The 2021 revised and updated version of the CISSP (Certified Information Systems Security Professional) certification exam will be released on May 1, 2021. This new version of the popular exam makes a modest revision and re-organization of previously included topics, but it also integrates a significant number of new topics.
The test remains adaptive, and preparing for the CISSP exam will be more challenging than ever. You will need to be knowledgeable in all eight CISSP domains in order to pass.
This article identifies the changes in topics, discusses the complexity of the adaptive testing format, and provides preparation guidance to help you pass the CISSP exam.
Domain weighting changes
The domains are the groupings of topics defined and organized by (ISC)2 based on its Job Task Analysis (JTA), a periodic survey of cybersecurity practitioners, together with its annual Cybersecurity Workforce Study. The body of topics that results was previously referred to as the Common Body of Knowledge (CBK).
The CISSP exam has eight domains, and their number and names are unchanged between the 2018 and 2021 exam versions. The only domain-level change is an adjustment to the weighting of questions per domain: Domain 4 is reduced by one percentage point and Domain 8 is increased by one percentage point, as seen in this table:
| Domain | 2018 CISSP Exam | 2021 CISSP Exam |
| --- | --- | --- |
| 1. Security and Risk Management | 15% | 15% |
| 2. Asset Security | 10% | 10% |
| 3. Security Architecture and Engineering | 13% | 13% |
| 4. Communication and Network Security | 14% | 13% |
| 5. Identity and Access Management (IAM) | 13% | 13% |
| 6. Security Assessment and Testing | 12% | 12% |
| 7. Security Operations | 13% | 13% |
| 8. Software Development Security | 10% | 11% |
The Official Certification Exam Outline
The 2021 update to the CISSP exam introduces many new topics and revisions of topics present on the previous version of the exam. The official Certification Exam Outline is the primary source of what is included on this latest update of the CISSP exam. You can obtain your own copy of the Certification Exam Outline (which was previously known as the Candidate Information Bulletin or CIB) by visiting the CISSP section of the (ISC)2’s website (https://www.isc2.org/Certifications/CISSP) and scrolling down the page to the section titled “Your Pathway to Certification.”
Under this heading, click on the box labeled “2| Register and Prepare for the Exam.” This reveals not only the current list of domains but also a download link for the Certification Exam Outline in various languages. Until May 1, 2021, this page will offer both the 2018 and the 2021 versions of the Exam Outline, so make your selection carefully. (Note: The first page of this PDF document shows the title as “Certification Exam Outline,” but many mentions of this document on (ISC)2’s website use the name “CISSP Exam Outline.”)
The Certification Exam Outline, which is sometimes referred to as an objective list, presents the range of topics that (ISC)2 includes on the CISSP exam. It is organized into eight domains, which are sub-divided into numbered sub-objectives or sub-domains, which in turn are often divided into numerous bullet-point items.
These bullet items are defined by (ISC)2 as examples. Several items on the Exam Outline also include parenthetical lists of related topics. Everything listed on the Exam Outline is fair game as the focus of an exam question. However, do not assume that the Exam Outline is exhaustive and complete: (ISC)2 reserves the right to include related or similar topics on the exam that are not directly and specifically named in the Exam Outline.
New Topics to Master
The 2021 revision of CISSP has many new topics listed on the Certification Exam Outline. Some of the items listed here as new are topics that may have been covered or included on the 2018 CISSP exam, but they were not specifically mentioned on the 2018 Exam Outline.
Here are the new topics on the 2021 CISSP Certification Exam Outline:
Note: The domain topic numbering scheme used here is an extension of that found in the Certification Exam Outline. The first numeral is the primary domain and the second numeral is the sub-domain topic (often a longer phrase); these two numbers are used by (ISC)2 in the Certification Exam Outline. A third numeral (if present) is an additional reference number added by me to indicate the sub-sub-topic, taken from the bulleted list under a sub-domain topic. This numbering scheme makes it easy to locate the bulleted topics, in order, in the Certification Exam Outline.
Domain 1: Security and Risk Management
- 1.2.1 Confidentiality, integrity, availability, authenticity and nonrepudiation
- [Authenticity is a newly listed item, nonrepudiation is new in Domain 1, it also still appears as non-repudiation in 3.6]
- 1.9.3 Onboarding, transfers, and termination processes
- [“transfers” is new in 2021]
- 1.10.6 Control assessments (security and privacy)
- [Privacy control assessments is new, and this sub-sub-topic is renamed from 2018 1.9.6 “Security Control Assessment (SCA)”]
- 1.10.9 Continuous improvement (e.g., Risk maturity modeling)
- [“Risk maturity modeling” is new for 2021]
- 1.12 Apply Supply Chain Risk Management (SCRM) concepts
- [SCRM is new in 2021]
- 1.13.1 Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification)
- [“social engineering, phishing, security champions, gamification” are new topics in 2021]
Domain 2: Asset Security
- 2.3 Provision resources securely
- [new in 2021]
- 2.3.2 Asset inventory (e.g., tangible, intangible)
- [“tangible, intangible” new in 2021]
- 2.4 Manage data lifecycle
- [new in 2021, potentially renamed and moved from 2018 7.5.5 Information lifecycle]
- 2.4.1 Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
- [new in 2021]
- 2.4.2 Data collection
- [new in 2021]
- 2.4.3 Data location
- [new in 2021]
- 2.4.4 Data maintenance
- [new in 2021]
- 2.4.5 Data retention
- [new in 2021]
- 2.4.6 Data destruction
- [new in 2021]
- 2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
- [“EOL” and “EOS” are new in 2021]
- 2.6.1 Data states (e.g., in use, in transit, at rest)
- [“in use, in transit, at rest” data states are new in 2021]
- 2.6.4 Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB))
- [DLP and CASB new in 2021]
Domain 3: Security Architecture and Engineering
- 3.1.2 Least privilege
- [new for 2021 and present in 7.4.1]
- 3.1.3 Defense in depth
- [new in 2021]
- 3.1.4 Secure defaults
- [new in 2021]
- 3.1.5 Fail securely
- [new in 2021]
- 3.1.7 Keep it simple
- [new in 2021]
- 3.1.8 Zero Trust
- [new in 2021]
- 3.1.9 Privacy by design
- [new in 2021]
- 3.1.10 Trust but verify
- [new in 2021]
- 3.1.11 Shared responsibility
- [new in 2021]
- 3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
- [“Biba, Star Model, Bell-LaPadula” new in 2021]
- 3.5.6 Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
- [SaaS, IaaS, and PaaS new in 2021]
- 3.5.9 Microservices
- [new in 2021]
- 3.5.10 Containerization
- [new in 2021]
- 3.5.11 Serverless
- [new in 2021]
- 3.5.13 High-Performance Computing (HPC) systems
- [new in 2021]
- 3.5.14 Edge computing systems
- [new in 2021]
- 3.5.15 Virtualized systems
- [new in 2021]
- 3.6.2 Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum)
- [“quantum” new in 2021]
- 3.6.5 Digital signatures and digital certificates
- [“Digital certificates” new in 2021]
- 3.7.1 Brute force
- [new in 2021]
- 3.7.2 Ciphertext only
- [new in 2021]
- 3.7.3 Known plaintext
- [new in 2021]
- 3.7.4 Frequency analysis
- [new in 2021]
- 3.7.5 Chosen ciphertext
- [new in 2021]
- 3.7.6 Implementation attacks
- [new in 2021]
- 3.7.7 Side-channel
- [new in 2021]
- 3.7.8 Fault injection
- [new in 2021]
- 3.7.9 Timing
- [new in 2021]
- 3.7.10 Man-in-the-Middle (MITM)
- [new in 2021]
- 3.7.11 Pass the hash
- [new in 2021]
- 3.7.12 Kerberos exploitation
- [new in 2021]
- 3.7.13 Ransomware
- [new in 2021]
- 3.9.9 Power (e.g., redundant, backup)
- [new in 2021]
Domain 4: Communication and Network Security
- 4.1.2 Internet Protocol (IP) networking (e.g., Internet Protocol Security (IPSec), Internet Protocol (IP) v4/6)
- [IPSec, IPv4, and IPv6 new in 2021]
- 4.1.3 Secure protocols
- [new in 2021]
- 4.1.5 Converged protocols (e.g., Fiber Channel Over Ethernet (FCoE), Internet Small Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP))
- [FCoE, iSCSI, and VoIP new in 2021]
- 4.1.6 Micro-segmentation (e.g., Software Defined Networks (SDN), Virtual eXtensible Local Area Network (VXLAN), Encapsulation, Software-Defined Wide Area Network (SD-WAN))
- [Micro-segmentation, VXLAN, encapsulation, and SD-WAN new in 2021]
- 4.1.7 Wireless networks (e.g., Li-Fi, Wi-Fi, Zigbee, satellite)
- [Li-Fi, Zigbee, and satellite new in 2021]
- 4.1.8 Cellular networks (e.g., 4G, 5G)
- [new in 2021]
- 4.2.1 Operation of hardware (e.g., redundant power, warranty, support)
- [new in 2021]
- 4.3.6 Third-party connectivity
- [new in 2021]
Domain 5: Identity and Access Management (IAM)
- 5.1.5 Applications
- [new in 2021]
- 5.2.5 Registration, proofing, and establishment of identity
- [“Establishment of identity” new in 2021]
- 5.2.8 Single Sign On (SSO)
- [new in 2021]
- 5.2.9 Just-In-Time (JIT)
- [new in 2021]
- 5.3.3 Hybrid
- [new in 2021]
- 5.4.6 Risk based access control
- [new in 2021]
- 5.5.1 Account access review (e.g., user, system, service)
- [“service” new in 2021]
- 5.5.2 Provisioning and deprovisioning (e.g., on /off boarding and transfers)
- [“on /off boarding and transfers” new in 2021]
- 5.5.3 Role definition (e.g., people assigned to new roles)
- [new in 2021]
- 5.5.4 Privilege escalation (e.g., managed service accounts, use of sudo, minimizing its use)
- [new in 2021]
- 5.6 Implement authentication systems
- [new in 2021]
- 5.6.1 OpenID Connect (OIDC)/Open Authorization (OAuth)
- [new in 2021]
- 5.6.2 Security Assertion Markup Language (SAML)
- [new in 2021]
- 5.6.3 Kerberos
- [new in 2021]
- 5.6.4 Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+)
- [new in 2021]
Domain 6: Security Assessment and Testing
- 6.2.9 Breach attack simulations
- [new in 2021]
- 6.2.10 Compliance checks
- [new in 2021]
- 6.4.1 Remediation
- [new in 2021]
- 6.4.2 Exception handling
- [new in 2021]
- 6.4.3 Ethical disclosure
- [new in 2021]
Domain 7: Security Operations
- 7.1.5 Artifacts (e.g., computer, network, mobile device)
- [new in 2021]
- 7.2.5 Log management
- [new in 2021]
- 7.2.6 Threat intelligence (e.g., threat feeds, threat hunting)
- [new in 2021]
- 7.2.7 User and Entity Behavior Analytics (UEBA)
- [new in 2021]
- 7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)
- [new in 2021]
- 7.7.1 Firewalls (e.g., next generation, web application, network)
- [“next generation, web application, network” new in 2021]
- 7.7.8 Machine learning and Artificial Intelligence (AI) based tools
- [new in 2021]
- 7.11.7 Lessons learned
- [new in 2021]
Domain 8: Software Development Security
- 8.1.1 Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps)
- [“Agile, Waterfall, DevOps, DevSecOps” are new in 2021]
- 8.1.2 Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))
- [CMM and SAMM are new in 2021]
- 8.2.1 Programming languages
- [new in 2021]
- 8.2.2 Libraries
- [new in 2021]
- 8.2.3 Tool sets
- [new in 2021]
- 8.2.4 Integrated Development Environment (IDE)
- [new in 2021]
- 8.2.5 Runtime
- [new in 2021]
- 8.2.6 Continuous Integration and Continuous Delivery (CI/CD)
- [new in 2021]
- 8.2.7 Security Orchestration, Automation, and Response (SOAR)
- [new in 2021]
- 8.2.10 Application security testing (e.g., Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST))
- [new in 2021]
- 8.4.1 Commercial-off-the-shelf (COTS)
- [new in 2021]
- 8.4.2 Open source
- [new in 2021]
- 8.4.3 Third-party
- [new in 2021]
- 8.4.4 Managed services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
- [new in 2021]
- 8.5.4 Software-defined security
- [new in 2021]
Upon close inspection you might recognize that some of these “new” topics are already covered or are reasonable expansions of the domains. Many of the “new” topics should be familiar to any current cybersecurity professional. Be sure to focus on these topics in your preparation as they may be slightly more prevalent in exam questions than “legacy” topics.
Note: Please refer to the full 2021 CISSP Certification Exam Outline for the complete current topic list.
Rewording issues to review
In addition to the actual new items on the 2021 CISSP exam, there are numerous rewordings of topics and detailed items. In addition to rewording, there is also some re-organization and renumbering of items. Since those have little to no impact on the exam or your preparations, I have only highlighted a few of those items that were moved or renamed that are noteworthy. I did not include items where acronyms were added or hyphenation changed.
Here is a list of some potentially important rewordings or location changes:
Domain 1: Security and Risk Management
- 1.1 Understand, adhere to, and promote professional ethics
- [promoted to 1.1 from 1.5 in order to emphasize the importance of ethics]
- 1.4 Determine compliance and other requirements
- [revised 2018 1.3, and “Determine compliance requirements” removed from 2018 1.2.6]
- 1.5 Understand legal and regulatory issues that pertain to information security in a holistic context
- [changed from 2018 1.4 “global context”]
- 1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
- [this was topic 2018 7.2, 7.2.1-7.2.5]
- 1.10.6 Control assessments (security and privacy)
- [renamed from 2018 1.9.6 “Security Control Assessment (SCA)”]
- 1.12 Apply Supply Chain Risk Management (SCRM) concepts
- [renamed from 2018 1.11 “Apply risk-based management concepts to the supply chain”]
Domain 2: Asset Security
- 2.2 Establish information and asset handling requirements
- [moved from 2018 2.6]
- 2.3.1 Information and asset ownership
- [renamed from 2018 2.2 “Determine and maintain information and asset ownership”]
- 2.3.2 Asset inventory (e.g., tangible, intangible)
- [moved from 2018 7.4.2]
- 2.3.3 Asset Management
- [moved from 2018 7.4.2]
- 2.4.1 Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
- [renamed from 2018 2.3.1 Data owners and 2.3.2 Data processors]
- 2.4.2 Data collection
- [renamed from 2018 2.3.4 Collection limitation]
- 2.6 Determine data security controls and compliance requirements
- [renamed from 2018 2.5 Determine data security controls]
- 2.6.1 Data states (e.g., in use, in transit, at rest)
- [renamed from 2018 2.5.1 Understand data states]
- 2.6.4 Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB))
- [DRM moved from 2018 3.9.9, this item is also renamed from 2018 2.5.4]
Domain 3: Security Architecture and Engineering
- 3.1 Research, implement and manage engineering processes using secure design principles
- [renamed from 2018 3.1]
- 3.1.1 Threat modeling
- [renamed and moved from 2018 1.10, 1.10.1, and 1.10.2]
- 3.1.6 Separation of Duties (SoD)
- [also included in 7.4.2]
- 3.5.12 Embedded systems
- [renamed from 2018 3.8 Assess and mitigate vulnerabilities in embedded devices]
- 3.6 Select and determine cryptographic solutions
- [renamed from 2018 3.9 Apply cryptography]
- 3.7 Understand methods of cryptanalytic attacks
- [moved from 2018 3.9.8]
Domain 4: Communication and Network Security
- 4.1.9 Content Distribution Networks (CDN)
- [moved and renamed from 2018 4.2.5]
- 4.1.6 Micro-segmentation (e.g., Software Defined Networks (SDN), Virtual eXtensible Local Area Network (VXLAN), Encapsulation, Software-Defined Wide Area Network (SD-WAN))
- [SDN moved and renamed from 2018 4.1.5]
Domain 5: Identity and Access Management (IAM)
- 5.3 Federated identity with a third-party service
- [renamed from 2018 5.3.3]
- 5.5.1 Account access review (e.g., user, system, service)
- [renamed from 2018 5.5.1 and 5.5.2]
Domain 6: Security Assessment and Testing
None
Domain 7: Security Operations
- 7.5.2 Media protection techniques
- [renamed from 2018 7.6.2 Hardware and software asset management]
Domain 8: Software Development Security
- 8.2.8 Software Configuration Management (SCM)
- [renamed from 2018 8.2.2]
- 8.2.9 Code repositories
- [renamed from 2018 8.2.3]
Removed items
There are several items that were removed, or at least not retained, in the 2021 version of the CISSP exam. While these items are absent from the 2021 CISSP Certification Exam Outline, that does not necessarily mean the topic is absent from the 2021 exam.
Most of the dropped items were removed because the topics are already included under other topics, and their removal resolves unnecessary repetition. All number references in this list are from the 2018 Exam Outline, since these items are not present in the 2021 CISSP Certification Exam Outline.
Domain 1: Security and Risk Management
- 1.9.8 Asset valuation
- [Removed from 2021, but still relevant to overall topic]
- 1.10.1 Threat modeling methodologies
- [This sub-sub-topic was removed for 2021, but it is still contained in the 1.11 Understand and apply threat modeling concepts and methodologies sub-domain.]
- 1.10.2 Threat modeling concepts
- [This sub-sub-topic was removed for 2021, but it is still contained in the 1.11 Understand and apply threat modeling concepts and methodologies sub-domain.]
Domain 2: Asset Security
- 2.3 Protect privacy
- [This sub-topic was removed for 2021, but it is contained in other 2021 topics, including 1.4.2, 1.5.5, 1.9.6, 1.10.6, and 3.1.9]
Domain 3: Security Architecture and Engineering
- 3.6 Assess and mitigate vulnerabilities in web-based systems
- [This sub-topic was removed for 2021, but likely still relevant to the exam]
- 3.7 Assess and mitigate vulnerabilities in mobile systems
- [This sub-topic was removed for 2021, but likely still relevant to the exam]
Domain 4 - 7
None
Domain 8: Software Development Security
- 8.2.1 Security of the software environments
- [Removed in 2021, but still relevant to 2021 8.2 Identify and apply security controls in software development ecosystems]
What to know about the CISSP-CAT process
The original CISSP exam was a paper-based, bubble-sheet test consisting of 250 questions to be completed in a six-hour time window.
In 2012, (ISC)2 began offering the CISSP exam as a computer-based test (CBT) through Pearson VUE testing centers, but the exam retained the question count and time limit of its paper predecessor. With the 2018 revision, (ISC)2 adopted the current CISSP-CAT mode of exam delivery.
The CISSP-CAT is the current mode of exam delivery employed by (ISC)2 for the English version of the exam. CAT stands for Computerized Adaptive Testing. The CISSP-CAT applies only to the English version of the exam; for non-English versions, the linear 250-question, six-hour form is still used.
In the CISSP-CAT format, the candidate sees a minimum of 100 questions and a maximum of 150, with a three-hour time limit. Of the first 100 questions, only 75 are graded and count toward your score. The 25 ungraded (pretest) questions are not identified to you and are interspersed throughout the first 100 questions; they are used to evaluate candidate items for future exam forms.
Rather than accumulating points to cross a line and pass, you are evaluated on your ability to demonstrate knowledge relative to a concept (ISC)2 calls the passing standard. (ISC)2 does not publicly define the level of achievement needed to meet the passing standard. The author's unofficial estimate is that it corresponds to scoring roughly 70% or better within each of the eight domains, but (ISC)2 has not confirmed any such figure.
At question 100, the system evaluates your potential to achieve the passing standard. If the system estimates your pass potential is 95% or higher, the test will end with a pass. If the system estimates your failure potential is 95% or higher, the test will end with a fail result. If a 95%+ pass/fail determination cannot be made at question 100, then it is evaluated again after each question until you reach question 150.
You are only ever assessed on the most recent 75 graded questions. This means that as you answer question 101, the first graded question is discarded and replaced with question 101. Then as you answer question 102, the second originally graded question is discarded and replaced with question 102, and so forth. As a question is “dropped” from consideration toward your pass/fail potential, it is replaced by a question from the same domain. This is how the exam maintains the domain coverage percentages while the window slides.
Don’t skip questions.
You get one chance to view a question and provide an answer. You cannot revisit previous questions. Although it is not stated, a skipped question is likely marked as incorrect. Therefore, guessing is still a better strategy than skipping. You should always attempt to eliminate question options from consideration, then select your answer from the remaining options.
In early 2021, (ISC)2 announced a pilot of delivering the CISSP exam through an online remote proctoring system. (ISC)2 has been one of the last major certification bodies that had not adopted remote examination with online proctoring for its certification exams.
Based on the results of the preliminary pilot program, scheduled for February 2021, (ISC)2 may elect to offer online remote-proctored testing for CISSP and other (ISC)2 certifications in the future. The statements released by (ISC)2 about the program indicate that the remote online exam will be a linear (i.e., not adaptive) 250-question, six-hour exam, and that you will not be able to revisit questions once an answer is submitted.
Why the test revisions?
(ISC)2 references several factors that led to the deployment of the CISSP-CAT examination format, such as:
- A more precise evaluation
- Shorter test sessions
- Enhanced exam security
Additionally, there has been a significant increase in exam fraud worldwide over the last decade, including both test-taker impersonation and attempts to steal copies of the question bank. (ISC)2 and other test owners are using a wide range of techniques to reduce fraud while increasing the value of certification.
The CISSP-CAT is a reasonable defense against stolen question banks, since no two candidates see the same sequence of items and no one sees the whole bank. This is also one of the primary reasons why (ISC)2 has not offered online testing in the past. But with the COVID-19 pandemic changing how the world works, and with improvements in remote exam identity verification and monitoring, (ISC)2 is now considering this more convenient mode of exam delivery.