Changes in CISSP: 2021 versus 2018

| Joost Krapels | Security

In April 2020, we wrote an article on the then-current 2018 version of the Certified Information Systems Security Professional (CISSP) Body of Knowledge and provided a free study template. Technology evolves at a rapid pace, and with it the risks to an organisation’s information assets. The capabilities of and tools available to malicious actors do not exactly decrease either. The creators of CISSP, (ISC)², have updated the certification to keep up with these changes. In this article, we give a short overview of the changes between CISSP 2018 and CISSP 2021, and provide you with an updated template.

What is CISSP again?

CISSP, or Certified Information Systems Security Professional, is a well-known and widely accepted certification for security professionals. All who pass the exam have shown a solid understanding of all main topics of Information Security, and know their way around the technical and organisational aspects of security. CISSP is not a specialisation, but provides security professionals with an all-round skillset. To pass the exam, they must demonstrate mastery of most (if not all) of the topics described in the CISSP Body of Knowledge. (ISC)² divided these topics into eight domains:

  1. Security and Risk Management
  2. Asset Security
  3. Security Architecture and Engineering
  4. Communication and Network Security
  5. Identity and Access Management (IAM)
  6. Security Assessment and Testing
  7. Security Operations
  8. Software Development Security

During the three-hour exam, you must score at least 700 out of 1000 points. Interestingly enough, not everyone receives the same number of questions. Every time you answer a question, the exam calculates your chance of passing. This means that it is possible to pass with 100 questions answered, 150 answered, fail in considerably less, or something in between. As you progress successfully, the questions get harder.

Changes in the 2021 version

There are some significant changes in the new CISSP, which are not immediately visible by just looking at the eight domains. They have remained the same, and their weights have only slightly changed.

The real changes are, however, spread out over many different subtopics in all eight domains. In CISSP 2021, 42 subtopics are either completely new or significantly expanded compared to the 2018 version. 44 topics are at least slightly changed, and six are completely removed. With a total of 340 subtopics compared to the previous 270, the 2021 version seems more challenging than before.

In the CISSP Official Study Guide, the changes are found below the surface as well. The first thing you notice when placing the new ninth edition (2021) beside the previous eighth edition (2018) is that the former is significantly thinner than the latter, by almost two full centimeters. Luckily, you need not worry about missing content; the ninth edition is a longer read with 1040 pages compared to the previous 948. This contradiction can be explained by the simple fact that the ninth edition’s pages are made of a different, thinner type of paper.

New body of knowledge template

Anyone studying for the 2021 Body of Knowledge version of the CISSP exam can use our up-to-date study template. It replaces the one in the free CISSP study template article we published in 2018. The template contains all topics and sub-topics described in the newest Body of Knowledge, and helps you keep track of which of them you have read, tested yourself on, and have mastered on a practice exam. Once you have finished reading one of the 21 chapters, tick off the subdomains mentioned at the start of that chapter. The template automatically ticks off the main domains as you go and shows your progress as a percentage.

We have created the template under the Creative Commons licence; you may use, edit, and share the template, as long as you credit ICT Institute for the original version. The template is based on (ISC)²’s original exam outline.


Image credit: @mikael_k via Unsplash

Author: Joost Krapels
Joost Krapels has completed his BSc. Artificial Intelligence and MSc. Information Sciences at the VU Amsterdam. Within ICT Institute, Joost provides IT advice to clients, advises clients on Security and Privacy, and further develops our internal tools and templates.