As many of you are probably aware, (ISC)2 updated the Certified Information Systems Security Professional (CISSP) exam in April 2015. You may be worried that the update meant all the existing CISSP products out there immediately became obsolete. Fortunately, that is just not true.
So what did change? Well, there are several points that you need to understand about this new version. (ISC)2 posted a wonderful FAQ regarding the new version: https://www.isc2.org/cissp-sscp-domains-faq/default.aspx.
Here’s what I found from my own investigation of the new CISSP exam.
No topics were REMOVED from the exam.
From the FAQ link above: “Some topics have been expanded (e.g., asset security, security assessment and testing), while other topics have been realigned under different domains.” There was also this answer to a question: “Content was not removed from the exam and/or training material, but rather refreshed and reorganized to include the most current information and best practices relevant to the global information security industry.”
New topics WERE added to the exam.
From the FAQ link above: “The CISSP exam is being updated to stay relevant amidst the changes occurring in the information security field. Refreshed technical content has been added to the Official (ISC)² CISSP CBK to reflect the most current topics in the information security industry today.”
New item types WERE added to the exam.
The exam includes both multiple choice and “advanced innovative” questions. The new innovative questions are hot spot and drag-and-drop questions. For more information on these question types, see https://www.isc2.org/innovative-cissp-questions/default.aspx.
The exam contains the same number of questions as before.
This exam still have 250 questions. You still have 6 hours to complete the exam.
The exam was condensed from 10 domains to 8 domains.
But let me repeat, content was not removed. It was simply restructured.
The new domains are:
- Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
- Asset Security (Protecting Security of Assets)
- Security Engineering (Engineering and Management of Security)
- Communications and Network Security (Designing and Protecting Network Security)
- Identity and Access Management (Controlling Access and Managing Identity)
- Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
- Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
- Software Development Security (Understanding, Applying, and Enforcing Software Security)
The experience prerequisites have not changed.
Again, as per the FAQ: “For the CISSP, a candidate is required to have a minimum of 5 years of cumulative paid full-time work experience in 2 out of the 8 domains (experience in 2 out of the total number of domains) of the CISSP CBK.”
If you don’t meet the experience requirements, you can still take the exam.
Basically, if you take and pass the exam without having the experience requirements, you don’t get the CISSP certification, but you do become an Associate of (ISC)2. That means they give you six years to meet the experience and CISSP endorsement requirements. See https://www.isc2.org/how-to-become-an-associate.aspx for more information on this loophole.
It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.
Wishing you certification success!
-Robin Abernathy