CISSP Exam Length Change


Computerized Adaptive Testing (CAT) format of the exam update, which will begin on June 1, 2022, the CISSP exam will include 50 pretest (unscored) questions, increasing the minimum and maximum amount of questions applicants must answer throughout the exam from 100-150 to 125-175. The maximum test administration duration will be increased from 3 to 4 hours to accommodate these new topics.

It is conceivable that these extra 25 pretest questions will be used as operational (scored) things in future tests; nevertheless, since they may be used as operational (scored) items, candidates should carefully study each item and choose the best possible response. Candidate responses to pretest items have no bearing on their final exam score or pass/fail status.

Pretest questions for the CISSP CAT exam are presently number 25. It is now possible for (ISC)2 to continue building up our item bank, ensuring that the CISSP is more secure and reliable for everyone who earns it.

The CISSP exam’s material has not been altered in any other way. The CISSP test outline’s domains and weights have not changed.

These modifications will be reflected in CISSP tests scheduled after June 1, 2022.

If you or your students have questions or need CISSP Online Training or practice Questions, please contact us: or +1 (276) 325-2024


CISSP exam updates march 2022 – video

Changes to domain weights


CISSP still has eight domains, all of which have the same name. As seen in the accompanying table, two domains received a small adjustment in their weight:

Changes to domain content

Security and Risk Management

    • New features in 1.2 include authenticity and nonrepudiation.
    • New to the subject of onboarding and termination are transfers in version 1.9.
    • In 1.10, privacy is referenced in a subtle way. 1.10 mentions risk maturity modelling (assessing an organization’s risk model maturity), which is also mentioned. In this area, you should expect to see more test questions around privacy. Security was formerly the top concern.
    • A new acronym for supply chain risk management was introduced in 1.12. (SCRM). The information on this subject is unchanged, however you should be aware of the acronym.
    • 1.13 included new awareness and training examples: social engineering (phishing), security champions (gamification), and gamification examples (social engineering).

Asset Security

    • Assent inventory (physical and intangible) and asset management are now included in version 2.3.
    • Information about the data lifecycle and responsibilities is included in this release’s 2.4 update.
    • The words “end of life” and “end of support” are introduced in 2.5.
    • For example, “data in motion” has been changed to “data in transit.” However, new references to DRM, DLP, and CASB appear in 2.6; no examples of technology or solutions were previously provided. As a result, if you’re faced with a circumstance where you need to pick an acceptable solution, be sure you know what DRM, DLP, and CASB are and how to distinguish between them.

Security Architecture and Engineering

    • The term “research” has been added to the title of 3.1, as well as to a few of the bulleted elements. Previous exams focused solely on the implementation and management aspects. There will be new research information, such as assessing solutions and comparing and contrasting alternative solutions.
    • Biba, Star Model, and Bell-LaPadula are only a few of the security models mentioned in 3.2. This time around, certain models were listed in the exam’s prior edition. Biba and Bell-LaPadula have long been mentioned in study guides and books, but not as much attention has been paid to Star Model.
    • The acronyms SaaS, IaaS, and PaaS are introduced in section 3.5. Other types of systems and services made possible by the cloud include microservices, containerized systems, serverless architectures, and embedded and high-performance computing architectures, as well as cloud-enabled edge computing and virtualized cloud infrastructure. Pay attention to the particular security issues that arise because of the use of these technologies.
    • In Section 3.6, quantum cryptography is introduced as a method. The term “digital certificates” is also introduced. The last test included certificates under “Apply Cryptography,” however this is the first time the word “digital certificate” has been used in a formal sense. Despite this, the fundamentals haven’t changed.
      When it comes to high availability, the concept of “power” is first introduced in 3.9.


Also Read: How Practice Questions Can Help You Pass CISSP?


Communication and Network Security

  • 4.1 includes multiple changes:
      • Assess and implement” has been added to the title.
      • It is almost guaranteed that IPv4, IPv6, and IPsec will be included in test questions.
      • In a new area, you’ll find information about security protocols like Kerberos, SSL/TLS, SFTP, SSH, and IPSec, which you should be familiar with.
      • In the section on convergent protocols, new examples have been included, including FCoE, iSCSI, and VOIP.
      • It has been enhanced to incorporate VXLAN, encapsulation, and SD-WAN under the micro-segmentation portion.
    • In the section on wireless networks, new examples are called out: Li-Fi, Wi-Fi, Zigbee, and satellites. Wireless networks (4G and 5G), as well as content distribution systems (CDNs), have been updated (CDNs). What they are and how you can tell them apart are important to know. Make sure you keep an eye on the safety factors.
    • Redundant power, warranty, and support have been added to the list in the first article on hardware operation in 4.2.
    • Third-party connection is a new feature in 4.3, and it deals with third parties connecting to your network to do work or consume data and services.

Identity and Access Management

    • A new item for apps was included in 5.1 when it came to managing access to assets. Prior to this time, applications were not included.
    • JIT (just-in-time) is introduced in 5.2.
    • In 5.3, a new item was added for hybrid implementations of federated identity with a third-party service. For their federated identification environment, it includes some on-premises and some cloud-based solutions combined.
    • An item for risk-based access control was included in version 5.4. Risk-based access control assesses the individual risks associated with each user’s authentication to determine what measures should be performed. For example, with a low-risk authentication, no action is required. MFA, on the other hand, may be necessary in cases of high-risk authentication.
    • Provisioning and deprovisioning have been expanded to accommodate transfers in 5.5. New roles and privilege escalation elements have also been added (managed service accounts, use of sudo, and minimising its use).
    • OpenID Connect, SAML, Kerberos, RADIUS, and TACACS+ are all covered in 5.6, which is completely new.

Security and Assessment Testing

    • Two new things were introduced to the testing of security controls in 6.2: simulations of breach attacks and compliance checks. A high-level description of each of these topics is expected.
    • Remediation, exception management, and ethical disclosure have been added to 6.4. Make sure you’re aware of the differences between them.

Security Operations

    • Artifacts have a new item in the investigations section of 7.1. (computer, network mobile device). Remains (information) left behind on a gadget can be used in investigations as artefacts
    • Log management, threat intelligence, and user and entity behaviour analytics have been included to 7.2. (UEBA).
    • Provisioning, baselines, and automation are three of the many additions in 7.4.
    • 7.5 includes a new section for media protection approaches, such as encrypting media or using WORM technology to safeguard media in a virtual environment.
    • In 7.7, there are new examples of firewalls, such as next-generation, web application, and network. Machine learning and artificial intelligence (AI)-based tools are now included in this area. Make sure you grasp the advantages of these tools for incident management before using them.
    • A new lesson learnt item was added in 7.11. You should be able to articulate why and when an organisation should make use of lessons learnt.

Software Development Security

    • Libraries, toolkits, IDEs, runtimes, CI/CD, SOAR, and application security testing are among the numerous new features in version 8.2. (SAST and DAST).
    • With the addition of additional items for COTS, open source, third-party, and managed services in 8.4, the software acquisition options are laid out in greater detail. Learn about software security and how it varies depending on how you obtain the programme.
    • Software-defined security has been added to 8.5.