The CISSP CBK 5th Edition


Under Development…


  • Domain 1
    • The CIA Triad is extended to the Parkerian Hexad
    • Security Governance is highly simplified (almost cut off)
    • Cyber Warfare and Cyberthreat Information Sharing are introduced
    • Headings of topic 1.4 (Understand legal and regulatory issues that pertain to information security in a global context) are not adequately organized
    • Privacy is well explained
    • Policy is well explained
    • Business Continuity is well organized and addressed
    • The explicit official definition of risk from ISC2 is given
    • Risk Management Concepts are highly simplified in Domain 1, while the primary parts are addressed in Domain 8
    • Supply Chain is well addressed
  • Domain 2
    • Data Governance is introduced
    • Data Classification and Data Categorization (based on FIPS 199) are distinguished
    • Asset Classification is addressed
    • Asset Management Lifecycle based on NIST SP 1800-5a is introduced
    • Privacy contents are up-to-date
    • Data Remanence issues are highly simplified
  • Domain 3
    • The engineering process is not covered
    • The engineering architecture is not covered
    • Security engineering principles and ISO/IEC 19249
    • Physical Security is simplified, and CPTED is cut off
  • Domain 4
  • Domain 5
    • Emerging authentication technologies are introduced.
    • Identity Assurance Levels are introduced.
    • Identity lifecycle is mentioned.
    • Provisioning is defined.
  • Domain 6
    • Contents are well organized and addressed.
    • Assessment standards and PenTest approach are addressed.
    • CSA and STAR for security assurance in the cloud are introduced.
    • KPI and KRI are introduced.
    • ISO Standards for audits and audit programs are introduced.
  • Domain 7
    • Need to Know is clarified.
    • Information lifecycle based on ISO 27002
    • Physical Security is highly simplified
  • Domain 8
    • Agile is adequately introduced
    • Application security standards are introduced
    • Microsoft security development lifecycle is introduced
    • Trending topics are introduced, such as Microservices and AI
    • Maturity models are emphasized

Pros and Cons


  • Well-organized
  • Matching the CISSP exam outline to the first level of topics in each domain
  • Trending materials
  • Smaller in size


  • No review questions
  • No appendix for supplement materials or document templates
  • No glossary
  • No references


The Official Risk Definition from ISC2

We finally have the explicit official definition of risk from ISC2.😂 It reads as follows:

“The possibility of damage or harm and the likelihood that damage or harm will be realized.”

But I am not sure if the definition of risk from ISC2 has typos or not, I would revise it as follows:

The possibility of damage or harm and the “magnitude” that damage or harm will be realized.

As a certified professional in ISACA-CRISC and PMI-RMP, I developed my risk management concepts based on the definition from ISO and Dr. David Hillson’s approach, and treat information security as a subdiscipline of risk management.

If you are interested in risk management, please refer to and google the Risk Doctor, Dr. David Hillson for details.


The Clark-Wilson Model

Please refer to

Leave a Reply