CISSP Exam 2021: Here are the Updates

The Certified Information Systems Security Professional (CISSP) is an internationally recognized information security credential. It validates a professional’s knowledge and skill to design, engineer, and manage the security posture of their organization.

(ISC)² released the revised and updated version of the exam on May 1, 2021. The main reason for this change is to ensure the exam remains current and relevant. That way, certification holders will be able to demonstrate knowledge and skill related to the latest cybersecurity processes and practices.

If you’re planning to take the certification exam this year, the following lines are for you. 

What are the 2021 Changes to the CISSP Exam?

The CISSP certification exam will be based on a new exam outline. According to the CISSP Domain Refresh Guide, the modules have been updated to reflect the shift in the issues cybersecurity professionals face. Further, the weights of two domains have been changed for the same reason. 

Changes to CISSP Subdomains 

The following indicates the new/updated modules in each of the certification exam’s eight domains. 

Domain 1: Security and Risk Management

There are a few changes to Domain 1. 

  • A new module “Understand and apply security concepts” was added. 
  • The module “Understand requirements for investigation types (i.e. administrative, criminal, civil, regulatory, industry standards)” moved from Domain 7 to Domain 1. 
  • The 2018 exam covered legal and regulatory issues related to information security in a global context. The 2021 one will cover the same in a holistic context. 

Domain 2: Asset Security

Here are the main changes in Domain 2:

  • A new module was added: “Manage data lifecycle”. 
  • The module “Ensure appropriate asset retention” has been further elaborated with the addition “(e.g. End-of-Life (EOL), End-of-Support (EOS))”. 
  • The module “Determine security controls” has been further expanded. The updated module is “Determine data security controls and compliance requirements”. 
  • The module “Provision resources securely” has been moved from Domain 7 to this domain. It has also been slightly reworded from “Securely provisioning resources”. 

Domain 3: Security Architecture and Engineering

Domain 3 no longer has the following three modules:

  • Assess and mitigate vulnerabilities in web-based systems
  • Assess and mitigate vulnerabilities in mobile systems
  • Assess and mitigate vulnerabilities in embedded devices

Instead, the new exam focuses on selecting and determining cryptographic solutions and understanding methods of cryptanalytic attacks. 

Another slight change to Domain 3’s modules is the addition of ‘research’ to implementing and managing engineering processes. Further, the “Implement site and facility security controls” module has been changed to “Design site and facility security controls”. 

Domain 4: Communication and Network Security

There are no major changes to Domain 4’s modules. The only change is that the module on implementing secure design principles in network architectures now also covers assessing them. 

Domain 5: Identity and Access Management (IAM)

Domain 5 previously included the module “Integrate identity as a third-party service”. In the 2021 outline, this has been replaced with “Federated identity with a third-party service”. 

Also new in the 2021 outline is the module “Implement authentication systems”. 

Domain 6: Security Assessment and Testing

This domain remains unchanged in the 2021 CISSP outline. 

Domain 7: Security Operations 

The following changes took place in Domain 7:

  • A new module was added: “Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)”. 
  • The module “Understand and support investigations” has been reworded to “Understand and comply with investigations”. 

Domain 8: Software Development Security

This domain remains unchanged in the 2021 exam outline. 

Change to Domain Weights

The second change to the CISSP exam is the change in the weights of the following domains. 

  • Domain 4: Communication and Network Security 
  • Domain 8: Software Development Security

Domain 4’s weight decreased from 14% to 13%. Meanwhile, Domain 8’s increased from 10% to 11%. Like the subdomains, the change in domain weights is the result of current changes in cybersecurity issues. 

What these Changes Mean for CISSP Certification Candidates

Some of the new topics are already covered or further expand the domains. Their goal is to ensure certification candidates are familiar with current cybersecurity issues. 

As for the rewording of modules and the re-organization of items, these have little to no impact on your preparations or the exam itself. 

Finally, items that were removed are still part of the exam as they’re included in other topics. They were only removed to prevent unnecessary repetition. 

Don’t worry. The right CISSP training can help you with this. All you need to do is enroll in LearningCert’s CISSP boot camp and prepare for the exam with accredited trainers. And despite the apparently dry materials above, rest assured we’ll make this a fun learning experience. 

See you in one of our training sessions soon. 

About the Author

Currently serving as the Director Advisory Services at Business Beam, Syed Nabeel Iqbal is a lead trainer at LearningCert. In addition to being an established GRC lead consultant, he has over 16 years of industry experience, in which he conducted 10+ successful training sessions. He’s also an internationally accredited trainer for 15+ standards and frameworks, including COBIT, ITIL, and ISO standards.
