compliance
Determine compliance requirements

  • Contractual, legal, industry standards, and regulatory requirements
  • Privacy requirements
# No Change
Understand legal and regulatory issues that pertain to information security in a global context

  • Computer crimes
  • Licensing and intellectual property
  • Import/export controls
  • Trans-border data flow
  • Privacy
  • Data Breaches
Understand legal and regulatory issues that pertain to information security in a global context

  • Cyber-crimes and data breaches
  • Licensing and intellectual property requirements
  • Import/export controls
  • Trans-border data flow
  • Privacy
#No Change
Understand professional ethics


  • (ISC)² Code of Professional Ethics
  • Organizational code of ethics
Understand, adhere to, and promote professional ethics

  • (ISC)² Code of Professional Ethics
  • Organizational code of ethics
#No Change
Develop, document, and implement security policy, standards, procedures, and guidelines
Develop, document, and implement security policy, standards, procedures, and guidelines

#No Change
Understand Business continuity requirements

  • Develop and document scope and plan
  • Business Impact Analysis (BIA)
Identify, analyze, and prioritize Business Continuity (BC) requirements

  • Develop and document scope and plan
  • Business Impact Analysis (BIA)
# No Change.
Contribute to personnel security policies


  • Employment Candidate Screening
  • Employment agreements and policies
  • Employment termination processes
  • Vendor, consultant, and contractor controls
  • Compliance
  • Privacy
Contribute to and enforce personnel security policies and procedures

  • Candidate screening and hiring
  • Employment agreements and policies
  • Onboarding and termination processes
  • Vendor, consultant, and contractor agreements and controls
  • Compliance policy requirements
  • Privacy policy requirements
# No Change
Understand and apply risk management concepts

  • Identify threats and vulnerabilities
  • Risk assessment/analysis
  • Risk assignment/acceptance
  • Countermeasure selection
  • Implementation
  • Types of controls (e.g., preventive, detective, corrective)
  • Control Assessment (SCA)
  • Monitoring and measurement
  • Asset valuation
  • Reporting
  • Continuous improvement
  • Risk frameworks
Understand and apply risk management concepts

  • Identify threats and vulnerabilities
  • Risk assessment/analysis
  • Risk response
  • Countermeasure selection and implementation
  • Applicable types of controls (e.g., preventive, detective, corrective)
  • Security Control Assessment (SCA)
  • Monitoring and measurement
  • Asset valuation
  • Reporting
  • Continuous improvement
  • Risk frameworks
# No Change
Understand and apply threat modeling

  • Identifying threats
  • Determining and Diagramming potential attacks
  • Performing reduction analysis
  • Technology and processes to remediate threats
Understand and apply threat modeling concepts and methodologies

  • Threat modeling methodologies
  • Threat modeling concepts

# Change is limited. The focus area remains the same. CISSP CBK 2018 can highlight newer concepts.
Integrate security risk considerations into acquisition strategy and practice

  • Hardware, Software, and Services
  • Third-party assessment and monitoring
  • Minimum security requirements
  • Service-level requirements
Apply risk-based management concepts to the supply chain

  • Risks associated with hardware, software, and services
  • Third-party assessment and monitoring
  • Minimum security requirements
  • Service-level requirements
#Overall no change. Focus on Risks in 1st point.
Establish and manage information security education, training, and awareness

  • Appropriate levels of awareness, training, and education required within organization
  • Periodic reviews for content relevancy
Establish and maintain a security awareness, education, and training program

  • Methods and techniques to present awareness and training
  • Periodic content reviews
  • Program effectiveness evaluation
# Evaluation of the effectiveness of the security program is a (welcome) addition.

Comments

Post a Comment

You may also like to read...

Identification, Authentication, Authorization, and Accountability

By
Image
The 4 steps to complete access management are identification, authentication, authorization, and accountability. Many confuse or consider that identification and authentication are the same, while some forget or give the least importance to auditing. These are four distinct concepts and must be understood as such. Identification Whenever you log in to most of the websites, you submit a username. In case you create an account, you are asked to choose a username which identifies you. This username which you provide during login is “Identification”. It is simply a way of claiming your identity. From an information security point of view, identification describes a method where you claim whom you are. If you notice, you share your username with anyone. Your email id is a form of identification and you share this identification with everyone to receive emails. This means that identification is a public form of information. Authentication So now you have entered you
Continue Reading...

Access Control Models - DAC, MAC, RBAC , Rule Based & ABAC

By
Image
Identity and Access Management is an extremely vital part of information security. An access control model is a framework which helps to manage the identity and the access management in the organization. There are 5 main types of access control models: discretionary, rule-based, role-based, attribute-based and mandatory access control model. Every model uses different methods to control how subjects access objects. While one may focus on rules, the other focus on roles of the subject. As a security professional, we must know all about these different access control models. While one company may choose to implement one of these models depending on their culture, there is no rule book which says that you cannot implement multiple models in your organization. These models are built into the core or the kernel of the different operating systems and possibly their supporting applications. Every operating system has a security kernel that enforces a reference monitor concept, whi
Continue Reading...

How to Pass SSCP Exam in the First Attempt

By
Image
Systems Security Certified Practitioner (SSCP) exam is offered by (ISC)2 . When I prepared for this exam, there was hardly any material for preparation or blog posts to help me understand the experience of this exam. In this blog post, I will try to explain to you how to study for this exam and the experience of this exam.  Before I begin, let me congratulate on your journey to becoming an SSCP. Although this certification may not be highly recognized as the CISSP certification, still it shows your employer and the world that you are really interested to pursue your career in this field. You become a practitioner in this field. What is SSCP? You would like to read CISSP vs SSCP in case you want to have a comparison between the exams. SSCP is a 3-hour long examination having 125 questions. You are required to score a minimum of 700 out of 1000. 25 questions are not graded as they are research oriented questions. It is important to note that since these questions are
Continue Reading...

Understanding Security Modes - Dedicated , System high, Compartmented , Multilevel

By
Image
Imagine a system that processes information. This information is classified in nature. When we say, its classified, it means that the information has been labeled according to the data classification scheme finalized by the organization. This scheme can be company specific, such as public, internal and confidential or military/government specific such as Confidential, Top Secret, Secret, Public. As a general user or a security professional, you would want that proper controls to be implemented and the system to be secure that processes such information. Imagine a scenario where such a malicious user tries to access this information. What clearance must this person have? Will he/she have access to all classified levels? Hey!!, stop imagining. Let’s discuss something else now. Hold on, I know, I had asked you to imagine the scenario above. But answers to all your questions would follow, so keep on reading further. We need to learn and understand a few terms before we are ready
Continue Reading...

Cloud Computing - The Logical Model

By
Image
At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality.  The four layers are : Infrastructure: The core components of a computing system: compute, network, and storage.The foundation that everything else is built on. The moving parts. Metastructure: The protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies and enables management and configuration. Infostructure: The data and information. Content in a database, file storage, etc. Applistructure: The applications deployed in the cloud and the underlying application services used to build them. For example, Platform as a Service features like message queues, artificial intelligence analysis, or notification services. The security at different levels is mapped to the different layers. The application security is managed at the applistructure layer while the data sec
Continue Reading...