CISSP® CBK® 2021 REVIEW COPYRIGHTED © CLEMENT DUPUIS/CCCURE 2000-2020 HTTPS://CCCURE.EDUCATION DISTRIBUTION AUTHORIZED AS IS WITHOUT ANY MODIFICATIONS
LIMIT OF LIABILITY / DISCLAIMER OF WARRANTY
The author shall NOT be liable for damages arising herefrom. The fact that an organization
or Web site is referred to in this work as a citation and/or a potential source of further
information does not mean that the author endorses the information the organization or Web
site may provide or recommendations it may make.
Further, readers should be aware that Internet Web sites listed in this work may have changed
or disappeared between when this work was written and when it is read. Let us know so we
can update the links.
This study guide is provided to you “AS IS”. It is distributed under the following license:
Attribution-NonCommercial-NoDerivs
CC BY-NC-ND
Click on THIS LINK for details
The license allows downloading this document and sharing it with others if proper credit is given to
the author Clement Dupuis (Founder and Owner of CCCure) and it is not changed in any way.
CCCURE QUIZ ENGINE UPDATE
https://cccure.education
Our quiz engine, located at the URL above, will be updated to include ALL the new topics that were
added to the latest version of the exam.
LEGEND:
OVERSTRIKE indicates content that was DELETED from the latest CBK from (ISC)²
PURPLE color indicates rewording, a cosmetic change, addition of useful details, or very slight change
Domain 1:
Security and Risk Management
• Ethics was moved to the beginning of this domain to show that it is an important topic and that you must agree
to the (ISC)² code of ethics in order to become certified as a CISSP.
• Examples were added to some of the topics to better explain what is included within that topic.
• Investigation types used to be in domain 7 in the old CBK.
• Overall, nothing new, just a few cosmetic changes and a small quantity of content moved from domain 7 to this
domain.
2021 CBK: 1.2 Understand and apply security concepts
» Confidentiality, integrity, and availability, authenticity and nonrepudiation
Previous CBK: 1.1 Understand and apply security concepts of confidentiality, integrity, and availability

2021 CBK: 1.3 Evaluate and apply security governance principles
» Alignment of the security function to business strategy, goals, mission, and objectives
Previous CBK: 1.2 Evaluate and apply security governance principles
» Alignment of security function to business strategy, goals, mission, and objectives
2021 CBK: 1.4 Determine compliance and other requirements
» Contractual, legal, industry standards, and regulatory requirements
» Privacy requirements
Previous CBK: 1.3 Determine compliance requirements
» Contractual, legal, industry standards, and regulatory requirements
» Privacy requirements
processes
2021 CBK:
» Vendor, consultant, and contractor agreements and controls
» Compliance policy requirements
» Privacy policy requirements
Previous CBK:
» Vendor, consultant, and contractor agreements and controls
» Compliance policy requirements
» Privacy policy requirements
2021 CBK: 1.10 Understand and apply risk management concepts
» Identify threats and vulnerabilities
» Risk assessment/analysis
» Risk response
» Countermeasure selection and implementation
» Applicable types of controls (e.g., preventive, detective, corrective)
» Control Assessment (security and privacy)
» Monitoring and measurement
» Reporting
» Continuous improvement (e.g., Risk maturity modeling)
» Risk frameworks
Previous CBK: 1.9 Understand and apply risk management concepts
» Identify threats and vulnerabilities
» Risk assessment/analysis
» Risk response
» Countermeasure selection and implementation
» Applicable types of controls (e.g., preventive, detective, corrective)
» Security Control assessments (SCA)
» Monitoring and measurement
» Reporting
» Continuous improvement
» Risk frameworks

NFC: Two bullets detailing Threat Modeling were deleted in section 1.11.
Previous CBK (threat modeling section, only partially captured here):
» Threat modeling concepts
2021 CBK: 1.13 Establish and maintain a security awareness, education, and training program
» Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification)
» Periodic content reviews
» Program effectiveness evaluation
Previous CBK: 1.12 Establish and maintain a security awareness, education, and training program
» Methods and techniques to present awareness and training
» Periodic content reviews
» Program effectiveness evaluation
Domain 2: Asset Security
This domain has almost no new content. Many topics were clarified by adding examples of what they
include, and Data location, Data maintenance, and Data retention were added.
Domain 3:
Security Architecture and Engineering
• It is great to finally see the addition of topics such as Microservices, Containerization, Serverless,
High-Performance Computing (HPC) systems, Edge computing systems, and Virtualized systems.
• The section on Understanding Methods of Cryptographic Attack has been expanded to include
examples of crypto attacks. There are 13 different types of Crypto Attacks listed now.
• This update finally added Ransomware as a topic. As I am writing this, the Departments of Motor
Vehicles in multiple states are struggling with malware and cannot issue driver license renewals.
Multiple states use the same software and they were all hit at the same time. This is an
important topic.
• Quantum Computing was added as a new topic.
• Finally, redundant power backup was added. This has been a hot topic as well with the fires
in California and the extreme cold weather we had in Texas this winter.
• Overall, this is one domain with quite a bit of content added in a few areas of expertise. The most
prevalent change is the addition of clarification for many of the topics.
under Privacy Requirements
» Trust but verify
» Shared responsibility
NFC: That is an important issue when it comes to cloud and virtual services. You must understand how
responsibility is shared between the customer and the cloud provider.
NFC: A lot of detail was added to 3.1. Now the student has a better idea what to study for this domain.
2021 CBK: 3.2 Select controls based upon systems security requirements
Previous CBK: 3.3 Select controls based upon systems security requirements

Methods of Cryptographic Attack (the 13 types now listed, as noted in the domain introduction above):
» Brute force
» Ciphertext only
» Known plaintext
» Frequency analysis
» Chosen ciphertext
» Implementation attacks
» Side-channel
» Fault injection
» Timing
» Man-in-the-Middle (MITM)
» Pass the hash
» Kerberos exploitation
» Ransomware
2021 CBK: 3.5 Apply security principles to site and facility design
Previous CBK: 3.10 Apply security principles to site and facility design
2021 CBK: 3.6 Design site and facility security controls
» Wiring closets/intermediate distribution facilities
» Server rooms/data centers
» Media storage facilities
» Evidence storage
» Restricted and work area security
» Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
» Environmental issues
» Fire prevention, detection, and suppression
» Power (e.g., redundant, backup)
Previous CBK: 3.11 Implement site and facility security controls
» Wiring closets/intermediate distribution facilities
» Server rooms/data centers
» Media storage facilities
» Evidence storage
» Restricted and work area security
» Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
» Environmental issues
» Fire prevention, detection, and suppression
Domain 4:
Communication and Network Security
Overall, this is another domain where very little new content was added; clarification of some of the topics
was added.
New topics include Third-party connectivity, Micro-Segmentation, and Cellular Networks.
2021 CBK: 4.3 Implement secure communication channels according to design
» Voice
» Multimedia collaboration
» Remote access
» Data communications
» Virtualized networks
» Third-party connectivity
Previous CBK: 4.2 Implement secure communication channels according to design
» Voice
» Multimedia collaboration
» Remote access
» Data communications
» Virtualized networks
Domain 5:
Identity and Access Management (IAM)
This domain has very slight changes. A few topics were reworded.
Logical Access to applications, Just-In-Time (JIT), Role definition, Privilege Escalation, Single Sign-on, Just-in-time,
hybrid identity service, and Risk Based Access Control were added to this domain.
Overall, little content was added in this domain, and clarifications of some of the topics were added, which is a good
thing for the student getting ready for the exam.
2021 CBK: 5.1 Control physical and logical access to assets
» Information
» Systems
» Devices
» Facilities
» Applications
Previous CBK: 5.1 Control physical and logical access to assets
» Information
» Systems
» Devices
» Facilities
NFC: The topics above have been within the CBK for many years. However, they were not mentioned
specifically and would be included under other topics.
Domain 6:
Security Assessment and Testing
A few topics such as Breach attack simulations and Compliance checks were added.
More details were added under reporting, such as Remediation, Exception handling, and Ethical disclosure.
Overall, very few changes were introduced to this domain.
2021 CBK: 6.4 Analyze test output and generate report
» Remediation
» Exception handling
» Ethical disclosure
Previous CBK: 6.4 Analyze test output and generate report

2021 CBK: 6.5 Conduct or facilitate security audits
» Internal
» External
» Third-party
Previous CBK: 6.5 Conduct or facilitate security audits
» Internal
» External
» Third-party
Domain 7:
Security Operations
This domain has a few topics that were added, such as Log management, Threat intelligence (e.g., threat feeds, threat
hunting), User and Entity Behavior Analytics (UEBA), Artifacts under forensics, Configuration Management, Media
Protection techniques, and Lessons Learned under BCP and DRP. It sounds like a lot, but in reality most of that
content was already covered in all of the study books and training material; it was just added to the list of topics.
(UEBA)
» Asset management
» Configuration management

2021 CBK: Conduct incident management (section number not captured)
» Detection
» Response
» Mitigation
» Reporting
» Recovery
» Remediation
» Lessons learned
Previous CBK: 7.7 Conduct incident management
» Detection
» Response
» Mitigation
» Reporting
» Recovery
» Remediation
» Lessons learned

2021 CBK: 7.7 Operate and maintain detective and preventative measures
» Firewalls (e.g., next generation, web application, network)
» Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
» Whitelisting/blacklisting
» Third-party provided security services
» Sandboxing
» Honeypots/honeynets
» Anti-malware
» Machine learning and Artificial Intelligence (AI) based tools
Previous CBK: 7.8 Operate and maintain detective and preventive measures
» Firewalls
» Intrusion Detection and Prevention Systems
» Whitelisting/blacklisting
» Third-party provided security services
» Sandboxing
» Honeypots/honeynets
» Anti-malware

2021 CBK: Implement Disaster Recovery (DR) processes (start of this row not captured)
» Personnel
» Communications
» Assessment
» Restoration
» Training and awareness
» Lessons learned
Previous CBK: 7.12 Implement Disaster Recovery (DR) processes
» Response
» Personnel
» Communications
» Assessment
» Restoration
» Training and awareness

2021 CBK: 7.12 Test Disaster Recovery Plans (DRP)
» Read-through/tabletop
» Walkthrough
» Simulation
» Parallel
» Full interruption
Previous CBK: 7.13 Test Disaster Recovery Plans (DRP)
» Read-through/tabletop
» Walkthrough
» Simulation
» Parallel
» Full interruption

2021 CBK: 7.13 Participate in Business Continuity (BC) planning and exercises
Previous CBK: 7.14 Participate in Business Continuity (BC) planning and exercises

2021 CBK: 7.14 Implement and manage physical security
» Perimeter security controls
» Internal security controls
Previous CBK: 7.15 Implement and Manage Physical Security
» Perimeter security controls
» Internal security controls

2021 CBK: 7.15 Address personnel safety and security concerns
» Travel
» Security training and awareness
» Emergency management
» Duress
Previous CBK: 7.16 Address personnel safety and security concerns
» Travel
» Security training and awareness
» Emergency management
» Duress
Domain 8:
Software Development Security
This domain has some new topics.
2021 CBK: 8.2 Identify and apply security controls in software development ecosystems
» Programming languages
Previous CBK: 8.2 Identify and apply security controls in development environment
» Security of the software environments