CISSP 2024 Domains: Navigating the Latest Updates

The cybersecurity landscape is evolving at a very rapid pace, which makes it a must for professionals to remain committed to their thirst for knowledge to be one jump ahead of emerging threats and industry standards. As we embark on the journey of exploring the latest updates to the CISSP domains in the year 2024, it becomes evident that adaptability and continuous learning are of the greatest importance. The Certified Information Systems Security Professional acronym CISSP certification is a cornerstone for individuals who wish to achieve exceptional growth in the field of cybersecurity. In this article, we will look briefly at each of the eight domains specified by CISSP and analyze the recent updates and knowledge that are vital to flourish in the cybersecurity domain and CISSP exam.

Domain 1: Security and Risk Management (16%)

Domain 1 of CISSP, “Security and Risk Management,” covers a comprehensive range of topics essential for professionals in the field. It begins with a focus on professional ethics, including adherence to codes of conduct and organizational ethics. Understanding security concepts such as confidentiality, integrity, and availability is crucial. Security governance principles, legal and regulatory issues, and risk management concepts are emphasized. Additionally, the domain addresses business continuity, personnel security policies, threat modeling, supply chain risk management, and security awareness programs. Ensuring program effectiveness through evaluation rounds off this foundational domain, providing a robust framework for managing security and risks effectively.

What’s updated?

• Ethics and Governance: 2024 introduces more explicit references to understanding, adhering to, and promoting professional ethics, including both ISC2 and organizational codes of ethics. There’s a deeper emphasis on evaluating, applying, and sustaining security governance principles, aligning security function to business strategy, and understanding legal, regulatory, and compliance issues in a more holistic context.
• Risk Management: The 2024 outline provides a more structured approach to understanding and applying risk management concepts, with detailed subtopics on threat and vulnerability identification, risk analysis, assessment, response, and treatment.
• Supply Chain Risk Management (SCRM): 2024 explicitly includes SCRM concepts, highlighting risks associated with the acquisition of products and services and risk mitigation strategies, indicating an increased focus on supply chain security.

Domain 2: Asset Security (10%)

Domain 2 of CISSP, “Asset Security,” delves into the identification, classification, and management of information and assets. It begins with the crucial task of identifying and classifying data and assets according to their sensitivity and importance. Establishing handling requirements ensures that information and assets are provisioned securely, considering ownership, inventory, and management practices. Managing the data lifecycle involves understanding roles, collection, location, maintenance, retention, remanence, and destruction processes. Additionally, ensuring appropriate asset retention and determining data security controls and compliance requirements, including data states, scoping, tailoring, standards selection, and protection methods, are essential aspects of this domain.

What’s updated?

• • • Data Security: Both CISSP 2021 and 2024 outlines cover data lifecycle management comprehensively, but the 2024 version may include updated methodologies or technologies affecting data classification, handling, retention, and destruction based on emerging threats and compliance requirements.

Domain 3: Security Architecture and Engineering (13%)

Domain 3 of CISSP, “Security Architecture and Engineering,” encompasses the research, implementation, and management of secure design principles and engineering processes. It begins with understanding and applying concepts such as threat modeling, least privilege, defense in depth, secure defaults, and segregation of duties. Security models and capabilities of information systems are explored, along with selecting controls based on system security requirements. Assessing and mitigating vulnerabilities across various systems, including client-based, server-based, database, cryptographic, cloud-based, IoT, and distributed systems, are critical components. Cryptographic solutions, cryptanalytic attacks, and security principles in site and facility design are addressed. Lastly, managing the information system lifecycle, from stakeholders’ needs and requirements to retirement and disposal, is emphasized.

What’s updated?

• • • Security Models and Architectures: The 2024 outline potentially expands on secure design principles, engineering processes, and security models, reflecting advancements in technology and the evolving threat landscape.

Domain 4: Communication and Network Security (13%)

Domain 4 of CISSP, “Communication and Network Security,” focuses on applying secure design principles in network architectures. It covers a wide range of topics including network models such as OSI and TCP/IP, secure protocols like IPSec and SSH, and implications of multilayer protocols. Converged protocols and transport architectures are explored alongside performance metrics and traffic flows. Physical and logical segmentation, micro-segmentation, edge networks, and various types of networks including wireless, cellular, and content distribution networks are discussed. Additionally, topics such as software-defined networks, virtual private clouds, and monitoring and management are addressed. Implementing secure network components and communication channels, including endpoint security and secure transmission media, is crucial for ensuring robust network security.

What’s updated?

• • • Secure Network Design: Updates in network security technologies and protocols, especially in the context of increased cloud adoption and the proliferation of remote work, are likely reflected in the 2024 outline.

Domain 5: Identity and Access Management (IAM) (13%)

Domain 5 of CISSP, “Identity and Access Management (IAM),” focuses on controlling physical and logical access to assets. It encompasses designing identification and authentication strategies for people, devices, and services, including groups, roles, and AAA mechanisms like MFA and password-less authentication. Session management, registration, proofing, and identity establishment are crucial aspects, along with Federated Identity Management (FIM), credential management, SSO, and Just-In-Time access. Federated identity with third-party services, both on-premise and in the cloud, is explored. Implementing and managing authorization mechanisms such as RBAC, MAC, DAC, and ABAC, along with access policy enforcement, are discussed. Managing the identity and access provisioning lifecycle, including account access reviews, provisioning, deprovisioning, role transitions, and service accounts, is emphasized. Implementing authentication systems effectively is essential for robust identity and access management.

What’s updated?

• • • IAM Strategies: The evolution of IAM solutions and practices, especially concerning cloud environments and hybrid IT infrastructures, might be more pronounced in the 2024 outline.

Domain 6: Security Assessment and Testing (12%)

Domain 6 of CISSP, “Security Assessment and Testing,” focuses on designing and validating assessment, test, and audit strategies to ensure the robustness of security controls. This involves conducting various types of assessments, including internal, external, and third-party assessments, across different locations such as on-premise, cloud, or hybrid environments. Security controls testing encompasses vulnerability assessment, penetration testing, log reviews, code review and testing, and breach attack simulations, among others. Collecting security process data involves monitoring account management, management review and approval, key performance indicators, and training and awareness. Analyzing test output and generating reports is crucial for identifying remediation actions and handling exceptions ethically. Additionally, conducting or facilitating security audits, whether internal, external, or third-party, further strengthens the security posture of an organization across different environments.

What’s updated?

• • • Assessment Techniques: Given the dynamic nature of cybersecurity threats, the 2024 outline likely emphasizes newer assessment and testing methodologies, including automation and integration with continuous deployment pipelines.

Domain 7: Security Operations (13%)

Domain 7 of CISSP, “Security Operations,” covers a broad spectrum of activities essential for maintaining effective security measures within an organization. Understanding and complying with investigations involve various aspects such as evidence collection and handling, reporting, investigative techniques, and digital forensics tools and procedures. Conducting logging and monitoring activities includes intrusion detection and prevention, SIEM, continuous monitoring, threat intelligence, and user and entity behavior analytics. Configuration management, foundational security operations concepts, and resource protection are fundamental for maintaining security posture. Incident management involves detection, response, mitigation, reporting, recovery, remediation, and lessons learned. Operating and maintaining detection and preventative measures include firewalls, IDS/IPS, whitelisting/blacklisting, and anti-malware tools. Implementing patch and vulnerability management, participating in change management processes, and implementing recovery and disaster recovery strategies are vital aspects. Testing disaster recovery plans and participating in business continuity planning and exercises ensure preparedness for potential disruptions. Implementing and managing physical security and addressing personnel safety and security concerns further contribute to overall security operations.

What’s updated?

• • • Operational Security and Incident Management: The 2024 version could introduce new or revised content on the application of security operations concepts, resource protection, incident management, and the operation of detective and preventative measures, reflecting new best practices and technologies.

Domain 8: Software Development Security (10%)

Domain 8 of CISSP, “Software Development Security,” focuses on integrating security throughout the Software Development Life Cycle (SDLC) and ensuring secure software development practices. Understanding and integrating security in SDLC involves various aspects such as development methodologies (Agile, Waterfall, DevOps, etc.), maturity models, operation, maintenance, change management, and integrated product teams. Identifying and applying security controls in software development ecosystems cover programming languages, libraries, toolsets, integrated development environments, runtime environments, CI/CD pipelines, software configuration management, code repositories, and application security testing techniques like SAST, DAST, software composition analysis, and IAST. Assessing the effectiveness of software security involves auditing, logging, risk analysis, and mitigation. Evaluating the security impact of acquired software includes considerations for COTS, open-source, third-party, managed services, and cloud services. Defining and applying secure coding guidelines and standards encompasses identifying security weaknesses and vulnerabilities, securing APIs, following secure coding practices, and implementing software-defined security measures. These efforts ensure that software is developed with security in mind, reducing the risk of vulnerabilities and enhancing overall security posture.

What’s updated?

• • • Secure Development: Changes in this domain might include more on secure coding practices, assessing the security of acquired software, and integrating security throughout the Software Development Life Cycle (SDLC), considering the rise of DevSecOps and other agile methodologies.

CISSP with InfosecTrain:

The CISSP 2024 content outline reflects the evolving landscape of cybersecurity, incorporating updates across all eight domains to address emerging threats and technological advancements. From emphasizing professional ethics and governance to integrating security throughout software development processes, each domain covers essential aspects crucial for effective security management. With a focus on risk management, security operations, identity and access management, and secure software development, the CISSP certification remains at the forefront of ensuring professionals are equipped with the knowledge and skills needed to protect organizations in an ever-changing threat landscape.

TRAINING CALENDAR of Upcoming Batches For CISSP

InfosecTrain’s CISSP certification training provides comprehensive coverage of all domains, preparing professionals to excel in the CISSP exam and in cybersecurity roles.

You can read the following to learn more, where we compare CISSP 2021 with the latest version, CISSP 2024:

• • CISSP 2021 vs. New CISSP 2024

AUTHOR
Monika Kukreti ( )
Infosec Train

“ Monika Kukreti holds a bachelor's degree in Electronics and Communication Engineering. She is a voracious reader and a keen learner. She is passionate about writing technical blogs and articles. Currently, she is working as a content writer with InfosecTrain. “