Good day to all, 

A new CBK was released in April of 2018.  The new and updated study book from ISC2 has not been updated as of the writing of this article, almost a year after the CBK was updated.  Why are they so slow?  Simply because there are almost no changes within their new CBK.

Does this mean you need to panic?  NOT AT ALL

The past updates to the CBK have always been incremental, with only a few changes being introduced.  Based on the latest CBK that has been published, this is also the case.  In fact, it seems this is the update with the least amount of change I have ever seen as far as content being introduced to or removed from the exam CBK.


WEIGHING OF EACH DOMAIN

The weight given to each of the domains has changed quite a bit for some of them, and it seems to be going back to what it was when we had 10 domains instead of 8.

DOMAIN                                     % on 2015 CBK®   % on April 2018 CBK®
Security and Risk Management                    16%                15%
Asset Security                                  10%                10%
Security Architecture and Engineering           12%                13%
Communications and Network Security             12%                14%
Identity and Access Management (IAM)            13%                13%
Security Assessment and Testing                 11%                12%
Security Operations                             16%                13%
Software Development Security                   10%                10%

 

Security and Risk Management is the most important domain on the new CBK®, which makes a lot of sense considering that security is all about managing risk after all.  It now sits at 15%.

Communications and Network Security went up by 2%, which makes sense as well considering the huge amount of material covered and the fact that the network today really is the computer.  No network = No service = No Availability.

Security Assessment and Testing went up by 1%.  This is a very obscure area to many security professionals who have never performed testing, and it is not something you can learn in one week.  People spend their lives becoming great penetration testers and security assessors.  I think the increase is justified.

Security Operations is the domain that lost the most, dropping by 3%.  That makes sense: it is, after all, a review of what is covered within the other 7 domains, applied in the context of security operations.

The other three domains are at exactly the same percentage.

As you can see, the score distribution per domain is getting more even, which means you must study hard for all of the domains, but you MUST master at least the top six domains, which are the ones that will make you pass or fail this exam.


OVERVIEW OF CHANGES OR THE LACK OF

The changes that are introduced are very much cosmetic and minor, where action verbs such as Evaluate, Determine, Identify, Analyse, Adhere, and Prioritize have been introduced to better indicate what is expected of you as an Information Security Professional.

I have compared the Detailed Content Outline (DCO) for April 2018 with the old 2015 CBK®; see a summary below per domain.

The tables presented below list what was changed, added, or removed from the old CBK® compared with the new CBK®.  Anything NOT LISTED is exactly the same.

DOMAIN 1: SECURITY AND RISK MANAGEMENT (15% of the exam content)

As you will see below, there is almost no change in content for this domain.  There was some reformatting of the names of some of the bullets, and that is about it.

Overall, I can honestly say there was at most 1% change within this domain.  Nothing significant.

TOPIC | 2015 CBK® OLD NAME | 2018 CBK® NEW NAME
1.2 | Apply security governance principles through: | Evaluate & Apply security governance principles through:
1.2 | Control frameworks | Security Control frameworks
1.3 | Compliance | Determine Compliance Requirements
1.3 | Legislative and regulatory compliance | Contractual, Legal, Industry standards, and Regulatory Requirements
1.3 | Privacy requirements compliance | Privacy requirements
1.4 | Computer crimes | Cyber Crimes and Data Breaches
1.4 | Licensing and intellectual property | Licensing and intellectual property requirements
1.4 | Data Breaches | REMOVED AND ADDED TO BULLET ABOVE
1.5 | Understand professional ethics | Understand, adhere to, and promote professional ethics
1.5 | Exercise (ISC)2 Code of Professional Ethics | (ISC)2 Code of Professional Ethics
1.5 | Support organization's code of ethics | Organizational code of ethics
1.6 | Develop and Implement documented security policy, standards, procedures, and guidelines | Develop, Document, and Implement security policy, standards, procedures, and guidelines
1.7 | Understand Business Continuity requirements | Identify, Analyse, and Prioritize Business Continuity requirements
1.7 | Develop and document project scope and plan | Develop and document scope and plan
1.7 | Conduct business impact analysis | Business impact analysis
1.8 | Contribute to personnel security policies | Contribute to and enforce personnel security policies and procedures
1.8 | Employment Candidate Screening | Candidate Screening and Hiring
1.8 | Employment termination processes | Onboarding and termination process
1.8 | Vendor, consultant, and contractor controls | Vendor, consultant, and contractor agreements and controls
1.8 | Compliance | Compliance Policy Requirements
1.8 | Privacy | Privacy Policy Requirements
1.9 | Risk Assessment/acceptance | Risk Response
1.9 | Countermeasure Selection | Countermeasure Selection and Implementation
1.9 | Implementation | REMOVED AND ADDED TO BULLET ABOVE
1.9 | Control Assessment | Security Control Assessment
1.9 | Types of Controls | Applicable types of controls
1.10 | Understand and apply threat modeling | Understand and apply threat modeling concepts and methodology
1.10 | Identifying threats | REMOVED
1.10 | Determining and Diagramming potential attacks | REMOVED
1.10 | Performing reduction analysis | REMOVED
1.10 | Technology and processes to remediate threats | REMOVED
1.10 | (none) | Added: Threat Modeling concepts
1.10 | (none) | Added: Threat modeling methodologies
1.11 | Integrate security risk considerations into acquisition strategy and practice | Apply risk-based management concepts to the supply chain
1.11 | Hardware, Software, and Services | Risks associated with Hardware, Software, and Services
1.12 | Establish and manage information security education, training, and awareness | Establish and maintain a security education, training, and awareness program
1.12 | Appropriate levels of awareness, training, and education required within organization | REMOVED AND REPLACED BY THE TWO BULLETS BELOW
1.12 | Periodic reviews for content relevancy | Periodic content reviews
1.12 | (none) | Added: Method and Techniques to present awareness and training
1.12 | (none) | Added: Program effectiveness evaluation

 

DOMAIN 2: ASSET SECURITY (10% of the exam content)

As you will see below, there is almost no change in content for this domain.  There was some reformatting of the names of some of the bullets, and that is about it.

Overall, I can honestly say there was less than 1% change within this domain.  Nothing significant.

I was glad to see that Cryptography was removed.  However, Data Protection Methods has been added, and of course that will cover the cryptography used to protect your data.  So in summary: no change, just different names.

TOPIC | 2015 CBK® OLD NAME | 2018 CBK® NEW NAME
2.1 | Classify Information and Supporting assets | Identify and Classify information and assets
2.2 | Determine and Maintain ownership | Determine and maintain information and assets ownership
2.1 | (none) | Added: Data Classification
2.1 | (none) | Added: Asset Classification
2.5 | Baselines | REMOVED
2.5 | (none) | Added: Understand data states
2.5 | Cryptography | REMOVED
2.5 | (none) | Added: Data Protection Methods
2.6 | Establish handling requirements | Establish Information and Assets handling requirements

 

DOMAIN 3 - NEW DOMAIN NAME IS: Security Architecture and Engineering (13% of the exam content)

Hum...  This change reminds me of the old Security Architecture and Design domain we had on the 2012 CBK®.  As you can see, history always repeats itself.

As you will see below, there is almost no change in content for this domain.  There was some reformatting of the names of some of the bullets, and that is about it.

If I am being generous, I can say there is about 1% of change in this domain.

Topics such as the Internet of Things (IoT) and Cloud-Based systems were added to the description.  However, those topics were already included in the 2012 CBK®, and there is no new content, just bullets added to the Domain 3 list.  Some of the other topics were removed from the list but were simply moved and kept on the list by combining them with other topics.

TOPIC | 2015 CBK® OLD NAME | 2018 CBK® NEW NAME
3.3 | Select controls and countermeasures based upon systems security evaluation models | Select controls based upon systems security requirements
3.4 | Understand security capabilities of information systems (e.g., memory protection, trusted platform module, interfaces, fault tolerance) | Understand security capabilities of information systems (e.g., memory protection, trusted platform module, encryption/decryption)
3.5 | Large-scale parallel data systems | REMOVED
3.5 | (none) | Added: Internet of Things (IOT)
3.5 | (none) | Added: Cloud-Based Systems
3.8 | Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems (e.g., network-enabled devices, internet of things (IOT)) | Assess and mitigate vulnerabilities in embedded devices
3.9 | Cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance) | Cryptographic life cycle (Key Management, Algorithm selection)
3.9 | Cryptographic Types (e.g., symmetric, asymmetric, elliptic curves) | Cryptographic Methods
3.9 | Integrity (hashing and salting) | Integrity (hashing)
3.9 | Methods of Cryptanalytic attacks (e.g., brute force, ciphertext only, known plaintext) | Understand methods of Cryptanalytic attacks
3.10 | Apply secure principles to site and facility design | REMOVED
3.11 | Design and Implement physical security | Implement site and facility Security Controls
3.11 | Wiring closets | Wiring Closets/Intermediate distribution facility
3.11 | Server rooms | Server rooms/data centers
3.11 | Data Center Security | REMOVED, combined with bullet above
3.11 | Utilities and HVAC considerations | Utilities and HVAC
3.11 | Water Issues (e.g., leakage, flooding) | Environmental issues

 

DOMAIN 4: Communications and Network Security (14% of the exam content)

As you will see below, there is almost no change in content for this domain.  There was some reformatting of the names of some of the bullets, and that is about it.

A few items were removed.  As you can see, Cryptography was removed, and as I have mentioned previously that makes sense considering it is covered in depth in other domains.  It seems ISC2 is bundling all of the crypto content in one major section.

What amazed me about this domain is how wide it is and how short the description is.  The CBK® and the Detailed Content Outline (DCO) do not do justice to this domain.

Overall, there was less than 1% of change within this domain.  Nothing significant.

TOPIC | 2015 CBK® OLD NAME | 2018 CBK® NEW NAME
4.1 | Apply secure design principle to network architecture | Apply secure design principle in network architecture
4.1 | Cryptography used to maintain communication security | REMOVED
4.2 | Network Access Control devices | Network Access Control (NAC) devices
4.2 | Physical Devices | REMOVED
4.3 | Design and establish secure communication channels | Implement secure communication channels according to design
4.4 | Prevent and Mitigate network attacks | REMOVED

 

DOMAIN 5: Identity and Access Management (IAM) (13% of the exam content)

The acronym (IAM) was added to the end of the domain name.

As you will see below, there is almost no change in content for this domain.  There was some reformatting of the names of some of the bullets, and that is about it.

Six items were added to further clarify the existing content.  Attribute-Based Access Control is a new topic that was added.

This is another domain with less than 1% of change within the domain content.  Nothing significant.

What is Attribute-Based Access Control?

Attribute-based access control (ABAC) is an access control paradigm in which access rights are granted to users through policies that combine attributes.  The policies can use any type of attribute (user attributes, resource attributes, object attributes, environment attributes, etc.).  This model supports Boolean logic, in which rules contain "IF, THEN" statements about who is making the request, the resource, and the action.  For example: IF the requestor is a manager, THEN allow read/write access to sensitive data.  See https://en.wikipedia.org/wiki/Attribute-based_access_control for more details.
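To make the IF/THEN idea concrete, here is a small ABAC policy evaluator written for this article; it is an added example, not part of the CBK or the DCO.  The attribute names (role, classification, network, hour), the rule names, and the sample requests are all constructed for illustration.  The first rule is the manager/sensitive-data example from the paragraph above; the other rules show how resource and environment attributes join the decision, and how a "deny-overrides, default deny" combining algorithm behaves when several rules apply or none does.

```python
"""Minimal attribute-based access control (ABAC) evaluator.

Added example for the CISSP CBK article; the policy language, attribute
names and sample requests below are constructed, not taken from ISC2 material.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

Attributes = Dict[str, Any]


@dataclass
class Request:
    """One access request: who (subject), what (resource), how (action),
    and under which circumstances (environment). Each is an attribute bag."""
    subject: Attributes
    resource: Attributes
    action: str
    environment: Attributes = field(default_factory=dict)


@dataclass
class Rule:
    """An IF/THEN rule: IF condition(request) is true THEN apply effect,
    where effect is 'permit' or 'deny'."""
    name: str
    condition: Callable[[Request], bool]
    effect: str


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, List[str]]:
    """Deny-overrides combining: if any applicable rule denies, the answer is
    deny; otherwise any applicable permit grants; with no applicable rule the
    default is deny. Returns the decision and the names of every rule that
    applied, which is what an audit log entry should record."""
    applicable = [rule for rule in rules if rule.condition(req)]
    effects = {rule.effect for rule in applicable}
    if "deny" in effects:
        decision = "deny"
    elif "permit" in effects:
        decision = "permit"
    else:
        decision = "deny"  # default deny: nothing explicitly allowed it
    return decision, [rule.name for rule in applicable]


# Constructed policy. Attribute names and values are assumptions for the example.
POLICY: List[Rule] = [
    # The article's example: IF requestor is a manager THEN read/write sensitive data.
    Rule(
        "managers-read-write-sensitive",
        lambda r: r.subject.get("role") == "manager"
        and r.resource.get("classification") == "sensitive"
        and r.action in ("read", "write"),
        "permit",
    ),
    # Resource attribute only: public data is readable by anyone.
    Rule(
        "anyone-reads-public",
        lambda r: r.resource.get("classification") == "public" and r.action == "read",
        "permit",
    ),
    # Environment attribute: sensitive data is never served off the corporate network.
    Rule(
        "sensitive-only-from-corporate-network",
        lambda r: r.resource.get("classification") == "sensitive"
        and r.environment.get("network") != "corporate",
        "deny",
    ),
    # Environment attribute: writes to sensitive data only during business hours.
    Rule(
        "no-sensitive-writes-out-of-hours",
        lambda r: r.resource.get("classification") == "sensitive"
        and r.action == "write"
        and not 8 <= r.environment.get("hour", -1) < 18,
        "deny",
    ),
]


def decide(subject: Attributes, resource: Attributes, action: str,
           environment: Attributes) -> str:
    """Evaluate one request against POLICY and return only the decision."""
    return evaluate(POLICY, Request(subject, resource, action, environment))[0]


if __name__ == "__main__":
    # Constructed sample requests.
    office_hours = {"network": "corporate", "hour": 10}
    home_night = {"network": "home", "hour": 23}
    sensitive, public = {"classification": "sensitive"}, {"classification": "public"}
    print(decide({"role": "manager"}, sensitive, "write", office_hours))   # permit
    print(decide({"role": "analyst"}, sensitive, "read", office_hours))    # deny (no rule applies)
    print(decide({"role": "manager"}, sensitive, "write", home_night))     # deny (two deny rules apply)
    print(decide({"role": "contractor"}, public, "read", {}))              # permit
```

The point to take away for the exam is that the decision depends on the combination of subject, resource, action and environment attributes, not on a fixed role-to-permission list as in RBAC: the same manager is permitted at the office at 10:00 and denied from home at 23:00.  Returning the list of applicable rules alongside the decision is deliberate; without it, an access review cannot explain why a request was allowed.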

TOPIC | 2015 CBK® OLD NAME | 2018 CBK® NEW NAME
5.2 | Manage Identification and authentication of people and devices | Manage Identification and authentication of people, devices, and Services
5.2 | Federated Identity Management | Federated Identity Management (FIM)
5.3 | Integrate Identity as a service (e.g., cloud identity) | Integrate Identity as a third-party service
5.3 | (none) | Added: On-premise
5.3 | (none) | Added: Cloud
5.3 | (none) | Added: Federated
5.4 | Integrate third-party identity services (e.g., on-premise) | REMOVED, replaced by bullet above
5.5 | (none) | Added: Attribute Based Access Controls
5.6 | Prevent and Mitigate access control attacks | REMOVED
5.7 | (none) | Added: User Access Review
5.7 | (none) | Added: System Account Access Review
5.7 | (none) | Added: Provisioning and Deprovisioning

 

DOMAIN 6: Security Assessment and Testing (12% of the exam content)

As you will see below, there is almost no change in content for this domain.  There was some reformatting of the names of some of the bullets, and a few items were added to further clarify the content.

Overall, there was 0% new content added to this domain.

TOPIC | 2015 CBK® OLD NAME | 2018 CBK® NEW NAME
6.1 | Design and Validate assessment and test strategies | Design and Validate Assessment, test, and audit strategies
6.1 | (none) | Added: Internal
6.1 | (none) | Added: External
6.3 | Collect security process data (e.g., management and operational controls) | Collect security process data (e.g., Technical and Administrative)
6.3 | Management review | Management review and approval
6.3 | Disaster Recovery and Business Continuity | Disaster Recovery (DR) and Business Continuity (BC)
6.4 | Analyze and report test outputs (e.g., automated, manual) | Analyze and report test outputs and generate reports
6.5 | Conduct or facilitate internal and third-party audits | Conduct or facilitate security audits
6.5 | (none) | Added: Internal
6.5 | (none) | Added: External
6.5 | (none) | Added: Third-Party

 

DOMAIN 7: Security Operations (13% of the exam content)

As you will see below, there is almost no change in content for this domain.  There was some reformatting of the names of some of the bullets.

As you will see, a single entry was divided into multiple entries for more clarity.

Subjects such as Industry Standards, Asset management, and Duress were added.

Overall, I can honestly say there is less than 1% of change within this domain.  Nothing significant.

TOPIC | 2015 CBK® OLD NAME | 2018 CBK® NEW NAME
7.1 | Digital Forensics (e.g., media, network, software and embedded devices) | Digital Forensics tools, tactics, procedures
7.2 | Operational | Administrative
7.2 | Electronic Discovery (eDiscovery) | REMOVED
7.2 | (none) | Added: Industry Standards
7.3 | Security information and event management | Security information and event management (SIEM)
7.4 | Secure provisioning of resources | Securely provisioning resources
7.4 | (none) | Added: Asset Management
7.4 | Physical Assets | REMOVED
7.4 | Virtual Assets (e.g., Software-defined network, virtual SAN, guest operating systems) | REMOVED
7.4 | Cloud Assets (e.g., services, VMs, storage, networks) | REMOVED
7.4 | Applications (e.g., workloads or private clouds, web services, software as a service) | REMOVED
7.5 | Monitor Special Privilege (e.g., operations, administrator) | Privilege Account Management
7.5 | Service-level agreements | Service-level agreements (SLA)
7.6 | Employ resource protection techniques | Apply resource protection technique
7.10 | Participate and Understand change management processes (e.g., versioning, baselining, security impact analysis) | Understand and participate in change management processes
7.13 | Read-through | Read-through / TableTop
7.14 | Participate in business continuity planning and exercises | Participate in business continuity (BC) planning and exercises
7.15 | Perimeter (e.g., access control and monitoring) | Perimeter Security Controls
7.15 | Internal Security | Internal Security Controls
7.16 | Participate in addressing personnel safety concerns (e.g., duress, travel, monitoring) | Address personal safety and security controls
7.16 | (none) | Added: Travel
7.16 | (none) | Added: Security Training and Awareness
7.16 | (none) | Added: Emergency Management
7.16 | (none) | Added: Duress

 

DOMAIN 8: Software Development Security (10% of the exam content)

As you will see below, there is almost no change in content for this domain.  There was some reformatting of the names of some of the bullets, and that is about it.

Overall, I can honestly say there was less than 1% of change within this domain.  Nothing significant.

TOPIC | 2015 CBK® OLD NAME | 2018 CBK® NEW NAME
8.1 | Understand and apply security in the software development lifecycle | Understand and integrate security in the software development lifecycle (SDLC)
8.2 | Enforce security controls in development environments | Identify and Apply security controls in development environments
8.2 | Security weaknesses and vulnerabilities at the source code level (e.g., buffer overflow, escalation of privileges, input/output validation) | REMOVED, but added further down as new topics and section.  See 8.5 below.
8.2 | Security of application programming interfaces | REMOVED, but added further down as a new topic.  See 8.5 below.
8.3 | Acceptance testing | REMOVED
8.5 | (none) | Added: Define and Apply Secure Coding Guidelines and Standards
8.5 | (none) | Added: Security weaknesses and Vulnerabilities at the source code level
8.5 | (none) | Added: Security of Application Programming Interfaces (API)
8.5 | (none) | Added: Secure Coding Practices

 

SUMMARY

THE GOOD

1.  Almost nothing has changed.

2. The money you have already invested in study tools is not wasted.

3.  Acronyms are now spelled out for items such as TCP/IP, IP, and a few others.

4.  It seems ISC2® is attempting to consolidate Cryptography, Physical Security, and Cloud topics under one domain instead of spreading the material over multiple domains in little chunks that did not make any sense on the old CBK®.


THE BAD

1. Almost nothing has changed.

2. Some of the newer threats and challenges to Information Security are missing.

3. The Detailed Content Outline and previous CBK®s have always suffered from a severe lack of detail.  This new update suffers from the same issue.  What is up with keeping the CBK® content as if it were some type of secret?  That does not help the student focus on what is relevant.

 

COMMENTS 

If you have anything you would like to add or wish to share with other students, please leave a comment below.

 

NOTE FROM CLEMENT: 

This is a work in progress.  The content could still change a tiny bit between now and April 2018.  I will review and update this document as needed.

Please click on the SUBSCRIBE button at the top right of this page to receive notification of any changes or updates in the future.

Best regards

Clement

CCCure Owner and Founder