Update 02/08/2011: This post tends to receive spam in the comments. I am sorry about that and I try to remove it as soon as I see it. You can read about where the spam is coming from here.
I recently got word that I passed the CISSP exam. It took exactly 1 month and 7 days of waiting to know the result since I took the exam, (ISC)2 say it may take up to 6 weeks for them to let you know about the result.
– CISSP All in One Guide – by Shon Harris
– CISSP Study Guide – by Eric Conrad, Seth Misenar and Joshua Feldman
To prepare for the exam I used my “spare time” after work, weekends, etc during a bit less than 2 months, this was a bit daring of me but worked in my case, personal experience plus trying to catch up with security news and security podcasts for a few years proved helpful probably :).
I took the bilingual version of the exam, I was advised that by a friend since we are both Spanish-speaking people and he told me he found that option useful for him during the exam.
A bit more depth:
Q: What is the CISSP certification about?
A: This is like CompTIA Security+ but on steroids, basically you have to prove a wide security knowledge on a range of security topics which (ISC)2 call the 10 Common Body of Knowledge (CBK) Domains, these are:
Domain 1: Information security governance and risk management
Domain 2: Access Control
Domain 3: Cryptography
Domain 4: Physical (Environmental) Security
Domain 5: Security architecture and design
Domain 6: Business Continuity and disaster recovery planning
Domain 7: Telecommunications and network security
Domain 8: Application development security
Domain 9: Operations security
Domain 10: Legal regulations, investigations and compliance
Because of the similarity with CompTIA Security+ if you plan to take the CISSP I would suggest to “warm up” with the CompTIA Security+ certification first and then, shortly after, go straight for the CISSP. This will definitely improve your odds of passing the test. I took the CompTIA Security+ exam more than 3 years before the CISSP but even then, many concepts repeat since both certifications have a broad security background focus.
The CISSP is a management-like exam and covers a wide body of knowledge, therefore it is unlikely for anybody to know all the material just from experience, you will have to learn something new to pass this certification even if you have been in the security industry for a good few years.
– CISSP Exam Prep 800+ practice questions with detailed solutions – by Shon Harris
What is particularly useful about this book is that in the exam you will find (extremely) vague questions, questions you have to read again just to figure out what the question is, although the questions in the book are definitely not the same as in the exam, the nasty way in which they are written warms you up for what you will find in the exam.
As other tests, the benefit of this is also the obvious highlight of your weakest areas: the ones that you should review prior to the exam. For example, if you always fail the business continuity plan questions, then you know you should review that harder than other sections you tend to get questions right on.
– CISSP All in One Guide – by Shon Harris
Because of all the circles to explain simple concepts, longer than necessary explanations and unnecessary repetition, this book is not the fastest way to prepare for the CISSP exam.
Another area this book is superior on is the questions at the end of each chapter, I found these questions more relevant to the exam style than the Eric Conrad book.
Finally, there is something were this book really shines: The 2-3 chapter summary review pages, those pages are invaluable to quickly review all the contents for a given Chapter and there is nothing like this on the Eric Conrad book (discussed below). In addition to this, it would be unfair not to mention the great number of cool diagrams and notes/reminders/schematics to facilitate the review of important concepts.
The only problem I found on the chapter summary reviews at the end of each chapter is that sometimes the acronyms are not spelled out, which defeats the purpose of the review in my opinion.
– CISSP mp3s by Shon Harris
For this reason, the mp3s seemed an attractive idea to me, just to reinforce the concepts as quickly as possible I stopped all other listening during the exam preparation and only listened to Shon Harris for almost 2 months!
Although I would consider this very helpful, it is not enough, you need to see some things to understand them properly and the true power of these mp3s is unleashed when you only use them to reinforce what you studied, hammer the concepts again and again in your brain so that they stick for as long as possible in there.
Finally the mp3s are great but they repeat the All-in-One book biggest sin: Emphasis on the basics you know and skimming through the important stuff you may have trouble remembering. Therefore they are useful, but not as useful or efficient as they could be.
– CISSP Study Guide – by Eric Conrad, Seth Misenar and Joshua Feldman
The thing is I started to prepare using the All-in-One book from Shon Harris and was desperate at my poor progress (was around page 600 almost 1 month before the exam roughly), my original plan was to read the All-in-One, then the CISSP Study guide and then take exam preparation tests and review 2 weeks prior to the exam.
Because I was running out of time I dropped the All-in-One book and only used it for looking up some concepts eventually.
The CISSP Study Guide by Eric Conrad was my new friend: I was sold in the intro when I read: “We know what is important and we will not waste your time”. That is exactly what I needed: to use my time effectively!
The book lives up to what it promises, it is really concise and perhaps only the legal chapter, which seemed to me like a bit rushed, might need to be tidied up (Some concepts are a bit shuffled and unstructured in the legal chapter in a similar fashion to the All-in-One book and unlike other CISSP Study Guide chapters)
The book also goes in incredibly deeper depth than Shon’s book on the Crypto chapter, which was cool from a learning perspective but at the same time made me wonder if Crypto was really one of my strongest domains :).
In a similar fashion to the All-in-One book the CISSP Study Guide book contains questions at the end of each chapter, however there are two problems with this:
1 – There are less questions per chapter: 13 questions is not enough, the All-in-One book contains more than 20 questions per chapter on average.
the mp3 in my opinion). The “online book podcast” is only a rough introduction and does not attempt to cover all the ground covered in the book: it just emphasises the most important concepts for each chapter, they are a useful complement to the book and could be listened to before and/or after studying each chapter.
Where this book really shines, apart from its truly concise and clear explanation of the concepts (night and day from the All-in-One book) is that 2 online exams are offered for free as part of the book. I found these tests much better than the questions in the book but many questions had obviously a different style than the common uncomfortable vagueness found in the exam.
It is important to note that the time it takes you to take the online exam can be misleading because it took me around 45 minutes to draw up the circles in the actual exam: A computer exam is much faster to do than a manual exam! (more on this later)
Overall material opinion:
– Clear and efficient explanations from the Eric Conrad book to learn
If you combine those two resources you have more than 1300 questions to practice, 800+ from Shon Harris and 500 + 130 from Eric Conrad and company, which I believe is a good mix in style, not only to pass but also to learn cool stuff.
Suggested preparation strategy:
5 – Write down all your mistakes AND questions you were not sure about, go back to the book (and sometimes, yes, Google) and make sure you understand why each answer was the right one.
6 – Steps 4 and 5 can be alternated as you feel more useful to you. But write everything down and then REVIEW THAT. Review what you were not sure about, what you got wrong, etc. Write down the concepts you had trouble to remember and put all that in a review excel file or whatever, then try to review that a few times and particularly right before the exam. The day before the exam you should have a list of the concepts you have the most trouble with for review, this recommendation is on Eric’s book and was truly valuable for me too.
Q: How long do I need to prepare for this exam?
Taking the exam
Ok, As I mentioned before, and unlike what other people may say: The exam is not easy, some questions are easier than others but there is a group of questions that I call “the shades of gray”, these are extremely uncomfortable to answer (at least to me) because there is no clear “black and white” answer to choose from and instead you have to choose from “a shade of gray”, in other words: The least bad from the bad or the best from the poor/decent.
I suppose the vague nature of these questions stems from the fact that in a business-level certification like the CISSP the successful applicant should demonstrate to be able to take correct decisions even when not enough information is present or even take the best option from a range of poor choices.
To cope with this vagueness you can warm up with Shon’s 800+ question book, that is the one that resembles those tough questions the best in my opinion.
Another thing to take into account is that this exam is NOT a computer-based exam, you have to physically write stuff in an answer sheet! For a person like me that signs stuff very occasionally and perhaps writes a couple of weekly shopping lines here and there, this was a bit of a shocker. Remember:
The time to fill out the answer sheet is NOT zero, there are 250 circles to fill out and they should be filled out as perfectly as possible (which takes a few seconds), if you add “double-checking that the question in the answer sheet is the one I am looking at on the booklet” a good few seconds fly by with each question you answer. As a reference, it took me roughly 45 minutes to answer all 250 questions and double-check they were correct as I flicked through the pages (I know this because I mistakenly did it at the end)
Another issue is the bilingual exam, if you go for the bilingual exam you will have a side by side exam in both English and your language. In my case this was English and Spanish.
I only went for this option because a friend suggested it to me arguing that some of those super-vague questions were a bit clearer in the translation. To me personally going for the bilingual exam was a big disadvantage:
– Answer as much as you can on each pass: The exam is 6 hours long but you do not have a lot of time to answer each question (there are 250 questions, you do the math): I would recommend to answer as many questions as you can in the first pass (i.e. only skip what you truly have no idea about, which should be 1 in 10 or less) and then complete the test in a second pass for the truly tough ones. If you do more passes or skip questions randomly your time management will be bad and you may run into problems wasting time on flicking through pages back and forth. I did more passes than necessary and this was a waste of time!
– Do NOT waste time writing on the booklet: Write directly on the answer sheet instead! (verify each answer is the best you can answer as you go). This was another mistake I made, I wrote on the booklet and left the answer sheet to “verify the questions at the end” but I ran out of time and there was no time to verify anything! :). So I would suggest that you write directly on the answer sheet, this accomplishes two goals:
1 – You waste absolutely no time, you draw directly on the answer sheet
2 – You will monitor the remaining time more accurately: As you monitor how much time you have left, since you are including the time to circle each answer the time left to finish the exam is more accurate. Because I did not fill out any circle until the end I completely underestimated how long that would take!
– Have a good night of sleep before the exam: I slept badly and had a 10 hour train trip right before the exam and my performance was really affected, do not do the same mistake!. The exam is 6 hours long, make sure you are at 100% of your capacity, the last thing you want to happen is to crash in the middle of the exam!