Candidates must have a minimum of 5 years of full-time security work experience in 2 or more of the 8 domains of the CISSP CBK. Earning a 4-year college degree or regional equivalent, or an additional credential from the (ISC)² approved list, will satisfy 1 year of the required experience. Educational credit will only satisfy 1 year of experience.
A candidate who doesn't have the required experience to become a CISSP may become an Associate of (ISC)² by successfully passing the CISSP examination. The Associate of (ISC)² will have 6 years to earn the 5 years of required experience.
Requirement Waivers
Old CISSP Syllabus Effective from 1st April, 2018
Domain 1: Security and Risk Management (15 %)
Domain 2: Asset Security (10 %)
Domain 3: Security Architecture and Engineering (13 %)
Domain 4: Communication and Network Security (14 %)
Domain 5: Identity and Access Management (IAM) (13 %)
Domain 6: Security Assessment and Testing (12 %)
Domain 7: Security Operations (13 %)
Domain 8: Software Development Security (10 %)
New CISSP Syllabus Effective from 1st May, 2021
Domain 1: Security and Risk Management (15 %)
Domain 2: Asset Security (10 %)
Domain 3: Security Architecture and Engineering (13 %)
Domain 4: Communication and Network Security (13 %)
Domain 5: Identity and Access Management (IAM) (13 %)
Domain 6: Security Assessment and Testing (12 %)
Domain 7: Security Operations (13 %)
Domain 8: Software Development Security (11 %)
Domain 1: Security and Risk Management
1.1 Understand, adhere to, and promote professional ethics
» (ISC)² Code of Professional Ethics
» Organizational code of ethics
1.2 Understand and apply security concepts
» Confidentiality, integrity, and availability, authenticity and nonrepudiation
1.3 Evaluate and apply security governance principles
» Alignment of the security function to business strategy, goals, mission, and objectives
» Organizational processes (e.g., acquisitions, divestitures, governance committees)
» Organizational roles and responsibilities
» Security control frameworks
» Due care/due diligence
1.4 Determine compliance and other requirements
» Contractual, legal, industry standards, and regulatory requirements
» Privacy requirements
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context
» Cybercrimes and data breaches
» Licensing and Intellectual Property (IP) requirements
» Import/export controls
» Transborder data flow
» Privacy
1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
1.7 Develop, document, and implement security policy, standards, procedures, and guidelines
1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements
» Business Impact Analysis (BIA)
» Develop and document the scope and the plan
1.9 Contribute to and enforce personnel security policies and procedures
» Candidate screening and hiring
» Employment agreements and policies
» Onboarding, transfers, and termination processes
» Vendor, consultant, and contractor agreements and controls
» Compliance policy requirements
» Privacy policy requirements
1.10 Understand and apply risk management concepts
» Identify threats and vulnerabilities
» Risk assessment/analysis
» Risk response
» Countermeasure selection and implementation
» Applicable types of controls (e.g., preventive, detective, corrective)
» Control assessments (security and privacy)
» Monitoring and measurement
» Reporting
» Continuous improvement (e.g., Risk maturity modeling)
» Risk frameworks
1.11 Understand and apply threat modeling concepts and methodologies
1.12 Apply Supply Chain Risk Management (SCRM) concepts
» Risks associated with hardware, software, and services
» Third-party assessment and monitoring
» Minimum security requirements
» Service level requirements
1.13 Establish and maintain a security awareness, education, and training program
» Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification)
» Periodic content reviews
» Program effectiveness evaluation
Domain 2: Asset Security
2.1 Identify and classify information and assets
» Data classification
» Asset classification
2.2 Establish information and asset handling requirements
2.3 Provision resources securely
» Information and asset ownership
» Asset inventory (e.g., tangible, intangible)
» Asset management
2.4 Manage data lifecycle
» Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
» Data collection
» Data location
» Data maintenance
» Data retention
» Data remanence
» Data destruction
2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
2.6 Determine data security controls and compliance requirements
» Data states (e.g., in use, in transit, at rest)
» Scoping and tailoring
» Standards selection
» Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB))
Domain 3: Security Architecture and Engineering
3.1 Research, implement and manage engineering processes using secure design principles
» Threat modeling
» Least privilege
» Defense in depth
» Secure defaults
» Fail securely
» Separation of Duties (SoD)
» Keep it simple
» Zero Trust
» Privacy by design
» Trust but verify
» Shared responsibility
3.2 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
3.3 Select controls based upon systems security requirements
3.4 Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
» Client-based systems
» Server-based systems
» Database systems
» Cryptographic systems
» Industrial Control Systems (ICS)
» Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
» Distributed systems
» Internet of Things (IoT)
» Microservices
» Containerization
» Serverless
» Embedded systems
» High-Performance Computing (HPC) systems
» Edge computing systems
» Virtualized systems
3.6 Select and determine cryptographic solutions
» Cryptographic life cycle (e.g., keys, algorithm selection)
» Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum)
» Public Key Infrastructure (PKI)
» Key management practices
» Digital signatures and digital certificates
» Non-repudiation
» Integrity (e.g., hashing)
3.7 Understand methods of cryptanalytic attacks
» Brute force
» Ciphertext only
» Known plaintext
» Frequency analysis
» Chosen ciphertext
» Implementation attacks
» Side-channel
» Fault injection
» Timing
» Man-in-the-Middle (MITM)
» Pass the hash
» Kerberos exploitation
» Ransomware
3.8 Apply security principles to site and facility design
3.9 Design site and facility security controls
» Wiring closets/intermediate distribution facilities
» Server rooms/data centers
» Media storage facilities
» Evidence storage
» Restricted and work area security
» Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
» Environmental issues
» Fire prevention, detection, and suppression
» Power (e.g., redundant, backup)
Domain 4: Communication and Network Security
4.1 Assess and implement secure design principles in network architectures
» Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
» Internet Protocol (IP) networking (e.g., Internet Protocol Security (IPSec), Internet Protocol (IP) v4/6)
» Secure protocols
» Implications of multilayer protocols
» Converged protocols (e.g., Fiber Channel Over Ethernet (FCoE), Internet Small Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP))
» Micro-segmentation (e.g., Software Defined Networks (SDN), Virtual eXtensible Local Area Network (VXLAN), Encapsulation, Software-Defined Wide Area Network (SD-WAN))
» Wireless networks (e.g., Li-Fi, Wi-Fi, Zigbee, satellite)
» Cellular networks (e.g., 4G, 5G)
» Content Distribution Networks (CDN)
4.2 Secure network components
» Operation of hardware (e.g., redundant power, warranty, support)
» Transmission media
» Network Access Control (NAC) devices
» Endpoint security
4.3 Implement secure communication channels according to design
» Voice
» Multimedia collaboration
» Remote access
» Data communications
» Virtualized networks
» Third-party connectivity
Domain 5: Identity and Access Management (IAM)
5.1 Control physical and logical access to assets
» Information
» Systems
» Devices
» Facilities
» Applications
5.2 Manage identification and authentication of people, devices, and services
» Identity Management (IdM) implementation
» Single/Multi-Factor Authentication (MFA)
» Accountability
» Session management
» Registration, proofing, and establishment of identity
» Federated Identity Management (FIM)
» Credential management systems
» Single Sign On (SSO)
» Just-In-Time (JIT)
5.3 Federated identity with a third-party service
» On-premise
» Cloud
» Hybrid
5.4 Implement and manage authorization mechanisms
» Role Based Access Control (RBAC)
» Rule based access control
» Mandatory Access Control (MAC)
» Discretionary Access Control (DAC)
» Attribute Based Access Control (ABAC)
» Risk based access control
5.5 Manage the identity and access provisioning lifecycle
» Account access review (e.g., user, system, service)
» Provisioning and deprovisioning (e.g., on/off boarding and transfers)
» Role definition (e.g., people assigned to new roles)
» Privilege escalation (e.g., managed service)
5.6 Implement authentication systems
» OpenID Connect (OIDC)/Open Authorization (OAuth)
» Security Assertion Markup Language (SAML)
» Kerberos
» Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+)
Domain 6: Security Assessment and Testing
6.1 Design and validate assessment, test, and audit strategies
» Internal
» External
» Third-party
6.2 Conduct security control testing
» Vulnerability assessment
» Penetration testing
» Log reviews
» Synthetic transactions
» Code review and testing
» Misuse case testing
» Test coverage analysis
» Interface testing
» Breach attack simulations
» Compliance checks
6.3 Collect security process data (e.g., technical and administrative)
» Account management
» Management review and approval
» Key performance and risk indicators
» Backup verification data
» Training and awareness
» Disaster Recovery (DR) and Business Continuity (BC)
6.4 Analyze test output and generate report
» Remediation
» Exception handling
» Ethical disclosure
6.5 Conduct or facilitate security audits
» Internal
» External
» Third-party
Domain 7: Security Operations
7.1 Understand and comply with investigations
» Evidence collection and handling
» Reporting and documentation
» Investigative techniques
» Digital forensics tools, tactics, and procedures
» Artifacts (e.g., computer, network, mobile device)
7.2 Conduct logging and monitoring activities
» Intrusion detection and prevention
» Security Information and Event Management (SIEM)
» Continuous monitoring
» Egress monitoring
» Log management
» Threat intelligence (e.g., threat feeds, threat hunting)
» User and Entity Behavior Analytics (UEBA)
7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)
7.4 Apply foundational security operations concepts
» Need-to-know/least privilege
» Separation of Duties (SoD) and responsibilities
» Privileged account management
» Job rotation
» Service Level Agreements (SLAs)
7.5 Apply resource protection
» Media management
» Media protection techniques
7.6 Conduct incident management
» Detection
» Response
» Mitigation
» Reporting
» Recovery
» Remediation
» Lessons learned
7.7 Operate and maintain detective and preventative measures
» Firewalls (e.g., next generation, web application, network)
» Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
» Whitelisting/blacklisting
» Third-party provided security services
» Sandboxing
» Honeypots/honeynets
» Anti-malware
» Machine learning and Artificial Intelligence (AI) based tools
7.8 Implement and support patch and vulnerability management
7.9 Understand and participate in change management processes
7.10 Implement recovery strategies
» Backup storage strategies
» Recovery site strategies
» Multiple processing sites
» System resilience, High Availability (HA), Quality of Service (QoS), and fault tolerance
7.11 Implement Disaster Recovery (DR) processes
» Response
» Personnel
» Communications
» Assessment
» Restoration
» Training and awareness
» Lessons learned
7.12 Test Disaster Recovery Plans (DRP)
» Read-through/tabletop
» Walkthrough
» Simulation
» Parallel
» Full interruption
7.13 Participate in Business Continuity (BC) planning and exercises
7.14 Implement and manage physical security
» Perimeter security controls
» Internal security controls
7.15 Address personnel safety and security concerns
» Travel
» Security training and awareness
» Emergency management
» Duress
Domain 8: Software Development Security
8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
» Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps)
» Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))
» Operation and maintenance
» Change management
» Integrated Product Team (IPT)
8.2 Identify and apply security controls in software development ecosystems
» Programming languages
» Libraries
» Tool sets
» Integrated Development Environment (IDE)
» Runtime
» Continuous Integration and Continuous Delivery (CI/CD)
» Security Orchestration, Automation, and Response (SOAR)
» Software Configuration Management (SCM)
» Code repositories
» Application security testing (e.g., Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST))
8.3 Assess the effectiveness of software security
» Auditing and logging of changes
» Risk analysis and mitigation
8.4 Assess security impact of acquired software
» Commercial-off-the-shelf (COTS)
» Open source
» Third-party
» Managed services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
8.5 Define and apply secure coding guidelines and standards
» Security weaknesses and vulnerabilities at the source-code level
» Security of Application Programming Interfaces (APIs)
» Secure coding practices
» Software-defined security
Anamnagar - 32 Kathmandu, Nepal
info@labanepal.com
+977-1-4102721, 4102722, 4244804
10 AM - 5 PM