Hi,

I understand your concern. however please note that the Security concepts in general origin from the US and especially - mostly from the US military. Most of the basic security concepts are derived from there and even though - right now they might seem a bit transformed - the core is still there - all comes from the USA. CISSP is a holistic course and aims to educate you not only about the principles themselves but also provides a bit of knowledge on "where the whole thing starts" which in my opinion - gives a good awareness of the security realm in general. Exam-wise - I would not say you need to know all the US law/military stuff - however be aware that the security principles you would learn throughout the course are closely related to them as this is where they origin from. All the info you can get about security - no matter from where.... would help you for this exam.

It's been a while (13 years) since I took the exam; for questions about the exam, I will defer to someone with more recent experience. In terms of figuring out relevance of certain laws, let's take a specific U.S. example, the New York cybersecurity rules for financial institutions. It may just be a state law, but it covers financial institutions and insurers licensed to do business in NY. Given, NY's linchpin status in the global market, it has the effect of being not just a U.S. law but also an international one.

Something to be aware of is that in the U.S., our 50 state legislatures tend to act quicker than Congress. So when it comes to navigating legal compliance in the U.S., when you factor in the individual states, there are probably a good 85 different laws which deal significantly with information security. If we pile on top of that any number of international laws - most significant of which is probably GDPR right now - I think you encounter an uncertainty principle: By the time you achieve mastery of these regulations, they have already changed or expanded. It is also quite difficult to filter which laws are relevant because in this day and age, it is hard to categorically say we don't or never will do business with - fill in the blank. This doesn't even broach the subject of how do you address having to comply with multiple laws that might conflict with each other.

I think the point that really needs to be emphasized is that legal compliance is at best very difficult to guarantee. It instead needs to be factored into a broader risk management program - likely seeking to insure against a fine (again that is where GDPR is sounding alarms) more than seeking 100 percent compliance at all times.

I used to contribute to Test Development for CISSP and other credentials. 

1. You're using study material that's not developed by (ISC)2 and the author has no insight into the exam content outline if they are including US specific content in their study material. My recommendation is first of all to download the exam content outline 

https://cert.isc2.org/cissp-exam-outline-form/

You won't get any question on the exam that isn't directly related to a specification on the outline i.e. you won't find anything on the outline that mention a particular jurisdiction, industry, product/vendor, etc. Understand the outline - be comfortable that you have good knowledge of all of the sub-domains.

2. The exam outline follows the CBK (the common body of knowledge). The two key words are underlined here. The knowledge has to be common i.e. it has to be general to security professions regardless of geography, industry, or security role within an organisation (as long as the candidate is operating in a professional capacity).

The test is not about whether the candidate has retained what they've learnt in a weeks training that's being tested, but rather the knowledge that they possess that allows them to function at a high level (with at least five years experience) as a security professional within their organisation. 

Best of luck with the exam