CISSP Exam Update: April 2018

Following a change on April 15, 2018, test takers now see an updated version of the CISSP exam. The exam content is being updated as part of the regular three-year cycle. This update entails adding, subtracting, and renaming certain content from the CISSP exam’s testable topics. It will affect how CISSP hopefuls prepare and which resources they should use. Below are the answers to frequently asked questions regarding this change.

What is an exam update?

Simply put, an exam update is any change to the certification exam itself. In this case, the most important change to the CISSP exam revolves around content. This update entails adding, renaming, and reorganizing content from testable topics within the CISSP exam.

Additional FAQs

  • Across most of the eight domains, new content is being added to the exam objectives. The new content, in (ISC)²’s words, includes:

    • Contractual, legal, industry standards, and regulatory requirements
    • Threat modeling methodologies [and concepts]
    • Understanding data states
    • Internet of Things (IoT)
    • Attribute Based Access Control (ABAC)
    • Integrating Identity as a Third-Party service via Cloud
    • Understanding and conducting Internal, External, Third-party audit strategies
    • Personnel travel and duress
    • Secure coding practices
  • No. The added content is significant enough that you need to prepare for the new exam content. On a CAT especially, every question matters. One question could mean the difference between passing or not, so you’ll want to be as prepared as possible by knowing all the testable content. You shouldn’t walk into your test not knowing how ABAC enforces access control.

  • No and yes. Overall, the passing rate of the exam is unlikely to change. However, it is important that you use study resources that are up-to-date and reflect the most recent CISSP exam objectives.

    In addition, any work experience in the added content knowledge areas will be helpful on test day. For example, if you are a test taker with first-hand experience with security audits or source-code level security (or any of the before-mentioned new content), you will be at an advantage.

  • The whole purpose of content updates is to ensure certification exams stay in tune with the real world. Indeed, the cybersecurity landscape is constantly evolving. Every three years (ISC)² adds topics to the testable material that are emerging priorities for security practitioners and managers.

  • Probably. While every exam experience is different and there is no guarantee on the material you will and won’t see, it’s unlikely that your exam will not include questions covering the new content. Just like we teach in our Test Day Strategy lessons, think like the test maker: To prepare for this content update, (ISC)² put thousands of students through experimental questions to refine the new questions that will appear on the new exam. It’s unlikely that after so much preparation and refining, (ISC)² would not include the new content.

  • What other changes, besides content, will there be?

    In addition to new content, the number of questions that appear from each of the eight domains will be shifting. This breakdown is known as the exam’s ‘Domain Weight.’ The chart below summarizes the updated domain weights.

    | Domain | Old Weight | New Weight | Change |
    |---|---|---|---|
    | 1. Security and Risk Management | 16% | 15% | 1% Decrease |
    | 2. Asset Security | 10% | 10% | No Change |
    | 3. Security Engineering* | 12% | 13% | 1% Increase |
    | 4. Communications and Network Security | 12% | 14% | 2% Increase |
    | 5. Identity and Access Management | 13% | 13% | No Change |
    | 6. Security Assessment and Testing | 11% | 12% | 1% Increase |
    | 7. Security Operations | 16% | 13% | 3% Decrease |
    | 8. Software Development Security | 10% | 10% | No Change |

    *New Domain name: Security Architecture and Engineering

  • The new exam is slightly emphasizing the two most technical domains (Domains 3 and 4), while slightly de-emphasizing Domain 7, Security Operations. Test takers, as usual, can expect to see technical questions about the details of security architecture, cryptography, and network security.

    It’s important to recognize that even though the percentages of Domains 1 and 7 decreased, they remain extremely relevant to the exam. Items such as Business Continuity and Disaster Recovery Plans are important knowledge for the exam and in the real world. All in all, the exam remains a technical exam with a managerial twist.

  • Yes. The April 2018 exam update revolves around content. The December 2017 CAT update was an exam format update. After April 14, 2018, the exam will still be a CAT.

  • If you want to personally sift through the new exam outline, go for it! Find the new exam outline here.

What now?

Don’t worry! Exam updates are nothing new to us, and many of our team members have been preparing students for these types of transitions for years. We’re happy to help you in your preparation to earn your CISSP credential. Check out an N2K sample lesson of the new content and information on other certifications here. We’ll see you in class.