CobIT on CISSP exam - v4 or v5?

jonwinterburn

Reading the AIO or the CBK, they refer to CobIT 4 (with 34 processes), but don't mention CobIT 5, which is completely restructured (see: COBIT 5 FAQs). I've not studied version 5 at all. Do I need to? Or is it safe to assume as it's not in the CBK or AIO that it's not in the exam?

Thanks,

Jon

philz1982

Very little focus on COBIT, I would focus on ISO, CC, and NIST

jonwinterburn

Thanks. Presumably focusing on the concepts within those frameworks will be more valuable to me than rote memorisation of framework numbers? I'm assuming I'm not going to be asked "which NIST framework covers risk assessment?" but rather "which of the following best describes risk assessment"? - would you say that's about right?

philz1982

I vaguely recall being asked specific things around ISO and CC but not NIST. The point is to understand how it flows and when you would use stuff.

FIPS->NIST

ISO Flow. 27001 vs 27002

Common Criteria Levels ( I remember this one)

Trusted vs Untrusted

RBAC vs Tier

Ect.

Yes there is some memorization but if you memorize the Sunflower PDF you should be solid. Then it becomes just how to use the tools and when to use them

jonwinterburn

Great, thanks!