If you have purchased, or are about to purchase the Shon Harris CISSP All-In-One Exam Guide, buyer beware:
Approximately 193 topics are missing, which means that (similar to the Mike Chapple book) roughly 2/3 of the new content from the updated 2021 Common Body of Knowledge (CBK) is missing. The odd thing is that the lists are quite different, meaning that the Harris book covers topics that the Chapple book doesn’t, and vice versa (which doesn’t make any sense!).
If you’ve read my other post, you know what I’ve been doing so I won’t repeat it here, but as a courtesy to CISSP candidates who rely on the Shon Harris brand, I am providing a list of full topics & missing terminology here in the hopes that an update will be made. I am also providing this list so that candidates can be familiar with these terms in case they appear on the exam.
I will send this list to the publisher, McGraw Hill, over the next few days. Whether it’s an oversight by ISC2, or an oversight by the author and his staff, the issue needs to be resolved.
Here is the list of missing topics:
Domain | ISC2 SELF PACED TRAINING Directly from ISC2 | All-In-One Exam Guide 9th Edition – Shon Harris |
--- | --- | --- |
1 | Unilateral NDA | Not covered |
1 | Bilateral NDA | Not covered |
1 | Multilateral NDA | Not covered |
1 | Non-compete agreement | Not covered |
1 | Prudent actions | Not covered |
1 | Reasonable actions | Not covered |
1 | Data portability | Not covered |
1 | Data localization | Covered |
1 | GDPR privacy principles | Not covered |
1 | Article 5 (accountability) | Not covered |
1 | Public chapter | Called public domain |
3 | Secure defaults | Covered |
3 | Restrictive defaults | Not covered |
3 | Zero trust | Covered |
3 | Privacy by design | Covered |
3 | Trust but verify | Covered |
1 | HITRUST | Not covered |
1 | Privacy Management Framework (PMF) | Not covered |
1 | SWIFT security control framework | Not covered |
1 | Cloud Security Alliance’s IoT security control framework | Not covered |
1 | Maximum Allowable Outage | Still called MTD |
1 | Lessons learned (phase of disaster recovery/biz continuity) | Covered |
1 | Asset-based risk perspective (there are 4 risk perspectives in new CBK) | Not covered |
1 | Outcome-based risk perspective | Not covered |
1 | Vulnerability-based risk perspective | Not covered |
1 | Threat-based risk perspective | Not covered |
1 | Hazard (difference between hazard and risk – these are explicitly defined in the new CBK) | Not covered |
1 | Prioritize (the new pre-step before the standard 4 responses) | Covered as part of Risk Assessment |
1 | Micro training | Not covered |
1 | Gamification | Covered |
2 | Materials (CBK indicates there is a difference between materials and supplies) | Not covered |
2 | Supplies | Not covered |
2 | Tangible assets | Covered |
2 | Intangible assets | Covered |
2 | IT asset management lifecycle | Not covered |
2 | Planning (part of IT asset management lifecycle) | Not covered |
2 | Assigning security needs (part of IT asset management lifecycle) | Not covered |
2 | Acquiring (part of IT asset management lifecycle) | Not covered |
2 | Deployment (part of IT asset management lifecycle) | Not covered |
2 | Managing (part of IT asset management lifecycle) | Not covered |
2 | Retiring (part of IT asset management lifecycle) | Not covered |
2 | Kiosk service point | Not covered |
2 | Data security lifecycle (CSUSAD) | Covered as Data/Information Lifecycle |
2 | Data lifecycle (note: there are two versions with different phases in the CBK) | Covered; discrepancies |
2 | Media marking | Covered |
2 | Pervasive encryption | Not covered |
2 | Enclave | Covered |
2 | Data collection (phase of data lifecycle) | Covered |
2 | Data location (phase of data lifecycle) | Covered |
2 | Data maintenance (phase of data lifecycle) | Covered |
2 | Hybrid cloud architecture | Covered |
3 | Complex Hybrid Cryptography | Not covered |
3 | Abstraction | Covered |
3 | Type I hypervisor (type 1) | Covered |
3 | Type II hypervisor (type 2) | Covered |
3 | Type 1 security | Not covered |
3 | Type 2 security | Not covered |
3 | Government cloud | Not covered |
3 | Microservices | Covered |
3 | VM sprawl | Not covered |
3 | Application container | Covered |
3 | Serverless systems | Covered |
3 | High performance computing systems | Not covered |
3 | Edge computing | Covered |
3 | Fog computing | Not covered |
3 | Key space clumping | Not covered |
3 | Clustering/clumping of pseudorandom numbers | Not covered |
3 | Deterministic decryption | Not covered |
3 | Bulk encryption | Covered |
3 | Digital envelope | Not covered |
3 | Distributed ledger | Not covered |
3 | Blockchain | Not covered |
3 | Internet key exchange | Covered |
3 | Scalability | Covered |
3 | Remote key management services | Not covered |
3 | Client-side key management | Covered |
3 | Pass the hash | Covered |
3 | Advanced persistent threat | Covered |
3 | Kill chains | Covered |
3 | Crime Prevention through Environmental Design (CPTED) | Covered |
3 | Contact devices | Not covered |
3 | Contact alarms | Not covered |
3 | Solid core / hollow core | Not covered |
3 | Turnstile | Covered |
3 | Sensitive compartmented information facilities (SCIF) | Covered |
3 | American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) | Not covered |
3 | ANSI/ASHRAE Standard 90.4-2019 | Not covered |
3 | High density equipment | Not covered |
3 | Very Early Smoke Detection Apparatus (VESDA) | Not covered |
3 | Class A, B, C, D, K | Covered |
3 | Aqueous Firefighting Foam (AFFF) | Not covered |
3 | Non-conductive, nontoxic liquid suppressants (Novec) | Not covered |
3 | Balanced Magnetic Switch (BMS) | Not covered |
3 | Acoustic Sensors | Called “Acoustical Detection System” |
3 | Infrared Linear Beam Sensors | Not covered |
3 | Passive Infrared Sensors | Covered |
3 | Automatic Request to Exit | Not covered |
3 | Dual-Technology Sensors | Not covered |
3 | Condition monitoring | Not covered |
3 | Bricking | Not covered |
4 | Bound network | Not covered |
4 | Unbound network | Not covered |
4 | Li-fi | Covered |
4 | Acoustic waves | Not covered |
4 | Line driver | Not covered |
4 | Multiplexer | Covered |
4 | Dense-wave division multiplexer (DWDM) | Not covered |
4 | Infiniband | Not covered |
4 | Broadband over power line | Not covered |
4 | Frequency division multiplexing | Covered |
4 | PPPoE | Not covered |
4 | Arbitration | Not covered |
4 | Deconfliction | Not covered |
4 | Polling protocols | Not covered |
4 | Contention-based protocols | Covered |
4 | Anycast | Covered |
4 | Geocast | Not covered |
4 | Dual stack | Not covered |
4 | Native IPv6 | Not covered |
4 | IPv6 at the edge | Not covered |
4 | Automatic private IP addressing (APIPA) | Not covered |
4 | Distance vector | Covered |
4 | Path vector | Not covered |
4 | Link-state | Covered |
4 | Routed protocol | Covered |
4 | Autonomous systems (ASN) | Covered |
4 | Routing protocol classifications (interior, exterior gateway, classical, classless, distance vector, path vector, link-state) | Covered |
4 | Border gateway protocol | Covered |
4 | Intermediate system to intermediate system (ISIS) (IS-IS) | Covered |
4 | Area border router | Not covered |
4 | DHCPv6 | Not covered |
4 | Modbus or Mod bus | Covered |
4 | east bound interface | Not covered |
4 | west bound interface | Not covered |
4 | microsegmentation | Covered |
4 | Root of trust | Covered |
4 | Trust anchor | Not covered |
4 | Immutability | Not covered |
4 | Hardware-based ROT (root of trust) | Covered |
4 | 802.1X (PNAC) | Covered |
4 | Captive portal | Not covered |
5 | Vertical Privilege Escalation | Not covered |
5 | Horizontal Privilege Escalation | Not covered |
5 | Strong Star Property | Covered |
5 | Access Control As A System | Not covered |
5 | Physical Access Token | Not covered |
5 | Logical Access Token | Not covered |
5 | Just-in-time Identity | Covered |
5 | Privileged account management | Covered |
5 | Hybrid Identity as a Service | Not covered |
5 | Risk-based access controls | Covered |
5 | Identity lifecycle | Covered as “Access Provisioning Life Cycle” with different phases |
5 | Provisioning (part of identity lifecycle) | Covered |
5 | Authentication (part of identity lifecycle) | Not covered – different phases |
5 | Authorization (part of identity lifecycle) | Not covered – different phases |
5 | Accounting (part of identity lifecycle) | Not covered – different phases |
5 | User behavior review (part of identity lifecycle) | Covered |
5 | Job or duties review (part of identity lifecycle) | Covered |
5 | Disable and deprovision (part of identity lifecycle) | Covered |
5 | Account access review (part of identity lifecycle) | Covered |
5 | Permission aggregation | Not covered |
5 | Dual custody | Not covered |
5 | Identity store | Covered |
5 | FICAM | Not covered |
5 | Sponsorship (step 1 of 5 in FICAM) | Not covered |
5 | Enrollment/registration (step 2 of 5 in FICAM) | Not covered |
5 | Credential production (step 3 of 5 in FICAM) | Not covered |
5 | Issuance (step 4 of 5 in FICAM) | Not covered |
5 | Credential lifecycle management (step 5 of 5 in FICAM) | Not covered |
5 | Self service identity | Covered |
5 | Single sign-on | Covered |
5 | Kerberos ticket | Covered |
5 | NTP (Kerberos) | Covered |
5 | TGT (Kerberos) | Covered |
5 | TGS (Kerberos) | Covered |
5 | KDC (Kerberos) | Covered |
5 | Authentication server (AS – part of Kerberos) | Covered |
5 | OpenID | Covered |
5 | OAuth | Covered |
5 | OpenID Connect | Covered |
6 | Formal assessment | Not covered |
6 | Informal assessment | Not covered |
6 | Condition (component of finding) | Not covered |
6 | Criteria (component of finding) | Not covered |
6 | Cause (component of finding) | Not covered |
6 | Effect (component of finding) | Not covered |
6 | Recommendation (component of finding) | Not covered |
6 | No notice assessment | Not covered |
6 | Trust services criteria | Not covered |
6 | SOC reports for cloud and data centers | Not covered |
6 | Conducting a SOC audit (two phases) | Not covered |
6 | Internal audit steps (chartering, testing, reporting, remediation) | Not covered |
6 | External audit steps (chartering, pre-audit planning, audit execution, audit reporting) | Not covered |
6 | Compliance audit (CBK now defines “types” of audits) | Not covered |
6 | Financial audit | Not covered |
6 | Operational audit | Not covered |
6 | Information systems audit | Not covered |
6 | Integrated audit | Not covered |
6 | Forensic audit | Not covered |
6 | NCSC (12 principles) | Not covered |
6 | Compliance test | Not covered |
6 | Substantive test | Not covered |
6 | Code review (the six objectives) | Not covered |
6 | Ethical penetration testing (includes steps/methodology: chartering, discovery, scanning, exploitation, reporting) | Not covered |
6 | Rules of engagement | Not covered |
6 | Bug bounty | Not covered |
6 | Blind test | Covered |
6 | Double-blind test | Covered |
6 | Continuous full-cycle testing | Not covered |
6 | Chaos engineering | Not covered |
6 | Service-level agreement validation (in the context of synthetic performance monitoring) | Not covered |
6 | Six sigma approach (five steps) | Not covered |
6 | Plan-do-check-act (four steps) | Covered |
6 | Non-disclosure (in the context of ethical disclosure) | Not covered |
6 | Full disclosure (in the context of ethical disclosure) | Not covered |
6 | Responsible disclosure (in the context of ethical disclosure) | Covered |
6 | Mandatory reporting | Not covered |
6 | Whistleblowing | Not covered |
7 | Full cutover | Called “Full Interruption” |
7 | Desk check | Covered |
7 | EDR | Covered |
7 | XDR | Covered |
7 | Self hosted, self-managed | Not covered |
7 | Cloud SIEM, self-managed | Not covered |
7 | Hybrid self-hosted | Not covered |
7 | SIEM as a service | Not covered |
7 | Precursor (CBK differentiates from indicator) | Not covered |
7 | External threat intelligence | Not covered |
7 | Internal threat intelligence | Not covered |
7 | User and Entity Behavior Analytics (UEBA) | Covered |
7 | MITRE | Covered |
7 | Request for Change (RFC) | Covered |
7 | Change management activities (initiation, review/approval, implementation and evaluation, release/deployment planning/control) | Different activities |
7 | NIST Forensic cycle (collection, examination, analysis, reporting) | Not covered |
7 | Incident response activities (preparation, detection, analysis, response/mitigation, recovery, remediation, reporting, review & improvement) | Different phases |
7 | SOAR | Covered |
7 | Allowed list | Covered |
7 | Blocked list | Covered |
7 | 3-2-1 backup strategy | Not covered |
7 | Cloud backup as a service | Not covered |
7 | RAID 15 and 51 | Not covered |
8 | Software Quality Assurance | Covered |
8 | Software Assurance Maturity Model (SAMM) – very brief | Covered |
8 | Software Assurance During Acquisition (Five Phases) | Not covered |
8 | Functional requirements | Covered |
8 | Non-functional requirements | Covered |
8 | Acceptance Testing | Covered |
8 | Unit Test | Covered |
8 | Regression Testing | Covered |
8 | Data Validation | Not covered |
8 | Fuzzing | Covered |
8 | Bounds Checking | Called something else |
8 | Known-good data (testing) | Not covered |
8 | Software assurance policy | Not covered |
8 | Orphaned Software | Not covered |
8 | Network Database Management Model | Not covered |
8 | CODASYL | Not covered |
8 | Strongly typed | Covered |
8 | Weakly typed | Not covered |
8 | SAST | Covered |
8 | DAST | Covered |
8 | IAST | Not covered |
8 | Privileged applets (sandbox) | Not covered |
8 | Java Network Launch Protocol | Not covered |
8 | CLASSPATH | Not covered |
8 | Class loader | Covered |
8 | Native libraries | Not covered |
8 | Runtime | Covered |
8 | Code Repositories | Covered |
8 | Configuration Management | Covered |
8 | High granularity | Not covered |
8 | Low granularity | Not covered |
8 | Continuous Integration / Continuous Delivery (CICD) | Covered |
8 | Configuration Audit | Not covered |
8 | System Lifecycle (SLC) | Covered |
8 | SDLC | Covered |
8 | Memory leak | Covered |
8 | IPPD | Not covered |
8 | IPT | Covered |
8 | Partnership for Systems Approaches to Safety and Security (PSASS) | Not covered |
8 | Intermediate code | Covered |
8 | Arbitrary code | Not covered |
8 | Refactoring | Not covered |
8 | Level of abstraction | Covered |
8 | Lower order languages | Not covered |
8 | Higher order languages | Called “High-Level” |
8 | Data protection/data hiding | Covered |
8 | Code protection/logic hiding | Not covered |
8 | Compiled language | Covered |
8 | Interpreted language | Covered |
8 | Constraint based/logic programming | Not covered |
8 | Business need identification (4 steps: Ask, evaluate, agree, document) | Not covered |
8 | Between the lines | Not covered |
8 | Bypass attack | Not covered |
8 | Database view (used for access control) | Not covered |
8 | Data contamination | Not covered |
8 | Improper modification | Not covered |
8 | Query attacks | Not covered |
8 | Data lake | Not covered |
8 | Data farm | Not covered |
8 | Parallel processing | Covered |
8 | Graph database | Not covered |
8 | Candidate key | Not covered |
8 | Non-relational database | Not covered |
8 | Probabilistic method | Not covered |
8 | Statistical approach | Not covered |
8 | Deviation and trend analysis (as part of KDD) | Not covered |
8 | Integrated development environment (IDE) | Covered |
8 | Commodity systems (COTS) | Partially covered |