CISSP Exam Update

Content Update for April 15, 2018

Effective April 15, 2018, test takers will see an updated version of the CISSP exam. The exam content is updating as per the regular three-year cycle. This update entails adding, subtracting, and renaming certain content from the CISSP exam’s testable topics. This update will affect how you study and the resources you should use. Below are the answers to questions that you are likely asking.


Simply put, an exam update is any change to the certification exam itself. In this case, the most important change to the CISSP exam revolves around content. This update entails adding, renaming, and reorganizing content from testable topics within the CISSP exam.


General Questions

What content is being added?

Across most of the eight domains, new content is being added to the exam objectives. The new content, in (ISC)²’s words, includes:

  • Contractual, legal, industry standards, and regulatory requirements
  • Threat modeling methodologies [and concepts]
  • Understanding data states
  • Internet of Things (IoT)
  • Attribute Based Access Control (ABAC)
  • Integrating Identity as a Third-Party service via Cloud
  • Understanding and conducting Internal, External, Third-party audit strategies
  • Personnel travel and duress
  • Secure coding practices

If I prepared for the pre-April 15 version of the exam, will I be prepared for the new one?

No. The added content is significant enough that you need to prepare for the new exam content. On a CAT especially, every question matters. One question could mean the difference between passing or not, so you’ll want to be as prepared as possible by knowing all the testable content. You shouldn’t walk into your test not knowing how ABAC enforces access control.

Will the new exam be harder than the old one?

No and yes. Overall, the passing rate of the exam is unlikely to change. However, it is important that you use study resources that are up-to-date and reflect the most recent CISSP exam objectives.

In addition, any work experience in the added content knowledge areas will be helpful on test day. For example, if you are a test taker with first-hand experience with security audits or source-code level security (or any of the aforementioned new content), you will be at an advantage.

Why is the CISSP content updating?

The whole purpose of content updates is to ensure certification exams stay in tune with the real world. Indeed, the cybersecurity landscape is constantly evolving. Every three years (ISC)² adds topics to the testable material that are emerging priorities for security practitioners and managers.

Am I guaranteed to see the new content on my test?

Probably. While every exam experience is different and there is no guarantee on the material you will and won’t see, it’s unlikely that your exam will not include questions covering the new content. Just like we teach in our Test Day Strategy lessons, think like the test maker: To prepare for this content update, (ISC)² put thousands of students through experimental questions to refine the new questions that will appear on the new exam. It’s unlikely that after so much preparation and refining, (ISC)² would not include the new content.

What other changes, besides content, will there be?

In addition to new content, the number of questions that appear from each of the eight domains will be shifting. This breakdown is known as the exam’s ‘Domain Weight.’ The chart below summarizes the updated domain weights.

| Domain | Old Weight | New Weight | Change |
|---|---|---|---|
| 1. Security and Risk Management | 16% | 15% | 1% Decrease |
| 2. Asset Security | 10% | 10% | No Change |
| 3. Security Engineering (*New Domain name: Security Architecture and Engineering) | 12% | 13% | 1% Increase |
| 4. Communications and Network Security | 12% | 14% | 2% Increase |
| 5. Identity and Access Management | 13% | 13% | No Change |
| 6. Security Assessment and Testing | 11% | 12% | 1% Increase |
| 7. Security Operations | 16% | 13% | 3% Decrease |
| 8. Software Development Security | 10% | 10% | No Change |

The new exam is slightly emphasizing the two most technical domains (Domains 3 and 4), while slightly de-emphasizing Domain 7, Security Operations. Test takers, as usual, can expect to see technical questions about the details of security architecture, cryptography, and network security.

It’s important to recognize that even though the percentages of Domains 1 and 7 decreased, they remain extremely relevant to the exam. Items such as Business Continuity and Disaster Recovery Plans are important knowledge for the exam and in the real world. All in all, the exam remains a technical exam with a managerial twist.

Is this update different than the CAT update?

Yes. The April 2018 exam update revolves around content. The December 2017 CAT update was an exam format update. After April 14, 2018, the exam will still be a CAT.

Where can I find the new exam outline?

If you want to personally sift through the new exam outline, go for it! Find the new exam outline here.


Don’t worry! Exam updates are nothing new to us, and many of our team members have been preparing students for these types of transitions for years. We’re happy to help you in your preparation to earn your CISSP credential. Check out a CyberVista sample lesson of the new content, our latest promotions for the CISSP, and information on other certifications here. We’ll see you in class.
