I recently received a provisional passing score on the (ISC)² CISSP exam, and I thought I’d share what I learned.
About the exam
First off, the CISSP is a certification centered around IT security, and in touches on both management and engineering aspects of IT security. You can read more about what the CISSP entails here: https://www.isc2.org/Certifications/CISSP
One of the requirements of the CISSP certification is that you have at least five years experience in at least two of the eight domains.
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
You can also get a 1-year waiver if you have a 4-year degree, or an approved certification.
When I decided to go for the CISSP I already had 15 years experience, though most of it was on the network engineering side of things. Due to the breadth of material covered in the exam I easily spent more time preparing for this test than any other certification test I’ve taken.
How I prepared
As I mentioned, I’ve had 15 years experience, so I’m familiar with most network security concepts from an engineering standpoint. However, this exam goes into a lot more than just the technical side of cyber security. A lot of the legal frameworks were new to me, as well as the software development side.
I started off by reading the CISSP Exam Cram (4th Edition). That book is based on a previous CISSP exam, but the content is still relevant to the 2018 version of the test. I read this cover-to-cover, making a number of highlights along the way. I then went back through and went over those highlights again to really solidify what I read.
I also had the Sybex Official Study Guide and Practice Tests. This book is much bigger, and I thought it went into more detail than the Exam Cram. I mainly used to book as a reference for areas that I found I was weak in after taking the practice tests or concepts that I wasn’t confident in after finishing the Exam Cram.
To break up the monotony of reading I also watched the CISSP video series through Pluralsight. I found the videos informative, but after having done so much reading it was a bit difficult to stay focused when reviewing content I was already familiar with. I actually think the video series provides a great foundational level, and I would have been better off if I’d started with it before I did the reading.
Lastly, I also read the Eleventh Hour CISSP Study Guide. I got the Kindle version, and I read through it a couple times in the days before the test. This is a really condensed version of the material, but I thought it was a great refresher.
Personally, I’m a big fan of practice tests. I find that they often help highlight where my weaknesses are, so I can focus my studies more in those areas. For the CISSP exam I must have done over 800 practice questions. The exam covers a wide range of material, so I wanted to make sure I didn’t have any gaps.
The exam itself
Having taken exams for PearsonVue and Prometric in the past this exam really wasn’t much different. The testing center did palm scans, and they were a lot more controlled than other exams, but nothing to significant.
Not that this is unusual for certification exams, but the CISSP exam seems to take pleasure in using some tricky questions. Without getting into NDA space I’ll just use a very loose example-
Q: Which of these BEST describes what is needed for a sandwich
A: Peanut Butter
B: Mayo
C: Bread
D: Meat
Well, a sandwich could made with all of them (at the same time if your brave enough). The correct answer is C because a sandwich is (at least by definition) made with bread.
In the US the exam is adaptive, meaning there’s no Back button, so when you submit an answer you’d better be happy with what you selected. Read twice, click once. It also doesn’t tell you how many questions there are. It just stops abruptly somewhere between 100 and 150 questions. The screen doesn’t display a result either. You don’t find out if you passed or not until you get the score report. The score report should indicated if you passed or failed, and if you failed it should list the domains you were weak in. There’s also situations where a score isn’t immediately available.
After the exam
If you passed the exam you should get an email confirmation a couple days later with information on submitting an endorsement application. The process is pretty straightforward, but it can take upwards of eight weeks for everything to be approved before the certification is official.
Right now I’m still waiting for the official approval, so any addition details will come along when that’s complete.