For those who wish to see the official existing and new outlines:
I decided to write this post because the new outline is essentially a list of domains and sections within each domain, with no hint of what was actually modified, and I could not find anyone else who had done the comparison. So I took on the task myself. Please be advised that I did this for my own "pleasure", so apologies if I missed something :-)
Let's start with the obvious change, the domain weights:
| Domain | CISSP - before Apr 2018 | CISSP - from Apr 2018 |
|---|---|---|
| 1. Security and Risk Management | 16% | 15% |
| 2. Asset Security | 10% | 10% |
| 3. Security Engineering | 12% | 13% |
| 4. Communications and Network Security | 12% | 14% |
| 5. Identity and Access Management | 13% | 13% |
| 6. Security Assessment and Testing | 11% | 12% |
| 7. Security Operations | 16% | 13% |
| 8. Software Development Security | 10% | 10% |
As you can see from the table above, there are no mind-blowing ground-up changes: we are still in the 8-domain format, with only small shifts in the ratio between the domains. On a 250-question exam each question still carries the same weight, so 1% equals 2.5 questions. Looked at that way, Domain 1 lost roughly 2 to 3 questions in favour of Domain 3, whose ratio increased by 1%. I would call that a very minor difference. The largest single move is Domain 7, down 3% (about 7 to 8 questions), mostly redistributed to Domains 4 and 6.
Now, looking into each domain in more detail:
Domain 1 Security and Risk Management - originally 12 sections and still 12 sections, however:
- Section 1.2 was reduced from 6 sub-areas to 5 by merging Due Care and Due Diligence into one item. Does that mean we need to know less about them? I think not.
- Section 1.4 similarly: Computer Crime (the legal term) was changed to Cyber Crime and merged with Data Breaches.
- Section 1.9 again: 12 sub-areas were trimmed to 11 by merging content.
Domain 3 Security Engineering (renamed Security Architecture and Engineering in the 2018 outline)
- Section 3.5 was appended with IoT; I would say an expected change given all the buzz around it (no offense intended).
- Section 3.11.7 Water Issues was changed to Environmental Issues, which also seems an obvious change, since focusing only on water hazards is rather narrow.
Domain 4 Communications and Network Security
- Section 4.1.7 Cryptography used to maintain communication security - removed
- Section 4.2.6 Physical devices - removed
- Section 4.4 Prevent and mitigate network attacks - removed
Domain 5 IAM
- The old Section 5.3 was removed; the new 5.3 is equivalent to the old Section 5.4 and is now segmented into 3 sub-areas: Cloud, On-Premise and Federated.
- Section 5.6 Prevent and mitigate access control attacks - removed
- Section 5.7 Manage the identity and access provisioning lifecycle - removed as a separate section
Domain 6 Security Assessment and Testing
- Section 6.1 was extended with 3 sub-areas: Internal, External and Third Party
- Section 6.5 received the same workout as Section 6.1
Domain 7 Security Operations
- Section 7.16 Address personnel safety and security concerns was extended and received 4 sub-areas: Travel, Security training and awareness, Emergency management, Duress
Domain 8 Software Development Security
- Section 8.2 was trimmed from 5 sub-areas to 3:
  - Security weaknesses and vulnerabilities at the source-code level - removed
  - Security of APIs - removed
- Section 8.3 Acceptance testing - removed
- New Section 8.5 Define and apply secure coding guidelines and standards, with 3 sub-areas (the two items dropped from 8.2 reappear here):
  - Security weaknesses and vulnerabilities at the source-code level
  - Security of application programming interfaces
  - Secure coding practices
So overall, looking at the changes, they are not fundamental, but I think they are the necessary ones given where the industry is heading. Good luck to me and to whoever else is going to take the challenge :-)