Public service announcement to all CISSP candidates:
Approximately 190 topics are missing from Mike Chapple’s Official CISSP Study Guide (9th Edition), which means that roughly 2/3 of the new content from the updated 2021 Common Body of Knowledge (CBK) is missing from his book.
I was comparing Mr. Chapple’s Study Guide to the ISC2 source materials (Official CISSP Training Seminar, or Self-Paced Training) and began to keep track of all the new topics/words that were popping up but not appearing in Mike’s book. One of the biggest questions candidates have, and the one that I get asked the most, is “which book should I purchase?” Honestly, at this point I can’t recommend any of them, since a cursory review shows that all of these books are missing many of the same topics. With so many topics missing, it’s become apparent that either the source material given to the authors by ISC2 is inconsistent or incomplete, or that the publisher’s/author’s staff who actually write the content didn’t do a thorough enough job of examining the source material.
As a courtesy to CISSP candidates who rely on this book, I am providing a list of full topics & missing terminology here in the hopes that an update will be made to Mr. Chapple’s book. Since words are a big part of this exam, it’s imperative that a book holding the “Official” title (and one that is endorsed by ISC2) be fully updated with current terminology that is fully defined and explained. I am also providing this list so that candidates can be familiar with these terms in case they appear on the exam.
I sent this list to Mike Chapple and his publisher. I’ve also sent the list to multiple ISC2 email addresses. Whether it’s an oversight by ISC2, or an oversight by Mike’s staff, the issue needs to be addressed.
Here is the list of missing topics:
| Domain | ISC2 Self-Paced Training / Official CISSP Training Seminar (Official CBK) | (ISC)2 CISSP Official Study Guide, 9th Edition (Mike Chapple) |
| --- | --- | --- |
| 1 | Unilateral NDA | Not covered |
| 1 | Bilateral NDA | Not covered |
| 1 | Multilateral NDA | Not covered |
| 1 | Non-compete agreement | Not covered |
| 1 | Prudent actions | Not covered |
| 1 | Reasonable actions | Not covered |
| 1 | Data portability | Not covered |
| 1 | Data localization | Not covered |
| 1 | Restrictive defaults | Not covered |
| 1 | HITRUST | Not covered |
| 1 | Privacy Management Framework (PMF) | Not covered |
| 1 | SWIFT security control framework | Not covered |
| 1 | Cloud Security Alliance’s IoT security control framework | Not covered |
| 1 | Asset-based risk perspective (there are 4 risk perspectives in the new CBK) | Not covered |
| 1 | Outcome-based risk perspective | Not covered |
| 1 | Vulnerability-based risk perspective | Not covered |
| 1 | Threat-based risk perspective | Not covered |
| 1 | Hazard (difference between hazard and risk – these are explicitly defined in the new CBK) | Not covered |
| 1 | Prioritize (the new pre-step before the standard 4 responses) | Not covered |
| 1 | Micro training | Not covered |
| 2 | Materials (CBK indicates there is a difference between materials and supplies) | Not covered |
| 2 | Supplies | Not covered |
| 2 | IT asset management lifecycle | Not covered |
| 2 | Planning (part of IT asset management lifecycle) | Not covered |
| 2 | Assigning security needs (part of IT asset management lifecycle) | Not covered |
| 2 | Acquiring (part of IT asset management lifecycle) | Not covered |
| 2 | Deployment (part of IT asset management lifecycle) | Not covered |
| 2 | Managing (part of IT asset management lifecycle) | Not covered |
| 2 | Retiring (part of IT asset management lifecycle) | Not covered |
| 2 | Kiosk service point | Not covered |
| 2 | Data security lifecycle (CSUSAD) | Not covered |
| 2 | Data lifecycle (note: there are two versions with different phases in the CBK) | Not covered |
| 2 | Pervasive encryption | Not covered |
| 2 | Enclave | Not covered |
| 3 | Complex Hybrid Cryptography | Not covered |
| 3 | Type 1 security | Not covered |
| 3 | Type 2 security | Not covered |
| 3 | Government cloud | Not covered |
| 3 | High performance computing systems | Not covered |
| 3 | Key space clumping | Not covered |
| 3 | Clustering/clumping of pseudorandom numbers | Not covered |
| 3 | Deterministic decryption | Not covered |
| 3 | Remote key management services | Not covered |
| 3 | Client-side key management | Not covered |
| 3 | Contact devices | Not covered |
| 3 | Contact alarms | Not covered |
| 3 | Solid core / hollow core | Not covered |
| 3 | High density equipment | Not covered |
| 3 | Very Early Smoke Detection Apparatus (VESDA) | Not covered |
| 3 | Aqueous Firefighting Foam (AFFF) | Not covered |
| 3 | Non-conductive, nontoxic liquid suppressants (Novec) | Not covered |
| 3 | Balanced Magnetic Switch (BMS) | Not covered |
| 3 | Infrared Linear Beam Sensors | Not covered |
| 3 | Automatic Request to Exit | Not covered |
| 3 | Dual-Technology Sensors | Not covered |
| 3 | Condition monitoring | Not covered |
| 3 | Bricking | Not covered |
| 4 | Unbound network | Not covered |
| 4 | Acoustic waves | Not covered |
| 4 | Line driver | Not covered |
| 4 | Multiplexer | Not covered |
| 4 | Dense-wave division multiplexer (DWDM) | Not covered |
| 4 | InfiniBand | Not covered |
| 4 | Broadband over power line | Not covered |
| 4 | Frequency division multiplexing | Not covered |
| 4 | PPPoE | Not covered |
| 4 | Arbitration | Not covered |
| 4 | Deconfliction | Not covered |
| 4 | Polling protocols | Not covered |
| 4 | Contention-based protocols | Not covered |
| 4 | Anycast | Not covered |
| 4 | Geocast | Not covered |
| 4 | Native IPv6 | Not covered |
| 4 | IPv6 at the edge | Not covered |
| 4 | Routed protocol | Not covered |
| 4 | Autonomous systems (ASN) | Not covered |
| 4 | Area border router | Not covered |
| 4 | DHCPv6 | Not covered |
| 4 | Modbus or Mod bus | Not covered |
| 4 | Eastbound interface | Not covered |
| 4 | Westbound interface | Not covered |
| 4 | Root of trust | Not covered |
| 4 | Trust anchor | Not covered |
| 4 | Hardware-based ROT (root of trust) | Not covered |
| 5 | Strong Star Property | Not covered |
| 5 | Access Control As A System | Not covered |
| 5 | Physical Access Token | Not covered |
| 5 | Logical Access Token | Not covered |
| 5 | Hybrid Identity as a Service | Not covered |
| 5 | User behavior review (part of identity lifecycle) | Not covered |
| 5 | Job or duties review (part of identity lifecycle) | Not covered |
| 5 | Permission aggregation | Not covered |
| 5 | Dual custody | Not covered |
| 5 | Identity store | Not covered |
| 5 | FICAM | Not covered |
| 5 | Sponsorship (step 1 of 5 in FICAM) | Not covered |
| 5 | Enrollment/registration (step 2 of 5 in FICAM) | Not covered |
| 5 | Credential production (step 3 of 5 in FICAM) | Not covered |
| 5 | Issuance (step 4 of 5 in FICAM) | Not covered |
| 5 | Credential lifecycle management (step 5 of 5 in FICAM) | Not covered |
| 6 | Formal assessment | Not covered |
| 6 | Informal assessment | Not covered |
| 6 | Condition (component of finding) | Not covered |
| 6 | Criteria (component of finding) | Not covered |
| 6 | Cause (component of finding) | Not covered |
| 6 | Effect (component of finding) | Not covered |
| 6 | Recommendation (component of finding) | Not covered |
| 6 | No notice assessment | Not covered |
| 6 | Trust services criteria | Not covered |
| 6 | SOC reports for cloud and data centers | Not covered |
| 6 | Conducting a SOC audit (two phases) | Not covered |
| 6 | Internal audit steps (chartering, testing, reporting, remediation) | Not covered |
| 6 | External audit steps (chartering, pre-audit planning, audit execution, audit reporting) | Not covered |
| 6 | Compliance audit (CBK now defines “types” of audits) | Not covered |
| 6 | Financial audit | Not covered |
| 6 | Operational audit | Not covered |
| 6 | Information systems audit | Not covered |
| 6 | Integrated audit | Not covered |
| 6 | Forensic audit | Not covered |
| 6 | NCSC (12 principles) | Not covered |
| 6 | Substantive test | Not covered |
| 6 | Ethical penetration testing (includes steps/methodology: chartering, discovery, scanning, exploitation, reporting) | Not covered |
| 6 | Rules of engagement | Not covered |
| 6 | Bug bounty | Not covered |
| 6 | Blind test | Not covered |
| 6 | Double-blind test | Not covered |
| 6 | Continuous full-cycle testing | Not covered |
| 6 | Chaos engineering | Not covered |
| 6 | Service-level agreement validation (in the context of synthetic performance monitoring) | Not covered |
| 6 | Six Sigma approach (five steps) | Not covered |
| 6 | Plan-do-check-act (four steps) | Not covered |
| 6 | Non-disclosure (in the context of ethical disclosure) | Not covered |
| 6 | Full disclosure (in the context of ethical disclosure) | Not covered |
| 6 | Responsible disclosure (in the context of ethical disclosure) | Not covered |
| 6 | Mandatory reporting | Not covered |
| 6 | Whistleblowing | Not covered |
| 7 | Desk check | Not covered |
| 7 | Self-hosted, self-managed | Not covered |
| 7 | Cloud SIEM, self-managed | Not covered |
| 7 | Hybrid self-hosted | Not covered |
| 7 | SIEM as a service | Not covered |
| 7 | Precursor (CBK differentiates from indicator) | Not covered |
| 7 | External threat intelligence | Not covered |
| 7 | Internal threat intelligence | Not covered |
| 7 | Request for Change (RFC) | Not covered |
| 7 | Change management activities (initiation, review/approval, implementation and evaluation, release/deployment planning/control) | Different activities |
| 7 | NIST forensic cycle (collection, examination, analysis, reporting) | Not covered |
| 7 | Incident response activities (preparation, detection, analysis, response/mitigation, recovery, remediation, reporting, review & improvement) | Different phases |
| 7 | 3-2-1 backup strategy | Not covered |
| 7 | Cloud backup as a service | Not covered |
| 7 | RAID 15 and 51 | Not covered |
| 8 | Software Quality Assurance | Not covered |
| 8 | Software Assurance During Acquisition (Five Phases) | Not covered |
| 8 | Non-functional requirements | Not covered |
| 8 | Unit Test | Not covered |
| 8 | Bounds Checking | Not covered |
| 8 | Known-good data (testing) | Not covered |
| 8 | Software assurance policy | Not covered |
| 8 | Orphaned Software | Not covered |
| 8 | Network Database Management Model | Not covered |
| 8 | CODASYL | Not covered |
| 8 | Strongly typed | Not covered |
| 8 | Weakly typed | Not covered |
| 8 | Privileged applets (sandbox) | Not covered |
| 8 | Java Network Launch Protocol | Not covered |
| 8 | CLASSPATH | Not covered |
| 8 | Class loader | Not covered |
| 8 | Native libraries | Not covered |
| 8 | High granularity | Not covered |
| 8 | Low granularity | Not covered |
| 8 | System Lifecycle (SLC) | Not covered |
| 8 | SDLC | Covered, but conflicting info |
| 8 | IPPD | Not covered |
| 8 | Partnership for Systems Approaches to Safety and Security (PSASS) | Not covered |
| 8 | Intermediate code | Not covered |
| 8 | Refactoring | Not covered |
| 8 | Level of abstraction | Not covered |
| 8 | Lower order languages | Not covered |
| 8 | Code protection/logic hiding | Not covered |
| 8 | Constraint based/logic programming | Not covered |
| 8 | Business need identification (4 steps: ask, evaluate, agree, document) | Not covered |
| 8 | Between the lines | Not covered |
| 8 | Bypass attack | Not covered |
| 8 | Data contamination | Not covered |
| 8 | Query attacks | Not covered |
| 8 | Data lake | Not covered |
| 8 | Data farm | Not covered |
| 8 | Non-relational database | Not covered |
| 8 | Probabilistic method | Not covered |
| 8 | Statistical approach | Not covered |
| 8 | Deviation and trend analysis (as part of KDD) | Not covered |
In Mike Chapple’s YouTube video “CISSP: What’s Changing in 2021?” ( https://www.youtube.com/watch?v=ERi6uB6qyHQ ), at minute 8:02, he specifically mentions that there are very few changes, for example, to Domain 3, which completely contradicts reality.
So, in defense, I strongly suspect it is the source material given to Chapple by ISC2 that was incomplete. (And I hate his books.)
Thank you for highlighting this issue. You have probably saved me from a train wreck in my upcoming exam.
David Griffiths