Topics Missing From Official ISC2 CISSP CBK Reference 6th Edition – Arthur Deane, Aaron Kraus

This list is also maintained in Google Sheets, where you can request access to view or edit it. It’s not a perfect list by any means, so edits and comments are welcome, or you can create a copy for yourself.

| Domain | ISC2 Self-Paced Training (directly from ISC2, Official CBK) | “Official” ISC2 CISSP CBK Reference 6th Edition – Arthur Deane |
|---|---|---|
| 1 | Unilateral NDA | Not covered |
| 1 | Bilateral NDA | Not covered |
| 1 | Multilateral NDA | Not covered |
| 1 | Prudent actions | Not covered |
| 1 | Reasonable actions | Not covered |
| 1 | Data portability | Not covered |
| 1 | Public chapter | Called public domain |
| 3 | Restrictive defaults | Not covered |
| 3 | Trust but verify | Not covered |
| 1 | Privacy Management Framework (PMF) | Not covered |
| 1 | SWIFT security control framework | Not covered |
| 1 | Cloud Security Alliance’s IoT security control framework | Not covered |
| 1 | Maximum Allowable Outage | Maximum “Acceptable” Outage |
| 1 | Asset-based risk perspective (there are 4 risk perspectives in the new CBK) | Not covered |
| 1 | Outcome-based risk perspective | Not covered |
| 1 | Vulnerability-based risk perspective | Not covered |
| 1 | Threat-based risk perspective | Not covered |
| 1 | Hazard (the difference between hazard and risk; both are explicitly defined in the new CBK) | Not covered |
| 1 | Prioritize (the new pre-step before the standard 4 responses) | Not covered |
| 1 | Micro training | Not covered |
| 1 | Gamification | Not covered |
| 2 | Materials (the CBK indicates there is a difference between materials and supplies) | Not covered |
| 2 | Supplies | Not covered |
| 2 | Tangible assets | Not covered |
| 2 | Intangible assets | Not covered |
| 2 | IT asset management lifecycle | Different phases |
| 2 | Planning (part of IT asset management lifecycle) | Different phases |
| 2 | Assigning security needs (part of IT asset management lifecycle) | Different phases |
| 2 | Acquiring (part of IT asset management lifecycle) | Different phases |
| 2 | Deployment (part of IT asset management lifecycle) | Different phases |
| 2 | Managing (part of IT asset management lifecycle) | Different phases |
| 2 | Retiring (part of IT asset management lifecycle) | Different phases |
| 2 | Kiosk service point | Not covered |
| 2 | Data lifecycle (note: there are two versions with different phases in the CBK) | Not covered (not the versions in the CBK) |
| 2 | Pervasive encryption | Not covered |
| 3 | Complex Hybrid Cryptography | Not covered |
| 3 | VM sprawl | Not covered |
| 3 | Fog computing | Not covered |
| 3 | Key space clumping | Not covered |
| 3 | Clustering/clumping of pseudorandom numbers | Not covered |
| 3 | Deterministic decryption | Not covered |
| 3 | Digital envelope | Not covered |
| 3 | Remote key management services | Not covered |
| 3 | Client-side key management | Not covered |
| 3 | Kill chains | Not covered |
| 3 | Contact devices | Not covered |
| 3 | Contact alarms | Not covered |
| 3 | Solid core / hollow core | Not covered |
| 3 | High-density equipment | Not covered |
| 3 | Very Early Smoke Detection Apparatus (VESDA) | Not covered |
| 3 | Aqueous Firefighting Foam (AFFF) | Not covered |
| 3 | Non-conductive, non-toxic liquid suppressants (Novec) | Not covered |
| 3 | Balanced Magnetic Switch (BMS) | Not covered |
| 3 | Acoustic Sensors | Not covered |
| 3 | Infrared Linear Beam Sensors | Not covered |
| 3 | Passive Infrared Sensors | Not covered |
| 3 | Automatic Request to Exit | Not covered |
| 3 | Dual-Technology Sensors | Not covered |
| 3 | Condition monitoring | Not covered |
| 3 | Bricking | Not covered |
| 4 | Bound network | Not covered |
| 4 | Unbound network | Not covered |
| 4 | Acoustic waves | Not covered |
| 4 | Line driver | Not covered |
| 4 | Multiplexer | Not covered |
| 4 | Dense-wave division multiplexer (DWDM) | Not covered |
| 4 | InfiniBand | Not covered |
| 4 | Broadband over power line | Not covered |
| 4 | Frequency division multiplexing | Not covered |
| 4 | PPPoE | Not covered |
| 4 | Arbitration | Not covered |
| 4 | Deconfliction | Not covered |
| 4 | Polling protocols | Not covered |
| 4 | Contention-based protocols | Not covered |
| 4 | Anycast | Not covered |
| 4 | Geocast | Not covered |
| 4 | Dual stack | Not covered |
| 4 | IPv6 at the edge | Not covered |
| 4 | Automatic private IP addressing (APIPA) | Not covered |
| 4 | Distance vector | Not covered |
| 4 | Path vector | Not covered |
| 4 | Intermediate System to Intermediate System (IS-IS) | Partially covered |
| 4 | Area border router | Not covered |
| 4 | DHCPv6 | Not covered |
| 4 | Eastbound interface | Not covered |
| 4 | Westbound interface | Not covered |
| 4 | Root of trust | Not covered |
| 4 | Trust anchor | Not covered |
| 4 | Hardware-based RoT (root of trust) | Not covered |
| 4 | 802.1X (PNAC) | Not covered |
| 5 | Strong Star Property | Not covered |
| 5 | Access Control As A System | Not covered |
| 5 | Physical Access Token | Not covered |
| 5 | Logical Access Token | Not covered |
| 5 | Identity lifecycle | Covered as “Access Provisioning Life Cycle” with different phases |
| 5 | Authentication (part of identity lifecycle) | Not covered – different phases |
| 5 | Authorization (part of identity lifecycle) | Not covered – different phases |
| 5 | Accounting (part of identity lifecycle) | Not covered – different phases |
| 5 | User behavior review (part of identity lifecycle) | Not covered |
| 5 | Job or duties review (part of identity lifecycle) | Not covered |
| 5 | Permission aggregation | Not covered |
| 5 | Dual custody | Not covered |
| 5 | Identity store | Not covered |
| 5 | Self-service identity | Covered |
| 5 | Single sign-on | Not covered |
| 5 | NTP (Kerberos) | Not covered |
| 6 | Formal assessment | Not covered |
| 6 | Informal assessment | Not covered |
| 6 | Condition (component of finding) | Not covered |
| 6 | Criteria (component of finding) | Not covered |
| 6 | Cause (component of finding) | Not covered |
| 6 | Effect (component of finding) | Not covered |
| 6 | Recommendation (component of finding) | Not covered |
| 6 | No-notice assessment | Not covered |
| 6 | SOC reports for cloud and data centers | Not covered |
| 6 | Conducting a SOC audit (two phases) | Not covered |
| 6 | Internal audit steps (chartering, testing, reporting, remediation) | Not covered |
| 6 | External audit steps (chartering, pre-audit planning, audit execution, audit reporting) | Not covered |
| 6 | Compliance audit (the CBK now defines “types” of audits) | Not covered |
| 6 | Financial audit | Not covered |
| 6 | Operational audit | Not covered |
| 6 | Information systems audit | Not covered |
| 6 | Integrated audit | Not covered |
| 6 | Forensic audit | Not covered |
| 6 | Compliance test | Not covered |
| 6 | Substantive test | Not covered |
| 6 | Code review (the six objectives) | Not covered |
| 6 | Blind test | Not covered |
| 6 | Double-blind test | Not covered |
| 6 | Continuous full-cycle testing | Not covered |
| 6 | Chaos engineering | Not covered |
| 6 | Service-level agreement validation (in the context of synthetic performance monitoring) | Not covered |
| 6 | Six Sigma approach (five steps) | Not covered |
| 7 | Full cutover | Called “Full Interruption” |
| 7 | Desk check | Not covered |
| 7 | XDR | Not covered |
| 7 | Self-hosted, self-managed | Not covered |
| 7 | Cloud SIEM, self-managed | Not covered |
| 7 | Hybrid self-hosted | Not covered |
| 7 | SIEM as a service | Not covered |
| 7 | Precursor (the CBK differentiates it from an indicator) | Not covered |
| 7 | External threat intelligence | Not covered |
| 7 | Internal threat intelligence | Not covered |
| 7 | Request for Change (RFC) | Not covered |
| 7 | Change management activities (initiation, review/approval, implementation and evaluation, release/deployment planning/control) | Different activities |
| 7 | NIST forensic cycle (collection, examination, analysis, reporting) | Not covered |
| 7 | Incident response activities (preparation, detection, analysis, response/mitigation, recovery, remediation, reporting, review & improvement) | Different phases |
| 7 | Cloud backup as a service | Not covered |
| 7 | RAID 15 and 51 | Not covered |
| 8 | Software Quality Assurance | Not covered |
| 8 | Software Assurance During Acquisition (Five Phases) | Not covered |
| 8 | Functional requirements | Not covered |
| 8 | Non-functional requirements | Not covered |
| 8 | Unit Test | Not covered |
| 8 | Data Validation | Not covered |
| 8 | Bounds Checking | Not covered |
| 8 | Known-good data (testing) | Not covered |
| 8 | Software assurance policy | Not covered |
| 8 | Orphaned Software | Not covered |
| 8 | Network Database Management Model | Not covered |
| 8 | CODASYL | Not covered |
| 8 | Privileged applets (sandbox) | Not covered |
| 8 | Java Network Launch Protocol | Not covered |
| 8 | CLASSPATH | Not covered |
| 8 | Class loader | Not covered |
| 8 | Native libraries | Not covered |
| 8 | SDLC | Different phases |
| 8 | Memory leak | Not covered |
| 8 | Partnership for Systems Approaches to Safety and Security (PSASS) | Not covered |
| 8 | Intermediate code | Not covered |
| 8 | Arbitrary code | Not covered |
| 8 | Lower-order languages | Not covered |
| 8 | Higher-order languages | Not covered |
| 8 | Code protection/logic hiding | Not covered |
| 8 | Constraint-based/logic programming | Not covered |
| 8 | Business need identification (4 steps: ask, evaluate, agree, document) | Not covered |
| 8 | Between the lines | Not covered |
| 8 | Bypass attack | Not covered |
| 8 | Database view (used for access control) | Not covered |
| 8 | Data contamination | Not covered |
| 8 | Improper modification | Not covered |
| 8 | Query attacks | Not covered |
| 8 | Data lake | Not covered |
| 8 | Data farm | Not covered |
| 8 | Graph database | Not covered |
| 8 | Candidate key | Not covered |
| 8 | Non-relational database | Not covered |
| 8 | Probabilistic method | Not covered |
| 8 | Statistical approach | Not covered |
| 8 | Deviation and trend analysis (as part of KDD) | Not covered |
| 8 | Commodity systems (COTS) | Not called “Commodity” |