To view and/or edit this document in Google Sheets, click here to view or request access. It’s not a perfect list by any means, so edits and comments are welcome, or you can create a copy for yourself.
| Domain | ISC2 SELF PACED TRAINING Directly from ISC2 (Official CBK) | “Official” ISC2 CISSP CBK Reference 6th Edition – Arthur Deane |
| 1 | Unilateral NDA | Not covered |
| 1 | Bilateral NDA | Not covered |
| 1 | Multilateral NDA | Not covered |
| 1 | Prudent actions | Not covered |
| 1 | Reasonable actions | Not covered |
| 1 | Data portability | Not covered |
| 1 | Public chapter | Called public domain |
| 3 | Restrictive defaults | Not covered |
| 3 | Trust but verify | Not covered |
| 1 | Privacy Management Framework (PMF) | Not covered |
| 1 | SWIFT security control framework | Not covered |
| 1 | Cloud Security Alliance’s IOT security control framework | Not covered |
| 1 | Maximum Allowable Outage | Maximum “Acceptable” Outage |
| 1 | Asset-based risk perspective (there are 4 risk perspectives in new CBK) | Not covered |
| 1 | Outcome-based risk perspective | Not covered |
| 1 | Vulnerability-based risk perspective | Not covered |
| 1 | Threat-based risk perspective | Not covered |
| 1 | Hazard (difference between hazard and risk – these are explicitly defined in the new CBK) | Not covered |
| 1 | Prioritize (the new pre-step before the standard 4 responses) | Not covered |
| 1 | Micro training | Not covered |
| 1 | Gamification | Not covered |
| 2 | Materials (CBK indicates there is a difference between materials and supplies) | Not covered |
| 2 | Supplies | Not covered |
| 2 | Tangible assets | Not covered |
| 2 | Intangible assets | Not covered |
| 2 | IT asset management lifecycle | Different phases |
| 2 | Planning (part of IT asset management lifecycle) | Different phases |
| 2 | Assigning security needs (part of IT asset management lifecycle) | Different phases |
| 2 | Acquiring (part of IT asset management lifecycle) | Different phases |
| 2 | Deployment (part of IT asset management lifecycle) | Different phases |
| 2 | Managing (part of IT asset management lifecycle) | Different phases |
| 2 | Retiring (part of IT asset management lifecycle) | Different phases |
| 2 | Kiosk service point | Not covered |
| 2 | Data lifecycle (note: there are two versions with different phases in the CBK) | Not covered (not the versions in the CBK) |
| 2 | Pervasive encryption | Not covered |
| 3 | Complex Hybrid Cryptography | Not covered |
| 3 | VM sprawl | Not covered |
| 3 | Fog computing | Not covered |
| 3 | Key space clumping | Not covered |
| 3 | Clustering/clumping of pseudorandom numbers | Not covered |
| 3 | Deterministic decryption | Not covered |
| 3 | Digital envelope | Not covered |
| 3 | Remote key management services | Not covered |
| 3 | Client-side key management | Not covered |
| 3 | Kill chains | Not covered |
| 3 | Contact devices | Not covered |
| 3 | Contact alarms | Not covered |
| 3 | Solid core / hollow core | Not covered |
| 3 | High density equipment | Not covered |
| 3 | Very Early Smoke Detection Apparatus (VESDA) | Not covered |
| 3 | Aqueous Firefighting Foam (AFFF) | Not covered |
| 3 | Non-conductive, nontoxic liquid suppressants (Novec) | Not covered |
| 3 | Balanced Magnetic Switch (BMS) | Not covered |
| 3 | Acoustic Sensors | Not covered |
| 3 | Infrared Linear Beam Sensors | Not covered |
| 3 | Passive Infrared Sensors | Not covered |
| 3 | Automatic Request to Exit | Not covered |
| 3 | Dual-Technology Sensors | Not covered |
| 3 | Condition monitoring | Not covered |
| 3 | Bricking | Not covered |
| 4 | Bound network | Not covered |
| 4 | Unbound network | Not covered |
| 4 | Acoustic waves | Not covered |
| 4 | Line driver | Not covered |
| 4 | Multiplexer | Not covered |
| 4 | Dense-wave division multiplexer (DWDM) | Not covered |
| 4 | Infiniband | Not covered |
| 4 | Broadband over power line | Not covered |
| 4 | Frequency division multiplexing | Not covered |
| 4 | PPPoE | Not covered |
| 4 | Arbitration | Not covered |
| 4 | Deconfliction | Not covered |
| 4 | Polling protocols | Not covered |
| 4 | Contention-based protocols | Not covered |
| 4 | Anycast | Not covered |
| 4 | Geocast | Not covered |
| 4 | Dual stack | Not covered |
| 4 | IPv6 at the edge | Not covered |
| 4 | Automatic private IP addressing (APIPA) | Not covered |
| 4 | Distance vector | Not covered |
| 4 | Path vector | Not covered |
| 4 | Intermediate system to intermediate system (ISIS) (IS-IS) | Partially covered |
| 4 | Area border router | Not covered |
| 4 | DHCPV6 | Not covered |
| 4 | east bound interface | Not covered |
| 4 | west bound interface | Not covered |
| 4 | Root of trust | Not covered |
| 4 | Trust anchor | Not covered |
| 4 | Hardware-based ROT (root of trust) | Not covered |
| 4 | 802.1X (PNAC) | Not covered |
| 5 | Strong Star Property | Not covered |
| 5 | Access Control As A System | Not covered |
| 5 | Physical Access Token | Not covered |
| 5 | Logical Access Token | Not covered |
| 5 | Identity lifecycle | Covered as “Access Provisioning Life Cycle” with different phases |
| 5 | Authentication (part of identity lifecycle) | Not covered – different phases |
| 5 | Authorization (part of identity lifecycle) | Not covered – different phases |
| 5 | Accounting (part of identity lifecycle) | Not covered – different phases |
| 5 | User behavior review (part of identity lifecycle) | Not covered |
| 5 | Job or duties review (part of identity lifecycle) | Not covered |
| 5 | Permission aggregation | Not covered |
| 5 | Dual custody | Not covered |
| 5 | Identity store | Not covered |
| 5 | Self service identity | Covered |
| 5 | Single sign-on | Not covered |
| 5 | NTP (kerberos) | Not covered |
| 6 | Formal assessment | Not covered |
| 6 | Informal assessment | Not covered |
| 6 | Condition (component of finding) | Not covered |
| 6 | Criteria (component of finding) | Not covered |
| 6 | Cause (component of finding) | Not covered |
| 6 | Effect (component of finding) | Not covered |
| 6 | Recommendation (component of finding) | Not covered |
| 6 | No notice assessment | Not covered |
| 6 | SOC reports for cloud and data centers | Not covered |
| 6 | Conducting a SOC audit (two phases) | Not covered |
| 6 | Internal audit steps (chartering, testing, reporting, remediation) | Not covered |
| 6 | External audit steps (chartering, pre-audit planning, audit execution, audit reporting) | Not covered |
| 6 | Compliance audit (CBK now defines “types” of audits) | Not covered |
| 6 | Financial audit | Not covered |
| 6 | Operational audit | Not covered |
| 6 | Information systems audit | Not covered |
| 6 | Integrated audit | Not covered |
| 6 | Forensic audit | Not covered |
| 6 | Compliance test | Not covered |
| 6 | Substantive test | Not covered |
| 6 | Code review (the six objectives) | Not covered |
| 6 | Blind test | Not covered |
| 6 | Double-blind test | Not covered |
| 6 | Continuous full-cycle testing | Not covered |
| 6 | Chaos engineering | Not covered |
| 6 | Service-level agreement validation (in the context of synthetic performance monitoring) | Not covered |
| 6 | Six sigma approach (five steps) | Not covered |
| 7 | Full cutover | Called “Full Interruption” |
| 7 | Desk check | Not covered |
| 7 | XDR | Not covered |
| 7 | Self hosted, self-managed | Not covered |
| 7 | Cloud SIEM, self-managed | Not covered |
| 7 | Hybrid self-hosted | Not covered |
| 7 | SIEM as a service | Not covered |
| 7 | Precursor (CBK differentiates from indicator) | Not covered |
| 7 | External threat intelligence | Not covered |
| 7 | Internal threat intelligence | Not covered |
| 7 | Request for Change (RFC) | Not covered |
| 7 | Change management activities (initiation, review/approval, implementation and evaluation, release/deployment planning/control) | Different activities |
| 7 | NIST Forensic cycle (collection, examination, analysis, reporting) | Not covered |
| 7 | Incident response activities (preparation, detection, analysis, response/mitigation, recovery, remediation, reporting, review & improvement) | Different phases |
| 7 | Cloud backup as a service | Not covered |
| 7 | RAID 15 and 51 | Not covered |
| 8 | Software Quality Assurance | Not covered |
| 8 | Software Assurance During Acquisition (Five Phases) | Not covered |
| 8 | Functional requirements | Not covered |
| 8 | Non-functional requirements | Not covered |
| 8 | Unit Test | Not covered |
| 8 | Data Validation | Not covered |
| 8 | Bounds Checking | Not covered |
| 8 | Known-good data (testing) | Not covered |
| 8 | Software assurance policy | Not covered |
| 8 | Orphaned Software | Not covered |
| 8 | Network Database Management Model | Not covered |
| 8 | CODASYL | Not covered |
| 8 | Privileged applets (sandbox) | Not covered |
| 8 | Java Network Launch Protocol | Not covered |
| 8 | CLASSPATH | Not covered |
| 8 | Class loader | Not covered |
| 8 | Native libraries | Not covered |
| 8 | SDLC | Different phases |
| 8 | Memory leak | Not covered |
| 8 | Partnership for Systems Approaches to Safety and Security (PSASS) | Not covered |
| 8 | Intermediate code | Not covered |
| 8 | Arbitrary code | Not covered |
| 8 | Lower order languages | Not covered |
| 8 | Higher order languages | Not covered |
| 8 | Code protection/logic hiding | Not covered |
| 8 | Constraint based/logic programming | Not covered |
| 8 | Business need identification (4 steps: Ask, evaluate, agree, document) | Not covered |
| 8 | Between the lines | Not covered |
| 8 | Bypass attack | Not covered |
| 8 | Database view (used for access control) | Not covered |
| 8 | Data contamination | Not covered |
| 8 | Improper modification | Not covered |
| 8 | Query attacks | Not covered |
| 8 | Data lake | Not covered |
| 8 | Data farm | Not covered |
| 8 | Graph database | Not covered |
| 8 | Candidate key | Not covered |
| 8 | Non-relational database | Not covered |
| 8 | Probabilistic method | Not covered |
| 8 | Statistical approach | Not covered |
| 8 | Deviation and trend analysis (as part of KDD) | Not covered |
| 8 | Commodity systems (COTS) | Not called “Commodity” |