Are there a lot of new changes to the CISSP exam starting April 15th, 2018?
There really doesn't seem to be a lot of changes...really.
Looking at the syllabus, I'd say the material is still 95% the same. That's a big percentage of the same material.
I'm saying this because I'm a CISSP nerd and derive great pleasure by going through each line of the 2018 CISSP syllabus to see what's up.
All the changes seem to be very minor in terms of the overall CBK, the new topics are just meant to keep your knowledge fresh on some new security trends. This is actually a good thing, no?
This is a high-level conceptual exam anyway, it is not detailed like CCNA or CEH. Everything is about concepts, and concepts are fundamental - they don't change.
When you take the exam you might not even feel there is a difference between what you studied, and what is on the exam. It's all about the concepts.
I'll give you a real life example of what it means to know the fundamental concepts. While I studied for my exam, I was hired as a junior level network security engineer. I had no idea how to configure or implement IPSec on the different types of firewalls like Checkpoint, Cisco, or Palo Alto. I thought I had to study how to configure a VPN tunnel separately on each of those firewalls. It was incredibly intimidating, and I faced much pressure from work to learn quickly.
But instead of reading up on the technical manuals of each type of firewall, I noticed something. After reading Domain 3 and Domain 4 multiple times from my Shon Harris 7th Edition book about IPSec, symmetric encryption, integrity algorithms, high-availability, and firewalls in general...things started to make sense. I started to "get" it.
If I knew about the concept of IPSec and encryption, it didn't matter what kind of firewall was in front of me, the basic and general implementation is the same on any device. You have Phase 1 to exchange the cipher suites and Diffie-Hellmann keys, and you have Phase 2 to exchange the interesting traffic, and maybe even add Perfect Forward Secrecy if necessary. Implementing Phase 1 and Phase 2 was the same no matter if I was on Checkpoint 2200, a Cisco ASA 5505, or a Palo Alto 3200 series. It didn't matter. I could implement IPSec on every firewall now because the "concept" was the exact same.
The same with the CISSP exam, the fundamental concepts are still going to be the same. Just because the exam is changing doesn't mean that suddenly the concepts will be changing.
It's all about the concepts if you want to pass the CISSP.
What are some of the new topics for the new exam?
As the times change so will the technology and innovations, which means brand new security concerns. Here's what I know as of right now about the new topics for the April exam:
Internet of Things (IoT)
Smart TVs, a ceiling light you can turn off with your phone, a drone, a surveillance camera...anything that can be turned on or off and have some sort of IP address to connect to the Internet, belongs to the IoT. There's billions of devices within the Internet of things, with billions of security risks.
Attribute-Based Access Control
After RBAC, MAC, and DAC, the CISSP Detailed Content Outline now has ABAC. It makes sense for this to be in the new exam, it's a more flexible method when it comes to granting access rights. ABAC is not as rigid as RBAC, and uses multiple user "attributes" to satisfy an access condition, think of them as "IF" --> "THEN" statements. ABAC is not set in pre-defined conditions, it can adapt to changing and multiple combinations of requirements to grant access.
Below are some of the new topics from the Software Development domain, but I just don't have enough information on them right now to provide useful information. The new Sybex and Official ISC2 book for the new exam change comes out in May 2018. But I will try to provide insight into these topics beforehand. I mean there is info out there on the Internet, but I would rather give you the info as it pertains to the CISSP, what you have to know for the exam.
Define and Apply Secure Coding Guidelines and Standards
This is the general heading for the below topics.
Security weaknesses and vulnerabilities at the source-code level
The current CBK does not really go into source-code level vulnerabilities, and frankly I'm not too familiar with them either. Software development security was my worst domain as I did not have direct security experience in it. I can only guess this new topic may have something to do with the functions of compilers, reverse engineering, or maybe some scripting languages.
Security of application programming interfaces
APIs do so much for us on a daily basis and we may not even be aware of it. In case you are not familiar with what an API is, it's like the interface between two applications, databases, or devices - they are a part of our everyday lives.
In the April exam, APIs would be part of the Software Development Security domain, but I've even seen them used in network security as well. For example, custom XML APIs can be used for making calls to Palo Alto firewalls in order to obtain host names, IP addresses, routes etc. etc. Some APIs are used in Checkpoint firewalls when it comes to version upgrades or migrations.
New APIs are being created every day...because new devices and software are being created everyday. Anything "new" in security comes with its own security issues, and APIs aren't any different. As far as the CISSP exam, I'm thinking you will have to know something about the authentication process between the two parties involved using API.
Secure coding practices
This new topic sounds like a mix of some of the older topics like knowing about input validation, making sure there are no backdoors or hooks in a program, or just keeping code simple. The more complex the coding, the more the security vulnerabilities.
The new exam might focus more on least privilege and architecture, but I'm really just speculating. I'll update this post as more information comes in.
Is the exam going to be completely different?
I don't think the ISC2 is going to completely throw out all their tens of thousands of questions they have amassed over the years and introduce a completely new exam on April 15th.
And since the syllabus doesn't look like it has changed that much, it doesn't make sense for me to think they'd just create new questions.
I can't tell for sure if the exam is going to be completely different, I'm just doing a qualitative analysis based on my instinct and experience dealing with the CISSP. I'm not doing a quantitative analysis using numbers, formulas, or math.
I mean....if the exam is going to be a completely different beast, then other CISSP websites, bootcamps, training facilities, teaching platforms, UDemy courses, practice question engines, official ISC2 training centers...all of that would become meaningless. Everyone would have to start all over again.
Looking at it in a business perspective, it would not be the most prudent course of due diligence from the makes of the CISSP exam. It would put a lot of companies and people out of business.
Can I still study my current material or wait for the new material?
Please, keep studying your current material which you have paid for with your hard-earned money.
If you've been studying for the CISSP exam for over 2 months and have purchased books, apps, practice questions, and boot camps, it's all still relevant.
The domains are the same, the Common Body of Knowledge (CBK) is still the same, which means the content in the book is generally still the same.
Whether you have the Sybex 7th Edition or Shon Harris AIO 7th Edition, learning about single loss expectancy, symmetric encryption, or penetration testing isn't going to suddenly change to mean something else. It's still the same information.
Think of it this way: the definitions of risk, threat, exploit, or a vulnerability are not going to suddenly change into something else for the new April exam. They are still going to mean the same thing. You should be fine to continue studying your current material.
I'm sure McGraw Hill and Sybex will be coming out with newer editions of their books, but per precedent, they aren't coming out with completely newly written books.
The definition of "risk" is still going to be the possibility of a threat agent using an exploit to take advantage of a vulnerability - no matter what book, no matter what year: 1999, 2020, or April 15th 2018. It's all still going to mean the same thing. It's still a fundamental concept, and concepts aren't easily transfigured.
If you want to fully perform your due diligence and would rather get the newer editions of the current CISSP books, click below:
Books for April CISSP Changes 2018
Should I reschedule my exam for after the new April exam material has come out?
If you've been studying for over 3-4 months and feel confident about your knowledge, and also a complete nervous wreck over the new April exam, then take it before the exam changes.
Just get it over with. This way, if you pass, you're done. Your daily studying will come to an end, as well as that lingering nervousness of the new exam syllabus.
If you're been studying less than a month or two, it might be a better choice to wait until after the new exam. First of all, 2 months is probably not enough time to study for the CISSP, unless you're a really good test taker, love absorbing books, or have worked in the security industry in a management role for years. Or just a genius.
I suggest to keep on pushing forward with your dedicated CISSP studies, and then start learning about the new material as it becomes available.
If you're interested, I will continue making CISSP videos of the current and the new topics for the exam for members of this site. If you'd like to become a member, please click here.