CISSP Domain Changes for 2015
The number of domains is being reduced from ten to eight, with some welcome adaptations. The content of any certification must be kept in line with real-world scenarios. The previous update was in 2012, and for 2015 there are some major changes. The 2012 changes were minimal and affected mainly the naming, weighting and relative importance of the domains. Below is a table of the CISSP domain changes for 2015, with the 2012 domains as a reference, followed by some personal observations.
The first domain in the new list is 'Security and Risk Management', a nice update that takes many attributes into consideration: the security function in an organisation and how it addresses the Persistent Threat Matrix (PTM), intellectual property, legal issues and control frameworks. BCP and DRP are included in this domain as well, which is a nice dovetail, as they are often overlooked.
We also see Cryptography and Physical (Environmental) Security fold into the other domains. I always felt that cryptography should primarily be handled as part of network security, and physical security likewise belongs alongside the other domains rather than standing alone.
| # | 2012 domains | 2015 domains |
|---|---|---|
| 1 | Access Control | Security and Risk Management |
| 2 | Telecommunications and Network Security | Asset Security |
| 3 | Information Security Governance and Risk Management | Security Engineering |
| 4 | Software Development Security | Communication and Network Security |
| 5 | Cryptography | Identity and Access Management |
| 6 | Security Architecture and Design | Security Assessment and Testing |
| 7 | Operations Security | Security Operations |
| 8 | Business Continuity and Disaster Recovery Planning | Software Development Security |
| 9 | Legal, Regulations, Compliance and Investigations | - |
| 10 | Physical (Environmental) Security | - |
(ISC)2 has made the right choice in focusing on the domains that fit into the arsenal we use to combat cyber security threats and the risks to the assets we are expected to secure adequately.
A question posed to me during a training session by a CISSP candidate concerned the content of 'Security Architecture and Design', where we cover formal models such as Take-Grant, Biba, Bell-LaPadula and others: 'Why do we have to learn this theory? I have never used it in all my years working at large organisations.' Well, that material is not excluded now, but the focus is on both the theory and the practical. You make better decisions when you have knowledge at your side. I have seen many articles complaining that the CISSP certification is not relevant because it lacks hands-on testing; however, it is all about the value you add to your client or your organisation.
To me this is a great step in the right direction, and it is time to grab hold of your career, hold on tight, and make sure you are adding value to your engagements.