The Cyber Security Body of Knowledge project or CyBOK is a collaborative initiative mobilised in 2017 with an aspiration to “codify the foundational and generally recognized knowledge on Cyber Security.” Version 1.0 of the published output of this consultative exercise was quietly released last year and then more publicly launched in January 2020.

Yet this free and information-packed publication does not appear to have captured the attention it perhaps deserves across the wider industry. That is the reason for blogging a very quick overview of it here on State of Security. So, what does it look like?


Composition and Domain Categories

Across its 800+ pages, the CyBOK is effectively organized into nineteen top-level Knowledge Areas (KAs) and then grouped into five overarching categories, as shown in this diagram.

[Figure: diagram showing the composition of the CyBOK Knowledge Areas]

Much of this will be familiar territory for many security professionals, some of whom have questioned whether it is simply “reinventing the wheel.” (ISC)² has, after all, already established a widely recognized ‘Common Body of Knowledge’ or CBK for its Certified Information Systems Security Professional (CISSP) accreditation. For those unfamiliar, the overarching CISSP CBK domain categories are:

  • Security and Risk Management (including Legal & Regulatory, Personnel Security, Threat Modelling)
  • Asset Security (including Data Management, Privacy)
  • Security Architecture and Engineering (including Security Models, Cryptography, Physical Site)
  • Communication and Network Security
  • Identity and Access Management (including IAM, IDaaS)
  • Security Assessment and Testing
  • Security Operations (including Incident Response)
  • Software Development Security (including Malware)

Origins and Definitions

Originating in the early 1990s, before the term ‘Cyber’ was common parlance for IT-related security matters, the (ISC)² CBK has of course more traditionally been known by many as a ‘Common Body of Knowledge for Information Security’.

Whereas the CyBOK begins by offering distinct definitions for both