The CISSP exam last updated its content outline in April 2024, and candidates preparing in 2026 are still working with that revision. The eight domains didn’t change, but their relative weights shifted — and the detailed exam outline incorporated zero trust architecture, privacy engineering, and cloud security controls more explicitly than previous versions. These are not future topics to watch for; they are in the current exam right now.
Domain 1 (Security and Risk Management) received an increased weighting in the 2024 update and now represents the largest single domain on the exam. Domain 8 (Software Development Security) moved from 11% to 10%. Analysis of the updated exam outline by preparation providers has identified increased emphasis on zero trust principles spread across multiple domains — appearing in Security Architecture and Engineering, Communications and Network Security, and Identity and Access Management scenarios rather than being isolated in a single section.
What Zero Trust Looks Like on CISSP Questions
Zero trust on the CISSP exam is not about vendor products or implementation specifics. Exam questions test whether candidates can reason about security architecture decisions: when micro-segmentation is appropriate, how identity-centric access models differ from perimeter-based ones, and how continuous verification principles apply to different organizational scenarios. The conceptual foundation for this material is well captured in NIST SP 800-207, Zero Trust Architecture, which defines these principles without vendor alignment and matches the abstraction level the CISSP exam uses.
For candidates currently studying: study guides and books written before April 2024 may underrepresent these topics relative to their current exam weight. Reviewing the current exam outline directly from ISC2’s website and cross-referencing your study resources against it is worth doing before scheduling your exam. The official CISSP certification page links to the current exam outline PDF.
AI-related content is a different conversation. AI risk management, machine learning model security, and governance frameworks for AI systems are appearing more often in exam scenarios as ISC2 updates its question bank, but this content fits within existing domain frameworks rather than requiring a new domain. Domain 1’s risk management coverage logically extends to AI system risk. Domain 2’s asset security framework applies to training data and model outputs. Candidates don’t need specialized AI knowledge; they need to apply CISSP’s existing risk and governance thinking to AI-specific scenarios. The next full exam outline revision is expected in the 2027 timeframe; until then, the April 2024 outline governs what’s tested.