As the digital landscape evolves, so does the realm of cybersecurity. The Certified Information Systems Security Professional (CISSP) certification stands as a cornerstone in this field, adapting to emerging threats and technologies. In this article, we delve into the differences between the CISSP exam in 2021 and its 2024 iteration. From updated domains to evolving industry trends, uncover the nuances that distinguish these certifications and their relevance in safeguarding our digital future.
Introduction to CISSP certification
CISSP Domains
CISSP Experience Requirements
CISSP CAT Exam Information
CISSP Linear Exam Information
CISSP Domain Details
Introduction to CISSP certification
Certified Information Systems Security Professional (CISSP) is a globally recognized certification for information security professionals. It validates expertise in designing, implementing, and managing cybersecurity programs. Covering domains like security architecture, risk management, and cryptography, CISSP signifies proficiency in safeguarding organizations against cyber threats and ensuring the confidentiality, integrity, and availability of sensitive information.
CISSP Domains:
Domain | CISSP 2021 | CISSP 2024
---|---|---
1 | Security and Risk Management (15%) | Security and Risk Management (16%) (weight increased by one percentage point)
2 | Asset Security (10%) | Asset Security (10%)
3 | Security Architecture and Engineering (13%) | Security Architecture and Engineering (13%)
4 | Communication and Network Security (13%) | Communication and Network Security (13%)
5 | Identity and Access Management (IAM) (13%) | Identity and Access Management (IAM) (13%)
6 | Security Assessment and Testing (12%) | Security Assessment and Testing (12%)
7 | Security Operations (13%) | Security Operations (13%)
8 | Software Development Security (11%) | Software Development Security (10%) (weight decreased by one percentage point)
CISSP Experience Requirements:
CISSP 2021 | CISSP 2024
---|---
Candidates must have a minimum of five years of cumulative, paid work experience in two or more of the eight domains of the CISSP CBK. | Candidates must have a minimum of five years of cumulative, paid work experience in two or more of the eight domains of the CISSP Exam Outline.
A four-year college degree, a regional equivalent, or an additional credential from the ISC2 approved list satisfies one year of the required experience. | A four-year college degree, a regional equivalent, or an additional credential from the ISC2 approved list satisfies one year of the required experience.
Education credit satisfies at most one year of experience. | Education credit satisfies at most one year of experience.
A candidate who lacks the required experience may become an Associate of ISC2 by passing the CISSP examination, and then has six years to earn the five years of required experience. | A candidate who lacks the required experience may become an Associate of ISC2 by passing the CISSP examination, and then has six years to earn the five years of required experience.
CISSP CAT Exam Information
Exam Name | CISSP CAT 2021 | CISSP CAT 2024
---|---|---
Launch Date | Effective May 1, 2021 | Effective April 15, 2024
Exam Duration | 4 hours | 3 hours
Number of items | 125-175 | 100-150
Exam Format | Multiple-choice and advanced innovative items | Multiple-choice and advanced innovative items
Passing Score | 700 out of 1000 points | 700 out of 1000 points
Language | English | English, Chinese, German, Japanese, and Spanish (see note below)
Testing Center | ISC2 Authorized PPC and PVTC Select Pearson VUE Testing Centers | ISC2 Authorized PPC and PVTC Select Pearson VUE Testing Centers
Note: Starting from April 15, 2024, the CISSP exam will be exclusively offered via CAT (Computer Adaptive Testing) and will be accessible solely in the following languages: English, Chinese, German, Japanese, and Spanish. Linear CISSP exams will no longer be available as of April 15, 2024.
CISSP Linear Exam Information
Exam Name | CISSP Linear 2021
---|---
Exam Duration | 6 hours
Number of items | 250
Exam Format | Multiple-choice and advanced innovative items
Passing Score | 700 out of 1000 points
Language | French, German, Brazilian Portuguese, Spanish-Modern, Japanese, Simplified Chinese, Korean
Testing Center | ISC2 Authorized PPC and PVTC Select Pearson VUE Testing Centers
Note: There is no 2024 column for the linear exam because linear CISSP exams were discontinued on April 15, 2024; from that date the exam is offered only in CAT format, in the languages listed in the note above.
Domain Details:
Domain | CISSP 2021 | CISSP 2024
---|---|---
1. Security and Risk Management | 1.1 Understand, adhere to, and promote professional ethics | 1.1 Understand, adhere to, and promote professional ethics
 | 1.2 Understand and apply security concepts (lists confidentiality, integrity, availability, authenticity, and nonrepudiation as the concepts to understand and apply) | 1.2 Understand and apply security concepts (the five pillars of information security are now named in the outline; the core content is unchanged)
 | 1.3 Evaluate and apply security governance principles | 1.3 Evaluate, apply, and sustain security governance principles
 | 1.4 Determine compliance and other requirements | 1.4 Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context (merges 2021 sections 1.4 and 1.5; the topics covered are largely the same, with slightly more emphasis on specific privacy issues)
 | 1.5 Understand legal and regulatory issues that pertain to information security in a holistic context | (merged into 1.4)
 | 1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) | 1.5 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
 | 1.7 Develop, document, and implement security policy, standards, procedures, and guidelines | 1.6 Develop, document, and implement security policy, standards, procedures, and guidelines
 | 1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements | 1.7 Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements (adds a focus on assessing external dependencies alongside the Business Impact Analysis (BIA))
 | 1.9 Contribute to and enforce personnel security policies and procedures | 1.8 Contribute to and enforce personnel security policies and procedures
 | 1.10 Understand and apply risk management concepts | 1.9 Understand and apply risk management concepts
 | 1.11 Understand and apply threat modeling concepts and methodologies | 1.10 Understand and apply threat modeling concepts and methodologies
 | 1.12 Apply Supply Chain Risk Management (SCRM) concepts | 1.11 Apply Supply Chain Risk Management (SCRM) concepts (expands to include risks associated with the acquisition of products and services from suppliers and providers)
 | 1.13 Establish and maintain a security awareness, education, and training program | 1.12 Establish and maintain a security awareness, education, and training program (similar to 2021, but periodic content reviews now extend to emerging technologies and trends such as cryptocurrency, AI, and blockchain)
2. Asset Security | 2.1 Identify and classify information and assets | 2.1 Identify and classify information and assets
 | 2.2 Establish information and asset handling requirements | 2.2 Establish information and asset handling requirements
 | 2.3 Provision resources securely | 2.3 Provision information and assets securely (renamed to refer specifically to information and assets)
 | 2.4 Manage data lifecycle | 2.4 Manage data lifecycle
 | 2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS)) | 2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
 | 2.6 Determine data security controls and compliance requirements (e.g., DRM, CASB, DLP) | 2.6 Determine data security controls and compliance requirements
3. Security Architecture and Engineering | 3.1 Research, implement and manage engineering processes using secure design principles | 3.1 Research, implement, and manage engineering processes using secure design principles (adds "secure access service edge")
 | 3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula) | 3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
 | 3.3 Select controls based upon systems security requirements | 3.3 Select controls based upon systems security requirements
 | 3.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption) | 3.4 Understand security capabilities of Information Systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
 | 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements | 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements (moves cryptographic solutions into their own section and organizes vulnerability assessment and mitigation by specific system type)
 | 3.6 Select and determine cryptographic solutions | 3.6 Select and determine cryptographic solutions (organizes the topics into separate sections; the separate sub-sections "Non-repudiation" and "Integrity (e.g., hashing)" are removed)
 | 3.7 Understand methods of cryptanalytic attacks | 3.7 Understand methods of cryptanalytic attacks
 | 3.8 Apply security principles to site and facility design | 3.8 Apply security principles to site and facility design
 | 3.9 Design site and facility security controls | 3.9 Design site and facility security controls
 | (no counterpart) | 3.10 Manage the information system lifecycle (new section)
4. Communication and Network Security | 4.1 Assess and implement secure design principles in network architectures | 4.1 Apply secure design principles in network architectures (renamed; emphasizes applying secure design principles in network architectures)
 | 4.2 Secure network components | 4.2 Secure network components (adds detail on the operation of infrastructure)
 | 4.3 Implement secure communication channels according to design | 4.3 Implement secure communication channels according to design (adds detail on implementing secure channels for voice, video, and collaboration)
5. Identity and Access Management (IAM) | 5.1 Control physical and logical access to assets | 5.1 Control physical and logical access to assets (adds "services")
 | 5.2 Manage identification and authentication of people, devices, and services | 5.2 Design identification and authentication strategy (e.g., people, devices, and services) (shifts the focus from managing to designing an identification and authentication strategy)
 | 5.3 Federated identity with a third-party service | 5.3 Federated identity with a third-party service
 | 5.4 Implement and manage authorization mechanisms | 5.4 Implement and manage authorization mechanisms (adds "access policy enforcement")
 | 5.5 Manage the identity and access provisioning lifecycle | 5.5 Manage the identity and access provisioning lifecycle (adds detail on managing the provisioning lifecycle)
 | 5.6 Implement authentication systems | 5.6 Implement authentication systems
6. Security Assessment and Testing | 6.1 Design and validate assessment, test, and audit strategies | 6.1 Design and validate assessment, test, and audit strategies (adds the location of the activity: on-premise, cloud, or hybrid)
 | 6.2 Conduct security control testing | 6.2 Conduct security control testing (adds detail on conducting security control testing)
 | 6.3 Collect security process data (e.g., technical and administrative) | 6.3 Collect security process data (e.g., technical and administrative)
 | 6.4 Analyze test output and generate report | 6.4 Analyze test output and generate report
 | 6.5 Conduct or facilitate security audits | 6.5 Conduct or facilitate security audits (adds the location of the audit: on-premise, cloud, or hybrid)
7. Security Operations | 7.1 Understand and comply with investigations | 7.1 Understand and comply with investigations (names "data" as one of the artifacts and adds detail on understanding and complying with investigations)
 | 7.2 Conduct logging and monitoring activities | 7.2 Conduct logging and monitoring activities (adds detail on logging and monitoring activities)
 | 7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation) | 7.3 Perform configuration management (CM) (e.g., provisioning, baselining, automation)
 | 7.4 Apply foundational security operations concepts | 7.4 Apply foundational security operations concepts
 | 7.5 Apply resource protection | 7.5 Apply resource protection (adds "data at rest/data in transit")
 | 7.6 Conduct incident management | 7.6 Conduct incident management
 | 7.7 Operate and maintain detective and preventative measures | 7.7 Operate and maintain detection and preventative measures
 | 7.8 Implement and support patch and vulnerability management | 7.8 Implement and support patch and vulnerability management
 | 7.9 Understand and participate in change management processes | 7.9 Understand and participate in change management processes
 | 7.10 Implement recovery strategies | 7.10 Implement recovery strategies
 | 7.11 Implement Disaster Recovery (DR) processes | 7.11 Implement Disaster Recovery (DR) processes
 | 7.12 Test Disaster Recovery Plans (DRP) | 7.12 Test Disaster Recovery Plans (DRP)
 | 7.13 Participate in Business Continuity (BC) planning and exercises | 7.13 Participate in Business Continuity (BC) planning and exercises
 | 7.14 Implement and manage physical security | 7.14 Implement and manage physical security
 | 7.15 Address personnel safety and security concerns | 7.15 Address personnel safety and security concerns
8. Software Development Security | 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) | 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) (names the Scaled Agile Framework among the development methodologies)
 | 8.2 Identify and apply security controls in software development ecosystems | 8.2 Identify and apply security controls in software development ecosystems (adds application security testing methods such as Software Composition Analysis (SCA) and Interactive Application Security Testing (IAST))
 | 8.3 Assess the effectiveness of software security | 8.3 Assess the effectiveness of software security
 | 8.4 Assess security impact of acquired software | 8.4 Assess security impact of acquired software (names "enterprise applications" under managed services and adds "cloud services" as a separate category)
 | 8.5 Define and apply secure coding guidelines and standards | 8.5 Define and apply secure coding guidelines and standards
Final Words:
The changes are relatively minor. The updates from the 2021 to the 2024 CISSP exam outline reflect ISC2's effort to keep the certification relevant as technology and threat vectors continue to evolve.