I took the CISSP exam a while back and wanted to share a few thoughts. I’ve long been a security practitioner, going back to my teenage years attending local 2600 meetings. I got my Security+ back in 2004. Yikes! With the current ransomware driven technology climate, it seemed like high time to put some effort into that part of my background. I’d say my primary interest was to validate my credibility when speaking at events or directly helping organizations deal with present day security challenges.
The Certified Information Systems Security Professional (CISSP) is an advanced security related certification managed by ISC2.
Candidates must pass an exam and meet certain experience requirements. They need to have either 5 years of professional security experience, OR have 4 years of experience plus a 4 year degree in a related field. Its easiest if you know someone who is already a CISSP to endorse you. It makes the whole process go much smoother. If you do not, then you need to submit your work history to CISSP to evaluate. This takes longer and is more effort.
The exam is a computerized adaptive testing (CAT) exam. What this means is that the system will adjust the difficulty of the questions based on your performance. According to ISC2: Each exam will “start with an item that is well below the passing standard. Following a candidate’s response to an item, the scoring algorithm re-estimates the candidate’s ability based on the difficulty of all items presented and answers provided.”
One interesting aspect about this CAT exam is that it is fixed length. In order to determine if a candidate meets the requirements, the exam will run somewhere from 125 – 175 total questions. Read more about the CAT exam here.
A passing grade is 700, and you have 4 hours to complete it.
Domains are what the exam calls the various topical areas of the exam. Here are the various domains and their respective weights as it relates to scoring in the exam.
|Security and Risk Management||15%|
|Security Architecture and Engineering||13%|
|Communication and Network Security||13%|
|Identity and Access Management (IAM)||13%|
|Security Assessment and Testing||12%|
|Software Development Security||11%|
Overall, I think that the “Common Book of Knowledge” for the CISSP is very closely aligned with what a senior level technologist and security practitioner already knows. I would guess that if you really fit the profile of what a CISSP should be, you probably won’t have to study all that much. It will likely be more a matter of filling in the gaps across a domain or two that you aren’t strong in.
For me, the weak domain was Software Development Security. I’ve worked as a software developer at points in my career, and still fancy myself fairly competent. My opinion on this domain was that it waded into too much detail at some points, and that damaged the credibility of the entire domain. Rather than sticking to best practices that would be great for every CISSP to know, it tried to get too specific on some database and architecture topics that I would consider arguable at best.
Here is what I did to prepare:
- I listened to some parts of 11th hour CISSP as an audio book.
- I followed the CISSP subreddit to hear what other people were saying about the exam and what resources they were using.
- These cram sheets were linked from that subreddit, and they look pretty good. I’ll admit I didn’t use them, but I could see them being useful: https://www.comparitech.com/blog/information-security/cissp-certification-courses/
- I also found this short video from the subreddit. Everyone over there loved it. Its not a technical guide, but all about the mindset of answering questions on the exam. It talks about how the exam is not technical and to think like a manager. Really good.
- I spent 2.5hrs taking practice tests in the Pocket Prep app, which is a mobile app that supports multiple tests. My average score across those 2.5hrs was 85%. This would end up being my most significant and useful study tool.
- I skimmed a couple chapters of the Sybex official study guide, but just couldn’t make myself read it. Its super boring.
- I bought the Boson practice tests, but I didn’t like it as much as Pocket Prep, so I didn’t really use the boson for this exam. I’ve used Boson for other exams with good results though.
Give yourself extra time at the exam center before your exam. There are more hurdles since the last time I took a proctored exam in person. The test center took palm prints of both hands, pictures, pat down, etc. Took them a solid 20 minutes to get me checked in. Since the CISSP exam has such a long window, there will only be 2 seatings per day at most test centers. This means that you end up going to the test site as soon as they open, and it takes those proctors a while to get going in the morning.
Click through the questions and answer them, one at a time. You cannot go back to revisit questions, so you have to get them right the first time. Keep clicking the correct answers until it says that you are done! If I remember correctly, it didn’t say if I passed or not on the screen. You walk over to the proctor to get your printout and thats where it says your results.
If you found any of this information useful or recently took the exam yourself, please let me know in the comments below!