11 Must Know Changes to the 2021 CISSP Exam
2021 CISSP Requirements
With every attempted hack, data breach, system intrusion, or full-scale attack, Technology and Developer teams grow increasingly more concerned about cybersecurity. IT organizations have good reason to worry. The MITRE ATTACK Framework, a respected watchdog, identifies 291 know threats. This extraordinary tally doesn’t include unknown threats from offbeat bad actors.
More than 130,000 IT security professionals worldwide have achieved certification by passing the rigorous CISSP exam and meeting the extensive work experience prerequisite. Still, HR experts estimate more than 2 million IT security job openings will not be filled in 2021. This is a bad news story for technology organizations wishing to strengthen their security posture as rapidly as possible.
Bad news for the industry is good news for job seekers with a commitment to mastering security.
The CISSP (Certified Information Systems Security Professional) certification exam is perhaps the most recognized and respected credential for security professionals. This is in part because the certification is not vendor-sponsored. Instead, the certification is granted by a neutral body (ISC)2.
Certification recognizes mastery of a large and growing common body of knowledge (CBK). Every three years, the CISSP certification exam is reviewed and is updated to reflect industry trends and technology innovation. 2021 is a new exam year. The new exam will continue to test proficiency in the required eight domains. More than 20% of the tested material is new, and the first test in May is expected to be more challenging than ever.
The CISSP certification exam is an adaptive test that presents questions based upon correctly answered questions. Candidates don’t receive identical tests or even the same number of questions. Most exams have 100-150 questions across the eight domains. Incorrect answers may generate more questions in the same domain.
Candidates can obtain a detailed outline of content from the exam sponsor (ISC)2. This outline covers most of the tested content, but not all. Work experience is not only a prerequisite; it’s essential to have the lived reality of fending off intrusions that are ever-present and inventive. Let’s examine some of the more important new topics.
New exam content
The following topics are new in 2021 and provide a high-level overview of the changes in the exam:
- Risk maturity models: approach for measuring an organization’s capability to manage risk. Helps organizations assess good choices and good decisions. Evaluates the degree of risk maturity based on risk culture, skills, and experience of people, process support, and application effectiveness. Scores an organization’s adaptability to risk.
- Owner’s rights to privacy: Process for self-imposed limits on data collection and use. Privacy should be proactive and preventative and not a process for remediation for failures to safeguard data or limit use—approach for imbedding privacy into an organization’s architecture and not as an afterthought.
- Digital rights management (DRM): Governance for protecting digital content regardless of format including documents, music, medical records, videos, and autonomous vehicles. Establishes rules and licensing requirements for digital keys to unlock encrypted content. Management system for shielding creativity and intellectual property.
- Data pipelines: All actions related to creating and protecting resilient and reliable data pipelines across infrastructures. Includes collection of data from all sources, location and secure storage, maintenance of data currency and integrity, retention rules, and requirements and trusted destruction.
- Trust but verify: the software supply chain, Open-Source programs, and 3rd party tools are all suspects for introducing malware. Trusted insiders such as DBAs, developers, and administrators are needed to patch and maintain code and authorize access. Methods for verifying trust and auditability to ensure changes are legitimate. Means to verify the authenticity of insider behavior.
- Security models: different service types, such as Software as a Service, Infrastructure as a Service, and Platform as a Service, prevent contrasting security risks. Threat modeling by service constructs real-life scenarios of intrusions and attacks and challenges professionals to practice mitigation techniques in a penalty-free learning environment.
- Cloud computing: the flexibility and scalability of cloud apps are driving universal adoption. Microservices accelerate software development but may mask dependencies and exposures. Containers offer a layer of security, and orchestration services are the backbone of scalability.
- Internet of Things (IoT) and Edge computing: the explosion of internet-connected devices is driving more computing resources to the edge of networks. Defending the last mile of networks is essential to Edge computing to ensure availability and resilience. Edge expands network management practices.
- Continuous Integration Continuous Delivery (CICD): the outcome of process automation which ensures new releases are available daily or hourly to meet business requirements. It is closely aligned with cloud computing and container orchestration. Increases security challenges from software dependencies. Incorporates DevOps principles and removing toil from work.
- Agile and DevOps:the SCRUM methodology is used to simplify software development by breaking large projects into small pieces. Development and operations teams deploy DevOps principles to automate much of the build and deployment processes. Both support cloud.
- DevSecOps: an expansion of DevOps to embrace security throughout the development and operations process. Shifts security resources to the Build phase to integrate protection into front-end systems and 3rd party tools and repositories. Elevates security challenges across the development life cycle.
These examples of new content are tracking closely with technology trends many IT organizations are deploying. The exam questions are likely to focus on the managerial challenges of implementing technology and cultural change.
The CISSP exam has been characterized as a mile wide but only a few feet deep. There is an extraordinary amount of information to absorb. The official textbook is more than 1,500 pages. The shorter study guide is more than 1,000 pages. Experience helps but isn’t a replacement for a winning strategy. Follow these suggestions and tips to elevate your odds of success – the first time you take the exam.
These tips and techniques have proven to be a successful strategy:
- Put on your manager hat when learning new topics. Selecting the best answer to an exam question requires a managerial mindset. CISSP is not a technical certification. Jobs that require CISSP certification are typically managerial jobs.
- Seek live or live online instruction for exam preparation. Live instruction has many advantages. Seasoned instructors have passed the exam multiple times over their careers. Classmates are a resource for Q&A. Learners have the opportunity to share experiences. Learners are committed security professionals with at least 5-years of experience making for a unique learning environment.
- Vary learning methods. Books, videos, audio recordings, flashcards, and practice exams from ISC Squared and 3rd party providers make it easy to mix it up and minimize study fatigue. Research has proven that multiple learning methods increase retention.
- Repetition pays off. Reviewing a topic 4 or 5 times is an effective way of storing information in long-term memory. Cramming utilizes short-term memory, which is less dependable for recall under pressure.
- Practice memorization techniques like mnemonics (acronyms), picmonics (picture mnemonics), chunking, and other proven methods. Some content just has to be memorized.
- Get a study buddy. A study partner helps to keep both partners on track with a study schedule. Partners can challenge each other with flashcards and share experiences.
- The long haul vs. the hail Mary. Intentionally repeating this point. Fixing concepts in long-term memory works and requires time. Plan your time and build in reviews. Cramming crushes content into short-term memory, which can be fleeting at the worst times.
- Don’t rush. Take your time with the first ten questions. The exam is adaptive. New questions are presented based on prior correct answers. Incorrect responses may prompt more questions in an area of weakness. There may be multiple correct answers, but only one best answer.
Skillsoft for your CISSP journey
With Skillsoft, you’ll train with the most effective tools and techniques. In a discipline without a single standard, get a holistic view of various CISSP resources from experts and find the approach that fits your needs the best. Take command of your journey by trusting a proven leader.
Regardless of whether you are a security novice, early adopter, or master, Skillsoft can help you achieve your goals and advance in your career by acquiring new skills.
ABOUT THE AUTHOR
Michael Shannon has worked at Skillsoft more than 17 years. He developed his skills in the security through working in the field and has passed the CISSP Exam 3 times. He enjoys teaching the live bootcamps because of the diversity of the students and their active engagement in learning. Michael is also an accomplished musician and singer/songwriter.