Year-End Learning Carnival: Get Free Courses and Up to 50% off on Career Booster Combos!
D H M S

CISSP 2021 vs. New CISSP 2024

As the digital landscape evolves, so does the realm of cybersecurity. The Certified Information Systems Security Professional (CISSP) certification stands as a cornerstone in this field, adapting to emerging threats and technologies. In this article, we delve into the differences between the CISSP exam in 2021 and its 2024 iteration. From updated domains to evolving industry trends, uncover the nuances that distinguish these certifications and their relevance in safeguarding our digital future.

CISSP 2021 vs. New CISSP 2024

Table of Contents

Introduction to CISSP certification
CISSP Domains
CISSP Experience Requirements
CISSP CAT Exam Information
CISSP Linear Exam Information
CISSP Domain Details

Introduction to CISSP certification

Certified Information Systems Security Professional (CISSP) is a globally recognized certification for information security professionals. It validates expertise in designing, implementing, and managing cybersecurity programs. Covering domains like security architecture, risk management, and cryptography, CISSP signifies proficiency in safeguarding organizations against cyber threats and ensuring the confidentiality, integrity, and availability of sensitive information.

CISSP Domains:

Domains CISSP 2021 CISSP 2024
1 Security and Risk Management (15%) Security and Risk Management (16%) (weightage increased by 1%)
2 Asset Security (10%) Asset Security (10%)
3 Security Architecture and Engineering (13%) Security Architecture and Engineering (13%)
4 Communication and Network Security (13%) Communication and Network Security (13%)
5 Identity and Access Management (IAM) (13%) Identity and Access Management (IAM) (13%)
6 Security Assessment and Testing (12%) Security Assessment and Testing (12%)
7 Security Operations (13%) Security Operations (13%)
8 Software Development Security (11%) Software Development Security (10%) (weightage decreased by 1%)

CISSP Experience Requirements:

CISSP 2021 CISSP 2024
● Candidates must have a minimum of five years cumulative paid work experience in two or more of the eight domains of the CISSP CBK.

● Earning a four year college degree or regional equivalent or an additional credential from the ISC2 approved list will satisfy one year of the required experience.

● Education credit will only satisfy one year of experience

● A candidate that doesn’t have the required experience to become a CISSP may become an Associate of ISC2 by successfully passing the CISSP examination. The Associate of ISC2 will then have six years to earn the five years required experience.

● Candidates must have a minimum of five years cumulative paid work experience in two or more of the eight domains of the CISSP outline.

● Earning a four year college degree or regional equivalent or an additional credential from the ISC2 approved list will satisfy one year of the required experience.

● Education credit will only satisfy one year of experience.

● A candidate that doesn’t have the required experience to become a CISSP may become an Associate of ISC2 by successfully passing the CISSP examination. The Associate of ISC2 will then have six years to earn the five years required experience.
(No change)

CISSP CAT Exam Information

Exam Name CISSP CAT 2021 CISSP CAT 2024
Launch Date Effective May 1, 2021 Effective April 15, 2024
Exam Duration 4 hours 3 hours
Number of items 125-175 100-150
Exam Format Multiple-choice and advanced innovative items Multiple-choice and advanced innovative items
Passing Score 700 out of 1000 points 700 out of 1000 points
Language English English
Testing Center ISC2 Authorized PPC and PVTC Select Pearson VUE Testing Centers ISC2 Authorized PPC and PVTC Select Pearson VUE Testing Centers

Note: Starting from April 15, 2024, the CISSP exam will be exclusively offered via CAT (Computer Adaptive Testing) and will be accessible solely in the following languages: English, Chinese, German, Japanese, and Spanish. Linear CISSP exams will no longer be available as of April 15, 2024.

CISSP Linear Exam Information

Exam Name CISSP Linear 2021
Exam Duration 6 hours
Number of items 250
Exam Format Multiple-choice and advanced innovative items
Passing Score 700 out of 1000 points
Language French, German, Brazilian Portuguese, Spanish-Modern, Japanese, Simplified Chinese, Korean
Testing Center ISC2 Authorized PPC and PVTC Select Pearson VUE Testing Centers

Note: Starting from April 15, 2024, the CISSP exam will be exclusively offered via CAT (Computer Adaptive Testing) and will be accessible solely in the following languages: English, Chinese, German, Japanese, and Spanish. Linear CISSP exams will no longer be available as of April 15, 2024.

Domain Details: 

Domains CISSP 2021 CISSP 2024
1. Security and Risk Management 1.1 Understand, adhere to, and promote professional ethics

  • ISC2 Code of Professional Ethics
  • Organizational code of ethics
1.1 Understand, adhere to, and promote professional ethics

  • ISC2 Code of Professional Ethics
  • Organizational code of ethics
1.2 Understand and apply security concepts

  • Confidentiality, integrity, and availability, authenticity and nonrepudiation

(Simply mentions “confidentiality, integrity, and availability, authenticity and nonrepudiation” as security concepts to understand and apply)

1.2 Understand and apply security concepts

  • Confidentiality, integrity, and availability, authenticity, and nonrepudiation (5 Pillars of Information Security)

(The 5 pillars of information security are now included in the exam framework, however, the core content remains the same)

1.3 Evaluate and apply security governance principles

  • Alignment of the security function to business strategy, goals, mission, and objectives
  • Organizational processes (e.g., acquisitions, divestitures, governance committees)
  • Organizational roles and responsibilities
  • Security control frameworks
  • Due care/due diligence
1.3 Evaluate, apply, and sustain security governance principles

  • Alignment of the security function to business strategy, goals, mission, and objectives
  • Organizational processes (e.g., acquisitions, divestitures, governance committees)
  • Organizational roles and responsibilities
  • Security control frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA), Payment Card Industry (PCI), Federal Risk and Authorization Management Program (FedRAMP))
  • Due care/due diligence
  • (The focus on security control frameworks is more detailed, listing specific frameworks like ISO, NIST, COBIT, SABSA, PCI, and FedRAMP. This update likely reflects the increasing importance of leveraging established frameworks for effective security management)
1.4 Determine compliance and other requirements

  • Contractual, legal, industry standards, and regulatory requirements
  • Privacy requirements
1.4 Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context

  • Cybercrimes and data breaches
  • Licensing and Intellectual Property requirements
  • Import/export controls
  • Transborder data flow
  • Issues related to privacy (e.g., General Data Protection Regulation (GDPR), California Consumer Privacy Act, Personal Information Protection Law, Protection of Personal Information Act)
  • Contractual, legal, industry standards, and regulatory requirements (Added)

(Updated version has merged two subsections, while the overall topics covered remain similar, the CISSP 2024 version seems to place slightly more emphasis on specific privacy issues)

1.5 Understand legal and regulatory issues that pertain to information security in a holistic context

  • Cybercrimes and data breaches
  • Licensing and Intellectual Property (IP) requirements
  • Import/export controls
  • Transborder data flow
  • Privacy
1.5 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) 1.6 Develop, document, and implement security policy, standards, procedures, and guidelines
1.7 Develop, document, and implement security policy, standards, procedures, and guidelines 1.7 Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements

  • Business impact analysis (BIA)
  • External dependencies

(Adds a focus on assessing external dependencies alongside BIA)

1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements

  • Business Impact Analysis (BIA)
  • Develop and document the scope and the plan
1.8 Contribute to and enforce personnel security policies and procedures

  • Candidate screening and hiring
  • Employment agreements and policy driven requirements
  • Onboarding, transfers, and termination processes
  • Vendor, consultant, and contractor agreements and controls
1.9 Contribute to and enforce personnel security policies and procedure

  • Candidate screening and hiring
  • Employment agreements and policies
  • Onboarding, transfers, and termination processes
  • Vendor, consultant, and contractor agreements and controls
  • Compliance policy requirements
  • Privacy policy requirements
1.9 Understand and apply risk management concepts

  • Threat and vulnerability identification
  • Risk analysis, assessment, and scope
  • Risk response and treatment (e.g., cybersecurity insurance)
  • Applicable types of controls (e.g., preventive, detection, corrective)
  • Control assessments (e.g., security and privacy)
  • Continuous monitoring and measurement
  • Reporting (e.g., internal, external)
  • Continuous improvement (e.g., risk maturity modeling)
  • Risk frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA), Payment Card Industry (PCI))
1.10 Understand and apply risk management concepts

  • Identify threats and vulnerabilities
  • Risk assessment/analysis
  • Risk response
  • Countermeasure selection and implementation
  • Applicable types of controls (e.g., preventive, detective, corrective)
  • Control assessments (security and privacy)
  • Monitoring and measurement
  • Reporting
  • Continuous improvement (e.g., Risk maturity modeling)
  • Risk frameworks
1.10 Understand and apply threat modeling concepts and methodologies
1.11 Understand and apply threat modeling concepts and methodologies 1.11 Apply Supply Chain Risk Management (SCRM) concepts

  • Risks associated with the acquisition of products and services from suppliers and providers (e.g., product tampering, counterfeits, implants)
  • Risk mitigations (e.g., third-party assessment and monitoring, minimum security requirements, service level requirements, silicon root of trust, physically unclonable function, software bill of materials)

(Expands to include risks associated with the acquisition of products and services from suppliers and providers)

1.12 Apply Supply Chain Risk Management (SCRM) concepts

  • Risks associated with hardware, software, and services
  • Third-party assessment and monitoring
  • Minimum security requirements
  • Service level requirements
1.12 Establish and maintain a security awareness, education, and training program

  • Methods and techniques to increase awareness and training (e.g., social engineering, phishing, security champions, gamification)
  • Periodic content reviews to include emerging technologies and trends (e.g., cryptocurrency, artificial intelligence (AI), blockchain)
  • Program effectiveness evaluation

(Similar to 2021 but expands on periodic content reviews to include emerging technologies and trends such as cryptocurrency, AI, and blockchain)

1.13 Establish and maintain a security awareness, education, and training program

  • Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification)
  • Periodic content reviews
  • Program effectiveness evaluation
2. Asset Security

2.1 Identify and classify information and assets

  • Data classification
  • Asset Classification
2.1 Identify and classify information and assets

  • Data classification
  • Asset classification
2.2 Establish information and asset handling requirements 2.2 Establish information and asset handling requirements
2.3 Provision resources securely

  • Information and asset ownership
  • Asset inventory (e.g., tangible, intangible)
  • Asset management
2.3 Provision information and assets securely

  • Information and asset ownership
  • Asset inventory (e.g., tangible, intangible)
  • Asset management

(Specifically emphasizes provisioning information and assets securely)

2.4 Manage data lifecycle

  • Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
  • Data collection
  • Data location
  • Data maintenance
  • Data retention
  • Data remanence
  • Data destruction
2.4 Manage data lifecycle

  • Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
  • Data collection
  • Data location
  • Data maintenance
  • Data retention
  • Data remanence
  • Data destruction
2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS)) 2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
2.6 Determine data security controls and compliance requirements(DRM, CASB, DLP)

  • Data states (e.g., in use, in transit, at rest)
  • Scoping and tailoring
  • Standards selection
  • Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB))
2.6 Determine data security controls and compliance requirements

  • Data states (e.g., in use, in transit, at rest)
  • Scoping and tailoring
  • Standards selection
  • Data protection methods (e.g., Digital Rights Management (DRM), data loss prevention (DLP), cloud access security broker (CASB))
3. Security Architecture and Engineering 3.1 Research, implement and manage engineering processes using secure design principles

  • Threat modeling
  • Least privilege
  • Defense in depth
  • Secure defaults
  • Fail securely
  • Separation of Duties (SoD)
  • Keep it simple
  • Zero Trust
  • Privacy by design
  • Trust but verify
  • Shared responsibility
3.1 Research, implement, and manage engineering processes using secure design principles

  • Threat modeling
  • Least privilege
  • Defense in depth
  • Secure defaults
  • Fail securely
  • Segregation of Duties (SoD)
  • Keep it simple and small
  • Zero trust or trust but verify
  • Privacy by design
  • Shared responsibility
  • Secure access service edge

(Adds “secure access service edge”)

3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula) 3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
3.3 Select controls based upon systems security requirements 3.3 Select controls based upon systems security requirements
3.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption) 3.4 Understand security capabilities of Information Systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

  • Client-based systems
  • Server-based systems
  • Database systems
  • Cryptographic systems
  • Industrial Control Systems (ICS)
  • Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
  • Distributed systems
  • Internet of Things (IoT)
  • Microservices
  • Containerization
  • Serverless
  • Embedded systems
  • High-Performance Computing (HPC) systems
  • Edge computing systems
  • Virtualized systems
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

  • Client-based systems
  • Server-based systems
  • Database systems
  • Cryptographic systems
  • Operational Technology/industrial control systems (ICS)
  • Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
  • Distributed systems
  • Internet of Things (IoT)
  • Microservices (e.g., application programming interface (API))
  • Containerization
  • Serverless
  • Embedded systems
  • High-Performance Computing systems
  • Edge computing systems
  • Virtualized systems

(Separates the cryptographic solutions into a standalone section and organizes the vulnerabilities assessment and mitigation by specific system types)

3.6 Select and determine cryptographic solutions

  • Cryptographic life cycle (e.g., keys, algorithm selection)
  • Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum)
  • Public Key Infrastructure (PKI)
  • Key management practices
  • Digital signatures and digital certificates
  • Non-repudiation
  • Integrity (e.g., hashing)

(Removed separate sections “Non-repudiation and integrity (e.g., hashing)”)

3.6 Select and determine cryptographic solutions

  • Cryptographic life cycle (e.g., keys, algorithm selection)
  • Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum)
  • Public key infrastructure (PKI) (e.g., quantum key distribution)
  • Key management practices (e.g., rotation)
  • Digital signatures and digital certificates (e.g., non-repudiation, integrity)

(Organizes the topics into separate sections)

3.7 Understand methods of cryptanalytic attacks

  • Brute force
  • Ciphertext only
  • Known plaintext
  • Frequency analysis
  • Chosen ciphertext
  • Implementation attacks
  • Side-channel
  • Fault injection
  • Timing
  • Man-in-the-Middle (MITM)
  • Pass the hash
  • Kerberos exploitation
  • Ransomware
3.7 Understand methods of cryptanalytic attacks

  • Brute force
  • Ciphertext only
  • Known plaintext
  • Frequency analysis
  • Chosen ciphertext
  • Implementation attacks
  • Side-channel
  • Fault injection
  • Timing
  • Man-in-the-middle (MITM)
  • Pass the hash
  • Kerberos exploitation
  • Ransomware
3.8 Apply security principles to site and facility design 3.8 Apply security principles to site and facility design
3.9 Design site and facility security controls

  • Wiring closets/intermediate distribution facilities
  • Server rooms/data centers
  • Media storage facilities
  • Evidence storage
  • Restricted and work area security
  • Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
  • Environmental issues
  • Fire prevention, detection, and suppression
  • Power (e.g., redundant, backup)
3.9 Design site and facility security controls

  • Wiring closets/intermediate distribution frame
  • Server rooms/data centers
  • Media storage facilities
  • Evidence storage
  • Restricted and work area security
  • Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
  • Environmental issues (e.g., natural disasters, man-made)
  • Fire prevention, detection, and suppression
  • Power (e.g., redundant, backup)
3.10 Manage the information system lifecycle

  • Stakeholders needs and requirements
  • Requirements analysis
  • Architectural design
  • Development /implementation
  • Integration
  • Verification and validation
  • Transition/deployment
  • Operations and maintenance/sustainment
  • Retirement/disposal
4. Communication and Network Security 4.1 Assess and implement secure design principles in network architectures

  • Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
  • Internet Protocol (IP) networking (e.g., Internet Protocol Security (IPSec), Internet Protocol (IP) v4/6)
  • Secure protocols
  • Implications of multilayer protocols
  • Converged protocols (e.g., Fiber Channel Over Ethernet (FCoE), Internet Small Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP))
  • Micro-segmentation (e.g., Software Defined Networks (SDN), Virtual eXtensible Local Area Network (VXLAN), Encapsulation, Software-Defined Wide Area Network (SD-WAN))
  • Wireless networks (e.g., Li-Fi, Wi-Fi, Zigbee, satellite)
  • Cellular networks (e.g., 4G, 5G)
  • Content Distribution Networks (CDN)
4.1 Apply secure design principles in network architectures

  • Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
  • Internet Protocol (IP) version 4 and 6 (IPv6) (e.g., unicast, broadcast, multicast, anycast)
  • Secure protocols (e.g., Internet Protocol Security (IPSec), Secure Shell (SSH), Secure Sockets Layer (SSL)/Transport Layer Security (TLS))
  • Implications of multilayer protocols
  • Converged protocols (e.g., Internet Small Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP), InfiniBand over Ethernet, Compute Express Link)
  • Transport architecture (e.g., topology, data/control/management plane, cut-through/store-and-forward)
  • Performance metrics (e.g., bandwidth, latency, jitter, throughput, signal-to-noise ratio)
  • Traffic flows (e.g., north-south, east-west)
  • Physical segmentation (e.g., in-band, out-of-band, air-gapped)
  • Logical segmentation (e.g., virtual local area networks (VLANs), virtual private networks (VPNs), virtual routing and forwarding, virtual domain) and forward
  • Micro-segmentation (e.g., network overlays/encapsulation; distributed firewalls, routers, intrusion detection system (IDS)/intrusion prevention system (IPS), zero trust)
  • Edge networks (e.g., ingress/egress, peering)
  • Wireless networks (e.g., Bluetooth, Wi-Fi, Zigbee, satellite)
  • Cellular/mobile networks (e.g., 4G, 5G)
  • Content distribution networks (CDN)
  • Software defined networks (SDN), (e.g., application programming interface (API), Software-Defined Wide-Area Network, network functions virtualization)
  • Virtual Private Cloud (VPC)
  • Monitoring and management (e.g., network observability, traffic flow/shaping, capacity management, fault detection and handling)

(Renamed and emphasizes applying secure design principles in network architectures)

4.2 Secure network components

  • Operation of infrastructure (e.g., redundant power, warranty, support)
  • Transmission media (e.g., physical security of media, signal propagation quality)
  • Network Access Control (NAC) systems (e.g., physical, and virtual solutions)
  • Endpoint security (e.g., host-based)

(Details the operation of infrastructure)

4.2 Secure network components

  • Operation of infrastructure (e.g., redundant power, warranty, support)
  • Transmission media (e.g., physical security of media, signal propagation quality)
  • Network Access Control (NAC) systems (e.g., physical, and virtual solutions)
  • Endpoint security (e.g., host-based

(Details the operation of infrastructure)

4.3 Implement secure communication channels according to design

  • Voice
  • Multimedia collaboration
  • Remote access
  • Data communication
  • Virtualized networks
  • Third-party connectivity
4.3 Implement secure communication channels according to design

  • Voice, video, and collaboration (e.g., conferencing, Zoom rooms)
  • Remote access (e.g., network administrative functions)
  • Data communications (e.g., backhaul networks, satellite)
  • Third-party connectivity (e.g., telecom providers, hardware support)

(Details the implementation of secure communication channels for voice, video, and collaboration)

5. Identity and Access Management (IAM) 5.1 Control physical and logical access to assets

  • Information
  • Systems
  • Devices
  • Facilities
  • Applications
5.1 Control physical and logical access to assets

  • Information
  • Systems
  • Devices
  • Facilities
  • Applications
  • Services

 (Adds “services”)

5.2 Manage identification and authentication of people, devices, and services

  • Identity Management (IdM) implementation
  • Single/Multi-Factor Authentication (MFA)
  • Accountability
  • Session management
  • Registration, proofing, and establishment of identity
  • Federated Identity Management (FIM)
  • Credential management systems
  • Single Sign On (SSO)
  • Just-In-Time (JIT)
5.2 Design identification and authentication strategy (e.g., people, devices, and services)

  • Groups and Roles
  • Authentication, Authorization and Accounting (AAA) (e.g., multi-factor authentication (MFA), password-less authentication)
  • Session management
  • Registration, proofing, and establishment of identity
  • Federated Identity Management (FIM)
  • Credential management systems (e.g., Password vault)
  • Single sign-on (SSO)
  • Just-In-Time

(Shifts the focus to designing an identification and authentication strategy for people, devices, and services)

5.3 Federated identity with a third-party service

  • On-premise
  • Cloud
  • Hybrid
5.3 Federated identity with a third-party service

  • On-premise
  • Cloud
  • Hybrid
5.4 Implement and manage authorization mechanisms

  • Role-based access control (RBAC)
  • Rule based access control
  • Mandatory access control (MAC)
  • Discretionary access control (DAC)
  • Attribute-based access control (ABAC)
  • Risk based access control
5.4 Implement and manage authorization mechanisms

  • Role-based access control (RBAC)
  • Rule based access control
  • Mandatory access control (MAC)
  • Discretionary access control (DAC)
  • Attribute-based access control (ABAC)
  • Risk based access control
  • Access policy enforcement (e.g., policy decision point, policy enforcement point)

(Adds “Access policy enforcement”)

5.5 Manage the identity and access provisioning lifecycle

  • Account access review (e.g., user, system, service)
  • Provisioning and deprovisioning (e.g., on /off boarding and transfers)
  • Role definition (e.g., people assigned to new roles)
  • Privilege escalation (e.g., managed service accounts, use of sudo, minimizing its use)
5.5 Manage the identity and access provisioning lifecycle

  • Account access review (e.g., user, system, service)
  • Provisioning and deprovisioning (e.g., on/off boarding and transfers)
  • Role definition and transition (e.g., people assigned to new roles)
  • Privilege escalation (e.g., use of sudo, auditing its use)
  • Service accounts management

(Details the management of the identity and access provisioning lifecycle)

5.6 Implement authentication systems

  • OpenID Connect (OIDC)/Open Authorization (Oauth)
  • Security Assertion Markup Language (SAML)
  • Kerberos
  • Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+) 
5.6 Implement authentication systems
6. Security Assessment and Testing 6.1 Design and validate assessment, test, and audit strategies

  • Internal
  • External
  • Third-party
6.1 Design and validate assessment, test, and audit strategies

  • Internal (e.g., within organization control)
  • External (e.g., outside organization control)
  • Third-party (e.g., outside of enterprise control)
  • Location (e.g., on-premise, cloud, hybrid)

(Adds a new aspect regarding the location of assessments, tests, and audits, specifying whether they are conducted on-premise, in the cloud, or in a hybrid environment)

6.2 Conduct security control testing

  • Vulnerability assessment
  • Penetration testing
  • Log reviews
  • Synthetic transactions
  • Code review and testing
  • Misuse case testing
  • Test coverage analysis
  • Interface testing
  • Breach attack simulations
  • Compliance checks
6.2 Conduct security control testing

  • Vulnerability assessment
  • Penetration testing (e.g., red, blue, and/or purple team exercises)
  • Log reviews
  • Synthetic transactions/benchmarks
  • Code review and testing
  • Misuse case testing
  • Coverage analysis
  • Interface testing (e.g., user interface, network interface, application programming interface (API))
  • Breach attack simulations
  • Compliance checks

(Details the conduct of security controls testing)

6.3 Collect security process data (e.g., technical and administrative)

  • Account management
  • Management review and approval
  • Key performance and risk indicators
  • Backup verification data
  • Training and awareness
  • Disaster recovery (DR) and Business Continuity (BC)
6.3 Collect security process data (e.g., technical, and administrative)

  • Account management
  • Management review and approval
  • Key performance and risk indicators
  • Backup verification data
  • Training and awareness
  • Disaster recovery (DR) and Business Continuity (BC)

6.4 Analyze test output and generate report

  • Remediation
  • Exception handling
  • Ethical disclosure
6.4 Analyze test output and generate report

  • Remediation
  • Exception handling
  • Ethical disclosure
6.5 Conduct or facilitate security audits

  • Internal
  • External
  • Third-party
6.5 Conduct or facilitate security audits

  • Internal (e.g., within organization control)
  • External (e.g., outside organization control)
  • Third-party (e.g., outside of enterprise control)
  • Location (e.g., on-premise, cloud, hybrid)

(Adds a new aspect regarding the location of audits, specifying whether they are conducted on-premise, in the cloud, or in a hybrid environment)

7. Security Operations 7.1 Understand and comply with investigations

  • Evidence collection and handling
  • Reporting and documentation
  • Investigative techniques
  • Digital forensics tools, tactics, and procedures
  • Artifacts (e.g., computer, network, mobile device)
7.1 Understand and comply with investigations

  • Evidence collection and handling
  • Reporting and documentation
  • Investigative techniques
  • Digital forensics tools, tactics, and procedures
  • Artifacts (e.g., data, computer, network, mobile device)

(Specifies “data” as one of the artifacts and details and details understanding and compliance with investigations)

7.2 Conduct logging and monitoring activities

  • Intrusion detection and prevention
  • system (IDPS)
  • Security Information and Event Management (SIEM)
  • Continuous monitoring
  • Egress monitoring
  • Log management
  • Threat intelligence (e.g., threat feeds, threat hunting)
  • User and Entity Behavior Analytics (UEBA)
7.2 Conduct logging and monitoring activities

  • Intrusion detection and prevention system (IDPS)
  • Security information and event management (SIEM)
  • Security orchestration, automation and response (SOAR)
  • Continuous monitoring and tuning
  • Egress monitoring
  • Log management
  • Threat intelligence (e.g., threat feeds, threat hunting)
  • User and Entity Behavior Analytics

(Details logging and monitoring activities)

7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation) 7.3 Perform configuration management (CM) (e.g., provisioning, baselining, automation)
7.4 Apply foundational security operations concepts

  • Need-to-know/least privilege
  • Segregation of Duties (SoD) and responsibilities
  • Privileged account management
  • Job rotation
  • Service-level agreements (SLA)
7.4 Apply foundational security operations concepts

  • Need-to-know/least privilege
  • Segregation of Duties (SoD) and responsibilities
  • Privileged account management
  • Job rotation
  • Service-level agreements (SLA)
7.5 Apply resource protection

  • Media management
  • Media protection techniques
7.5 Apply resource protection

  • Media management
  • Media protection techniques
  • Data at rest/data in transit

(Adds “Data at rest/data in transit”)

7.6 Conduct incident management

  • Detection
  • Response
  • Mitigation
  • Reporting
  • Recovery
  • Remediation
  • Lessons learned
7.6 Conduct incident management

  • Detection
  • Response
  • Mitigation
  • Reporting
  • Recovery
  • Remediation
  • Lessons learned
7.7 Operate and maintain detective and preventative measures

  • Firewalls (e.g., next generation, web application, network)
  • Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
  • Whitelisting/blacklisting
  • Third-party provided security services
  • Sandboxing
  • Honeypots/honeynets
  • Anti-malware
  • Machine learning and artificial intelligence (AI) based tools
7.7 Operate and maintain detection and preventative measures

  • Firewalls (e.g., next generation, web application, network)
  • Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
  • Whitelisting/blacklisting
  • Third-party provided security services
  • Sandboxing
  • Honeypots/honeynets
  • Anti-malware
  • Machine learning and artificial intelligence (AI) based tools
7.8 Implement and support patch and vulnerability management 7.8 Implement and support patch and vulnerability management
7.9 Understand and participate in change management processes 7.9 Understand and participate in change management processes
7.10 Implement recovery strategies

  • Backup storage strategies
  • Recovery site strategies
  • Multiple processing sites
  • System resilience, High Availability (HA), Quality of Service (QoS), and fault tolerance
7.10 Implement recovery strategies

  • Backup storage strategies (e.g., cloud storage, onsite, offsite)
  • Recovery site strategies (e.g., cold vs. hot, resource capacity agreements)
  • Multiple processing sites
  • System resilience, high availability (HA), Quality of Service (QoS), and fault tolerance
7.11 Implement Disaster Recovery (DR) processes

  • Response
  • Personnel
  • Communications
  • Assessment
  • Restoration
  • Training and awareness
  • Lessons learned
7.11 Implement Disaster Recovery (DR) processes

  • Response
  • Personnel
  • Communications (e.g., methods)
  • Assessment
  • Restoration
  • Training and awareness
  • Lessons learned
7.12 Test Disaster Recovery Plans (DRP)

  • Read-through/tabletop
  • Walkthrough
  • Simulation
  • Parallel
  • Full interruption
7.12 Test Disaster Recovery Plans (DRP)

  • Read-through/tabletop
  • Walkthrough
  • Simulation
  • Parallel
  • Full interruption
  • Communications (e.g., stakeholders, test status, regulators)
7.13 Participate in Business Continuity (BC) planning and exercises 7.13 Participate in Business Continuity (BC) planning and exercises
7.14 Implement and manage physical security

  • Perimeter security controls
  • Internal security controls
7.14 Implement and manage physical security

  • Perimeter security controls
  • Internal security controls
7.15 Address personnel safety and security concerns

  • Travel
  • Security training and awareness
  • Emergency management
  • Duress
7.15 Address personnel safety and security concerns

  • Travel
  • Security training and awareness (e.g., insider threat, social media impacts, two-factor authentication (2FA) fatigue)
  • Emergency management
  • Duress
8. Software Development Security 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)

  • Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps)
  • Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))
  • Operation and maintenance
  • Change management
  • Integrated Product Team
8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)

  • Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps, Scaled Agile Framework)
  • Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))
  • Operation and maintenance
  • Change management
  • Integrated Product Team

(Specifies “Scaled Agile Framework” as part of development methodologies)

8.2 Identify and apply security controls in software development ecosystems

  • Programming languages
  • Libraries
  • Tool sets
  • Integrated Development Environment (IDE)
  • Runtime
  • Continuous Integration and Continuous Delivery (CI/CD)
  • Security Orchestration, Automation, and Response (SOAR)
  • Software Configuration Management (SCM)
  • Code repositories
  • Application security testing (e.g., Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST))
8.2 Identify and apply security controls in software development ecosystems

  • Programming languages
  • Libraries
  • Tool sets
  • Integrated Development Environment
  • Runtime
  • Continuous Integration and Continuous Delivery (CI/CD)
  • Software Configuration Management
  • Code repositories
  • Application security testing (e.g., static application security testing (SAST), dynamic application security testing (DAST), software composition analysis, Interactive Application Security Test (IAST))

(Specifies additional application security testing methods such as software composition analysis and Interactive Application Security Test (IAST))

8.3 Assess the effectiveness of software security

  • Auditing and logging of changes
  • Risk analysis and mitigation
8.3 Assess the effectiveness of software security

  • Auditing and logging of changes
  • Risk analysis and mitigation
8.4 Assess security impact of acquired software

  • Commercial off-the-shelf (COTS)
  • Open source
  • Third-party
  • Managed services
8.4 Assess security impact of acquired software

  • Commercial off-the-shelf (COTS)
  • Open source
  • Third-party
  • Managed services (e.g., enterprise applications)
  • Cloud services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))

(Specifies “enterprise applications” under managed services and adds “cloud services” as a separate category)

8.5 Define and apply secure coding guidelines and standards

  • Security weaknesses and vulnerabilities at the source-code level
  • Security of application programming interfaces (API)
  • Secure coding practices
  • Software-defined security
8.5 Define and apply secure coding guidelines and standards

  • Security weaknesses and vulnerabilities at the source-code level
  • Security of application programming interfaces (API)
  • Secure coding practices
  • Software-defined security

Feel free to check out the blogs: 

What’s New in the CISSP Certification Exam in 2024?
How To Prepare For CISSP Exam in 2024

Final Words:

The changes are relatively minor. The specific changes from the 2021 to the 2024 CISSP exam outline underline ISC2’s commitment to ensuring the certification remains relevant in the face of rapidly evolving technology landscapes and threat vectors.

CISSP

TRAINING CALENDAR of Upcoming Batches For CISSP

Start Date End Date Start - End Time Batch Type Training Mode Batch Status
23-Dec-2024 27-Jan-2025 08:00 - 10:00 IST Weekday Online [ Open ]
18-Jan-2025 01-Mar-2025 19:00 - 23:00 IST Weekend Online [ Open ]
21-Jan-2025 07-Feb-2025 07:00 - 12:00 IST Weekday Online [ Open ]
10-Feb-2025 27-Feb-2025 07:00 - 12:00 IST Weekday Online [ Close ]
22-Feb-2025 05-Apr-2025 09:00 - 13:00 IST Weekend Online [ Open ]

The following changes are observed:

  • Starting from April 15, 2024, the CISSP exam will be exclusively offered via CAT and will be accessible solely in the following languages: English, Chinese, German, Japanese, and Spanish. Linear CISSP exams will no longer be available as of April 15, 2024.
  • The overall domain weights have been adjusted slightly.
  • The detailed content within each domain has been updated, with some subtopics being revised, added, or removed to reflect the current state of information security practices and knowledge.
  • While not explicitly detailed in the content outline, there may be updates to the exam format, question types, or evaluation criteria to better assess candidate competencies.
  • The 2024 outline places a greater emphasis on emerging technologies.

References:
Reference 1 : Click Here
Reference 2 : Click Here

AUTHOR
Monika Kukreti ( )
Infosec Train
Monika Kukreti holds a bachelor's degree in Electronics and Communication Engineering. She is a voracious reader and a keen learner. She is passionate about writing technical blogs and articles. Currently, she is working as a content writer with InfosecTrain.
Your Guide to ISO IEC 42001
TOP
whatsapp