The (ISC)² CBK

  • A CBK – sometimes simply called a Body of Knowledge – refers to a peer-developed compendium of what a competent professional in their respective field must know, including the skills, techniques and practices that are routinely employed.[1]
  • The (ISC)² CBK is a collection of topics relevant to cybersecurity professionals around the world. It establishes a common framework of information security terms and principles which enables cybersecurity and IT/ICT professionals worldwide to discuss, debate and resolve matters pertaining to the profession with a common understanding, taxonomy and lexicon.
  • (ISC)² was established, in part, to aggregate, standardize and maintain the (ISC)² CBK for security professionals worldwide. Domains from the (ISC)² credentials are drawn from various topics within the (ISC)² CBK, which are used to assess a candidate’s level of mastery of the most critical aspects of information security.
  • The (ISC)² CBK is updated annually by the (ISC)² CBK Committee to reflect the most current and relevant topics required to practice the profession.

Certification subject matter

From 15 April 2018, the CISSP curriculum was updated as follows:[10]

  1. Security and Risk Management
    • Fundamentals
      • Clearly defined goals
      • Know what to protect: data at rest, in transit and while being processed
      • Everything must be balanced: business needs vs. CIA, accountability and assurance
      • Accountability: who did it, non-repudiation and legal consequences
      • Assurance: how do we know that our systems are secure and functioning as intended?
    • The CIA Triad
      • Confidentiality
      • Availability
      • Integrity
    • Control Types
      • Physical
      • Technical
      • Administrative
    • Delaying, Preventing, and Detecting
    • Due Care and Due Diligence
      • Due Care: knowing what the right thing is, then doing what is right
      • Due Diligence:
  2. Asset Security
  3. Security Architecture and Engineering
  4. Communication and Network Security
  5. Identity and Access Management (IAM)
  6. Security Assessment and Testing
  7. Security Operations
  8. Software Development Security

From 2015 to early 2018, the CISSP curriculum was divided into eight domains similar to the latest curriculum above.

Before 2015, it covered ten similar domains.
