Domain 1
- The CIA Triad is extended to the Parkerian Hexad
- Security Governance is highly simplified (almost cut off)
- Cyber Warfare and Cyberthreat Information Sharing are introduced
- Headings of topic 1.4 (Understand legal and regulatory issues that pertain to information security in a global context) are not adequately organized
- Privacy is well explained
- Policy is well explained
- Business Continuity is well organized and addressed
- The explicit official definition of risk from ISC2 is given
- Risk Management Concepts are highly simplified in Domain 1, while the primary parts are addressed in Domain 8
- Supply Chain is well addressed
Domain 2
- Data Governance is introduced
- Data Classification and Data Categorization (based on FIPS 199) are distinguished
- Asset Classification is addressed
- Asset Management Lifecycle based on NIST SP 1800-5a is introduced
- Privacy contents are up-to-date
- Data Remanence issues are highly simplified
Domain 3
- The engineering process is not covered
- The engineering architecture is not covered
- Security engineering principles and ISO/IEC 19249
- Physical Security is simplified, and CPTED is cut off
Domain 4
Domain 5
- Emerging authentication technologies are introduced.
- Identity Assurance Levels are introduced.
- Identity lifecycle is mentioned.
- Provisioning is defined.
Domain 6
- Contents are well organized and addressed.
- Assessment standards and PenTest approach are addressed.
- CSA and STAR for security assurance in the cloud are introduced.
- KPI and KRI are introduced.
- ISO Standards for audits and audit programs are introduced.
Domain 7
- Need to Know is clarified.
- Information lifecycle based on ISO 27002
- Physical Security is highly simplified
Domain 8
- Agile is adequately introduced
- Application security standards are introduced
- Microsoft security development lifecycle is introduced
- Trending topics are introduced, such as Microservices and AI
- Maturity models are emphasized
Pros and Cons
Pros
- The first level of topics in each domain matches the CISSP exam outline
- Trending materials
- Smaller in size
Cons
- No review questions
- No appendix for supplementary materials or document templates
- No glossary
- No references
The Official Risk Definition from ISC2
We finally have the explicit official definition of risk from ISC2. 😂 It reads as follows:
“The possibility of damage or harm and the likelihood that damage or harm will be realized.”
I am not sure whether the ISC2 definition of risk contains a typo, but I would revise it as follows:
The possibility of damage or harm and the “magnitude” that damage or harm will be realized.
As a certified professional in ISACA CRISC and PMI-RMP, I developed my risk management concepts based on the ISO definition and Dr. David Hillson’s approach, and I treat information security as a subdiscipline of risk management.
If you are interested in risk management, please look up the Risk Doctor, Dr. David Hillson, for details.
The Clark-Wilson Model
Please refer to https://wentzwu.com/2019/05/14/security-model-practice-question