This much-awaited update may alter one of the most esteemed credentials in the industry. Anyone wishing to obtain this certification must comprehend these changes and make adjustments accordingly.
In this article we go over the differences introduced by the CISSP exam refresh 2024, including the additions and deletions. Do the changes matter? Were the tested domains redesigned? Has the exam format changed?
Come along as we address all of your concerns regarding the new CISSP test and provide answers to these queries.
To keep the CISSP certification current, ISC2 refreshes it with the CISSP exam 2024 updates. The refresh process ensures that the exam covers issues pertinent to the tasks and responsibilities of contemporary cybersecurity professionals, including the essential knowledge and skills; this is where the changes originate.
Cybersecurity professionals gearing up for the CISSP exam face an exciting development: the CISSP 2024 update. This pivotal change aims to align the esteemed certification with the evolving landscape of the cybersecurity industry.
Updates to the ISC2 CISSP are made every three years. This update is based on the Job Task Analysis (JTA) procedure. In short, the JTA looks closely at the knowledge and abilities that are critical to cyber security.
It determines whether the CISSP exam is appropriate for the demands and difficulties of modern cyber security. To guarantee that the CISSP test remains relevant and up-to-date for professionals working in this industry, ISC2 uses the JTA every three years.
On April 15, 2024, the ISC2 CISSP refresh will go into effect.
Exam in 2021:
Question count: 125 to 175 questions.
Time allowed: 4 hours.
Beta questions: 50 beta questions within the first 125 questions.
Format: Computer Adaptive Testing (CAT), including sophisticated, creative multiple-choice questions.
Passing score: 700 out of 1000 points.
Cost: $749 plus $125 yearly.
Exam in 2024:
Question count: 100 to 150 questions.
Time allowed: 3 hours.
Beta questions: 25 beta questions within the first 100 questions.
Format: Still a CAT test.
Passing score: 700 out of 1000 points.
Cost: $749 plus $125 yearly.
Each applicant takes the CISSP computer adaptive test (CAT), which begins with a simple question. The exam recalculates the candidate's skill level after each response and chooses the subsequent question accordingly. The more questions a candidate has answered, the more precisely it can measure their genuine ability.
The content of the CISSP has not changed much over the years; only about 5% of it is new.
What specifically is new in the 2024 CISSP exam refresh, then? Let's review each of the eight domains, highlighting the additions and their significance.
Let's examine a few of Domain 1's modifications.
Section 1.7 (Identify, analyze, evaluate, prioritize, and implement business continuity (BC) requirements):
New content regarding external dependencies has been added to the business continuity (BC) requirements, emphasizing the importance of understanding external partnerships, such as vendors and contractors, and their impact on business continuity, especially in today's corporate environments.
Section 1.9: "Comprehend and implement risk management principles"
To emphasize the necessity of a continuous approach to risk management, the terms "scope" and "continuous" have been added to risk assessment/analysis and monitoring and measurement, respectively.
Section 1.12 (Create and uphold a program for security awareness, instruction, and training):
ISC2 expanded its "Periodic content reviews" to include subjects like blockchain, AI, and cryptocurrencies. This update highlights the significance of emerging technologies, which are essential for addressing security concerns both now and in the future.
Domain 2: Security of Assets
Domain 2 has not undergone any modifications.
Here are a few of Domain 3's modifications.
Section 3.1 (Apply secure design concepts to research, develop, and manage engineering processes):
The focus of these changes is on reducing the amount of code, making use of microservices to create a leaner architecture, and introducing secure access service edge (SASE), a framework that combines wide-area networking and network security principles in a cloud service. The most recent adjustments are meant to increase productivity and give more attention to cloud-based security options.
Section 3.5 (Evaluate and reduce the vulnerabilities of security architectures, designs, and solution elements):
In the industrial control system subdomain, "Operational Technology" has been added to broaden the focus to include a larger range of devices and systems, including controllers and sensors, emphasizing the growing significance of securing a vast array of linked devices.
Section 3.6 (Select and determine cryptographic solutions):
There is now a section on "Quantum key distribution," which highlights the significance of getting ready for cutting-edge, secure communication technologies as well as the future of encryption.
New Section 3.10 ("System Lifecycle Management"):
This completely new part emphasizes the value of security at every stage of a system's lifecycle, covering the phases of system management from stakeholder requirements through to retirement/disposal.
Let's examine the changes that Domain 4 has undergone.
Section 4.1 (Apply secure design principles to network designs):
Exam topics such as data/control/management planes and transport network architecture are now covered in more detail. It also covers performance parameters like signal-to-noise ratio, throughput, bandwidth, latency, jitter, and others that are crucial for assessing or improving network performance.
Different types of network segmentation, both logical (VLANs, VPNs, and virtual routing) and physical (in-band, out-of-band, and air-gapped networks), are receiving more attention since they are crucial for controlling and safeguarding networks. In addition, the ISC2 CISSP now covers traffic flow patterns that describe the movement of data within and between networks, such as east-west and north-south traffic.
Emerging themes including edge networks, virtual private clouds (VPC), and micro-segmentation fit nicely with the current developments in network security, such as the move toward zero trust models and the growing significance of edge computing.
Recent network administration and monitoring developments, including fault detection, capacity management, traffic shaping, and network observability, highlight the need for thorough supervision and proactive control in intricate networking settings.
These are Domain 5's modifications.
Section 5.1 (Control both logical and physical access to assets):
A new sub-domain on services was introduced by ISC2, encompassing access control, directory, and authentication services. This addition reflects the need for robust access control mechanisms given the expanding complexity and breadth of services in today's IT environments.
Renamed: in Section 5.2.1, the term "Groups and Roles" replaces "Identity Management (IdM) implementation", suggesting a more targeted approach to managing identities within groups and roles. This is crucial for maintaining policy compliance and regulating access.
Section 5.4 (Implement and manage authorization mechanisms):
Concepts like policy decision points and policy enforcement points have been added, with an emphasis on access policy enforcement. This demonstrates how important it is to manage policies effectively when deciding what is permitted or denied.
Section 5.5 (Oversee the identity and access provisioning lifecycle):
A new subdomain named "Service accounts management" has been introduced to emphasize the importance of carefully managing service accounts, which are crucial for automated tasks but can pose a serious security risk if improperly managed.
These are some modifications to Domain 6.
Section 6.1 (Design and validate assessment, test, and audit strategies):
The location of operations and assets, including on-premises, cloud, and hybrid environments, is now taken into account in this area. The emphasis of this new part is on adapting data security controls to the different IT environments.
Section 6.2 (Conduct security control testing):
Benchmarks for synthetic (simulated) transactions have been introduced. This indicates a growing emphasis on evaluating the efficacy of security mechanisms using uniform criteria.
Section 6.5 (Conduct or assist security audits): An additional section has been included that addresses on-premises, cloud, and hybrid security audit locations. This emphasizes how crucial adaptable audit techniques are for improving system security.
These are Domain 7's modifications.
In Section 7.2, "Conduct logging and monitoring activities," the term "Security orchestration, automation, and response" (SOAR) is added. This indicates that automated systems are being used more frequently than traditional systems to expedite security operations and enhance the effectiveness of incident response.
Section 7.5 (Apply resource protection):
A new focus on safeguarding data both in transit and at rest has been added. This acknowledges how crucial it is to protect data at all times, particularly in light of the growing concern over data breaches.
Section 7.12 (Test disaster recovery plans (DRP)):
Heightened attention is given to communication in disaster recovery exercises. This emphasizes how crucial it is to communicate clearly and effectively with other parties, regulatory agencies, and stakeholders.
Let's examine a few of the modifications made to Domain 8.
Section 8.1 (Understand and incorporate security into the Software Development Life Cycle (SDLC)):
The development approaches have been expanded to include a scaled agile framework. This update recognizes the growing popularity of large-scale, agile methodologies that need to be scaled up to fit the needs of major enterprises.
Section 8.2 (Identify and implement security controls in development environments):
The application security testing techniques were expanded by ISC2 to include "software composition analysis" and "interactive application security testing (IAST)". This illustrates how software security is evolving and emphasizes the need for in-depth analysis and practical testing techniques.
Section 8.4 (Analyze the security implications of newly purchased software):
A new emphasis on "Cloud services", such as Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS), has been added in the CISSP update. This modification acknowledges the important transition in software development toward cloud computing and the need to consider the security implications of using cloud services.
Upon examining the CISSP content for 2021 and 2024, we discovered that the 2024 update eliminated just one topic. Except for this one removal, the exam's material has mostly not changed; however, certain items have been moved or added to already-existing subdomains, or taken from one area and put in another.
For instance, the 2021 CISSP test separated the discussion of multimedia collaboration (in 4.3.2) from the discussion of voice systems (in 4.3.1). These are combined into a single subsection, 4.3.1 (Voice, video, and collaboration (e.g., conferencing, Zoom rooms)), in the 2024 exam domain.
Another illustration is found in Section 5.6 of the 2021 test, "Implement authentication systems," which included subsections such as "OpenID Connect (OIDC)/Open Authorization (OAuth)" and "Kerberos." These subsections are absent from the CISSP 2024 refresh, but 5.6 (Implement authentication systems) is still listed. Since they did not list them all, we can presume that the curriculum is the same.
"Develop and document the scope and the plan" from item 1.8 appears to have been eliminated. This is probably because the emphasis now is on more pertinent elements of enforcing personnel security policies and procedures.
There are a few new additions to the CISSP exam objectives, as well as a few deletions. As can be observed in our post, despite the modifications, the majority of the exam's content is carried over from the prior iteration, apart from a minor amount of newly added content.
Except for the time limit and the number of questions, the exam itself is mostly unaltered.
With this knowledge, you can make an informed decision about the exam version you want to take.