New CISSP Exam Outline [Effective Date: May 1, 2021]

 

New CISSP Exam Outline

Effective Date: May 1, 2021

• Download Link: https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/CISSP-Exam-Outline-English-April-2021.ashx
• CISSP Domain Refresh FAQ: https://www.isc2.org/Certifications/CISSP/Domain-Refresh-FAQ

Quick Review

• Domain 1
  • Emphasize Ethics
  • Emphasize authenticity and nonrepudiation (properties of Integrity)
  • Change “global” context to “holistic” context (legal and regulatory requirements)
  • Move Investigation types here from Domain 7
  • Change SCA to Control assessments (security and privacy)
  • Remove Asset valuation
  • Mention Risk maturity modeling
  • Use the term, Supply Chain Risk Management (SCRM)
  • Mention social engineering, phishing, security champions, and gamification
• Domain 2
  • Use the term, asset handling requirements
  • Move Provision resources securely here from Domain 7
  • Specify data lifecycle
  • Emphasize asset retention (EOL, EOS)
  • Identify Data protection methods
  • Move Digital Rights Management (DRM) here from Domani 3
• Domain 3
  • Specify secure design principles
  • Identify 15 (add 7 more) vulnerabilities of architectures, designs, and solution elements. (Microservices, Containerization, Serverless, High-Performance Computing systems, Edge computing systems, and Virtualized systems)
  • Emphasize cryptanalytic attacks
  • Emphasize Power (e.g., redundant, backup)
• Domain 4
  • Cover more network archetypes: Micro-segmentation, Zigbee, satellite, 5G, CDN, Secure protocols, IPsec, IPv6, VXLAN, and SD-WAN
  • Add Third-party connectivity
• Domain 5
  • Add Just-In-Time (JIT)
  • Rename “Integrate identity as a third-party service” to “Federated identity with a third-party service”
  • Change “On-premise, Cloud, and Federated” to “On-premise, Cloud, and Hybrid“
  • Add Risk based access control
  • Improve provisioning lifecycle
  • Add Implement authentication systems
• Domain 6
  • Add 2 testing: Breach attack simulations and Compliance checks
  • Add 3 topics under “Analyze test output and generate report”: Remediation, Exception handling, and Ethical disclosure
• Domain 7
  • Emphasize Artifacts (e.g., computer, network, mobile device)
  • Add 3 topics under “Conduct logging and monitoring activities”: Log management, Threat intelligence (e.g., threat feeds, threat hunting), and User and Entity Behavior Analytics (UEBA)
  • Emphasize Machine learning and Artificial Intelligence (AI) based tools
  • Add Lessons learned to Disaster Recovery (DR) processes
• Domain 8
  • Expand “development environments” to “software development ecosystems”
    • Programming languages
    • Libraries
    • Tool sets
    • Integrated Development Environment (IDE)
    • Runtime
    • Continuous Integration and Continuous Delivery
      (CI/CD)
    • Security Orchestration, Automation, and Response
      (SOAR)
    • Software Configuration Management (SCM)
    • Code repositories
    • Application security testing (e.g., SAST, DAST)
  • Emphasize acquired software
    • Commercial-off-the-shelf (COTS)
    • Open source
    • Third-party
    • Managed services (e.g., SaaS, IaaS, PaaS)
  • Mention Software-defined security