CISSP domains for 2015 crystalball

10 years ago when I first started teaching the CISSP, my first action was to go to ISC2 and download the common body of knowledge (CBK). I took the outline and detailed everything in it. Oh what a fool I was.

After becoming an official instructor, after authoring and project managing the official curriculum for two years, after going to item writing school at ISC2, and after talking to people on the “inside,” I realized all organizations are just as screwed up as everybody else out there. All the things that you think are wrong with your organization are also wrong with ISC2. My conclusion is/was: there is very little rhyme or reason how the common body of knowledge is related to the exam or the course. And in the recent past, the official curriculum course went way off the deep end.


Instead of whining and complaining about it: Figure out exactly how the system works and work around the system. Not to cheat the system but to ignore the flawed process that everybody else is using.


Once every few years, ISC2 rewrites and reorganizes the CBK and the course. You should see a big announcement early in 2015 from ISC2.  The press release will be something like: Only get curriculum from us because everybody else in the market doesn’t have a clue as to what’s going on and we know when they don’t blah blah blah…Well they did not count on us paying attention. We started working on our new course late summer 2014.


The new version of the common body of knowledge rearranges the names and the underlying materials. I see 8 domains, 50 major topics that are the same, and 14 new topics. The exam will take about 3-9 months to catch up to the CBK while questions are incorporated via the research method.


Here is the reason for writing my article. If you download the CBK from ISC2, you agree to use it for personal use only. Therefore I am publishing this outline here before it is on the ISC2 site. There is no secret here. I paid attention. I do have all the subtopics, but they are not listed here. If you want the full details, either wait for ISC2 in January 2015 or signup for our VMLT iPad app (see below).

I GIVE YOU THESE 10 no 8 Domains

I gave the domains a short three-letter acronyms because that is what every good technologist does. Here are the new domains mapped to the old domains. The mapping is not perfect and there are a great many details that make it wrong to say there is a one-to-one correspondence of old names to new names. I’m sure there are going to be slight adjustments to names and topics when they are released.

1. SRM- Security and Risk Management = InfoSEC governance risk; Compliance from law & some BCP

2. ATS – Asset Security = Partial Operations security

3. ENG – Security Engineering = Security architecture and design has a small part of Cryptography

4. CNS – Communication and Network Security = Telecommunications and network security

5. IAM – Identity and Access Management = Access control

6. ANT – Security Assessment and Testing = was part of law domain

7. OPS – Security Operations  = Physical security, Legal, regulations, investigations & disaster recovery

8. DEV – Software Development Security = Application security, but OWASP is in other domain

My only criticism of the new domain names: Do you think that we need the word “Security” in almost every domain name?


Past students: Have you been keeping up with your CPE’s? Come to class, free!

New students: We have added the new topics to our course and changed the names to match. We are staying ahead. We are ready to help students kick some EXAM butt. We have already built our course for live on line. Registration starts now with the 2014 prices. January 17, 2015 is the class start date.

For those of you who do not want our full course: we make it a subscription on our apple iPad app VMLT. The app will be $1 and require that you buy a subscription on our site to unlock most of the details and recordings. We will make it a free limited subscription to the first 100 people who download. The new material will be released slowly over the next 30 days.

Please don’t ask about Droid. The answer is NO unless you have a $100,000 and 6 months.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.