CISSP CBK MAY 2021 UPDATE
REVIEW AND COMPARISON

This document is a review of the May 2021 CISSP® CBK® from (ISC)² and how it compares with the older CBK® that was published in April 2018.

This review was completed by

Clement Dupuis, CD
Owner and Founder of CCCure

CISSP® CBK® 2021 REVIEW COPYRIGHTED © CLEMENT DUPUIS/CCCURE 2000-2020 HTTPS://CCCURE.EDUCATION DISTRIBUTION AUTHORIZED AS IS WITHOUT ANY MODIFICATIONS
LIMIT OF LIABILITY / DISCLAIMER OF WARRANTY

The author makes no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaims all warranties, including without limitation warranties of fitness for a particular purpose.

No warranty may be created or extended by sales or promotional materials. The information, advice, and strategies contained herein may not be suitable for every single student or situation. This work is given with the understanding that the author is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought.

The author shall NOT be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author endorses the information the organization or Web site may provide or recommendations it may make.

Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read. Let us know so we can update the links.

This study guide is provided to you “AS IS”. It is distributed under the following license:

Attribution-NonCommercial-NoDerivs
CC BY-NC-ND

The license allows you to download this document and share it with others if proper credit is given to the author, Clement Dupuis (Founder and Owner of CCCure), and it is not changed in any way.

Under this license, commercial usage and derivatives are prohibited.

CCCURE QUIZ ENGINE UPDATE
https://cccure.education
Our quiz engine, located at the URL above, will be updated to include ALL the new topics that were added to the latest version of the exam.

LEGEND:
OVERSTRIKE indicates content that was DELETED from the latest CBK from (ISC)²

RED and the acronym NFC indicates a Note From Clement

BLUE color indicates NEW content

PURPLE color indicates rewording, a cosmetic change, addition of useful details, or very slight change

Domain 1:
Security and Risk Management
• Ethics was moved to the beginning of this domain to show that it is an important topic and that you must agree to the (ISC)² code of ethics in order to become certified as a CISSP.
• Examples were added to some of the topics to better explain what is included within that topic.
• Investigation types used to be in domain 7 in the old CBK.
• Overall, nothing new, just a few cosmetic changes and a small quantity of content moved from domain 7 to this domain.

(ISC)² CBK® MAY 2021

1.1 Understand, adhere to, and promote professional ethics
» (ISC)² Code of Professional Ethics
» Organizational code of ethics

1.2 Understand and apply security concepts
» Confidentiality, integrity, and availability, authenticity and nonrepudiation

1.3 Evaluate and apply security governance principles
» Alignment of security function to business strategy, goals, mission, and objectives
» Organizational processes (e.g., acquisitions, divestitures, governance committees)
» Organizational roles and responsibilities
» Security control frameworks
» Due care/due diligence
» Determine compliance requirements

1.4 Determine compliance and other requirements
» Contractual, legal, industry standards, and regulatory requirements
» Privacy requirements

1.5 Understand legal and regulatory issues that pertain to information security in a holistic context
» Cybercrimes and data breaches
» Licensing and intellectual property (IP) requirements
» Import/export controls
» Trans-border data flow
» Privacy

1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
NFC: The item above is new content within domain 1; it used to be in domain 7 of the old CBK.

1.7 Develop, document, and implement security policy, standards, procedures, and guidelines

1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements
» Business Impact Analysis (BIA)
» Develop and document scope and plan
NFC: The bullets above were reordered.

1.9 Contribute to and enforce personnel security policies and procedures
» Candidate screening and hiring
» Employment agreements and policies
» Onboarding, transfer, and termination processes
» Vendor, consultant, and contractor agreements and controls
» Compliance policy requirements
» Privacy policy requirements

1.10 Understand and apply risk management concepts
» Identify threats and vulnerabilities
» Risk assessment/analysis
» Risk response
» Countermeasure selection and implementation
» Applicable types of controls (e.g., preventive, detective, corrective)
» Control Assessment (security and privacy)
» Monitoring and measurement
» Reporting
» Continuous improvement (e.g., Risk maturity modeling)
» Risk frameworks
NFC: Very minor changes on two bullets.

1.11 Understand and apply threat modeling concepts and methodologies
NFC: Two bullets detailing Threat Modeling were deleted in section 1.11.

1.12 Apply Supply Chain Risk Management (SCRM) concepts
» Risks associated with hardware, software, and services
» Third-party assessment and monitoring
» Minimum security requirements
» Service-level requirements
NFC: Very slight change on the bullet wording of the section above.

1.13 Establish and maintain a security awareness, education, and training program
» Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification)
» Periodic content reviews
» Program effectiveness evaluation

(ISC)² CBK® APRIL 2018

1.1 Understand and apply security concepts of confidentiality, integrity, and availability

1.2 Evaluate and apply security governance principles
» Alignment of the security function to business strategy, goals, mission, and objectives
» Organizational processes (e.g., acquisitions, divestitures, governance committees)
» Organizational roles and responsibilities
» Security control frameworks
» Due care/due diligence

1.3 Determine compliance requirements
» Contractual, legal, industry standards, and regulatory requirements
» Privacy requirements

1.4 Understand legal and regulatory issues that pertain to information security in a global context
» Cybercrimes and data breaches
» Licensing and Intellectual Property requirements
» Import/export controls
» Transborder data flow
» Privacy

1.5 Understand, adhere to, and promote professional ethics
» (ISC)² Code of Professional Ethics
» Organizational code of ethics
NFC: Ethics was moved to 1.1 in the new CBK.

1.6 Develop, document, and implement security policy, standards, procedures, and guidelines

1.7 Identify, analyze, and prioritize Business continuity (BC) requirements
» Develop and document the scope and the plan
» Business Impact Analysis (BIA)

1.8 Contribute to and enforce personnel security policies and procedures
» Candidate screening and hiring
» Employment agreements and policies
» Onboarding and termination processes
» Vendor, consultant, and contractor agreements and controls
» Compliance policy requirements
» Privacy policy requirements

1.9 Understand and apply risk management concepts
» Identify threats and vulnerabilities
» Risk assessment/analysis
» Risk response
» Countermeasure selection and implementation
» Applicable types of controls (e.g., preventive, detective, corrective)
» Security Control assessments (SCA)
» Monitoring and measurement
» Reporting
» Continuous improvement
» Risk frameworks

1.10 Understand and apply threat modeling concepts and methodologies
» Threat modeling methodologies
» Threat modeling concepts

1.11 Apply risk-based management concepts to the supply chain
» Risks associated with hardware, software, and services
» Third-party assessment and monitoring
» Minimum security requirements
» Service level requirements

1.12 Establish and maintain a security awareness, education, and training program
» Methods and techniques to present awareness and training
» Periodic content reviews
» Program effectiveness evaluation

Domain 2: Asset Security
This domain has almost no new content. There was a lot of clarifying by adding examples of what is included with some of the topics, and Data location, Data maintenance, and Data retention were added.

(ISC)² CBK® MAY 2021

2.1 Identify and classify information and assets
» Data classification
» Asset Classification

2.2 Establish information and asset handling requirements

2.3 Provision resources securely
» Information and asset ownership
» Asset inventory (e.g., tangible, intangible)
» Asset management

2.4 Manage data lifecycle
» Data roles (i.e., owners, controllers, custodians, processors, users/subjects)
» Data collection
» Data location
» Data maintenance
» Data retention
» Data remanence
» Data destruction

2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))

2.6 Determine data security controls and compliance requirement
» Understand data states (e.g., in use, in transit, at rest)
» Scoping and tailoring
» Standards selection
» Data protection methods (e.g., Digital Rights Management (DRM), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB))

(ISC)² CBK® APRIL 2018

2.1 Identify and classify information and assets
» Data classification
» Asset Classification

2.2 Determine and Maintain information and asset ownership

2.3 Protect Privacy
» Data owners
» Data processers
» Data remanence
» Collection limitation
NFC: Section 2.3 above was moved to 2.4 in the new CBK.

2.4 Ensure appropriate asset retention

2.5 Determine data security controls
» Data states
» Scoping and tailoring
» Standards selection
» Data protection methods

2.5 Establish information and asset handling requirements
NFC: 2.5 above was moved to 2.2 in the new CBK.

Domain 3:
Security Architecture and Engineering
• It is great to finally see the addition of topics such as Microservices, Containerization, Serverless, High-Performance Computing (HPC) systems, Edge computing systems, and Virtualized systems.
• The section on Understanding Methods of Cryptographic Attack has been expanded to include examples of crypto attacks. There are 13 different types of Crypto Attacks listed now.
• This update finally added Ransomware as a topic. As I am writing this, the Departments of Motor Vehicles in multiple states are struggling with malware and cannot issue driver license renewals. Multiple states use the same software and they were all hit at the same time. This is an important topic.
• Quantum Computing was added as a new topic.
• Finally, having redundant power backup was added. This has been a hot topic as well, with the fires in California and the extreme cold weather we had in Texas this winter.
• Overall, this is one domain with quite a bit of content added in a few areas of expertise. The most prevalent change is the addition of clarification for many of the topics.

(ISC)² CBK® MAY 2021

3.1 Research, implement and manage engineering processes using secure design principles
» Threat modeling
NFC: This used to be in domain 1; it is now duplicated within domain 1 and this domain, so nothing new.
» Least privilege
NFC: This used to be in Domain 7 of the old CBK.
» Defense in depth
» Secure defaults
NFC: As detailed in Microsoft's secure by design, secure by default, secure by deployment principles, and also by NIST in their Secure Software Development Framework (SSDF), to name only a few.
» Fail securely
NFC: This used to be in the CBK; it was removed and now it is brought back.
» Separation of Duties (SoD)
NFC: This used to be at 7.5 in the old CBK.
» Keep it simple
» Zero Trust
» Privacy by design
NFC: This used to fall within 1.3 in the old CBK, under Privacy Requirements.
» Trust but verify
» Shared responsibility
NFC: That is an important issue when it comes to cloud and virtual services. You must understand how responsibility is shared between the customer and the cloud provider.
NFC: A lot of detail was added to 3.1. Now the student has a better idea of what to study for this domain.

3.1 Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)

3.2 Select controls based upon systems security requirements

3.3 Understand security capabilities of information systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)

3.4 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
» Client-based systems
» Server-based systems
» Database systems
» Cryptographic systems
» Industrial Control Systems (ICS)
» Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
» Distributed systems
» Internet of Things (IoT)
» Microservices
» Containerization
» Serverless
» Embedded systems
» High-Performance Computing (HPC) systems
» Edge computing systems
» Virtualized systems

3.2 Select and determine cryptographic solutions
» Cryptographic life cycle (e.g., keys, algorithm selection)
» Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves, quantum)
» Public Key Infrastructure (PKI)
» Key management practices
» Digital signatures and digital certificates
» Non-repudiation
» Integrity (e.g., hashing)
» Understand methods of cryptanalytic attacks
» Digital Rights Management (DRM)

3.3 Understand methods of cryptanalytic attacks
» Brute force
» Ciphertext only
» Known plaintext
» Frequency analysis
» Chosen ciphertext
» Implementation attacks
» Side-channel
» Fault injection
» Timing
» Man-in-the-Middle (MITM)
» Pass the hash
» Kerberos exploitation
» Ransomware

3.5 Apply security principles to site and facility design

3.6 Design site and facility security controls
» Wiring closets/intermediate distribution facilities
» Server rooms/data centers
» Media storage facilities
» Evidence storage
» Restricted and work area security
» Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
» Environmental issues
» Fire prevention, detection, and suppression
» Power (e.g., redundant, backup)

(ISC)² CBK® APRIL 2018

3.1 Implement and manage engineering processes using secure design principles

3.2 Understand the fundamental concepts of security models

3.3 Select controls based upon systems security requirements

3.4 Understand security capabilities of Information systems (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)

3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
» Client-based systems
» Server-based systems
» Database systems
» Cryptographic systems
» Industrial Control Systems (ICS)
» Cloud-based systems
» Distributed systems
» Internet of Things (IoT)

3.6 Assess and mitigate vulnerabilities in web-based systems

3.7 Assess and mitigate vulnerabilities in mobile systems

3.8 Assess and mitigate vulnerabilities in embedded devices
NFC: The three sections above were moved to 3.4 within the new CBK.

3.9 Apply Cryptography
» Cryptographic life cycle (e.g., key management, algorithm selection)
» Cryptographic methods (e.g., symmetric, asymmetric, elliptic curves)
» Public Key Infrastructure (PKI)
» Key management practices
» Digital signatures
» Non-repudiation
» Integrity (e.g., hashing)
» Understand methods of cryptanalytic attacks
NFC: The bullet above has become a sub-paragraph by itself in the new CBK. See it at 3.3 within the new CBK.
» Digital Rights Management (DRM)
NFC: DRM was moved to 2.6 within the new CBK.

3.10 Apply security principles to site and facility design

3.11 Implement site and facility security controls
» Wiring closets/intermediate distribution facilities
» Server rooms/data centers
» Media storage facilities
» Evidence storage
» Restricted and work area security
» Utilities and Heating, Ventilation, and Air Conditioning (HVAC)
» Environmental issues
» Fire prevention, detection, and suppression

Domain 4:
Communication and Network Security
Overall, this is another domain where very little was added as new content, and clarification of some of the topics was added.
New topics include Third-party connectivity, Micro-segmentation, and Cellular networks.

(ISC)² CBK® MAY 2021

4.1 Assess and Implement secure design principles in network architectures
» Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
» Internet Protocol (IP) networking (e.g., Internet Protocol Security (IPSec), Internet Protocol (IP) v4/6)
» Secure protocols
» Implications of multilayer protocols
» Converged protocols (e.g., Fiber Channel Over Ethernet (FCoE), Internet Small Computer Systems Interface (iSCSI), Voice over Internet Protocol (VoIP))
» Micro-segmentation (e.g., Software Defined Networks (SDN), Virtual eXtensible Local Area Network (VXLAN), Encapsulation, Software-Defined Wide Area Network (SD-WAN))
» Wireless networks (e.g., Li-Fi, Wi-Fi, Zigbee, satellite)
» Cellular networks (e.g., 4G, 5G)
» Content Distribution Networks (CDN)

4.2 Secure network components
» Operation of hardware (e.g., redundant power, warranty, support)
» Transmission media
» Network Access Control (NAC) devices
» Endpoint security

4.3 Implement secure communication channels according to design
» Voice
» Multimedia collaboration
» Remote access
» Data communications
» Virtualized networks
» Third-party connectivity

(ISC)² CBK® APRIL 2018

4.1 Secure network components
» Operation of hardware
» Transmission media
» Network Access Control (NAC) devices
» Endpoint security
» Content-distribution networks
NFC: CDN was removed from the new CBK list of Secure Network Components. It was moved to 4.1 Secure Design in the new CBK.

4.2 Implement secure communication channels according to design
» Voice
» Multimedia collaboration
» Remote access
» Data communications
» Virtualized networks

Domain 5:
Identity and Access Management (IAM)
This domain has very slight changes. A few topics were reworded.

Logical access to applications, Just-In-Time (JIT), Role definition, Privilege escalation, Single Sign-On, hybrid identity service, and Risk-Based Access Control were added to this domain.

Overall, little content was added in this domain, and clarifications of some of the topics were added, which is a good thing for the student getting ready for the exam.

(ISC)² CBK® MAY 2021

5.1 Control physical and logical access to assets
» Information
» Systems
» Devices
» Facilities
» Applications

5.2 Manage identification and authentication of people, devices, and services
» Identity management (IdM) implementation
» Single/multi-factor authentication
» Accountability
» Session management
» Registration, proofing, and establishment of identity
» Federated Identity Management (FIM)
» Credential management systems
» Single Sign On (SSO)
» Just-In-Time (JIT)

5.3 Federated identity as a third-party service
» On-premise
» Cloud
» Hybrid

5.4 Implement and manage authorization mechanisms
» Role Based Access Control (RBAC)
» Rule-based access control
» Mandatory Access Control (MAC)
» Discretionary Access Control (DAC)
» Attribute Based Access Control (ABAC)
» Risk based access control

5.5 Manage the identity and access provisioning lifecycle
» Account access review (e.g., user, system, service)
» System account access review
NFC: This item was combined into the item above.
» Provisioning and deprovisioning (e.g., on/off boarding and transfers)
» Role definition (e.g., people assigned to new roles)
» Privilege escalation (e.g., managed service accounts, use of sudo, minimizing its use)

5.6 Implement authentication systems
» OpenID Connect (OIDC)/Open Authorization (OAuth)
» Security Assertion Markup Language (SAML)
» Kerberos
» Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+)
NFC: The topics above have been within the CBK for many years. However, they were not mentioned specifically and would be included under other topics.

(ISC)² CBK® APRIL 2018

5.1 Control physical and logical access to assets
» Information
» Systems
» Devices
» Facilities

5.2 Manage identification and authentication of people, devices, and services
» Identity Management implementation
» Single/Multi-Factor Authentication
» Accountability
» Session management
» Registration and proofing of identity
» Federated Identity Management (FIM)
» Credential management systems

5.3 Integrate Identity as a third-party service
» On-premise
» Cloud
» Hybrid

5.4 Implement and manage authorization mechanisms
» Role Based Access Control (RBAC)
» Rule based access control
» Mandatory Access Control (MAC)
» Discretionary Access Control (DAC)
» Attribute Based Access Control (ABAC)

5.5 Manage the identity and access provisioning lifecycle
» User access review
» System account access review
» Provisioning and deprovisioning

Domain 6:
Security Assessment and Testing
A few topics, such as Breach attack simulations and Compliance checks, were added.
More details were added under reporting, such as Remediation, Exception handling, and Ethical disclosure.
Overall, very few changes were introduced to this domain.

(ISC)² CBK® MAY 2021

6.1 Design and validate assessment, test, and audit strategies
» Internal
» External
» Third-party

6.2 Conduct security control testing
» Vulnerability assessment
» Penetration testing
» Log reviews
» Synthetic transactions
» Code review and testing
» Misuse case testing
» Test coverage analysis
» Interface testing
» Breach attack simulations
» Compliance checks

6.3 Collect security process data (e.g., technical and administrative)
» Account management
» Management review and approval
» Key performance and risk indicators
» Backup verification data
» Training and awareness
» Disaster Recovery (DR) and Business Continuity (BC)

6.4 Analyze test output and generate report
» Remediation
» Exception handling
» Ethical disclosure

6.5 Conduct or facilitate security audits
» Internal
» External
» Third-party

(ISC)² CBK® APRIL 2018

6.1 Design and validate assessment, test, and audit strategies
» Internal
» External
» Third-party

6.2 Conduct security control testing
» Vulnerability assessment
» Penetration testing
» Log reviews
» Synthetic transactions
» Code review and testing
» Misuse case testing
» Test coverage analysis
» Interface testing

6.3 Collect security process data (e.g., technical and administrative)
» Account management
» Management review and approval
» Key performance and risk indicators
» Backup verification data
» Training and awareness
» Disaster Recovery (DR) and Business Continuity (BC)

6.4 Analyze test output and generate report

6.5 Conduct or facilitate security audits
» Internal
» External
» Third-party

Domain 7:
Security Operations
This domain has a few topics that were added, such as Log management, Threat intelligence (e.g., threat feeds, threat hunting), User and Entity Behavior Analytics (UEBA), Artifacts under forensics, Configuration Management, Media Protection techniques, and Lessons Learned under BCP and DRP. It sounds like a lot, but in reality most of that content was already being covered in all of the study books and training material; it was just added to the list of topics.

(ISC)² CBK® MAY 2021

7.1 Understand and comply with investigations
» Evidence collection and handling
» Reporting and documentation
» Investigative techniques
» Digital forensics tools, tactics, and procedures
» Artifacts (e.g., computer, network, mobile device)

7.2 Conduct logging and monitoring activities
» Intrusion detection and prevention
» Security Information and Event Management (SIEM)
» Continuous monitoring
» Egress monitoring
» Log management
» Threat intelligence (e.g., threat feeds, threat hunting)
» User and Entity Behavior Analytics (UEBA)

7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)

7.4 Apply foundational security operations concepts
» Need-to-know/least privilege
» Separation of Duties (SoD) and responsibilities
» Privileged account management
» Job rotation
» Service Level Agreements (SLAs)

7.5 Apply resource protection
» Media management
» Media protection techniques

7.6 Conduct incident management
» Detection
» Response
» Mitigation
» Reporting
» Recovery
» Remediation
» Lessons learned

7.7 Operate and maintain detective and preventative measures
» Firewalls (e.g., next generation, web application, network)
» Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
» Whitelisting/blacklisting
» Third-party provided security services
» Sandboxing
» Honeypots/honeynets
» Anti-malware
» Machine learning and Artificial Intelligence (AI) based tools

7.8 Implement and support patch and vulnerability management

7.9 Understand and participate in change management processes

7.10 Implement recovery strategies
» Backup storage strategies
» Recovery site strategies
» Multiple processing sites
» System resilience, High Availability (HA), Quality of Service (QoS), and fault tolerance

7.11 Implement Disaster Recovery (DR) processes
» Response
» Personnel
» Communications
» Assessment
» Restoration
» Training and awareness
» Lessons learned

7.12 Test Disaster Recovery Plans (DRP)
» Read-through/tabletop
» Walkthrough
» Simulation
» Parallel
» Full interruption

7.13 Participate in Business Continuity (BC) planning and exercises

7.14 Implement and manage physical security
» Perimeter security controls
» Internal security controls

7.15 Address personnel safety and security concerns
» Travel
» Security training and awareness
» Emergency management
» Duress

(ISC)² CBK® APRIL 2018

7.1 Understand and support investigations
» Evidence collection and handling
» Reporting and documentation
» Investigative techniques
» Digital forensics tools, tactics, and procedures

7.2 Understand requirements for investigation types
» Administrative
» Criminal
» Civil
» Regulatory
» Industry standards
NFC: Section 7.2 above was moved to domain 1 in the new CBK.

7.3 Conduct logging and monitoring activities
» Intrusion detection and prevention
» Security Information and Event Management (SIEM)
» Continuous monitoring
» Egress monitoring

7.4 Securely provisioning resources
» Asset inventory
» Asset management
» Configuration management

7.5 Understand and apply foundational security operations concepts
» Need-to-know/least privilege
» Separation of Duties (SoD) and responsibilities
» Privileged account management
» Job rotation
» Service Level Agreements (SLAs)

7.6 Apply resource protection techniques
» Media management
» Hardware and software asset management

7.7 Conduct incident management
» Detection
» Response
» Mitigation
» Reporting
» Recovery
» Remediation
» Lessons learned

7.8 Operate and maintain detective and preventive measures
» Firewalls
» Intrusion Detection and Prevention Systems
» Whitelisting/blacklisting
» Third-party provided security services
» Sandboxing
» Honeypots/honeynets
» Anti-malware

7.9 Implement and support patch and vulnerability management

7.10 Understand and participate in change management processes

7.11 Implement recovery strategies
» Backup storage strategies
» Recovery site strategies
» Multiple processing sites
» System resilience, High Availability, Quality of Service (QoS), and fault tolerance

7.12 Implement Disaster Recovery (DR) processes
» Response
» Personnel
» Communications
» Assessment
» Restoration
» Training and awareness
» Lessons learned

7.13 Test Disaster Recovery Plans (DRP)
» Read-through/tabletop
» Walkthrough
» Simulation
» Parallel
» Full interruption

7.14 Participate in Business Continuity (BC) planning and exercises

7.15 Implement and Manage Physical Security
» Perimeter security controls
» Internal security controls

7.16 Address personnel safety and security concerns
» Travel
» Security training and awareness
» Emergency management
» Duress

Domain 8:
Software Development Security
This domain has some new topics.

(ISC)² CBK® MAY 2021

8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
» Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps)
» Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))
» Operation and maintenance
» Change management
» Integrated Product Team (IPT)

8.2 Identify and apply security controls in software development ecosystems
» Programming languages
» Libraries
» Tool sets
» Integrated Development Environment (IDE)
» Runtime
» Continuous Integration and Continuous Delivery (CI/CD)
» Security Orchestration, Automation, and Response (SOAR)
» Software Configuration Management (SCM)
» Code repositories
» Application security testing (e.g., Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST))

8.3 Assess the effectiveness of software security
» Auditing and logging of changes
» Risk analysis and mitigation

8.4 Assess security impact of acquired software
» Commercial-off-the-shelf (COTS)
» Open source
» Third-party
» Managed services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))

8.5 Define and apply secure coding guidelines and standards
» Security weaknesses and vulnerabilities at the source-code level
» Security of Application Programming Interfaces (APIs)
» Secure coding practices
» Software-defined security

(ISC)² CBK® APRIL 2018

8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
» Development methodologies
» Maturity models
» Operation and maintenance
» Change management
» Integrated Product Team

8.2 Identify and apply security controls in development environment
» Security of the software environments
» Configuration management as an aspect of secure coding
» Security of code repositories

8.3 Assess the effectiveness of software security
» Auditing and logging of changes
» Risk analysis and mitigation

8.4 Assess security impact of acquired software

8.5 Define and Apply secure coding guidelines and standards
» Security weaknesses and vulnerabilities at the source-code level
» Security of Application Programming Interfaces
» Secure coding practices