CISSP Exam Changes Are A Good Thing

Dr. Rae Hayward, a member of the ISC2 management team, has said this about the old material vs the new material:

“…you should be adequately prepared or confident that you should have success with your current knowledge and the information you gained by either reading the book or attending the seminar.”

What this means for you future CISSP exam takers is that the old material will only help you on the new exam! So don’t worry: the old material you’ve been studying will STILL be tested on the new exam.

These were my immediate thoughts:

  • Oh crap! I better take my exam soon!

  • I’ve studied so long I’d HATE to have to re-learn new material!!

  • The new changes are going to affect how I think about security and I have to learn new concepts ALL OVER AGAIN!

But you know what? Those are all selfish points of view on my part.

Changes to the CISSP exam are a GOOD THING!

Because technology is a very dynamic beast, it is constantly changing and adapting to the world around us.

Or is it the other way around? Is the world adapting to changes in technology?

When hackers from the rogue nation of North Korea can effectively prevent American movie theaters from showing “The Interview”, the world has entered an era of electronic intimidation.

Excuse the cliché, but the security principles we use today may not be effective against the security threats of tomorrow. It’s as simple as that. We should be glad the CISSP exam domains are changing, as it will open our eyes to cooler security stuff!

Here are the new domains as compared to the old domains:

  • Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)

      • This domain sounds like it is combining a few of the old domains into one.

  • Asset Security (Protecting Security of Assets)

      • Probably the same material as the old Operations Security domain.

  • Security Engineering (Engineering and Management of Security)

      • This is new! Should be awesome.

  • Communications and Network Security (Designing and Protecting Network Security)

      • Another name for Telecommunications and Network Security?

  • Identity and Access Management (Controlling Access and Managing Identity)

      • This sounds like the old Access Control domain.

  • Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)

      • New! Penetration testing stuff, maybe?!

  • Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)

      • Again, sounds like a combination of a few old domains into one.

  • Software Development Security (Understanding, Applying, and Enforcing Software Security)

      • Was really hoping the “Software Development Security” domain had been taken out; it’s my weakest domain.

It reads like (ISC)2 is trying to focus more on the technical side of information security (security engineering, penetration testing, access control) than on the non-technical side (disaster recovery, laws and regulations), which it has combined into a single domain.

Changes will take place on April 15, 2015!

How do you feel about it?
