4th Edition

Official (ISC)2 Guide to the CISSP CBK

Edited by Adam Gordon. Copyright 2015.
1304 pages, 206 B/W illustrations
Published by Auerbach Publications

As a result of a rigorous, methodical process that (ISC)² follows to routinely update its credential exams, it has announced that enhancements will be made to the Certified Information Systems Security Professional (CISSP) credential, beginning April 15, 2015. (ISC)² conducts this process on a regular basis to ensure that the examinations and the subsequent training and continuing professional education requirements encompass the topic areas relevant to the roles and responsibilities of today’s practicing information security professionals.

Refreshed technical content has been added to the official (ISC)² CISSP CBK to reflect the most current topics in the information security industry today. Some topics have been expanded (e.g., asset security, security assessment and testing), while other topics have been realigned under different domains. The result is an exam that most accurately reflects the technical and managerial competence required of an experienced information security professional to effectively design, engineer, implement, and manage an organization’s information security program within an ever-changing security landscape.

The domain names have been updated as follows:

CISSP Domains, Effective April 15, 2015

1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
2. Asset Security (Protecting Security of Assets)
3. Security Engineering (Engineering and Management of Security)
4. Communications and Network Security (Designing and Protecting Network Security)
5. Identity and Access Management (Controlling Access and Managing Identity)
6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
7. Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

Some candidates may be wondering how these updates affect training materials for the CISSP credential. As part of the organization’s comprehensive education strategy and certifying-body best practices, (ISC)² training materials do not teach directly to its credential examinations. Rather, (ISC)² Education is focused on teaching the core competencies relevant to the roles and responsibilities of today’s practicing information security professional. It is designed to refresh and enhance the knowledge of experienced industry professionals.

Domain 1 — Security & Risk Management
Security & Risk Management
Confidentiality, Integrity, and Availability
Security Governance
The Complete and Effective Security Program
Compliance
Global Legal and Regulatory Issues
Understand Professional Ethics
Develop and Implement Security Policy
Business Continuity (BC) & Disaster Recovery (DR) Requirements
Manage Personnel Security
Risk Management Concepts
Threat Modeling
Acquisitions Strategy and Practice
Security Education, Training, and Awareness

Domain 2 — Asset Security
Asset Security
Data Management: Determine and Maintain Ownership
Data Standards
Longevity and Use
Classify Information and Supporting Assets
Asset Management
Protect Privacy
Ensure Appropriate Retention
Determine Data Security Controls
Standards Selection

Domain 3 — Security Engineering
Security Engineering
The Engineering Lifecycle Using Security Design Principles
Fundamental Concepts of Security Models
Information Systems Security Evaluation Models
Security Capabilities of Information Systems
Vulnerabilities of Security Architectures
Database Security
Software and System Vulnerabilities and Threats
Vulnerabilities in Mobile Systems
Vulnerabilities in Embedded Devices and Cyber-Physical Systems
The Application and Use of Cryptography
Site and Facility Design Considerations
Site Planning
Implementation and Operation of Facilities Security

Domain 4 — Communications & Network Security
Communications & Network Security
Secure Network Architecture and Design
Implications of Multi-Layer Protocols
Converged Protocols
Securing Network Components
Secure Communication Channels
Network Attacks

Domain 5 — Identity & Access Management
Identity & Access Management
Physical and Logical Access to Assets
Identification and Authentication of People and Devices
Identity Management Implementation
Identity as a Service (IDaaS)
Integrate Third-Party Identity Services
Implement and Manage Authorization Mechanisms
Prevent or Mitigate Access Control Attacks
Identity and Access Provisioning Lifecycle

Domain 6 — Security Assessment & Testing
Security Assessment & Testing
Assessment and Test Strategies
Collect Security Process Data
Internal and Third-Party Audits

Domain 7 — Security Operations
Security Operations
Investigations
Provisioning of Resources through Configuration Management
Resource Protection
Incident Response
Preventative Measures against Attacks
Patch and Vulnerability Management
Change and Configuration Management
The Disaster Recovery Process
Test Plan Review
Business Continuity and Other Risk Areas
Access Control
Personnel Safety

Domain 8 — Security in the Software Development Life Cycle
Security in the Software Development Life Cycle
Software Development Security Outline
Environment and Security Controls
Security of the Software Environment
Software Protection Mechanisms
Assess the Effectiveness of Software Security
Assess Software Acquisition Security

Biography

Adam Gordon