The cybersecurity landscape is evolving at a very rapid pace, which makes it a must for professionals to remain committed to their thirst for knowledge to be one jump ahead of emerging threats and industry standards. As we embark on the journey of exploring the latest updates to the CISSP domains in the year 2024, it becomes evident that adaptability and continuous learning are of the greatest importance. The Certified Information Systems Security Professional acronym CISSP certification is a cornerstone for individuals who wish to achieve exceptional growth in the field of cybersecurity. In this article, we will look briefly at each of the eight domains specified by CISSP and analyze the recent updates and knowledge that are vital to flourish in the cybersecurity domain and CISSP exam.
Domain 1: Security and Risk Management (16%)
Domain 1 of CISSP, “Security and Risk Management,” covers a comprehensive range of topics essential for professionals in the field. It begins with a focus on professional ethics, including adherence to codes of conduct and organizational ethics. Understanding security concepts such as confidentiality, integrity, and availability is crucial. Security governance principles, legal and regulatory issues, and risk management concepts are emphasized. Additionally, the domain addresses business continuity, personnel security policies, threat modeling, supply chain risk management, and security awareness programs. Ensuring program effectiveness through evaluation rounds off this foundational domain, providing a robust framework for managing security and risks effectively.
What’s updated?
CISSP 2021 | CISSP 2024 |
1.2 Understand and apply security concepts | 1.2 Understand and apply security concepts
|
1.3 Evaluate and apply security governance principles | 1.3 Evaluate, apply, and sustain security governance principles
|
1.4 Determine compliance and other requirements
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context |
1.4 Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context
(Updated version has merged subsections 1.4 and 1.5) |
1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements
|
1.7 Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements
|
1.9 Contribute to and enforce personnel security policies and procedure
|
1.8 Contribute to and enforce personnel security policies and procedures
|
1.10 Understand and apply risk management concepts
|
1.9 Understand and apply risk management concepts
|
1.12 Apply Supply Chain Risk Management (SCRM) concepts
|
1.11 Apply Supply Chain Risk Management (SCRM) concepts
|
1.13 Establish and maintain a security awareness, education, and training program
|
1.12 Establish and maintain a security awareness, education, and training program
|
Domain 2: Asset Security (10%)
Domain 2 of CISSP, “Asset Security,” delves into the identification, classification, and management of information and assets. It begins with the crucial task of identifying and classifying data and assets according to their sensitivity and importance. Establishing handling requirements ensures that information and assets are provisioned securely, considering ownership, inventory, and management practices. Managing the data lifecycle involves understanding roles, collection, location, maintenance, retention, remanence, and destruction processes. Additionally, ensuring appropriate asset retention and determining data security controls and compliance requirements, including data states, scoping, tailoring, standards selection, and protection methods, are essential aspects of this domain.
What’s updated?
CISSP 2021 | CISSP 2024 |
2.3 Provision resources securely | 2.3 Provision information and assets securely |
Domain 3: Security Architecture and Engineering (13%)
Domain 3 of CISSP, “Security Architecture and Engineering,” encompasses the research, implementation, and management of secure design principles and engineering processes. It begins with understanding and applying concepts such as threat modeling, least privilege, defense in depth, secure defaults, and segregation of duties. Security models and capabilities of information systems are explored, along with selecting controls based on system security requirements. Assessing and mitigating vulnerabilities across various systems, including client-based, server-based, database, cryptographic, cloud-based, IoT, and distributed systems, are critical components. Cryptographic solutions, cryptanalytic attacks, and security principles in site and facility design are addressed. Lastly, managing the information system lifecycle, from stakeholders’ needs and requirements to retirement and disposal, is emphasized.
What’s updated?
CISSP 2021 | CISSP 2024 |
3.1 Research, implement and manage engineering processes using secure design principles
|
3.1 Research, implement, and manage engineering processes using secure design principles
|
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements | 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
|
3.6 Select and determine cryptographic solutions
|
3.6 Select and determine cryptographic solutions
|
3.9 Design site and facility security controls
|
3.9 Design site and facility security controls
|
3.10 Manage the information system lifecycle
|
Domain 4: Communication and Network Security (13%)
Domain 4 of CISSP, “Communication and Network Security,” focuses on applying secure design principles in network architectures. It covers a wide range of topics including network models such as OSI and TCP/IP, secure protocols like IPSec and SSH, and implications of multilayer protocols. Converged protocols and transport architectures are explored alongside performance metrics and traffic flows. Physical and logical segmentation, micro-segmentation, edge networks, and various types of networks including wireless, cellular, and content distribution networks are discussed. Additionally, topics such as software-defined networks, virtual private clouds, and monitoring and management are addressed. Implementing secure network components and communication channels, including endpoint security and secure transmission media, is crucial for ensuring robust network security.
What’s updated?
CISSP 2021 | CISSP 2024 |
4.1 Assess and implement secure design principles in network architectures
|
4.1 Apply secure design principles in network architectures
|
4.3 Implement secure communication channels according to design
|
4.3 Implement secure communication channels according to design
|
Domain 5: Identity and Access Management (IAM) (13%)
Domain 5 of CISSP, “Identity and Access Management (IAM),” focuses on controlling physical and logical access to assets. It encompasses designing identification and authentication strategies for people, devices, and services, including groups, roles, and AAA mechanisms like MFA and password-less authentication. Session management, registration, proofing, and identity establishment are crucial aspects, along with Federated Identity Management (FIM), credential management, SSO, and Just-In-Time access. Federated identity with third-party services, both on-premise and in the cloud, is explored. Implementing and managing authorization mechanisms such as RBAC, MAC, DAC, and ABAC, along with access policy enforcement, are discussed. Managing the identity and access provisioning lifecycle, including account access reviews, provisioning, deprovisioning, role transitions, and service accounts, is emphasized. Implementing authentication systems effectively is essential for robust identity and access management.
What’s updated?
CISSP 2021 | CISSP 2024 |
5.1 Control physical and logical access to assets | 5.1 Control physical and logical access to assets
|
5.2 Manage identification and authentication of people, devices, and services
|
5.2 Design identification and authentication strategy (e.g., people, devices, and services) ● Groups and Roles ● Authentication, Authorization and Accounting (AAA) (e.g., multi-factor authentication (MFA), password-less authentication) ● Credential management systems (e.g., Password vault) |
5.4 Implement and manage authorization mechanisms | 5.4 Implement and manage authorization mechanisms
|
5.5 Manage the identity and access provisioning lifecycle
|
5.5 Manage the identity and access provisioning lifecycle
|
5.6 Implement authentication systems
|
5.6 Implement authentication systems |
Domain 6: Security Assessment and Testing (12%)
Domain 6 of CISSP, “Security Assessment and Testing,” focuses on designing and validating assessment, test, and audit strategies to ensure the robustness of security controls. This involves conducting various types of assessments, including internal, external, and third-party assessments, across different locations such as on-premise, cloud, or hybrid environments. Security controls testing encompasses vulnerability assessment, penetration testing, log reviews, code review and testing, and breach attack simulations, among others. Collecting security process data involves monitoring account management, management review and approval, key performance indicators, and training and awareness. Analyzing test output and generating reports is crucial for identifying remediation actions and handling exceptions ethically. Additionally, conducting or facilitating security audits, whether internal, external, or third-party, further strengthens the security posture of an organization across different environments.
What’s updated?
CISSP 2021 | CISSP 2024 |
6.1 Design and validate assessment, test, and audit strategies | 6.1 Design and validate assessment, test, and audit strategies
|
6.2 Conduct security control testing
|
6.2 Conduct security control testing
|
6.5 Conduct or facilitate security audits | 6.5 Conduct or facilitate security audits
|
Domain 7: Security Operations (13%)
Domain 7 of CISSP, “Security Operations,” covers a broad spectrum of activities essential for maintaining effective security measures within an organization. Understanding and complying with investigations involve various aspects such as evidence collection and handling, reporting, investigative techniques, and digital forensics tools and procedures. Conducting logging and monitoring activities includes intrusion detection and prevention, SIEM, continuous monitoring, threat intelligence, and user and entity behavior analytics. Configuration management, foundational security operations concepts, and resource protection are fundamental for maintaining security posture. Incident management involves detection, response, mitigation, reporting, recovery, remediation, and lessons learned. Operating and maintaining detection and preventative measures include firewalls, IDS/IPS, whitelisting/blacklisting, and anti-malware tools. Implementing patch and vulnerability management, participating in change management processes, and implementing recovery and disaster recovery strategies are vital aspects. Testing disaster recovery plans and participating in business continuity planning and exercises ensure preparedness for potential disruptions. Implementing and managing physical security and addressing personnel safety and security concerns further contribute to overall security operations.
What’s updated?
CISSP 2021 | CISSP 2024 |
7.1 Understand and comply with investigations | 7.1 Understand and comply with investigations
|
7.2 Conduct logging and monitoring activities | 7.2 Conduct logging and monitoring activities
|
7.5 Apply resource protection | 7.5 Apply resource protection
|
7.12 Test Disaster Recovery Plans (DRP) | 7.12 Test Disaster Recovery Plans (DRP)
|
Domain 8: Software Development Security (10%)
Domain 8 of CISSP, “Software Development Security,” focuses on integrating security throughout the Software Development Life Cycle (SDLC) and ensuring secure software development practices. Understanding and integrating security in SDLC involves various aspects such as development methodologies (Agile, Waterfall, DevOps, etc.), maturity models, operation, maintenance, change management, and integrated product teams. Identifying and applying security controls in software development ecosystems cover programming languages, libraries, toolsets, integrated development environments, runtime environments, CI/CD pipelines, software configuration management, code repositories, and application security testing techniques like SAST, DAST, software composition analysis, and IAST. Assessing the effectiveness of software security involves auditing, logging, risk analysis, and mitigation. Evaluating the security impact of acquired software includes considerations for COTS, open-source, third-party, managed services, and cloud services. Defining and applying secure coding guidelines and standards encompasses identifying security weaknesses and vulnerabilities, securing APIs, following secure coding practices, and implementing software-defined security measures. These efforts ensure that software is developed with security in mind, reducing the risk of vulnerabilities and enhancing overall security posture.
What’s updated?
CISSP 2021 | CISSP 2024 |
8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) | 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
|
8.2 Identify and apply security controls in software development ecosystems
|
8.2 Identify and apply security controls in software development ecosystems
|
8.4 Assess security impact of acquired software | 8.4 Assess security impact of acquired software
|
CISSP with InfosecTrain:
The CISSP 2024 content outline reflects the evolving landscape of cybersecurity, incorporating updates across all eight domains to address emerging threats and technological advancements. From emphasizing professional ethics and governance to integrating security throughout software development processes, each domain covers essential aspects crucial for effective security management. With a focus on risk management, security operations, identity and access management, and secure software development, the CISSP certification remains at the forefront of ensuring professionals are equipped with the knowledge and skills needed to protect organizations in an ever-changing threat landscape.
Start Date | End Date | Start - End Time | Batch Type | Training Mode | Batch Status | |
---|---|---|---|---|---|---|
23-Dec-2024 | 27-Jan-2025 | 08:00 - 10:00 IST | Weekday | Online | [ Open ] | |
18-Jan-2025 | 01-Mar-2025 | 19:00 - 23:00 IST | Weekend | Online | [ Open ] | |
21-Jan-2025 | 07-Feb-2025 | 07:00 - 12:00 IST | Weekday | Online | [ Open ] | |
10-Feb-2025 | 27-Feb-2025 | 07:00 - 12:00 IST | Weekday | Online | [ Close ] | |
22-Feb-2025 | 05-Apr-2025 | 09:00 - 13:00 IST | Weekend | Online | [ Open ] |
InfosecTrain’s CISSP certification training provides comprehensive coverage of all domains, preparing professionals to excel in the CISSP exam and in cybersecurity roles.
You can read the following to learn more, where we compare CISSP 2021 with the latest version, CISSP 2024: