The popularity of the CISSP certification has spurred a plethora of training offers and magic recipes claiming to help candidates effortlessly reach their certification goals. However, no single resource provides the magic answers you need to pass the CISSP exam. Success comes only from a proper mix of real life experience and study. Here are some dos and don'ts to help you along the way.
Before you invest in a pricey study guide or boot camp, make sure you qualify for the CISSP exam. Visit... (ISC)2 (International Information Systems Security Certification Consortium) online for the minimum requirements and other details about the exam process. Note that at least three years of professional experience plus a degree, or four years of experience without a degree is required to take the exam. If you do not have the required experience, you can elect to become a CISSP Associate, which allows you to take the CISSP exam and fulfill the experience requirement later. Once you have attained the minimum number of years of professional experience, you become a CISSP in good standing.
Several months prior to test date: Create a study plan
The CISSP certification is based on a very wide Common Body of Knowledge (CBK), which consists of 10 domains or areas of expertise. Most security professional are familiar with four to six domains and need to spend more time on the domains they have less exposure to in their day-to-day activities.
Schedule your exam a few months in advance (allow three to six months depending on experience), and then use this target date in developing your study plan. Discipline is key. Tell the people around you about your study plans and make them realize that it might take away from the time you regularly have with them. Moral support from your close friends and relatives can make a huge difference while going through some of the more demanding domains of the CBK.
If you simply cannot find the time for independent study, I suggest you consider attending an intensive one week boot camp where you can fully review the 10 domains with a master of the CISSP CBK. Pick your provider carefully and ask who will be your instructor. The boot camp is not a replacement for proper preparation. You still need to do homework and independent study. The boot camp should be a confirmation of your preparation and is a great occasion to polish on your weak areas. Remember what I said above -- no single resource will allow you to pass this test.
There are currently about 18 different study books for the CISSP. Some of them are great and cover all aspects of the CBK, while others aren't worth the paper they are printed on. A word of caution: Do not overload yourself with half a dozen books. Pick one or two, depending on your reading style. As you read, concentrate on understanding the concepts within each domain. Do not attempt to get too deep within the material; the CBK has hundreds of concepts and you must stay at a high level or else you will never get through them all.
The books that I highly recommend are:
- CISSP All-in-One Exam Guide by Shon Harris
- Official (ISC)2 Guide to the CISSP Exam by Susan Hansche, John Berti and Chris Hare
- CISSP Study Guide by Ed Tittel
- CISSP Prep Guide Gold Edition by Ronald L. Krutz and Russell Dean Vines
After you review each domain, test yourself to see how well you're doing. Taking practice quizzes will increase your chances of passing the exam, as they will help you become accustomed to different styles of questions. Answer all of the questions at the end of the book that you bought and answer the questions provided by your training provider. Last but not least, visit the CISSP and SSCP Open Study Guides quiz engine, which I maintain, at www.cccure.org. It has close to 2,000 questions available for free and the quiz engine will tell you which domain and sub-domain you experience the most difficulties.
The day before the exam
Get a good night's sleep the day before the exam. Do not cram until the early hours of the morning. The last thing you should review is the cram study guide produced by Michael Overly that is available for free at cccure.org. You should be done studying early in the afternoon in order to grab the maximum rest that you can.
Taking the exam
Six hours of testing is just as physically demanding as it is mentally demanding. It will drain you. Bring an energy snack with you and, if needed, take a break to recharge your batteries, and then continue the test.
Before you begin answering questions, read through the whole exam at least once. This will build your confidence level and help you find answers for some of the questions. While answering the exam questions, pay particular attention to keywords that indicate the context of the question. The exam is on paper and you are allowed to write on the exam booklet. When you see a keyword word like "not," circle it. When you see the words "greatest to smallest," make an arrowhead pointing to the right. Make an arrowhead pointing to the left for "smallest to greatest."
Read the entire question before you answer it. There is no penalty for wrong answers, so answer all of the questions, even if you have to guess. If all of the answers seem valid (which might happen), select the most correct answer. The answer that includes the others, or the answer that applies to management will usually be the most correct answer.
After the exam
Finally, beware of the post-exam syndrome. You will most likely feel like you under performed. This is a normal. Twenty-five of the 250 questions don't count toward your final score, but you won't know which ones. Questions are also weighted and the value of each question is not indicated. The first question might be worth one point while the second might be worth three points. Given these variables, it's normal to feel uncertain about whether or not you passed.
Final words of advice
There is no shortcut to becoming a CISSP. Do your homework, stick to the concepts and keep in mind that the exam is oriented towards management.
About the author
Clément Dupuis is well known for being the maintainer of the CISSP and SSCP Open Study Guides Web site located at www.cccure.org. As such he has been collecting information, tips, tricks and documents related to the CISSP for the past five years and sharing them freely with the community. Clement has also developed and taught CISSP classes for many companies. He currently teaches regular classes for Intense School based in Fort Lauderdale, Fla. He welcomes reader correspondence at firstname.lastname@example.org.