CISSP is changing! Common body of knowledge changes for 2024

Chris Sienko: 0:00

Hey, hey. Cyberwork Hacks is back to keep you up to date with the CISSP exam. Today, infosec Bootcamp instructor Steve Spearman joins me to talk about the new changes to the CISSP's common body of knowledge, how these changes to the CBK should or shouldn't affect your study and preparation for the exam. Keep learning and keep it here for another CyberWork hack. Welcome to a new episode of CyberWork Hacks. The purpose of this spinoff of our CyberWork podcast is to take a single fundamental question and give you quick, clear and actionable solutions, or give you a new insight into how to utilize InfoSec products and training to achieve your work and career goals. So, for example, today Steve Spearman is an InfoSec instructor and, among his many areas of InfoSec expertise, he is our Bootcamp instructor for one of the most desired, demanded and elite certifications ISE, squares, certified Information Systems Security Professional, or the CISSP certification. So for today's CyberWork hack, steve and I are going to break down some of the forthcoming changes to the CISSP's common body of knowledge, or CBK, in 2024. Thanks for joining me today, steve. It's my pleasure, chris, all right? So, steve, as we know, the CISSP has made some pretty noteworthy changes in what it calls its common body of knowledge this year, so or it will be soon. This involves shifting priorities of certain topics or assigning different weights or importance as different security concepts in order to keep up with current cybersecurity practice. So can you talk about what the CBK changes will look like and when they're exactly going to take effect?

Steve Spearman: 1:31

Yeah, yeah, we'd love to. And if it's okay, why don't I step back just a bit and talk a little bit about what is the CBK? I mean? Yeah, so this stands for common body of knowledge and it really is the official truth about the CISSP. If there's a question on the exam, it should originate from the CBK. In fact, one of the questions I get asked quite a lot is like should I get the CBK? Because you can buy it? It's expensive, but you can buy the common body of knowledge. My general recommendation to students is eh, you don't need to. The official study guide is much more readable. It contains probably 90% of the CBK. There's been some interesting. There's been in the last year. There's been some interesting talk about the fact that somebody did a little bit of an analysis and they were able to find questions in different resources available from the ISC too, looking at exam questions, and they couldn't really find topics in either the official study guide or in the CBK. But that doesn't really help as much. I just think it's an interesting fact. The CBK is where questions come from, so the ISC too, makes changes really almost pretty strictly about every three years. Try inally, try inally try inally. Try inally, try inally. Anyway, I'm not going to talk too much about it Close enough, you're viewers will understand. The last one was so it was. The last one was 2021. Before that was 2018. With that transition, they added a point to the software. They took a point away from the telecom. So the main change that they've made is they've actually that will take place and it's going to happen April 15th this year, 2024, is they are adding a point to the domain one, which is the management, the governance management. It is, in many ways, sort of the anchor for the whole exam. This is a management exam and it's going from 15% to 16% and they're actually taking a point away from software, but we're taking a percentage away from software. I think it's worth understanding. You'll hear the term waiting. Yes, exam waits. Waiting is not actually a really good way to describe what's happening. Waiting would imply that the questions in domain one are more important than the ones in the. That's really. It just means the amount of topics that are in the thing. So they're adding some content to domain one in there. I don't know if removing it from the software domain or just adjusting. Yeah, exactly. So the only thing that really happens in the exam that's more like a true weighting is the. We don't know the algorithm, we don't know the scoring algorithm, the exam itself, but we but there is. The exam does measure difficult questions in a manner that's different than then. Quote easy questions, and every question on the exam is literally ranked as easy, medium or hard, and ultimately, your ability to pass the exam is is tied to your ability to get hard questions Correct. Yeah, yeah, so, anyway. So the big changes are they? They change, they're changing the weighting for those two domains and then, interestingly, they're going back to change both the number of questions and the length of the exam. So, in order to kind of get to what's going on with this, I want to go back to a little bit of history. And in June June 1st 2022, the CISSP decided to increase the number of questions on the exam and increase the time. So on that date, they increased the number the minimum number of exam questions on the on the on the computer adaptive test from from a hundred to 125. And the maximum number of questions went from 150 to 175. And and then they increased the exam time by one hour, so it went from three hours to four hours. Okay, interestingly, when they did that, they didn't change the number of scored questions at all, not like that. In other words, they just did it to have more sample questions, and sample questions are questions that are being statistically validated for use in a future exam Interesting. So in other words, they don't benefit test takers at all. I've been kind of complaining about this for a couple of years.

Chris Sienko: 7:01

You're basically doing unpaid labor there for them.

Steve Spearman: 7:04

It's kind of unpaid labor, exactly. It's like you know they're adding an hour to every you know, to every test taker's time or whatever it's like, and they're getting all the benefit. I suspect that they probably now have a very, very, very healthy database of usable questions that have been statistically validated, because on April 15th they're going back, it's going to be a three hour exam. Minimum number of questions is 100. Maximum number of questions is 150. So that's the other significant change.

Chris Sienko: 7:42

So I know that ISE2 makes these changes every three years, but can you talk about why you think they made these specific changes, and I won't say weights, but these changes and allocations to their certification like? What aspects of the industry were they trying to address by making these changes, do you think?

Steve Spearman: 8:00

We can't really know exactly, but they do. The ISEE-2 does have a board that does a review of the questions and the certification and the common body of knowledge. That board determined that they needed to adjust the waiting, those domain waiting, and add some content. I don't have a other than what the ISEE-2 has said and other pundits have said. I don't really know exactly why that decision was made, except to feel like the CBK and the changes of the CBK all come down to trying to make the CISSP relevant, like maintaining its relevance in the marketplace. Their own internal analysis must have shown that there was a need for that change.

Chris Sienko: 8:52

Yeah, I ask only because of past guest Layton Johnson. We did this with the CISM certification and he was saying that there's a massive change over there from going back to the security side, from the management side. I know that they're always thinking in terms of addressing specific needs in the industry. Also, I realize that there is a black-back nature to what they do, especially with regards to test scoring and so forth. Yeah, I appreciate the insights there. If you're currently studying for the CISSP but not scheduled to take the exam just yet and I know the changes are coming in April 15th at what point do you need to change your study or learning strategy, if at all?

Steve Spearman: 9:31

I would say first of all, today you really can't change it. There's no new material available. The ISEE-2 is going to drop their own internal training content on April 15th and not before. Historically, if you have the experience requirements, this is an exam that you have to lean into your experience a lot. You need five years in order to become a CISSP. You need to have five years experience Worth pointing out. Yeah. Yeah, you've, then, been doing the kind of methodical study that's necessary to pass this exam. I strongly suspect that you'll do fun. I don't think you're going to see earth-shattering changes. That would be pretty disruptive. I'm sure even though I'm not dismissing the significance of those changes, I'm sure that they were properly evaluated Historically. When those changes have happened, it didn't really impact the way that you prepared. I guess I can't be too definitive until we see what happens April 15th, but I suspect it'll be the same thing. You'll methodically prepare the same ways you have in the past. Yeah.

Chris Sienko: 10:53

I think it's probably something that, if you're already well on your way, you just steady as she goes. But if you're considering starting to study for the CISSP at this point, you might almost want to wait until we get closer to April 15th and you have a better sense of what's going on.

Steve Spearman: 11:07

Yeah, it's the opposite. If you've been studying, you feel like you're ready. It's like, make sure you schedule it before April 15th.

Chris Sienko: 11:13

For sure yeah.

Steve Spearman: 11:14

You know what I'm saying. If you feel like you're ready and you want to be able to work within a known quantity and know, then yeah, go ahead and take it. That would be my advice, I guess. Yeah.

Chris Sienko: 11:28

It's no less of a CISSP that you get if you get this one, versus the brand spanking new one. Yeah, exactly. Obviously, infosex is all about helping our students pass their certification exams with flying colors, but we also want to be with you for the long term and help you retain that info and use it to level up your skills and your career. Steve, I want to just ask more of a broad brush question. For people who are taking the CISSP, I know that an awful lot of the buildup to it is that you're just pushing a metric ton of stuff into your head so that you can pass the exam in the moment. What aspects of the information on the exam, would you say, are more important, the most crucial to continue learning and practicing to keep your skills at the top of the heap.

Steve Spearman: 12:11

Um, you know, the thing is, I think that gets into more just core preparation stuff, which is, you know, content, like content, and, uh, in content, understanding how to take the exam, uh, in the techniques around that. I'd love to have another discussion with you about kind of recommended you know ideas around that, but, um, the content, like I said, we don't expect any dramatic changes. You should just keep working with the content that's currently available. Uh, I have, you know, I have opinions about sticking with ISC to material. Uh, you know I'm not and additional stuff. There's other things that I recommend skills, the skills website and info sec is excellent. Um, but I, but I, I lean heavily into the official study guide. Uh, uh, practice exam I'm sorry, probably not practice exams the study, the study questions and the practice exams and the official practice test, third edition, uh, to kind of help the thing and one and again, the benefit is it helps you identify the areas that you're you're weak. You know that you can, you can continue to study on. So, um, yeah, so I I think that, um, you know your actual preparation doesn't change a lot. Uh, and you need to. You know, uh, keep plugging away. Again, my, my recommendation for people that really want to shortcut your best option as a bootcamp. Uh, there's, there's no question that the bootcamp is. The bootcamps are effective. Yeah, uh, actually, I think extraordinary a good bootcamp, or they're extraordinary, uh, extraordinarily effective at helping people prepare for this exam.

Chris Sienko: 13:49

So well, I hope our listeners will keep, uh, keep listening to the site word heck series, because in a few weeks here Steve will be uh talking to us about, uh, what a bootcamp is like for CISSP. So, uh, it'll be great. I'm looking forward to it. So as as someone who's taught so so many students over the years, steve, what's your top piece of advice for studying for and taking the CISSP exam?

Steve Spearman: 14:09

I mean, top piece of advice is um, do lots of questions. I mean, I hit to break it down, but so you need to understand how to take the exam. That's maybe for another you know, uh, cyber hacks thing, but you need to understand how to take the exam. What do you know what? What are the techniques you use all that sort of stuff? Uh, you also want to familiarize yourself with the content, as we said. But, honestly, the key thing is lots of questions. It's sort of like you know, if you decided, hey, I'd like to run a half marathon, you know you're going to not just, okay, they are the marathon, and you haven't you know, haven't put on your running shoes.

Chris Sienko: 14:49

Just read a book about how to run a marathon. Yeah Right, exactly, exactly. So, yeah, exactly.

Steve Spearman: 14:56

You got to put the miles in and that in your best way. Most important kind of uh technique to do that is to do lots of questions.

Chris Sienko: 15:02

So well, perfect. Steve Spearman, thanks for getting us caught up on the new aspects of the CISSP. Appreciate it. It has been a pleasure, chris, thank you, and thank you all for watching this episode. If you enjoyed this video and felt it helped you, I hope you'll please share it with colleagues, forums or on your own social media accounts and definitely subscribe to our podcast feed and YouTube page. You can type in cyber work info second to any of them and you'll be well on your way. There's plenty more to come, including more CISSP with Steve Spearman, so if you have any topics you'd like us to cover, absolutely drop them in the comments. We read them and we take them to heart. Until then, we'll see you next time and happy learning.