Live Chat
Monday - Friday 8am - 6pm EST Chat Now
Contact Us
Monday - Friday 8am - 8pm EST 1-800-268-7737 Other Contact Options

Cart () Loading...

    • Quantity:
    • Delivery:
    • Dates:
    • Location:


Everything You Need to Know About the CISSP Exam Changes

March 20, 2019
James Michael Stewart

The CISSP (Certified Information System Security Practitioner) certification exam update in 2018 included a modest revision of the topics and a significant change to the testing process. Preparing for the CISSP exam has become more challenging. You will need to be knowledgeable in all eight domains of CISSP in order to pass. This article identifies the changes in topics, reveals the complexity of the new testing format, and provides preparation guidance to help you successfully pass the CISSP exam.


Domain topic changes

The 2018 update to the CISSP exam introduced only minor overall changes to the topics covered, as listed in the official Certification Exam Outline (which was previously known as the Candidate Information Bulletin or CIB). To find the outline, scroll down the page to the section titled “Your Pathway to Certification.” Under this heading, click on the second box with the contents of “Register and Prepare for the Exam.” This reveals not only the current list of domains but also offers a download link for the Certification Exam Outline. (Note: The first page of this PDF document shows the title as “Certification Exam Outline,” but many mentions of this document on (ISC)2’s website uses the name “CISSP Exam Outline.”)

There are two changes from the previous exam in regards to the domains themselves. First, the previous domain of “Security Engineering” has been renamed “Security Architecture and Engineering.” The second adds an acronym to the domain “Identity and Access Management” to make it “Identity and Access Management (IAM).” (Note: No other domain includes an acronym in its name. This was likely done to reflect that this phrase has become a common acronym in the IT and security community.)

These two name changes are mostly cosmetic. The IAM acronym addition does not change the focus of domain 5, while the additional term in the name of domain 3 is more of a clarification than a true topic change for this domain.


New topics to master

While the 2018 revision to CISSP had only minor changes to the names of the domains, there was a significant amount of change to the actual content listed for the domains. There is a mixture of topic rewording, reorganizing topics, and adding new topics. The reorganization of topics between or within domains is of no significant value for prep or study. Here is a list of the topics that were renamed:

  • Domain 1: Security and Risk Management
    • 1.2 Evaluate and apply security governance principles
    • 1.2.3 Organizational roles and responsibilities
    • 1.3 Determine compliance requirements
    • 1.7 Identify, analyze, and prioritize Business Continuity (BC) requirements
    • 1.8.3 Onboarding and termination processes
    • 1.12 Establish and maintain a security awareness, education, and training program
  • Domain 2: Asset Security
    • 2.1 Identify and classify information and assets
    • 2.2 Determine and maintain information and asset ownership
  • Domain 3: Security Architecture and Engineering
    • 3.3 Select controls based upon systems security requirements
    • 3.4 Understand security capabilities of information systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
    • 3.9.2 Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves)
  • Domain 4: Communication and Network Security
    • 4.1 Implement secure design principles in network architectures
    • 4.3 Implement secure communication channels according to design
  • Domain 5: Identity and Access Management (IAM)
    • 5.3 Integrate identity as a third-party service
  • Domain 6: Security Assessment and Testing
    • 6.1 Design and validate assessment, test, and audit strategies
    • 6.4 Analyze test output and generate report
  • Domain 7: Security Operations
    • 7.8 Operate and maintain detective and preventative measures
    • 7.10 Understand and participate in change management processes
    • 7.16 Address personnel safety and security concerns
  • Domain 8: Software Development Security
    • 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
    • 8.2 Identify and apply security controls in development environments

Note: The domain topic numbering scheme used here is an extension of that found in the Certification Exam Outline. The first numeral is the primary domain, the second numeral is the sub-domain topic (often a longer phrase), and the third numeral (if present) is an additional reference number added by me to indicate the sub-sub-topic which is from the bulleted list under a sub-domain topic. This numbering scheme allows for locating the topic in order from the Certification Exam Outline.

If you compare these renamed topics to the previous 2015 revision, you will see that most of these are clarifications and do not really introduce any new topics into the materials.

The following is a list of topics that were added with the 2018 revision of the CISSP exam:

  • Domain 1: Security and Risk Management
    • 1.3.1 Contractual, legal, industry standards, and regulatory requirements
    • 1.4.1 Cyber crimes and data breaches
    • 1.5 Understand, adhere to, and promote professional ethics
    • 1.9.3 Risk response
    • 1.10.1 Threat modeling methodologies
    • 1.10.2 Threat modeling concepts
    • 1.11 Apply risk-based management concepts to the supply chain
    • 1.11.1 Risks associated with hardware, software, and services
    • 1.12.1 Methods and techniques to present awareness and training
    • 1.12.3 Program effectiveness evaluation
  • Domain 2: Asset Security
    • 2.1.1 Data classification
    • 2.1.2 Asset Classification
    • 2.5.1 Understand data states
    • 2.5.4 Data protection methods
    • 2.6 Establish information and asset handling requirements
  • Domain 3: Security Architecture and Engineering
    • 3.5.6 Cloud-based systems
    • 3.5.8 Internet of Things (IoT)
    • 3.11 Implement site and facility security controls
    • 3.11.7 Environmental issues
  • Domain 4: Communication and Network Security
    • none
  • Domain 5: Identity and Access Management (IAM)
    • 5.3.1 On-premise
    • 5.3.2 Cloud
    • 5.3.3 Federated
    • 5.4.5 Attribute Based Access Control (ABAC)
    • 5.5.1 User access review
    • 5.5.2 System account access review
    • 5.5.3 Provisioning and deprovisioning
  • Domain 6: Security Assessment and Testing
    • 6.1.1 Internal
    • 6.1.2 External
    • 6.1.3 Third-party
    • 6.5 Conduct or facilitate security audits
    • 6.5.1 Internal
    • 6.5.2 External
    • 6.5.3 Third-party
  • Domain 7: Security Operations
    • 7.1.4 Digital forensics tools, tactics, and procedures
    • 7.2.1 Administrative
    • 7.2.5 Industry standards
    • 7.4.2 Asset management
    • 7.5.3 Privileged account management
    • 7.16.1 Travel
    • 7.16.2 Security training and awareness
    • 7.16.3 Emergency management
    • 7.16.4 Duress
  • Domain 8: Software Development Security
    • 8.5 Define and apply secure coding guidelines and standards
    • 8.5.1 Security weaknesses and vulnerabilities at the source-code level
    • 8.5.2 Security of application programming interfaces
    • 8.5.3 Secure coding practices

Note: Some of the new items are new sub-elements of existing topics. Please refer to the full 2018 Certification Exam Outline for the complete current topic list.

These new items do not appear in the 2015 Exam Outline/CIB and represent new topics for the 2018 revision. However, upon close inspection you might recognize that some of these topics are already covered or are reasonable expansions of the domains. Many of the “new” topics should be familiar to any current cybersecurity professional. Be sure to focus on these topics in your preparation as they are slightly more prevalent in exam questions than “legacy” topics.


What to know about the new test process

The biggest change from the 2015 version to the 2018 revision is the testing process itself. The original CISSP exam was a paper-based, bubble-sheet test consisting of 250 questions to be completed in a six-hour time window. With the 2015 revision, the CISSP exam finally adopted a computer-based testing (CBT) option through Pearson Vue, but it retained the question count and time limit of its predecessor.

With the release of the 2018 revision, the CISSP exam has been converted into an adaptive test. (ISC)2 calls this version the CISSP Computer Adaptive Test or CISSP-CAT. The CISSP-CAT only applies to the English version of the exam. For non-English versions, the 250-question, six-hour version is still used.

In the new format, the student will view a minimum of 100 questions and a maximum of 150. Of the first 100 questions, only 75 are graded and count towards your score. The 25 ungraded questions are not marked, and are interspersed throughout the first 100 questions. These questions are used to evaluate questions for future tests.

At question 100, the system evaluates your potential to achieve a passing score. If the system estimates your pass potential is 95% or higher, the test will end with a pass. If the system estimates your failure potential is 95% or higher, the test will end with a fail. If a pass/fail determination is not made at question 100, then it is evaluated again after each question until you reach 150. You are only assessed on the last 75 graded questions. This means that as you answer question 101, the first graded question is discarded and replaced with question 101. Then as you answer question 102, the second originally graded question is discarded and replaced with question 102, and so forth.

Furthermore, you are not able to revisit previous questions. You get one chance to view a question and provide an answer. Although it is not stated, a skipped question is likely marked as incorrect. Therefore, guessing is still a better strategy than skipping. You should always attempt to eliminate question options from consideration, then select your answer from the remaining options.


Why the test revisions?

(ISC)2 references several factors that led to the 2018 CISSP-CAT revision:

  • A more precise evaluation
  • Shorter test sessions
  • Enhanced exam security

There has been a significant increase in exam fraud worldwide over the last few years, including both tester impersonations as well as attempts to steal copies of the question bank. (ISC)2 and other test owners are using a wide range of techniques to reduce fraud while increasing certification value. The CISSP-CAT is a reasonable defense against stolen test banks.


CISSP exam tips

The 2018 CISSP exam questions seem to have the same level of depth and complexity as previous versions, with only a handful of new topics. The CISSP-CAT testing method or structure is the most daunting part of achieving the certification.

(ISC)2 claims that the assessment of a candidate’s knowledge and mastery of relevant topics is equivalent between the CISSP-CAT and the traditional flat version of the exam. However, I think there is an increased requirement to be knowledgeable across all eight domains rather than only needing to be proficient in just six on the traditional flat version.

Some training and exam preparation guidance for previous versions of the exam seem to indicate that you could overlook or ignore one or two domains that you found overly challenging and focus on the six topical areas that were more comfortable to the test taker. I don’t think this is now a valid and responsible strategy for passing the CISSP exam. Therefore, you may need to spend additional time studying and preparing for the CISSP exam to ensure you are well-versed in most topics across all eight domains.


The value of CISSP

CISSP continues to be one of the most respected and sought after cybersecurity certifications. With the recent update, (ISC)2 has maintained the high bar it has set to validate the knowledge and skills of senior cybersecurity managers.

With 125,000 CISSP-certified individuals worldwide and one of the highest salary ranges in IT, the CISSP certification is a widely recognized credential key to the development of cybersecurity experts.


Related course

CISSP Certification Prep Course