FROM THE AUTHOR

In April 2018, (ISC)2 released a revised version of the CISSP Common Body of Knowledge (CBK). After reviewing the changes, and in light of an ever-changing information security landscape, we felt compelled to update the CISSP All-in-One Exam Guide and publish its eighth edition. What are the big changes in the CBK? None, really. What this revision did was shuffle some topics around and make some adjustments to the emphasis that previous topics receive. Some notable changes are listed here:

•  Secure coding This is probably the biggest winner. (ISC)2 is placing increased emphasis on this critical topic. The seventh edition of this book already placed a fair amount of emphasis on secure coding, but we updated our coverage to ensure you have the information you need whether or not you have a background in software development.

•  IoT It is noteworthy that, while the 2015 CBK included the more general terms “embedded devices” and “cyber-physical systems,” the Internet of Things (IoT) is now being singled out as an area of increased attention. We had already included a section on IoT security in the previous edition and just call this out to help you prepare.

•  Supply chain (ISC)2 has broadened the scope of acquisition practices to look at the entire supply chain and has integrated this new topic with risk management. It all makes sense, particularly in the wake of multiple incidents that have come to light in the last couple of years highlighting the vulnerabilities that the supply chain poses to many organizations.

•  Audits Whereas in the last version of the CBK this was a single topic, we now see it broken down into internal, external, and third-party audit issues. We already covered internal and third-party audits in the previous edition of this book, so we freshened those up and added coverage of external audits.

The goal of this book is not just to get you to pass the CISSP exam, but to provide you with the bedrock of knowledge that will allow you to flourish as an information systems security professional before and after you pass the certification exam. If you strive for excellence in your own development, the CISSP certification will follow as a natural byproduct. This approach will demand that you devote time and energy to topics and issues that may seem to have no direct or immediate return on investment. That is OK. We each have our own areas of strength and weakness, and many of us tend to reinforce the former while ignoring the latter. This leads to individuals who have tremendous depth in a very specific topic, but who lack the breadth to understand context or thrive in new and unexpected conditions. What we propose is an inversion of this natural tendency, so that we devote appropriate amounts of effort to those areas in which we are weakest. What we propose is that we balance the urge to be specialists with the need to be well-rounded professionals. This is what our organizations and societies need from us.

The very definition of a profession describes a group of trusted, well-trained individuals that performs a critical service that societies cannot do for themselves. In the case of the CISSP, this professional ensures the availability, integrity, and confidentiality of our information systems. This cannot be done simply by being the best firewall administrator, or the best forensic examiner, or the best reverse engineer. Instead, our service requires a breadth of knowledge that will allow us to choose the right tool for the job. This relevant knowledge, in turn, requires a foundation of (apparently less relevant) knowledge upon which we can build our expertise. This is why, in order to be competent professionals, we all need to devote ourselves to learning topics that may not be immediately useful.

This book provides an encyclopedic treatment of both directly applicable and foundational knowledge. It is designed, as it always was, to be both a study guide and an enduring reference. Our hope is that, long after you obtain your CISSP certification, you will turn to this tome time and again to brush up on your areas of weakness as well as to guide you in a lifelong pursuit of self-learning and excellence.

Acknowledgments

We would like to thank all the people who work in the information security industry who are driven by their passion, dedication, and a true sense of doing right. The best security people are the ones who are driven toward an ethical outcome.

In this eighth edition, we would also like to thank the following:

•  David Miller, whose work ethic, loyalty, and friendship have continuously inspired us.

•  All the teammates from Logical Security.

•  The men and women of our armed forces, who selflessly defend our way of life.

•  Kathy Conlon, who, more than anyone else, set the conditions that led to eight editions of this book.

•  David Harris.

•  Carol Remicci.

•  Chris Gramling.

Most especially, we thank you, our readers, for standing on the frontlines of our digital conflicts and for devoting your professional lives to keeping all of us safe in cyberspace.
