Saturday, April 21, 2018

CISSP Domain 1 Changes - 2018 vs 2015


(ISC)² has released the new exam outline for the CISSP exam. I will be evaluating each domain of the 2015 and 2018 exam outlines and presenting a point-by-point comparison of the changes in the course content.

New course content added in the 2018 edition will be covered in separate posts on this blog.

Here is the overall result in Domain 1: Extremely Limited Change

2015 Exam Outline: Understand and apply concepts of confidentiality, integrity and availability
2018 Exam Outline: Understand and apply concepts of confidentiality, integrity and availability
Change: No change

2015 Exam Outline: Apply security governance principles through
  • Alignment of security function to business strategy, goals, mission, and objectives
  • Organizational processes (e.g., acquisitions, divestitures, governance committees)
  • Security roles and responsibilities
  • Control frameworks
2018 Exam Outline: Evaluate and apply security governance principles
  • Alignment of security function to the business strategy, goals, mission, and objectives
  • Organizational processes (e.g., acquisitions, divestitures, governance committees)
  • Organizational roles and responsibilities
  • Security control frameworks
  • Due care/due diligence
Change: The focus is now on security control frameworks, and due care/due diligence is now mentioned separately.

2015 Exam Outline: Compliance
  • Legislative and regulatory compliance
  • Privacy requirements compliance
2018 Exam Outline: Determine compliance requirements
  • Contractual, legal, industry standards, and regulatory requirements
  • Privacy requirements
Change: No change

2015 Exam Outline: Understand legal and regulatory issues that pertain to information security in a global context
  • Computer crimes
  • Licensing and intellectual property
  • Import/export controls
  • Trans-border data flow
  • Privacy
  • Data breaches
2018 Exam Outline: Understand legal and regulatory issues that pertain to information security in a global context
  • Cyber-crimes and data breaches
  • Licensing and intellectual property requirements
  • Import/export controls
  • Trans-border data flow
  • Privacy
Change: No change

2015 Exam Outline: Understand professional ethics
  • (ISC)² Code of Professional Ethics
  • Organizational code of ethics
2018 Exam Outline: Understand, adhere to, and promote professional ethics
  • (ISC)² Code of Professional Ethics
  • Organizational code of ethics
Change: No change

2015 Exam Outline: Develop, document, and implement security policy, standards, procedures, and guidelines
2018 Exam Outline: Develop, document, and implement security policy, standards, procedures, and guidelines
Change: No change

2015 Exam Outline: Understand business continuity requirements
  • Develop and document scope and plan
  • Business Impact Analysis (BIA)
2018 Exam Outline: Identify, analyze, and prioritize Business Continuity (BC) requirements
  • Develop and document scope and plan
  • Business Impact Analysis (BIA)
Change: No change

2015 Exam Outline: Contribute to personnel security policies
  • Employment candidate screening
  • Employment agreements and policies
  • Employment termination processes
  • Vendor, consultant, and contractor controls
  • Compliance
  • Privacy
2018 Exam Outline: Contribute to and enforce personnel security policies and procedures
  • Candidate screening and hiring
  • Employment agreements and policies
  • Onboarding and termination processes
  • Vendor, consultant, and contractor agreements and controls
  • Compliance policy requirements
  • Privacy policy requirements
Change: No change

2015 Exam Outline: Understand and apply risk management concepts
  • Identify threats and vulnerabilities
  • Risk assessment/analysis
  • Risk assignment/acceptance
  • Countermeasure selection
  • Implementation
  • Types of controls (e.g., preventive, detective, corrective)
  • Control Assessment (SCA)
  • Monitoring and measurement
  • Asset valuation
  • Reporting
  • Continuous improvement
  • Risk frameworks
2018 Exam Outline: Understand and apply risk management concepts
  • Identify threats and vulnerabilities
  • Risk assessment/analysis
  • Risk response
  • Countermeasure selection and implementation
  • Applicable types of controls (e.g., preventive, detective, corrective)
  • Security Control Assessment (SCA)
  • Monitoring and measurement
  • Asset valuation
  • Reporting
  • Continuous improvement
  • Risk frameworks
Change: No change

2015 Exam Outline: Understand and apply threat modeling
  • Identifying threats
  • Determining and diagramming potential attacks
  • Performing reduction analysis
  • Technology and processes to remediate threats
2018 Exam Outline: Understand and apply threat modeling concepts and methodologies
  • Threat modeling methodologies
  • Threat modeling concepts
Change: The change is limited and the focus area remains the same; the 2018 CISSP CBK may highlight newer concepts.

2015 Exam Outline: Integrate security risk considerations into acquisition strategy and practice
  • Hardware, software, and services
  • Third-party assessment and monitoring
  • Minimum security requirements
  • Service-level requirements
2018 Exam Outline: Apply risk-based management concepts to the supply chain
  • Risks associated with hardware, software, and services
  • Third-party assessment and monitoring
  • Minimum security requirements
  • Service-level requirements
Change: Overall no change; the first point now focuses explicitly on risks.

2015 Exam Outline: Establish and manage information security education, training, and awareness
  • Appropriate levels of awareness, training, and education required within the organization
  • Periodic reviews for content relevancy
2018 Exam Outline: Establish and maintain a security awareness, education, and training program
  • Methods and techniques to present awareness and training
  • Periodic content reviews
  • Program effectiveness evaluation
Change: Evaluation of the effectiveness of the security program is a (welcome) addition.