(Another) CISSP Exam Update Coming April 2018
Many CISSP candidates feel like a hard-working TCP connection: just when you close out with the FIN packet, (ISC)² hits you with another SYN. Even though (ISC)² announced the CISSP exam format update as recently as December 2017, another exam update is coming soon, and it will affect how you prepare for the exam.
Effective April 15, 2018, the content of the CISSP exam will be updated as part of the regular three-year refresh cycle. Like the 2015 update that condensed the exam material from 10 domains down to eight, this update adds and removes certain content from the CISSP exam's testable topics. Overall, the content update is not dramatic (about a 10% change in content), but you will need to study and understand the new material if you want to pass the CISSP exam after April 14.
The whole purpose of content updates is to ensure that certification exams stay in tune with the real world. After all, the cybersecurity landscape is constantly evolving, so it makes sense that (ISC)² is adding topics that are becoming priorities for security practitioners and managers. For example, from April 2018 the CISSP exam will feature new content covering the Internet of Things (IoT), Security Auditing, and Secure Code Development. Let's take a closer look at the most important new content.
IoT (Internet of Things)
The security vulnerabilities associated with IoT devices have become a challenge for security practitioners and consumers alike. IoT devices are gadgets, systems, or technologies designed to make our lives more convenient, but every IoT device represents a potential vulnerability because it is connected to the Internet. Increasingly, the "things" connected to the Internet are critical to the world's infrastructure: nuclear power plants, hydroelectric dams, automobiles, air traffic control systems, and other technologies that our economy and safety depend on are Internet-connected and therefore present a broad attack surface.
Vulnerabilities increase when device manufacturers fail to design devices with basic security controls in mind and forgo security reviews. The CISSP exam is attempting to address the security issues associated with IoT devices and to make the point that, without a strong personal device policy, IoT devices represent a risk to corporate security.
Security Auditing
Another new focus of the CISSP exam from April will be Security Auditing. Security evaluations and audits are designed to test the effectiveness of security controls and programs. The best audits are performed by third parties to avoid conflicts of interest: those who design and implement security should not be the ones evaluating its effectiveness.
Don’t be surprised if the updated CISSP exam asks about the value, roles, and steps of a security audit.
Secure Code Development
The final and most important content addition to discuss is the exam's focus on "security weaknesses and vulnerabilities at the source-code level." For previous versions of the exam, knowing how an application is developed and how security is built into the development process was enough. Beginning in April, the CISSP exam appears to ask test takers to go a little deeper: CISSPs will have to identify code that not only works, but is also secure.
Test takers can expect to inspect source code or program input and identify vulnerabilities in applications or potential attacks. For example, a <SCRIPT> tag in input should alert test takers to a potential cross-site scripting (XSS) attack, and a single-quote character (') in input should scream SQL injection to a CISSP.
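As an added illustration of the source-code-level review described above (example code written for this post, not part of the exam or the original article), the snippet below places a vulnerable SQL lookup and HTML rendering beside their hardened forms and runs both against the two tell-tale inputs the text names; the table, user names and probe strings are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample data: a small in-memory users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_vulnerable(conn, name):
    # The red flag a reviewer should spot: untrusted input concatenated
    # into the SQL text, so a quote in the input rewrites the query.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name):
    # Parameterised query: the value travels separately from the statement,
    # so a quote in the input is just data and cannot alter the WHERE clause.
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()

def render_greeting_vulnerable(name):
    # Untrusted input interpolated straight into HTML markup.
    return "<p>Hello, " + name + "</p>"

def render_greeting_safe(name):
    # Output encoding turns < > & " ' into entities, so the browser renders
    # the input as text rather than parsing it as a tag.
    return "<p>Hello, " + html.escape(name) + "</p>"

# Constructed probes: the quote and <SCRIPT> tag the text says should stand out.
SQLI_PROBE = "x' OR '1'='1"
XSS_PROBE = "<SCRIPT>alert(1)</SCRIPT>"

def demo():
    conn = make_db()
    return {
        "sqli_vulnerable_rows": len(find_user_vulnerable(conn, SQLI_PROBE)),
        "sqli_safe_rows": len(find_user_safe(conn, SQLI_PROBE)),
        "xss_vulnerable_has_tag": "<SCRIPT>" in render_greeting_vulnerable(XSS_PROBE),
        "xss_safe_has_tag": "<SCRIPT>" in render_greeting_safe(XSS_PROBE),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every row for a name that matches nothing, and the vulnerable greeting echoes the tag verbatim; the hardened versions return no rows and an escaped string.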
Updated Domain Percentages
While it is important to understand the exam's updated content in a general sense, it is also critical to understand the breakdown of the exam by domain and how each domain's weighting changes.
The following chart summarizes the most important changes to the domain percentages.
| Domain | Before April 15, 2018 | From April 15, 2018 | Change |
|---|---|---|---|
| 1. Security and Risk Management | 16% | 15% | Decrease |
| 2. Asset Security | 10% | 10% | No Change |
| 3. Security Engineering | 12% | 13% | Increase |
| 4. Communications and Network Security | 12% | 14% | Increase |
| 5. Identity and Access Management | 13% | 13% | No Change |
| 6. Security Assessment and Testing | 11% | 12% | Increase |
| 7. Security Operations | 16% | 13% | Decrease |
| 8. Software Development Security | 10% | 10% | No Change |
The updated exam outline places slightly more emphasis on the two most technical domains (Domains 3 and 4), while slightly de-emphasizing Domain 7, Security Operations, which covers the day-to-day tasks of a security practitioner. Test takers, as usual, can expect technical questions about the details of security architecture, cryptography, and network security.
It is important to recognize that even though the percentages for Domains 1 and 7 have slightly decreased, they remain extremely relevant to the exam. Topics such as Business Continuity and Disaster Recovery Plans are important knowledge both for the exam and in the real world. All in all, the exam remains a technical exam with a managerial twist.
What This Means For You
If you are currently studying for the CISSP, book your exam as soon as possible, and book it for a date before April 15, 2018. If your exam date falls after April 15, you should assume that you will have to digest and understand the updated content in order to pass.
If you are preparing for the CISSP or have just started looking for an up-to-date training course, we would love to be your training partner. Check out our upcoming CISSP course schedule and enroll in a course that stays in tune with the latest (ISC)² updates, whether to exam format or content. You can also check out our latest offers here.