I just noticed that OWASP has a new Top 10 for 2021. All of the ISC2 books I have seen, even the CBK 3rd Ed, refer to 2017. How do we know if the 2021 OWASP Top 10 will be on the exam in the next month or so?
Good that you spot out the new OWASP Top 10 is getting update in 2021.
I am not an exam writer/designer, where I am not able to give you officially answer.
Just share my view.
Among all 9 of ISC2 exams (without violating the terms that I have signed up for ISC2 exam), I have not seen they are demanding very specific order of this kind of question. I am not saying order is not important, for some they are, like CAP, it's heavily on authorization process, hence fair to say ISC2 expect you to know which process goes before which one within the cycle..
I give another example, it's fair to say you need to perform authentication before you can authorize it (and before you can claim non-repudiation ), therefore the exam may expect you to know the order is first authentication, next is authorization. Fair enough
Back to the change of OWASP Top 10, there are 3 news one and others are reordering, it does not affect they are still the top 10 which you should know in the cloud app security , cloud design and architecture and cloud platform in general. Even the three new ones, they are not anything new in term of concept to any security professional and you should know what the vulnerability means, how to avoid or correct them in real life
the Insecure design ( in SDLC, secure design is important)
software and data integrality failure (CIA triad - the "I")