We did a not-so-quick comparison of the new May 2021 exam outline from ISC2. It looks like there is a 22% overall increase in material and indicators that some topics (such as Kerberos) are coming back into the CBK. The new topics are in bold as shown below. Reorganized topics are also shown. Our opinion – if you just started studying, wait until September to take the exam. If you’ve been studying for a few months, take it BEFORE MAY – you don’t want to walk into the exam having studied the “old” CBK, because you’ll likely encounter 22% new material, and if you need a score of 70% to pass, well, you can do the math on that… You may still pass, but just be aware of your risks – it’s only $50 to reschedule, which is better than re-paying $700 to retake it. Good luck!
| DOMAIN ALLOCATION 2021 (ignore the misalignment here, formatting issue) | ||||
| Security and Risk Management | 15% | Security and Risk Management | 15% | |
| Asset Security | 10% | Asset Security | 10% | |
| Security architecture and Engineering | 13% | Security architecture and Engineering | 13% | |
| Communication and Network Security | 14% | Communication and Network Security | 13% | |
| Identity and Access Management | 13% | Identity and Access Management | 13% | |
| Security Assessment and Testing | 12% | Security Assessment and Testing | 12% | |
| Security Opertations | 13% | Security Opertations | 13% | |
| Software Development Security | 10% | Software Development Security | 11% | |
| Domain 1: Security and Risk Management | May 2021 | |||
| 1.1 | Understand and apply concepts of confidentiality, integrity and availability | » Confidentiality, integrity, and availability, authenticity and nonrepudiation | reorganized | |
| 1.2 | Evaluate and apply security governance principles | |||
| Alignment of security function to business strategy, goals, mission, and objectives | ||||
| Organizational processes (e.g., acquisitions, divestitures, governance committees) | ||||
| Organizational roles and responsibilities | ||||
| Security control frameworks | ||||
| Due care/due diligence | ||||
| 1.3 | Determine compliance requirements | |||
| Contractual, legal, industry standards, and regulatory requirements | ||||
| Privacy requirements | ||||
| 1.4 | Legal/regulatory issues | Legal/regulatory issues | ||
| »» Cyber crimes and data breaches | » Cybercrimes and data breaches | |||
| »» Licensing and intellectual property requirements | » Licensing and Intellectual Property (IP) requirements | |||
| »» Import/export controls | » Import/export controls | |||
| »» Trans-border data flow | » Transborder data flow | |||
| »» Privacy | » Privacy | |||
| 1.5 | Professional Ethics | |||
| ISC2 code of professional ethics | ||||
| Organizational code of ethics | ||||
| 1.6 | Policy/procedure/standards/guidelines | New 1.6: Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) *Aligns with 1.3 *Moved from Domain 7 | reorganized | |
| 1.7 | Business continuity | |||
| Develop and document scope and plan | ||||
| BIA | ||||
| 1.8 | Personnel Security | |||
| Candidate screening and hiring | ||||
| Employment agreements and policies | ||||
| Onboarding and termination processes | ||||
| Vendor, consultant, and contractor agreements and controls | ||||
| Compliance policy requirements | ||||
| Privacy policy requirements | ||||
| 1.9 | Risk Management Concepts | |||
| Identify threats and vulnerabilities | » Identify threats and vulnerabilities | |||
| Risk assessment/analysis | » Risk assessment/analysis | |||
| Risk response | » Risk response | |||
| Countermeasure selection and implementation | » Countermeasure selection and implementation | |||
| Applicable types of controls (e.g., preventive, | » Applicable types of controls (e.g., preventive, | |||
| detective, corrective) | detective, corrective) | |||
| Security Control Assessment (SCA) | » Control assessments (security and privacy) | |||
| Monitoring and measurement | » Monitoring and measurement | |||
| Asset valuation | <removed Asset Valuation> | reorganized | ||
| Reporting | » Reporting | |||
| Continuous improvement | » Continuous improvement (e.g., Risk maturity modeling) | |||
| Risk frameworks | » Risk frameworks | |||
| 1.10 | Threat modeling | Threat modeling methodologies/concepts | reorganized | |
| Threat modeling methodologies | <removed subtopics> | |||
| Threat modeling concepts | ||||
| 1.11 | Risk Management/Supply chain | |||
| Risks associated with hardware, software, and | ||||
| services | ||||
| Third-party assessment and monitoring | ||||
| Minimum security requirements | ||||
| Service-level requirements | ||||
| 1.12 | Training/Awareness/Education | |||
| Methods and techniques to present awareness and training | » Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification) | new | ||
| Periodic content reviews | ||||
| Program effectiveness evaluation | ||||
| Domain 2: Asset Security | ||||
| 2.1 | Identify and classify information and assets | |||
| 2.2 | Determine and maintain information and asset ownership | |||
| 2.3 | Protect privacy | 2.3 – Provision resources securely | reorganized | |
| Data owners | » Information and asset ownership | |||
| Data processers | » Asset inventory (e.g., tangible, intangible) | |||
| Data remanence | » Asset management | |||
| Collection limitation | ||||
| 2.4 – Manage data lifecycle | reorganized | |||
| » Data roles (i.e., owners, controllers, custodians, | ||||
| processors, users/subjects) | ||||
| » Data collection | ||||
| » Data location | ||||
| » Data maintenance | ||||
| » Data retention | ||||
| » Data remanence | ||||
| » Data destruction | ||||
| 2.4 | Ensure appropriate asset retention | 2.5 – Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS)) | new | |
| <removed subtopics> | ||||
| 2.5 | Determine data security controls | |||
| Understand data states | ||||
| Scoping and tailoring | ||||
| Standards selection | ||||
| Data protection methods | ||||
| 2.6 | Establish information and asset handling requirements | Establish information and asset handling requirements | reorganized | |
| Data classification | <moved subtopics to 1st section> | |||
| Asset Classification | ||||
| Domain 3: Security Architecture and Engineering | ||||
| 3.1 | Engineering processes/Secure design principles | <New Subtopics> | ||
| » Threat modeling | ||||
| » Least privilege | ||||
| » Defense in depth | ||||
| » Secure defaults | new | |||
| » Fail securely | new | |||
| » Separation of Duties (SoD) | ||||
| » Keep it simple | new | |||
| » Zero Trust | new | |||
| » Privacy by design | new | |||
| » Trust but verify | new | |||
| » Shared responsibility | new | |||
| 3.2 | Security models | |||
| 3.3 | Security controls | |||
| 3.4 | Security capabilities / TPM, etc | |||
| 3.5 | Assess/mitigate vulns of security architectures | <New Subtopics> | ||
| »» Client-based systems | » Client-based systems | |||
| »» Server-based systems | » Server-based systems | |||
| »» Database systems | » Database systems | |||
| »» Cryptographic systems | » Cryptographic systems | |||
| »» Industrial Control Systems (ICS) | » Industrial Control Systems (ICS) | |||
| »» Cloud-based systems | » Cloud-based systems (e.g., Software as a Service | |||
| »» Distributed systems | (SaaS), Infrastructure as a Service (IaaS), Platform as | reorganized | ||
| »» Internet of Things (IoT) | a Service (PaaS)) | |||
| » Distributed systems | ||||
| » Internet of Things (IoT) | ||||
| » Microservices | new | |||
| » Containerization | new | |||
| » Serverless | new | |||
| » Embedded systems | reorganized | |||
| » High-Performance Computing (HPC) systems | New | |||
| » Edge computing systems | New | |||
| » Virtualized systems | New | |||
| 3.6 | Assess/mitigate vulns of web based systems | <removed> | ||
| 3.7 | Assess/mitigate vulns of mobile systems | <removed> | ||
| 3.8 | Assess/mitigate vulns of embedded systems | <moved> | ||
| 3.9 | Cryptography | Cryptographic Solutions | ||
| »» Cryptographic life cycle (e.g., key management, | ||||
| algorithm selection) | ||||
| »» Cryptographic methods (e.g., symmetric, | ||||
| asymmetric, elliptic curves) | ||||
| »» Public Key Infrastructure (PKI) | ||||
| »» Key management practices | ||||
| »» Digital signatures | ||||
| »» Non-repudiation | ||||
| »» Integrity (e.g., hashing) | ||||
| »» Understand methods of cryptanalytic attacks | 3.7 Understand methods of cryptanalytic attacks | More emphasis | ||
| »» Digital Rights Management (DRM) | » Brute force | |||
| » Ciphertext only | ||||
| » Known plaintext | ||||
| » Frequency analysis | ||||
| » Chosen ciphertext | ||||
| » Implementation attacks | ||||
| » Side-channel | ||||
| » Fault injection | ||||
| » Timing | ||||
| » Man-in-the-Middle (MITM) | ||||
| » Pass the hash | new | |||
| » Kerberos exploitation | new | |||
| » Ransomware | ||||
| 3.10 | Physical security / site facility design | |||
| 3.11 | Physical security / site facility security controls | |||
| »» Wiring closets/intermediate distribution facilities | » Power (e.g., redundant, backup) | new | ||
| »» Server rooms/data centers | ||||
| »» Media storage facilities | ||||
| »» Evidence storage | ||||
| »» Restricted and work area security | ||||
| »» Utilities and Heating, Ventilation, and Air | ||||
| Conditioning (HVAC) | ||||
| »» Environmental issues | ||||
| »» Fire prevention, detection, and suppression | ||||
| Domain 4 | ||||
| 4.1 | Secure design principles (network architecture) | » Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models | ||
| »» Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models | » Internet Protocol (IP) networking (e.g., Internet Protocol Security (IPSec), Internet Protocol (IP) v4/6) | |||
| »» Internet Protocol (IP) networking | » Secure protocols | new | ||
| »» Implications of multilayer protocols | » Implications of multilayer protocols | |||
| »» Converged protocols | » Converged protocols (e.g., Fiber Channel Over Ethernet (FCoE), | |||
| »» Software-defined networks | Internet Small Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP)) | new | ||
| »» Wireless networks | » Micro-segmentation (e.g., Software Defined Networks (SDN), Virtual eXtensible Local Area Network (VXLAN), | new | ||
| Encapsulation, Software-Defined Wide Area Network (SD-WAN)) | new | |||
| » Wireless networks (e.g., Li-Fi, Wi-Fi, Zigbee, satellite) | new | |||
| » Cellular networks (e.g., 4G, 5G) | ||||
| » Content Distribution Networks (CDN) | ||||
| 4.2 | Secure network components | |||
| »» Operation of hardware | ||||
| »» Transmission media | ||||
| »» Network Access Control (NAC) devices | ||||
| »» Endpoint security | ||||
| »» Content-distribution networks | ||||
| 4.3 | Secure communication channels | |||
| »» Voice | »» Voice | |||
| »» Multimedia collaboration | »» Multimedia collaboration | |||
| »» Remote access | »» Remote access | |||
| »» Data communications | »» Data communications | |||
| »» Virtualized networks | »» Virtualized networks | |||
| » Third-party connectivity | new | |||
| Domain 5 – IAM | ||||
| 5.1 | Phys/Logical Access Control | Phys/Logical Access Control | ||
| »» Information | »» Information | |||
| »» Systems | »» Systems | |||
| »» Devices | »» Devices | |||
| »» Facilities | »» Facilities | |||
| » Applications | new | |||
| 5.2 | ID/Auth of People, Devices, Services | |||
| »» Identity management implementation | » Identity Management (IdM) implementation | |||
| »» Single/multi-factor authentication | » Single/Multi-Factor Authentication (MFA) | |||
| »» Accountability | » Accountability | |||
| »» Session management | » Session management | |||
| »» Registration and proofing of identity | » Registration, proofing, and establishment of identity | new | ||
| »» Federated Identity Management (FIM) | » Federated Identity Management (FIM) | |||
| »» Credential management systems | » Credential management systems | |||
| » Single Sign On (SSO) | new | |||
| » Just-In-Time (JIT) | new | |||
| 5.3 | Identity as a 3rd Party Service | |||
| »» On-premise | » On-premise | |||
| »» Cloud | » Cloud | |||
| »» Federated | » Hybrid | new | ||
| 5.4 | Auth Mechanism | |||
| »» Role Based Access Control (RBAC) | » Role Based Access Control (RBAC) | |||
| »» Rule-based access control | » Rule based access control | |||
| »» Mandatory Access Control (MAC) | » Mandatory Access Control (MAC) | |||
| »» Discretionary Access Control (DAC) | » Discretionary Access Control (DAC) | |||
| »» Attribute Based Access Control (ABAC) | » Attribute Based Access Control (ABAC) | |||
| » Risk based access control | new | |||
| 5.5 | Identity/Provisioning Lifecycle | |||
| »» User access review | » Account access review e.g., user, system, service | new | ||
| »» System account access review | » Provisioning and deprovisioning | |||
| »» Provisioning and deprovisioning | (e.g., on /off boarding and transfers) | |||
| » Role definition (e.g., people assigned to new roles) | new | |||
| » Privilege escalation (e.g., managed service, accounts, use of sudo, minimizing its use) | new | |||
| 5.6 Implement authentication systems | ||||
| » OpenID Connect (OIDC)/Open Authorization (Oauth) | new | |||
| » Security Assertion Markup Language (SAML) | ||||
| » Kerberos | new | |||
| » Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller, Access Control System Plus (TACACS+) | ||||
| Domain 6 | ||||
| 6.1 | Assessment/audit/test strategies | |||
| »» Internal | ||||
| »» External | ||||
| »» Third-party | ||||
| 6.2 | Security control testing | |||
| »» Vulnerability assessment | » Vulnerability assessment | |||
| »» Penetration testing | » Penetration testing | |||
| »» Log reviews | » Log reviews | |||
| »» Synthetic transactions | » Synthetic transactions | |||
| »» Code review and testing | » Code review and testing | |||
| »» Misuse case testing | » Misuse case testing | |||
| »» Test coverage analysis | » Test coverage analysis | |||
| »» Interface testing | » Interface testing | |||
| » Breach attack simulations | new | |||
| » Compliance checks | new | |||
| 6.3 | Collect Security Process Data | |||
| »» Account management | ||||
| »» Management review and approval | ||||
| »» Key performance and risk indicators | ||||
| »» Backup verification data | ||||
| »» Training and awareness | ||||
| »» Disaster Recovery (DR) and Business Continuity | ||||
| (BC) | ||||
| 6.4 | Analyze Test Output | Analyze Test Output | ||
| » Remediation | new | |||
| » Exception handling | new | |||
| » Ethical disclosure | new | |||
| 6.5 | Security audits | |||
| »» Internal | ||||
| »» External | ||||
| »» Third-party | ||||
| Domain 7 | ||||
| 7.1 | Investigations | |||
| »» Evidence collection and handling | » Evidence collection and handling | |||
| »» Reporting and documentation | » Reporting and documentation | |||
| »» Investigative techniques | » Investigative techniques | |||
| »» Digital forensics tools, tactics, and procedures | » Digital forensics tools, tactics, and procedures | |||
| » Artifacts (e.g., computer, network, mobile device) | new | |||
| 7.2 | Investigations | Moved to Domain 1 | reorganized | |
| »» Administrative | ||||
| »» Criminal | ||||
| »» Civil | ||||
| »» Regulatory | ||||
| »» Industry standards | ||||
| 7.3 | Audit Logging/Monitoring | |||
| »» Intrusion detection and prevention | » Intrusion detection and prevention | |||
| »» Security Information and Event Management (SIEM) | » Security Information and Event Management (SIEM) | |||
| »» Continuous monitoring | » Continuous monitoring | |||
| »» Egress monitoring | » Egress monitoring | |||
| » Log management | new | |||
| » Threat intelligence (e.g., threat feeds, threat hunting) | new | |||
| » User and Entity Behavior Analytics (UEBA) | new | |||
| 7.4 | Provisioning Resources | 7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation) | new | |
| »» Asset inventory | ||||
| »» Asset management | ||||
| »» Configuration management | ||||
| 7.5 | Foundational SecOps Concepts | Foundational SecOps Concepts | ||
| »» Need-to-know/least privileges | » Need-to-know/least privilege | |||
| »» Separation of duties and responsibilities | » Separation of Duties (SoD) and responsibilities | |||
| »» Privileged account management | » Privileged account management | |||
| »» Job rotation | » Job rotation | |||
| »» Information lifecycle | » Service Level Agreements (SLAs) | |||
| »» Service Level Agreements (SLA) | <Removed information lifecycle> | |||
| 7.6 | Resource Protection Techniques | Resource Protection Techniques | ||
| »» Media management | »» Media management | |||
| »» Hardware and software asset management | » Media protection techniques | new | ||
| 7.7 | Incident Management | |||
| »» Detection | ||||
| »» Response | ||||
| »» Mitigation | ||||
| »» Reporting | ||||
| »» Recovery | ||||
| »» Remediation | ||||
| »» Lessons learned | ||||
| 7.8 | Detective/Preventive Measures | |||
| »» Firewalls | » Firewalls (e.g., next generation, web application, network) | |||
| »» Intrusion detection and prevention systems | » Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) | |||
| »» Whitelisting/blacklisting | » Whitelisting/blacklisting | |||
| »» Third-party provided security services | » Third-party provided security services | |||
| »» Sandboxing | » Sandboxing | |||
| »» Honeypots/honeynets | » Honeypots/honeynets | |||
| »» Anti-malware | » Anti-malware | |||
| » Machine learning and Artificial Intelligence (AI) based tools | new | |||
| 7.9 | Patch/Vuln Management | |||
| 7.10 | Change Management | |||
| 7.11 | Recovery Strategies | |||
| »» Backup storage strategies | » Backup storage strategies | |||
| »» Recovery site strategies | » Recovery site strategies | |||
| »» Multiple processing sites | » Multiple processing sites | |||
| »» System resilience, high availability, Quality of | » System resilience, High Availability (HA), Quality | |||
| Service (QoS), and fault tolerance | of Service (QoS), and fault tolerance | |||
| 7.12 | Disaster Recovery | |||
| »» Response | » Response | |||
| »» Personnel | » Personnel | |||
| »» Communications | » Communications | |||
| »» Assessment | » Assessment | |||
| »» Restoration | » Restoration | |||
| »» Training and awareness | » Training and awareness | |||
| » Lessons learned | new | |||
| 7.13 | Disaster Recovery Plans | |||
| »» Read-through/tabletop | ||||
| »» Walkthrough | ||||
| »» Simulation | ||||
| »» Parallel | ||||
| »» Full interruption | ||||
| 7.14 | Businesss Continuity | |||
| 7.15 | Physical Security | |||
| »» Perimeter security controls | ||||
| »» Internal security controls | ||||
| 7.16 | Personnel Safety | |||
| »» Travel | ||||
| »» Security training and awareness | ||||
| »» Emergency management | ||||
| »» Duress | ||||
| Domain 8 | ||||
| 8.1 | SDLC | |||
| »» Development methodologies | ||||
| »» Maturity models | ||||
| »» Operation and maintenance | ||||
| »» Change management | ||||
| »» Integrated product team | ||||
| 8.2 | Identify and apply security controls in development environments | 8.2 Identify and apply security controls in software development ecosystems | ||
| »» Security of the software environments | » Programming languages | |||
| »» Configuration management as an aspect of secure coding | » Libraries | |||
| »» Security of code repositories | » Tool sets | |||
| » Integrated Development Environment (IDE) | new | |||
| » Runtime | new | |||
| » Continuous Integration and Continuous Delivery (CI/CD) | new | |||
| » Security Orchestration, Automation, and Response (SOAR) | new | |||
| » Software Configuration Management (SCM) | new | |||
| » Code repositories | new | |||
| » Application security testing (e.g., Static Application | new | |||
| Security Testing (SAST), Dynamic Application | ||||
| Security Testing (DAST)) | ||||
| 8.3 | Assess Effectiveness of Software Security | |||
| »» Auditing and logging of changes | ||||
| »» Risk analysis and mitigation | ||||
| 8.4 | Assess Security of Acquired Software | 8.4 Assess security impact of acquired software | ||
| » Commercial-off-the-shelf (COTS) | new | |||
| » Open source | new | |||
| » Third-party | new | |||
| » Managed services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS)) | new | |||
| 8.5 | Secure Coding Guidelines and Standards | |||
| »» Security weaknesses and vulnerabilities at the source-code level | » Security weaknesses and vulnerabilities at the source-code level | |||
| »» Security of application programming interfaces | » Security of Application Programming Interfaces (APIs) | |||
| »» Secure coding practices | » Secure coding practices | |||
| » Software-defined security | new |