
CISSP 2024 Domains: Navigating the Latest Updates

The cybersecurity landscape changes quickly, so practitioners have to keep learning to stay ahead of emerging threats and shifting industry standards. The 2024 revision of the CISSP domains is a case in point: adaptability and continuous learning matter more than ever. The Certified Information Systems Security Professional (CISSP) certification remains a cornerstone for anyone who wants to grow in the field. This article looks briefly at each of the eight CISSP domains and compares the 2021 and 2024 exam outlines, highlighting the changes that matter both for the exam and for day-to-day practice.

CISSP 2024 Domains

Domain 1: Security and Risk Management (16%)

Domain 1 of CISSP, “Security and Risk Management,” covers a comprehensive range of topics essential for professionals in the field. It begins with a focus on professional ethics, including adherence to codes of conduct and organizational ethics. Understanding security concepts such as confidentiality, integrity, and availability is crucial. Security governance principles, legal and regulatory issues, and risk management concepts are emphasized. Additionally, the domain addresses business continuity, personnel security policies, threat modeling, supply chain risk management, and security awareness programs. Ensuring program effectiveness through evaluation rounds off this foundational domain, providing a robust framework for managing security and risks effectively.

What’s updated?

  • Ethics and Governance: 2024 introduces more explicit references to understanding, adhering to, and promoting professional ethics, including both ISC2 and organizational codes of ethics. There’s a deeper emphasis on evaluating, applying, and sustaining security governance principles, aligning security function to business strategy, and understanding legal, regulatory, and compliance issues in a more holistic context.
  • Risk Management: The 2024 outline provides a more structured approach to understanding and applying risk management concepts, with detailed subtopics on threat and vulnerability identification, risk analysis, assessment, response, and treatment.
  • Supply Chain Risk Management (SCRM): 2024 explicitly includes SCRM concepts, highlighting risks associated with the acquisition of products and services and risk mitigation strategies, indicating an increased focus on supply chain security.
CISSP 2021 vs. CISSP 2024 (Domain 1). The sub-bullets under each entry are the subtopics as worded in that version of the outline.

CISSP 2021: 1.2 Understand and apply security concepts
CISSP 2024: 1.2 Understand and apply security concepts
  • 5 Pillars of Information Security

CISSP 2021: 1.3 Evaluate and apply security governance principles
CISSP 2024: 1.3 Evaluate, apply, and sustain security governance principles
  • Security control frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA), Payment Card Industry (PCI), Federal Risk and Authorization Management Program (FedRAMP))

CISSP 2021: 1.4 Determine compliance and other requirements
CISSP 2021: 1.5 Understand legal and regulatory issues that pertain to information security in a holistic context
CISSP 2024: 1.4 Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context
  • Issues related to privacy (e.g., General Data Protection Regulation (GDPR), California Consumer Privacy Act, Personal Information Protection Law, Protection of Personal Information Act)
(The 2024 outline merges the 2021 subsections 1.4 and 1.5.)

CISSP 2021: 1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements
  • Develop and document the scope and the plan
CISSP 2024: 1.7 Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements
  • External dependencies

CISSP 2021: 1.9 Contribute to and enforce personnel security policies and procedures
  • Compliance policy requirements
  • Privacy policy requirements
CISSP 2024: 1.8 Contribute to and enforce personnel security policies and procedures
  • Employment agreements and policy-driven requirements

CISSP 2021: 1.10 Understand and apply risk management concepts
  • Countermeasure selection and implementation
  • Monitoring and measurement
  • Reporting
  • Risk frameworks
CISSP 2024: 1.9 Understand and apply risk management concepts
  • Risk analysis, assessment, and scope
  • Risk response and treatment (e.g., cybersecurity insurance)
  • Continuous monitoring and measurement
  • Reporting (e.g., internal, external)
  • Risk frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), Sherwood Applied Business Security Architecture (SABSA), Payment Card Industry (PCI))

CISSP 2021: 1.12 Apply Supply Chain Risk Management (SCRM) concepts
  • Risks associated with hardware, software, and services
  • Third-party assessment and monitoring
  • Minimum security requirements
  • Service level requirements
CISSP 2024: 1.11 Apply Supply Chain Risk Management (SCRM) concepts
  • Risks associated with the acquisition of products and services from suppliers and providers (e.g., product tampering, counterfeits, implants)
  • Risk mitigations (e.g., third-party assessment and monitoring, minimum security requirements, service level requirements, silicon root of trust, physically unclonable function, software bill of materials)

CISSP 2021: 1.13 Establish and maintain a security awareness, education, and training program
  • Periodic content reviews
CISSP 2024: 1.12 Establish and maintain a security awareness, education, and training program
  • Periodic content reviews to include emerging technologies and trends (e.g., cryptocurrency, artificial intelligence (AI), blockchain)

Domain 2: Asset Security (10%)

Domain 2 of CISSP, “Asset Security,” delves into the identification, classification, and management of information and assets. It begins with the crucial task of identifying and classifying data and assets according to their sensitivity and importance. Establishing handling requirements ensures that information and assets are provisioned securely, considering ownership, inventory, and management practices. Managing the data lifecycle involves understanding roles, collection, location, maintenance, retention, remanence, and destruction processes. Additionally, ensuring appropriate asset retention and determining data security controls and compliance requirements, including data states, scoping, tailoring, standards selection, and protection methods, are essential aspects of this domain.

What’s updated?

  • Data Security: Both outlines cover the data lifecycle (classification, handling, retention, remanence, destruction) in the same depth. The only wording change the 2024 outline shows for this domain is in 2.3, which now speaks of information and assets rather than resources.
CISSP 2021 vs. CISSP 2024 (Domain 2)

CISSP 2021: 2.3 Provision resources securely
CISSP 2024: 2.3 Provision information and assets securely

Domain 3: Security Architecture and Engineering (13%)

Domain 3 of CISSP, “Security Architecture and Engineering,” encompasses the research, implementation, and management of secure design principles and engineering processes. It begins with understanding and applying concepts such as threat modeling, least privilege, defense in depth, secure defaults, and segregation of duties. Security models and capabilities of information systems are explored, along with selecting controls based on system security requirements. Assessing and mitigating vulnerabilities across various systems, including client-based, server-based, database, cryptographic, cloud-based, IoT, and distributed systems, are critical components. Cryptographic solutions, cryptanalytic attacks, and security principles in site and facility design are addressed. Lastly, managing the information system lifecycle, from stakeholders’ needs and requirements to retirement and disposal, is emphasized.

What’s updated?

  • Security Models and Architectures: The 2024 outline adds "keep it simple and small", "privacy by design" and "secure access service edge" to the secure design principles in 3.1; calls out operational technology/industrial control systems and microservices (APIs) among the architectures to assess in 3.5; reorganizes the cryptography subtopics in 3.6 around PKI, key management practices such as rotation, and digital signatures and certificates (which now carry the non-repudiation and integrity properties that were separate bullets in 2021); adds environmental issues to site and facility design in 3.9; and introduces a new subsection 3.10 on managing the information system lifecycle from stakeholder requirements through retirement and disposal.
CISSP 2021 vs. CISSP 2024 (Domain 3)

CISSP 2021: 3.1 Research, implement and manage engineering processes using secure design principles
  • Zero Trust
  • Trust but verify
CISSP 2024: 3.1 Research, implement, and manage engineering processes using secure design principles
  • Keep it simple and small
  • Zero trust or trust but verify
  • Privacy by design
  • Secure access service edge

CISSP 2021: 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
CISSP 2024: 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
  • Operational Technology/Industrial Control Systems (ICS)
  • Microservices (e.g., application programming interface (API))

CISSP 2021: 3.6 Select and determine cryptographic solutions
  • Non-repudiation
  • Integrity (e.g., hashing)
CISSP 2024: 3.6 Select and determine cryptographic solutions
  • Public Key Infrastructure (PKI) (e.g., quantum key distribution)
  • Key management practices (e.g., rotation)
  • Digital signatures and digital certificates (e.g., non-repudiation, integrity)

CISSP 2021: 3.9 Design site and facility security controls
  • Wiring closets/intermediate distribution facilities
CISSP 2024: 3.9 Design site and facility security controls
  • Wiring closets/intermediate distribution frame
  • Environmental issues (e.g., natural disasters, man-made)

CISSP 2024 only (new subsection): 3.10 Manage the information system lifecycle
  • Stakeholders' needs and requirements
  • Requirements analysis
  • Architectural design
  • Development/implementation
  • Integration
  • Verification and validation
  • Transition/deployment
  • Operations and maintenance/sustainment
  • Retirement/disposal
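The 3.6 change above moves non-repudiation and integrity under digital signatures and adds key rotation under key management practices. The Go program below is an added illustration of that distinction, written for this article and not taken from the ISC2 outline or from any vendor material: a SHA-256 digest detects modification of a message but says nothing about who produced it, whereas an Ed25519 signature binds the message to the holder of a private key. The keyring, the key identifiers (key-2024-01, key-2024-07) and the sample message are constructed for the example; the keyring models rotation by retiring the previous signing key so that old signatures stop verifying. Only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Digest returns the hex SHA-256 of msg. A digest gives integrity only: any
// change to the message changes the digest, but whoever can alter the message
// can also recompute the digest, so it proves nothing about origin.
func Digest(msg []byte) string {
	sum := sha256.Sum256(msg)
	return hex.EncodeToString(sum[:])
}

// Keyring is a constructed model of the key-management side of 3.6. Every
// signing key has an identifier (kid); Rotate introduces a new kid and retires
// the previous one, so signatures made under a retired key stop verifying.
type Keyring struct {
	active  string
	private map[string]ed25519.PrivateKey
	public  map[string]ed25519.PublicKey
	retired map[string]bool
}

func NewKeyring() *Keyring {
	return &Keyring{
		private: map[string]ed25519.PrivateKey{},
		public:  map[string]ed25519.PublicKey{},
		retired: map[string]bool{},
	}
}

// Rotate generates a fresh Ed25519 key pair under kid, marks the previously
// active key as retired and makes the new key the active signing key.
func (k *Keyring) Rotate(kid string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	if k.active != "" {
		k.retired[k.active] = true
	}
	k.private[kid] = priv
	k.public[kid] = pub
	k.active = kid
	return nil
}

// Signed is a message together with its signature and the kid that made it.
type Signed struct {
	KID string
	Msg []byte
	Sig []byte
}

// Sign signs msg with the active key. Only the holder of that private key can
// produce the signature, so a verifier can attribute the message to the key
// holder: the non-repudiation property the 2024 outline lists under digital
// signatures.
func (k *Keyring) Sign(msg []byte) (Signed, error) {
	if k.active == "" {
		return Signed{}, errors.New("no active signing key")
	}
	return Signed{KID: k.active, Msg: msg, Sig: ed25519.Sign(k.private[k.active], msg)}, nil
}

// Verify checks the key's lifecycle state first, then the signature itself.
func (k *Keyring) Verify(s Signed) error {
	pub, ok := k.public[s.KID]
	if !ok {
		return fmt.Errorf("unknown key id %q", s.KID)
	}
	if k.retired[s.KID] {
		return fmt.Errorf("key %q is retired; re-sign with the active key", s.KID)
	}
	if !ed25519.Verify(pub, s.Msg, s.Sig) {
		return errors.New("signature does not match message")
	}
	return nil
}

func main() {
	msg := []byte("transfer 100 to account 42") // constructed sample message
	fmt.Println("digest:", Digest(msg))

	kr := NewKeyring()
	_ = kr.Rotate("key-2024-01")
	s, _ := kr.Sign(msg)
	fmt.Println("verify original:      ", kr.Verify(s))

	tampered := s
	tampered.Msg = []byte("transfer 100 to account 43")
	fmt.Println("verify tampered:      ", kr.Verify(tampered))

	_ = kr.Rotate("key-2024-07")
	fmt.Println("verify after rotation:", kr.Verify(s))
}
```

The keyring here stands in for what PKI and digital certificates (the other 3.6 bullets) provide in practice: the binding between a key identifier and its owner. Without that binding a signature proves only that some private key signed the message, not whose.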

Domain 4: Communication and Network Security (13%)

Domain 4 of CISSP, “Communication and Network Security,” focuses on applying secure design principles in network architectures. It covers a wide range of topics including network models such as OSI and TCP/IP, secure protocols like IPSec and SSH, and implications of multilayer protocols. Converged protocols and transport architectures are explored alongside performance metrics and traffic flows. Physical and logical segmentation, micro-segmentation, edge networks, and various types of networks including wireless, cellular, and content distribution networks are discussed. Additionally, topics such as software-defined networks, virtual private clouds, and monitoring and management are addressed. Implementing secure network components and communication channels, including endpoint security and secure transmission media, is crucial for ensuring robust network security.

What’s updated?

  • Secure Network Design: 4.1 is retitled from "Assess and implement" to "Apply secure design principles in network architectures", and its single 2021 sub-bullet on micro-segmentation grows into a full list: secure and converged protocols, transport architecture, performance metrics, north-south and east-west traffic flows, physical and logical segmentation, micro-segmentation, edge networks, software-defined networking, virtual private clouds, and network monitoring and management. In 4.3, "multimedia collaboration" and "virtualized networks" become "voice, video, and collaboration".
CISSP 2021 vs. CISSP 2024 (Domain 4)

CISSP 2021: 4.1 Assess and implement secure design principles in network architectures
  • Micro-segmentation (e.g., Software Defined Networks (SDN), Virtual eXtensible Local Area Network (VXLAN), Encapsulation, Software-Defined Wide Area Network (SD-WAN))
CISSP 2024: 4.1 Apply secure design principles in network architectures
  • Secure protocols (e.g., Internet Protocol Security (IPSec), Secure Shell (SSH), Secure Sockets Layer (SSL)/Transport Layer Security (TLS))
  • Converged protocols (e.g., Internet Small Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP), InfiniBand over Ethernet, Compute Express Link)
  • Transport architecture (e.g., topology, data/control/management plane, cut-through/store-and-forward)
  • Performance metrics (e.g., bandwidth, latency, jitter, throughput, signal-to-noise ratio)
  • Traffic flows (e.g., north-south, east-west)
  • Physical segmentation (e.g., in-band, out-of-band, air-gapped)
  • Logical segmentation (e.g., virtual local area networks (VLANs), virtual private networks (VPNs), virtual routing and forwarding, virtual domain)
  • Micro-segmentation (e.g., network overlays/encapsulation; distributed firewalls, routers, intrusion detection system (IDS)/intrusion prevention system (IPS), zero trust)
  • Edge networks (e.g., ingress/egress, peering)
  • Software defined networks (SDN) (e.g., application programming interface (API), Software-Defined Wide-Area Network, network functions virtualization)
  • Virtual Private Cloud (VPC)
  • Monitoring and management (e.g., network observability, traffic flow/shaping, capacity management, fault detection and handling)

CISSP 2021: 4.3 Implement secure communication channels according to design
  • Multimedia collaboration
  • Virtualized networks
CISSP 2024: 4.3 Implement secure communication channels according to design
  • Voice, video, and collaboration

Domain 5: Identity and Access Management (IAM) (13%)

Domain 5 of CISSP, “Identity and Access Management (IAM),” focuses on controlling physical and logical access to assets. It encompasses designing identification and authentication strategies for people, devices, and services, including groups, roles, and AAA mechanisms like MFA and password-less authentication. Session management, registration, proofing, and identity establishment are crucial aspects, along with Federated Identity Management (FIM), credential management, SSO, and Just-In-Time access. Federated identity with third-party services, both on-premise and in the cloud, is explored. Implementing and managing authorization mechanisms such as RBAC, MAC, DAC, and ABAC, along with access policy enforcement, are discussed. Managing the identity and access provisioning lifecycle, including account access reviews, provisioning, deprovisioning, role transitions, and service accounts, is emphasized. Implementing authentication systems effectively is essential for robust identity and access management.

What’s updated?

  • IAM Strategies: 5.1 adds services alongside people and devices. 5.2 changes from managing identification and authentication to designing the strategy for it, with groups and roles, AAA (including MFA and password-less authentication) and credential management systems such as password vaults as subtopics. 5.4 adds access policy enforcement, naming the policy decision point and policy enforcement point. 5.5 adds role definition and transition, service account management, and auditing (rather than merely minimizing) the use of sudo. 5.6 keeps its title but no longer lists OIDC/OAuth, SAML, Kerberos and RADIUS/TACACS+ as sub-bullets.
CISSP 2021 vs. CISSP 2024 (Domain 5)

CISSP 2021: 5.1 Control physical and logical access to assets
CISSP 2024: 5.1 Control physical and logical access to assets
  • Services

CISSP 2021: 5.2 Manage identification and authentication of people, devices, and services
  • Identity Management (IdM) implementation
  • Single/Multi-Factor Authentication (MFA)
  • Accountability
CISSP 2024: 5.2 Design identification and authentication strategy (e.g., people, devices, and services)
  • Groups and roles
  • Authentication, Authorization and Accounting (AAA) (e.g., multi-factor authentication (MFA), password-less authentication)
  • Credential management systems (e.g., password vault)

CISSP 2021: 5.4 Implement and manage authorization mechanisms
CISSP 2024: 5.4 Implement and manage authorization mechanisms
  • Access policy enforcement (e.g., policy decision point, policy enforcement point)

CISSP 2021: 5.5 Manage the identity and access provisioning lifecycle
  • Privilege escalation (e.g., managed service accounts, use of sudo, minimizing its use)
CISSP 2024: 5.5 Manage the identity and access provisioning lifecycle
  • Role definition and transition (e.g., people assigned to new roles)
  • Privilege escalation (e.g., use of sudo, auditing its use)
  • Service accounts management

CISSP 2021: 5.6 Implement authentication systems
  • OpenID Connect (OIDC)/Open Authorization (OAuth)
  • Security Assertion Markup Language (SAML)
  • Kerberos
  • Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+)
CISSP 2024: 5.6 Implement authentication systems (the individual protocols are no longer listed as sub-bullets)
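The 5.4 sub-bullet above names the policy decision point (PDP) and policy enforcement point (PEP), and the domain overview mentions RBAC and ABAC. The Go program below is an added example written for this article, not code from the ISC2 outline or from any product, showing how the two points divide the work: the PDP holds the policy and evaluates it (deny-overrides combining with a default deny), while the PEP gathers the request context, asks the PDP, records the decision for audit and only then touches the resource. The policy rules, the subject and resource attributes (department, mfa, status, classification) and the "records/" resource naming are all constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// Request is the context a PEP assembles for one access attempt: who, with
// which roles (RBAC) and attributes (ABAC), wants to do what to which resource.
type Request struct {
	Subject  string
	Roles    []string
	Attrs    map[string]string // subject attributes: department, mfa, status
	Action   string
	Resource string
	ResAttrs map[string]string // resource attributes: classification, department
}

// Decision is the PDP's answer plus the rule that produced it.
type Decision struct {
	Permit bool
	Reason string
}

// Rule is one policy statement: if Condition holds, apply Effect.
type Rule struct {
	Name      string
	Effect    bool // true = permit, false = deny
	Condition func(Request) bool
}

// PDP holds the policy and only evaluates it; it never touches a resource.
type PDP struct{ Rules []Rule }

// Decide uses deny-overrides combining: a matching deny rule always wins,
// otherwise the first matching permit rule wins, otherwise the default is deny.
func (p PDP) Decide(r Request) Decision {
	permit := ""
	for _, rule := range p.Rules {
		if !rule.Condition(r) {
			continue
		}
		if !rule.Effect {
			return Decision{Permit: false, Reason: "deny: " + rule.Name}
		}
		if permit == "" {
			permit = rule.Name
		}
	}
	if permit == "" {
		return Decision{Permit: false, Reason: "default deny"}
	}
	return Decision{Permit: true, Reason: "permit: " + permit}
}

// PEP fronts the resource: it asks the PDP, keeps an audit trail of every
// decision, and releases the resource only on a permit.
type PEP struct {
	pdp PDP
	log []string
}

func (e *PEP) Access(r Request, resource func() string) (string, error) {
	d := e.pdp.Decide(r)
	e.log = append(e.log, fmt.Sprintf("%s %s %s -> permit=%t (%s)",
		r.Subject, r.Action, r.Resource, d.Permit, d.Reason))
	if !d.Permit {
		return "", fmt.Errorf("access denied for %s: %s", r.Subject, d.Reason)
	}
	return resource(), nil
}

// Log returns the PEP's audit trail.
func (e *PEP) Log() []string { return e.log }

func hasRole(r Request, role string) bool {
	for _, have := range r.Roles {
		if have == role {
			return true
		}
	}
	return false
}

// ExamplePolicy is a constructed policy: confidential resources need MFA,
// terminated accounts get nothing, staff may read their own department's
// records, and auditors may read any record.
func ExamplePolicy() PDP {
	return PDP{Rules: []Rule{
		{Name: "confidential-requires-mfa", Effect: false, Condition: func(r Request) bool {
			return r.ResAttrs["classification"] == "confidential" && r.Attrs["mfa"] != "true"
		}},
		{Name: "terminated-account", Effect: false, Condition: func(r Request) bool {
			return r.Attrs["status"] == "terminated"
		}},
		{Name: "read-own-department-records", Effect: true, Condition: func(r Request) bool {
			return r.Action == "read" && strings.HasPrefix(r.Resource, "records/") &&
				r.Attrs["department"] == r.ResAttrs["department"]
		}},
		{Name: "auditor-read-any-record", Effect: true, Condition: func(r Request) bool {
			return r.Action == "read" && strings.HasPrefix(r.Resource, "records/") && hasRole(r, "auditor")
		}},
	}}
}

func main() {
	pep := &PEP{pdp: ExamplePolicy()}
	q3 := map[string]string{"classification": "confidential", "department": "finance"}
	alice := Request{Subject: "alice", Roles: []string{"analyst"}, Action: "read", Resource: "records/q3", ResAttrs: q3,
		Attrs: map[string]string{"department": "finance", "mfa": "true", "status": "active"}}
	bob := alice
	bob.Subject, bob.Attrs = "bob", map[string]string{"department": "finance", "mfa": "false", "status": "active"}
	for _, r := range []Request{alice, bob} {
		out, err := pep.Access(r, func() string { return "Q3 figures" })
		fmt.Printf("%s: out=%q err=%v\n", r.Subject, out, err)
	}
	for _, line := range pep.Log() {
		fmt.Println(line)
	}
}
```

Keeping the PDP free of any resource access is the point of the split: policy can be changed, tested and audited in one place, and every PEP (web tier, API gateway, file service) gets identical decisions for identical context.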

Domain 6: Security Assessment and Testing (12%)

Domain 6 of CISSP, “Security Assessment and Testing,” focuses on designing and validating assessment, test, and audit strategies to ensure the robustness of security controls. This involves conducting various types of assessments, including internal, external, and third-party assessments, across different locations such as on-premise, cloud, or hybrid environments. Security controls testing encompasses vulnerability assessment, penetration testing, log reviews, code review and testing, and breach attack simulations, among others. Collecting security process data involves monitoring account management, management review and approval, key performance indicators, and training and awareness. Analyzing test output and generating reports is crucial for identifying remediation actions and handling exceptions ethically. Additionally, conducting or facilitating security audits, whether internal, external, or third-party, further strengthens the security posture of an organization across different environments.

What’s updated?

  • Assessment Techniques: 6.1 and 6.5 now spell out internal, external and third-party assessments and audits, and where they run (on-premise, cloud, hybrid). 6.2 adds penetration testing framed as red, blue and purple team exercises, synthetic transactions/benchmarks, and interface testing of user interfaces, network interfaces and APIs.
CISSP 2021 vs. CISSP 2024 (Domain 6)

CISSP 2021: 6.1 Design and validate assessment, test, and audit strategies
CISSP 2024: 6.1 Design and validate assessment, test, and audit strategies
  • Internal (e.g., within organization control)
  • External (e.g., outside organization control)
  • Third-party (e.g., outside of enterprise control)
  • Location (e.g., on-premise, cloud, hybrid)

CISSP 2021: 6.2 Conduct security control testing
  • Test coverage analysis
CISSP 2024: 6.2 Conduct security control testing
  • Penetration testing (e.g., red, blue, and/or purple team exercises)
  • Synthetic transactions/benchmarks
  • Interface testing (e.g., user interface, network interface, application programming interface (API))

CISSP 2021: 6.5 Conduct or facilitate security audits
CISSP 2024: 6.5 Conduct or facilitate security audits
  • Internal (e.g., within organization control)
  • External (e.g., outside organization control)
  • Third-party (e.g., outside of enterprise control)
  • Location (e.g., on-premise, cloud, hybrid)

Domain 7: Security Operations (13%)

Domain 7 of CISSP, “Security Operations,” covers a broad spectrum of activities essential for maintaining effective security measures within an organization. Understanding and complying with investigations involve various aspects such as evidence collection and handling, reporting, investigative techniques, and digital forensics tools and procedures. Conducting logging and monitoring activities includes intrusion detection and prevention, SIEM, continuous monitoring, threat intelligence, and user and entity behavior analytics. Configuration management, foundational security operations concepts, and resource protection are fundamental for maintaining security posture. Incident management involves detection, response, mitigation, reporting, recovery, remediation, and lessons learned. Operating and maintaining detection and preventative measures include firewalls, IDS/IPS, whitelisting/blacklisting, and anti-malware tools. Implementing patch and vulnerability management, participating in change management processes, and implementing recovery and disaster recovery strategies are vital aspects. Testing disaster recovery plans and participating in business continuity planning and exercises ensure preparedness for potential disruptions. Implementing and managing physical security and addressing personnel safety and security concerns further contribute to overall security operations.

What’s updated?

  • Operational Security and Incident Management: 7.1 adds artifacts (data, computer, network, mobile device) to investigations; 7.2 adds security orchestration, automation and response (SOAR) and continuous monitoring and tuning; 7.5 calls out data at rest and data in transit under resource protection; and 7.12 adds communications with stakeholders, regulators and on test status to disaster recovery plan testing.
CISSP 2021 vs. CISSP 2024 (Domain 7)

CISSP 2021: 7.1 Understand and comply with investigations
CISSP 2024: 7.1 Understand and comply with investigations
  • Artifacts (e.g., data, computer, network, mobile device)

CISSP 2021: 7.2 Conduct logging and monitoring activities
CISSP 2024: 7.2 Conduct logging and monitoring activities
  • Security orchestration, automation and response (SOAR)
  • Continuous monitoring and tuning

CISSP 2021: 7.5 Apply resource protection
CISSP 2024: 7.5 Apply resource protection
  • Data at rest/data in transit

CISSP 2021: 7.12 Test Disaster Recovery Plans (DRP)
CISSP 2024: 7.12 Test Disaster Recovery Plans (DRP)
  • Communications (e.g., stakeholders, test status, regulators)

Domain 8: Software Development Security (10%)

Domain 8 of CISSP, “Software Development Security,” focuses on integrating security throughout the Software Development Life Cycle (SDLC) and ensuring secure software development practices. Understanding and integrating security in SDLC involves various aspects such as development methodologies (Agile, Waterfall, DevOps, etc.), maturity models, operation, maintenance, change management, and integrated product teams. Identifying and applying security controls in software development ecosystems cover programming languages, libraries, toolsets, integrated development environments, runtime environments, CI/CD pipelines, software configuration management, code repositories, and application security testing techniques like SAST, DAST, software composition analysis, and IAST. Assessing the effectiveness of software security involves auditing, logging, risk analysis, and mitigation. Evaluating the security impact of acquired software includes considerations for COTS, open-source, third-party, managed services, and cloud services. Defining and applying secure coding guidelines and standards encompasses identifying security weaknesses and vulnerabilities, securing APIs, following secure coding practices, and implementing software-defined security measures. These efforts ensure that software is developed with security in mind, reducing the risk of vulnerabilities and enhancing overall security posture.

What’s updated?

  • Secure Development: 8.1 lists DevSecOps and the Scaled Agile Framework among development methodologies; 8.2 no longer lists SOAR and instead names application security testing (SAST, DAST, software composition analysis, IAST); and 8.4 adds managed services and cloud services (SaaS, IaaS, PaaS) to the assessment of acquired software.
CISSP 2021 vs. CISSP 2024 (Domain 8)

CISSP 2021: 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
CISSP 2024: 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
  • Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps, Scaled Agile Framework)

CISSP 2021: 8.2 Identify and apply security controls in software development ecosystems
  • Security Orchestration, Automation, and Response (SOAR)
CISSP 2024: 8.2 Identify and apply security controls in software development ecosystems
  • Application security testing (e.g., static application security testing (SAST), dynamic application security testing (DAST), software composition analysis, interactive application security testing (IAST))

CISSP 2021: 8.4 Assess security impact of acquired software
CISSP 2024: 8.4 Assess security impact of acquired software
  • Managed services (e.g., enterprise applications)
  • Cloud services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))

CISSP with InfosecTrain:

The CISSP 2024 content outline reflects the evolving landscape of cybersecurity, incorporating updates across all eight domains to address emerging threats and technological advancements. From emphasizing professional ethics and governance to integrating security throughout software development processes, each domain covers essential aspects crucial for effective security management. With a focus on risk management, security operations, identity and access management, and secure software development, the CISSP certification remains at the forefront of ensuring professionals are equipped with the knowledge and skills needed to protect organizations in an ever-changing threat landscape.


InfosecTrain’s CISSP certification training provides comprehensive coverage of all domains, preparing professionals to excel in the CISSP exam and in cybersecurity roles.

You can read the following to learn more, where we compare CISSP 2021 with the latest version, CISSP 2024:

AUTHOR
Monika Kukreti
Infosec Train
Monika Kukreti holds a bachelor's degree in Electronics and Communication Engineering. She is a voracious reader and a keen learner. She is passionate about writing technical blogs and articles. Currently, she is working as a content writer with InfosecTrain.