- Andrew Briney and Jessica Scarpati
Everything you've heard about what it takes to pass the CISSP exam is true. It's both disarmingly easy and bewilderingly difficult. It's at once incredibly rewarding and pull-out-your-hair aggravating.
This article aims to demystify the process and help you prepare with tips for obtaining one of the most prestigious cybersecurity certifications in the field.
What is the CISSP?
CISSP stands for Certified Information Systems Security Professional. The credential was created in 1991 by (ISC)2 Inc., a nonprofit that is the caretaker and credentialing body for the CISSP.
According to (ISC)2, the certification is "an elite way to demonstrate your knowledge, advance your career and become a member of a community of cybersecurity leaders. It shows you have all it takes to design, engineer, implement and run an information security program."
What are the requirements for obtaining and maintaining a CISSP?
To qualify, you need at least five cumulative years of paid, full-time professional experience, including at least two years of work in the exam's eight Common Body of Knowledge (CBK) domains.
Alternatively, you can have four years of experience, plus either a four-year college degree or an approved credential from the CISSP Prerequisite Pathway. You also have to agree to the (ISC)2 Code of Ethics and provide background information on things like felony convictions and involvement with hackers.
The second step is to pass the CISSP exam. If you fail the first time, you can retake it, though you have to pay each time. If you pass, you must obtain a written endorsement within nine months from someone who can attest to your professional experience and who is an active (ISC)2 credential holder in good standing.
The certification is valid for three years. Each year, you must earn and post at least 40 continuing professional education credits through educational activities, such as attending live events, online seminars and other learning opportunities. There is also an annual maintenance fee.
Why get a CISSP?
Most current and would-be CISSPs say the primary reason they want a CISSP is to increase their marketability. Other motivations include filling in knowledge gaps, earning peer recognition, expanding one's professional network and contributing to the development and maturation of the cybersecurity profession.
One benefit of CISSP certification is that, in preparing for the exam, you're going to learn a lot about subjects you didn't know about before. Sure, some of this material is boring and impractical, but studying for the exam will give you a very strong knowledge base in topics like security architecture, risk management, business continuity, information assurance and more -- no matter how hard they seem at the time.
What's the exam like?
The English-language exam is 100 to 150 questions. These comprise multiple-choice questions, as well as advanced innovative questions.
The English exam uses Computerized Adaptive Testing, in which an algorithm adjusts the difficulty of each successive question based on the candidate's ability level. Candidates are given three hours to complete the exam.
The questions are weighted differently, adding up to 1,000 points. To pass the CISSP exam, you must obtain a minimum passing score of 700. You only receive a score of pass or fail.
If you fail the exam, (ISC)2 reveals some details of your performance. You will receive a ranking of the exam domains according to the percentage of questions you answered correctly. If you're preparing to take the test a second or third time, one of the most important tips is to look at which domains you did poorly on and pay extra attention to those areas when studying.
What subjects does the exam cover?
The exam tests on topics from the eight CBK domains:
Tips for passing the CISSP exam
The exam is best characterized as an inch deep and a mile wide. With that in mind, how difficult is it to pass the CISSP exam? It is a matter of perspective.
Here are a few tips to consider when preparing for the big day:
- Don't play favorites when studying. Some domains cover more material -- and in greater depth -- than others, but this can be deceiving. Many candidates score poorly because they over-prepare for the big domains and under-prepare for the small ones. It's unlikely that the exam will present you with an equal distribution of questions across all eight domains. To achieve a passing score, the only safe bet is to study each domain thoroughly.
- But remember that the exam isn't homogenous. Another common mistake is to adopt a uniform approach to learning the material. Some domains are fact-oriented. You either know the range of dynamic port numbers or you don't. Others are more contextual and interpretative, focusing on cybersecurity standards, principles or best practices.
- Mind the gaps. The first thing you should do is review the main topics in each domain. This will reveal your strengths and weaknesses, helping you to identify and subsequently fill any gaps in knowledge.
- Practice questions are your friend. Take the plunge and buy at least one of the all-in-one books. As you read each chapter or domain, take the practice exams in the book and online. Plan to take at least two full-length practice tests before sitting for the exam. Considering that you'll need to answer 70% of the real exam questions correctly, it's advisable to reach a point where you can consistently nail at least 85% of a practice test. While you'll never encounter a practice question on the actual exam, running through them will help drill the broader concepts into your head.
- Develop -- and stick to -- a training schedule. Just as if you were preparing to run a marathon, create a study schedule. It can be helpful to work backward from your exam date to ensure you're allotting enough time to cover each domain. While you should stick to your training plan as closely as possible, it's also important to be flexible. Don't arbitrarily move on from one topic before you're ready just because the schedule says so.
- Make time to review previously studied material. Decades of research have shown that cramming simply does not work. The brain retains information best when it's been reviewed several times over a longer term. Think about how many times you've met someone and forgotten their name within five seconds. Earning a CISSP passing score will require you to recall a lot more than that.
- Don't underestimate basic logistics. It sounds cliché, but get plenty of sleep the night before. Eat before the test. Avoid selecting an exam location more than an hour away or an exam time close to rush hour. Find out whether the test computers at your location use Macs or PCs. If you're uncomfortable with one, choose a location that uses your preferred machine -- and, importantly, mouse.
Do I need to take one of the CISSP exam-cram classes?
If you can get your boss to pay for a boot camp class -- they often cost several thousand dollars -- and can afford the time out of the office, do it. You won't necessarily learn anything different from an equivalent course of independent study, but a boot camp will give you a lot more confidence that you're on the right track. The instructors can help you grasp complex topics, and you can band together with fellow students to form study groups. All of these things help you get motivated and pass the CISSP exam.