Everything you've heard about what it takes to pass the CISSP exam is true. It's both disarmingly easy and bewilderingly difficult; at once incredibly rewarding and pull-out-your-hair aggravating. This article aims to demystify the process and help you prepare.
What is the CISSP?
CISSP stands for Certified Information Systems Security Professional. The credential was created in 1991 by the International Information Systems Security Certification Consortium (ISC)2, a nonprofit that is the caretaker and credentialing body for the CISSP.
According to (ISC)2, the certification is "an elite way to demonstrate your knowledge, advance your career and become a member of a community of cybersecurity leaders. It shows you have all it takes to design, engineer, implement and run an information security program."
What are the requirements for obtaining and maintaining a CISSP?
To qualify, you need at least five cumulative years of paid, full-time professional experience, including at least two years of work in the exam's eight Common Body of Knowledge (CBK) domains.
Alternatively, you can have four years of experience, plus either a four-year college degree or an approved credential from the CISSP Prerequisite Pathway. You also have to agree to the (ISC)2 Code of Ethics and provide background information on things like felony convictions and involvement with hackers.
The second step is to pass the CISSP exam. If you fail the first time, you can retake it, though you have to pay each time. If you pass, you must obtain a written endorsement within nine months from someone who can attest to your professional experience and who is an active (ISC)2 credential holder in good standing.
The certification is valid for three years. Each year, you must earn and post at least 40 continuing professional education credits through educational activities, such as attending live events, online seminars and other learning opportunities. There is also an annual maintenance fee.
Why get a CISSP?
Most current and would-be CISSPs say the primary reason they want a CISSP is to increase their marketability. Other motivations include filling in knowledge gaps, earning peer recognition, expanding one's professional network and contributing to the development and maturation of the profession.
One benefit of CISSP certification is that, in preparing for the exam, you're going to learn a lot about subjects you didn't know about before. Sure, some of this material is boring and impractical, but studying for the exam will give you a very strong knowledge base, no matter how hard it seems at the time.
What's the exam like?
The English-language exam contains 100 to 150 questions. These comprise multiple-choice questions, as well as advanced innovative questions.
The English exam uses Computerized Adaptive Testing (CAT), in which an algorithm adjusts the difficulty of each successive question based on the candidate's demonstrated ability level. Candidates are given three hours to complete the exam.
The questions are weighted differently, adding up to 1,000 points. To pass the CISSP exam, you must obtain a minimum passing score of 700. You only receive a score of pass or fail.
If you fail the exam, (ISC)2 reveals some details of your performance. You will receive a ranking of the exam domains according to the percentage of questions you answered correctly.
What subjects does the exam cover?
The exam tests on topics from the eight CBK domains:
How hard is it to pass the CISSP exam?
The exam is best characterized as an inch deep and a mile wide. With that in mind, how difficult is the CISSP exam? It is a matter of perspective.
Some domains cover more material -- and in greater depth -- than others, but this can be deceiving. Many candidates score poorly because they over-prepare for the big domains and under-prepare for the small ones. It's unlikely that the exam will present you with an equal distribution of questions across all eight domains. To achieve a passing score, the only safe bet is to study each domain thoroughly.
Another common mistake is to adopt a uniform approach to learning the material. Some domains are fact-oriented. You either know the bit size of an MD5 message digest or you don't. Others are more contextual and interpretative, focusing on standards, principles or best practices.
What should I study?
The first thing you should do is review the main topics in each domain. This will reveal your strengths and weaknesses.
Then, take the plunge and buy at least one of the all-in-one books. As you read each chapter/domain, take the practice exams in the book and online. Plan to take at least two full-length practice tests before sitting for the exam.
Do I need to take one of the CISSP exam-cram classes?
If you can get your boss to pay for a boot camp class -- they often cost several thousand dollars -- and can afford the time out of the office, do it. You won't necessarily learn anything different from an equivalent course of independent study, but a boot camp will give you a lot more confidence that you're on the right track. The instructors can help you grasp complex topics, and you can band together with fellow students to form study groups. All of these things help you get motivated and pass the CISSP exam.