As we move into 2024, cyber security professionals gearing up for the CISSP exam are encountering a new hurdle: the CISSP exam update 2024.
This update changes one of the most prestigious certifications in the field. Understanding and adapting to these changes is important for anyone pursuing this certification.
In this article, we discuss the differences in the CISSP exam refresh 2024 and explore what has changed and what has been removed. Are the changes significant? Did ISC2 overhaul the exam domains? Is the exam format the same?
Join us as we answer these questions and discuss everything you need to know about the new CISSP exam.
There's a CISSP Exam Update 2024?
ISC2 updates the CISSP exam periodically to keep the certification relevant. The changes come from ISC2's own review process, which ensures the exam covers the knowledge and skills that the roles and responsibilities of current cyber security professionals require.
How often does it happen?
ISC2 CISSP is updated every three years. This update is based on the Job Task Analysis (JTA) process. Simply put, the JTA thoroughly examines what skills and knowledge are important for cyber security.
It checks whether the CISSP exam matches real-world cyber security needs and challenges. So, every three years, ISC2 uses the JTA to ensure the CISSP exam stays current and useful for professionals in this field.
When does it take effect?
The ISC2 CISSP refresh will take effect on April 15, 2024. Below, we will summarize the official changes.
What Has and Hasnβt Changed with the CISSP Exam Update 2024?
Let's take a brief look at the details of both the current exam and the new CISSP exam.
2021 Exam:
Number of Questions: 125 to 175 questions.
Duration: 4 hours.
Beta Questions: 50 beta questions within the first 125 questions.
Format: Computer Adaptive Testing (CAT), with multiple-choice and advanced innovative questions
Scoring: 700 out of 1000 points to pass.
Cost: $749 USD and annual fee of $125
2024 Exam:
Number of Questions: 100 to 150 questions.
Duration: 3 hours.
Beta Questions: 25 beta questions within the first 100 questions.
Format: Remains a CAT exam.
Scoring: 700 out of 1000 points to pass.
Cost: $749 USD and annual fee of $125
The CISSP computer adaptive test (CAT) starts each candidate with an easy question. Based on each response, the test reestimates the candidate's ability level and selects the next question accordingly. The more questions answered, the more precisely it can estimate the candidate's true ability.
CISSP Exam Domains Compared
The changes for the actual domains are very minor. There are only two small adjustments that have been made to the percentages.
Domain 1 has increased by one percent, and Domain 8 has decreased by one percent.
| Domains | Current Percentage (2021) | New Percentage (2024) |
|---|---|---|
| Security and Risk Management | 15% | 16% |
| Asset Security | 10% | 10% |
| Security Architecture and Engineering | 13% | 13% |
| Communication and Network Security | 13% | 13% |
| Identity and Access Management (IAM) | 13% | 13% |
| Security Assessment and Testing | 12% | 12% |
| Security Operations | 13% | 13% |
| Software Development Security | 11% | 10% |
What Is New With the CISSP Exam Update 2024?
CISSP has remained relatively unchanged, with only about five percent of the material being new additions.
So, what exactly is new in the CISSP exam refresh 2024? Let's review each of the eight domains and explain what has been added and why this is important.
Domain 1 - Security and Risk Management
Let's look at some of the changes in Domain 1.
Section 1.7 (Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements):
New content about external dependencies in business continuity (BC) requirements has been included to highlight the importance of understanding external partnerships, such as vendors, contractors, etc., and their impact on business continuity, especially in today's business environments.
Section 1.9 (Understand and apply risk management concepts):
The term "scope" has been added to risk assessment/analysis and "continuous" to monitoring and measurement, emphasizing the need for an ongoing approach to risk management.
Section 1.12 Establish and maintain a security awareness, education, and training program:
ISC2 added topics like cryptocurrency, AI, and blockchain to "Periodic content reviews." This update shows the importance of new technologies, which are vital for handling current and future security issues.
Domain 2 - Asset Security
No changes have been made to Domain 2.
Domain 3 - Security Architecture and Engineering
Here are some of the changes in Domain 3.
Section 3.1 (Research, implement, and manage engineering processes using secure design principles):
The updates here include an emphasis on minimizing the code base, using microservices for a leaner architecture, and the addition of secure access service edge (SASE), a framework that combines network security functions with wide-area networking delivered as a cloud service. These changes aim to improve efficiency and put more focus on cloud-based security solutions.
Section 3.5 (Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements):
"Operational Technology" has been added to the industrial control system subdomain, expanding the focus to a wider range of equipment and systems, such as sensors and controllers, highlighting the increasing importance of securing a wide range of connected devices.
Section 3.6 (Select and determine cryptographic solutions):
This section now includes "Quantum key distribution," pointing to the future of encryption and the importance of preparing for advanced, secure communication technologies.
New Section 3.10 (Manage the system lifecycle):
This entirely new section covers the stages of system management, from stakeholder needs to retirement/disposal, emphasizing the importance of security at every stage of a system's lifecycle.
Domain 4 - Communication and Network Security
Let's take a look at how Domain 4 has changed.
Section 4.1 (Apply secure design principles in network architectures):
The exam now looks deeper at transport network architecture and the data/control/management planes. It also goes into such performance metrics as bandwidth, latency, jitter, throughput, and signal-to-noise ratio, which are important while evaluating or optimizing the performance of a network.
More attention is paid to different types of network segmentation, like physical (e.g., in-band, out-of-band, air-gapped networks) and logical (e.g., VLANs, VPNs, virtual routing), which are essential for protecting and managing networks. Furthermore, ISC2 CISSP now covers traffic flow patterns such as north-south and east-west traffic that show how data moves inside and between networks.
New topics such as micro-segmentation, edge networks, and virtual private clouds (VPC) align with the latest trends in network security, including the shift towards zero trust models and the increasing importance of edge computing.
New content on network monitoring and management, such as network observability, traffic shaping, capacity management, and fault detection, speaks to the necessity of comprehensive oversight and proactive control for complex networking environments.
Domain 5 - Identity and Access Management (IAM)
Here are the changes to Domain 5.
Section 5.1 (Control physical and logical access to assets):
ISC2 added a new sub-domain on services, covering authentication services, directory services, and access control services. This addition reflects that the growing complexity and range of services in today's IT environments require strong methods for controlling who can access them.
Renamed Section 5.2.1:
Identity Management (IdM) implementation has been reworded to "Groups and Roles," indicating a more focused approach to managing identities within groups and roles. This is very important for controlling access and ensuring policies are followed.
Section 5.4 (Implement and manage authorization mechanisms):
A new element focusing on access policy enforcement has been added, including concepts such as policy decision points and policy enforcement points. This highlights how crucial it is to manage policies well when it comes to allowing or denying permission for something.
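The policy decision point / policy enforcement point split mentioned above is easier to see in code. The following is an added example, not material from ISC2 or from the original article: a PDP that evaluates a constructed attribute-based rule set with a deny-overrides combining algorithm, and a PEP that sits in front of the resource, logs every decision, and fails closed when the PDP errors. All rule names, attributes and resource paths are made up for illustration.

```python
"""Policy Decision Point (PDP) / Policy Enforcement Point (PEP) separation.

Added illustration for the access-policy-enforcement item in Section 5.4;
the attribute names, rules and resources below are constructed examples,
not anything ISC2 publishes.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """Attributes the PEP gathers about the subject, action and resource."""
    subject: str
    roles: frozenset
    action: str
    resource: str
    resource_owner: str
    mfa: bool


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                                 # "Permit" or "Deny"
    applies: Callable[[AccessRequest], bool]    # target/condition predicate


class PolicyDecisionPoint:
    """Evaluates the policy set and returns a decision; it never touches the resource."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, req: AccessRequest) -> Tuple[str, str]:
        applicable = [r for r in self.rules if r.applies(req)]
        if not applicable:
            return "NotApplicable", ""
        # Deny-overrides combining: one matching Deny beats any number of Permits.
        for rule in applicable:
            if rule.effect == "Deny":
                return "Deny", rule.name
        return "Permit", applicable[0].name


class PolicyEnforcementPoint:
    """Sits in front of the resource, asks the PDP, records the outcome, fails closed."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.audit_log: List[Tuple[str, str, str, str, str]] = []

    def handle(self, req: AccessRequest, handler: Callable[[AccessRequest], str]) -> dict:
        try:
            decision, rule = self.pdp.decide(req)
        except Exception as exc:          # a broken policy is a Deny, not a bypass
            decision, rule = "Indeterminate", repr(exc)
        self.audit_log.append((req.subject, req.action, req.resource, decision, rule))
        if decision != "Permit":
            return {"status": 403, "decision": decision, "rule": rule}
        return {"status": 200, "decision": decision, "body": handler(req)}


# Constructed policy set (attribute-based, evaluated with deny-overrides).
RULES = [
    Rule("deny-destructive-without-mfa", "Deny",
         lambda r: r.action == "delete" and not r.mfa),
    Rule("permit-admin", "Permit",
         lambda r: "admin" in r.roles),
    Rule("permit-owner-read-write", "Permit",
         lambda r: r.subject == r.resource_owner and r.action in {"read", "write"}),
    Rule("permit-public-read", "Permit",
         lambda r: r.action == "read" and r.resource.startswith("public/")),
]


def read_file(req: AccessRequest) -> str:
    """Stand-in for the protected resource; only reachable through the PEP."""
    return f"contents of {req.resource}"


def run_demo() -> List[dict]:
    """Send a few constructed requests through the PEP and return the responses."""
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(RULES))
    requests = [
        AccessRequest("alice", frozenset({"admin"}), "delete", "hr/payroll.csv", "bob", mfa=False),
        AccessRequest("bob", frozenset(), "read", "bob/notes.txt", "bob", mfa=False),
        AccessRequest("mallory", frozenset(), "read", "bob/notes.txt", "bob", mfa=False),
        AccessRequest("eve", frozenset(), "read", "public/handbook.pdf", "hr", mfa=False),
    ]
    return [pep.handle(r, read_file) for r in requests]


def run_broken_policy() -> dict:
    """A rule that raises must yield Indeterminate -> 403, never a Permit."""
    def explode(_req):
        raise RuntimeError("policy store unreachable")
    pep = PolicyEnforcementPoint(PolicyDecisionPoint([Rule("broken", "Permit", explode)]))
    return pep.handle(AccessRequest("bob", frozenset(), "read", "bob/notes.txt", "bob", True), read_file)


if __name__ == "__main__":
    for resp in run_demo():
        print(resp)
    print(run_broken_policy())
```

The point of the split is that the PEP contains no policy logic at all: it can be placed in an API gateway, a sidecar or a file server and the same PDP answers for all of them. Note that the admin's delete is refused even though "permit-admin" matches, because a Deny overrides, and that a PDP failure is logged and refused rather than silently allowed.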
Section 5.5 (Manage the identity and access provisioning lifecycle):
A new sub-domain called "Service accounts management" has been added, emphasizing the need for careful management of service accounts, which are important in automated tasks but can be a huge security risk if not managed correctly.
Domain 6 - Security Assessment and Testing
Here are a few changes to Domain 6.
Section 6.1 (Design and validate assessment, test, and audit strategies):
This section now includes considerations for the location of assets and operations, such as on-premise, cloud, and hybrid environments. This addition emphasizes adapting assessment strategies and data security controls to fit different IT environments.
Section 6.2 (Conduct security controls testing):
Benchmarks have been added to synthetic transactions. This reflects an increasing focus on using standardized benchmarks to assess the effectiveness of security controls.
Section 6.5 (Conduct or facilitate security audits):
Another element focusing on location for security audits, including on-premise, cloud, and hybrid, has been added. This stresses the importance of audit methods that adapt to where systems actually run.
Domain 7 - Security Operations
Here are the changes to Domain 7.
Section 7.2 (Conduct logging and monitoring activities):
The addition of "Security orchestration, automation, and response" (SOAR) signifies the increasing reliance on automation, which is displacing manual processes, to streamline security operations and improve incident response efficiency.
Section 7.5 (Apply resource protection):
This section now emphasizes protecting data at rest and in transit. It recognizes the importance of keeping data safe at every stage, especially when data breaches are a major concern.
Section 7.12 (Test disaster recovery plan (DRP)):
Added focus on communications during disaster recovery testing. This underlines the importance of open and effective communication with stakeholders, regulatory bodies, and other parties.
Domain 8 - Software Development Security
Let's look at some of the changes made to Domain 8.
Section 8.1 (Understand and integrate security in the Software Development Life Cycle (SDLC)):
Scaled agile framework has been added to the development methodologies. This addition acknowledges the increasing use of agile methods and of the large-scale agile frameworks needed to make them work in sizable organizations.
Section 8.2 (Identify and apply security controls in development environments):
ISC2 added "software composition analysis" (SCA) and "interactive application security testing" (IAST) to the application security testing methods. This reflects the changing nature of software security, highlighting the need for thorough analysis of third-party components and hands-on testing methods.
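To make the SCA item concrete, here is an added example (not code from ISC2 or the original article) of what a composition-analysis step does: it walks a dependency lockfile, including transitive packages, and matches each package version against an advisory feed using the "introduced / fixed" range convention, then reports the path by which each affected package entered the build. The lockfile, the package names and the advisory identifiers are all constructed for the example; the advisory IDs are placeholders, not real CVEs.

```python
"""Software composition analysis (SCA) over a dependency manifest.

Added illustration for the SCA item in Section 8.2. The lockfile, the
advisory feed and the package names are constructed for this example;
the advisory identifiers are placeholders, not real CVEs.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed lockfile: package -> (installed version, packages that pulled it in).
LOCKFILE: Dict[str, Tuple[str, List[str]]] = {
    "webframe":  ("2.3.1", []),              # direct dependency
    "jsonparse": ("1.4.0", ["webframe"]),    # transitive, via webframe
    "widgetlib": ("0.9.7", []),
    "tlshelper": ("3.0.2", ["widgetlib"]),
}

# Constructed advisory feed: the affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "jsonparse", "introduced": "1.0.0", "fixed": "1.4.2",
     "summary": "stack exhaustion on deeply nested input"},
    {"id": "EXAMPLE-2024-0002", "package": "tlshelper", "introduced": "2.0.0", "fixed": "3.0.0",
     "summary": "hostname verification disabled by default"},
    {"id": "EXAMPLE-2024-0003", "package": "webframe", "introduced": "2.0.0", "fixed": "2.3.2",
     "summary": "open redirect in login handler"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; pads so that 1.4 compares equal to 1.4.0."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the fixed release itself is clean)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


@dataclass(frozen=True)
class Finding:
    advisory: str
    package: str
    version: str
    fixed_in: str
    path: str      # how the vulnerable package entered the dependency tree


def dependency_path(package: str, lockfile: Dict[str, Tuple[str, List[str]]]) -> str:
    """Walk parent links back to a direct dependency, e.g. 'webframe > jsonparse'."""
    chain = [package]
    while lockfile[chain[0]][1]:
        chain.insert(0, lockfile[chain[0]][1][0])
    return " > ".join(chain)


def scan(lockfile=LOCKFILE, advisories=ADVISORIES) -> List[Finding]:
    """Match every advisory against the installed version of its package."""
    findings: List[Finding] = []
    for adv in advisories:
        entry = lockfile.get(adv["package"])
        if entry is None:
            continue                      # package not in this build
        version, _parents = entry
        if is_affected(version, adv["introduced"], adv["fixed"]):
            findings.append(Finding(adv["id"], adv["package"], version, adv["fixed"],
                                    dependency_path(adv["package"], lockfile)))
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"{f.advisory}: {f.path} {f.version} (fixed in {f.fixed_in})")
```

The transitive case is the one that matters in practice: nobody chose `jsonparse`, it arrived with `webframe`, and the only remediation is to bump the direct dependency or pin an override, which is why the report carries the path and not just the package name. Real SCA tools add licence checks, non-numeric version schemes and a signed advisory source, but the matching logic is this.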
Section 8.4 (Assess security impact of acquired software):
The CISSP update adds a focus on "Cloud services," including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). This change recognizes the significant shift towards cloud computing in software development and the necessity to assess the security implications of using cloud services.
What Has Been Removed From the CISSP Exam Update 2024?
After reviewing the 2021 and 2024 CISSP content, we found only one topic that was fully removed in the 2024 update. Aside from this sole removal, the exam content has remained largely the same, with some items being taken from one area and moved to another or added to existing subdomains.
For example, the 2021 CISSP exam described multimedia collaboration in 4.3.2 separately from voice systems covered in 4.3.1. The 2024 exam domain streamlines these into one merged subsection - 4.3.1 (Voice, video, and collaboration (e.g., conferencing, Zoom rooms)).
Another example is the 2021 exam section 5.6 (Implement authentication systems), which had subsections such as "Kerberos" or "OpenID Connect (OIDC)/Open Authorization (OAuth)." The CISSP 2024 refresh does not list those subsections but still includes 5.6 as (Implement authentication systems). We assume the curriculum is the same and ISC2 simply did not list every sub-item.
One item that has been removed is "Develop and document the scope and the plan" from Section 1.7, the Business Continuity requirements section, where the 2024 outline now lists business impact analysis (BIA) and external dependencies instead.
Which CISSP Exam Should I Write?
We suggest taking the current exam while it is still offered: its content is well known and study materials for it are widely available.
There is normally a lag of about three to six months before sufficient study material is available for a new exam.
However, with minor changes to the exam objectives, the exams should be quite similar, and you would likely be fine with taking the new one.
According to ISC2, if you already have experience in the domains and you have sufficiently studied those domains, you should be ready to take the new exam.
Conclusion
The new CISSP exam objectives contain some new additions but very few removals. As seen in our article, while changes have been made, most of the exam content remains intact from the previous version, with only a small amount of brand-new material introduced.
The exam itself is relatively unchanged other than the time allotted and the number of questions presented.
With this information, you are well prepared to decide which exam version you should pursue.
If you are preparing for CISSP and want to give yourself an edge, join our Accelerator program today and take advantage of all the great resources, such as mastermind and focus groups tailored to CISSP, connect with mentors, and join a community of like-minded individuals.