Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
How does one properly prepare for the CISSP examination?
Preparing for the CISSP.
After passing this grueling exam on the first try and successfully passing the audit, I will shed some light on what to expect, and what the entire process from beginning to end is like. The first thing I need to point out and the one fact that's often overlooked is the fact that the requirements to sit for the exam and the requirements to actually be awarded the certification are not the same. You can actually take the exam and pass and still not be a CISSP. If for some reason you end up in this situation, you will be recognized as an ISC2 Associate until you meet the requirements to actually be awarded the CISSP certification. First let's look at the requirements to take the exam. They are listed below.
Requirements to sit for the CISSP Exam.
Applicants must have a minimum of four years of direct full-time security professional work experience in one or more of the ten domains of the (ISC)¦ CISSP« CBK« or three years of direct full-time security professional work experience in one or more of the ten domains of the CISSP« CBK« with a four-year college degree. Additionally, a Master's Degree in Information Security from a National Center of Excellence can substitute for one year toward the four-year requirement
1. Professional Experience Requirements.
* Work requiring special education or intellectual attainment, usually including a liberal education or college degree.
* Work requiring habitual memory of a body of knowledge shared with others doing similar work.
* Management of projects and/or other employees.
* Supervision of the work of others while working with a minimum of supervision of one's self.
* Work requiring the exercise of judgment, management decision-making, and discretion.
* Work requiring the exercise of ethical judgment (as opposed to ethical behavior).
* Creative writing and oral communication.
* Teaching, instructing, training and the mentoring of others.
* Research and development.
* The specification and selection of controls and mechanisms (i.e. identification and authentication technology) (does not include the mere operation of these controls).
Ok, so if you meet these requirments, you're set to register, get approved, and take the exam. Now let's move on to the actual certification.
Requirements to become certified
To be initially certified as a CISSP, a candidate must:
Have the required number of years of professional experience, Pass the test with a scaled score of 700 points or greater, Submit a properly completed and executed endorsement form, Successfully clear the audit of his/her experience assertions, and Subscribe to the (ISC)¦ Code of Ethics.
The certification requirement is usually the part where most get hung up. I've had several students to come through one of the classes I've taught who registered, and was not able to pass the experience audit. Needless to say they were upset, but at the same time, they weren't totally honest on their experience statement. Here are some facts that are often overlooked. First of all, the CISSP exam is pulled from a pool of 8000 or so questions. These questions are almost 100% submitted by CISSP's in good standing (I've submitted quiet a few myself
). Also, when you go through the audit process, the person performing the audit and making the calls to check your references and experiences statements will likely also be a CISSP in good standing. So again, it's advisable not to try and pull a fast one by fudging your resume.
Now to the last part of the process. Which happens to be the endorsement.
Endorsement.
Passing candidates receive a blank endorsement form in the mail with their pass letter. The form must be completed and signed by an endorsing party. The endorsing party is someone who (a) is able to attest to candidate's professional experience and (b) is an active CISSP in good standing.
ISC2 is not flexible at all regarding this. Without an endorsement, you typically get nothing. I've helped/seen more than a few people actually make it through the entire certification process, and endorsement is absolutely the most sacred and un-bending part.
Now that you know how complex the process is for actually becoming eligible, let's move on to the really fun part. Passing the exam!!!!!!!!!
First of all let's take a look at the 10 CBK (Common Bodies of Knowledge) you have to master for the exam. They are....
Access Control Systems and Methodology
Applications and Systems Development Security
Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
Cryptography
Law, Investigation and Ethics
Operations Security
Physical Security
Security Architecture and Models
Security Management Practices
Telecommunications and Network Security
As you can see, this is an extremely broad range of topics. I've often heard people give advice like, "get this exam prep book and you will pass, etc etc etc." My advice is this. First of all, get the official study guide from the ISC2 website. You will find many topics there that are not covered in some of the more popular books like the Shon Harris Official Guide. The Harris books are better put together, and a much easier read, but you do really need both of these resources. Now with that being said, this is not all you will need. Go ahead and read both of these (the Harris and the ISC2 official guide). Then go back, make a list of all the domains, you're weak in. After doing this, get ready to do some serious googling, and trips to the bookstore of your choice. Why? Because for the domains you're weak in, you really need to seek more resources. Because these books are simply study guides and frames of reference, they basically tell you what you need to master. This is not the same as actually giving you the background and needed reading to actually master these things. Personally, I struggled some with Cryptography, and Applications and Systems Development Security. So to make up for the gaps in understanding I bought basic books, like Cryptography Decrypted and other relavent titles to these two domains. In all I prepared for a total of 9 months (it's easy to need this much time if you work full-time). But when exam day came, I felt confident, and as the exam went on, I felt more confident. Because of the sheer strangeness of the questions, I still had a little bit of the notorious "don't know if I passed or failed" syndrome that all CISSP test takers feel post exam time. So to end I'll give a list of the exam prep books I've read and thought were really relavent to the exam material.
The Official All-In-One Guide by Shon Harris (2nd and 3rd edition)
The Advanced CISSP Guide by Russell Vines and Ronald Krutz
The Official ISC2 CISSP Guide (found on the ISC2 Website bookstore).
The Information Security Management Handbook by Hal Tipton
These books should be enough for general exam prep, but again I stress, go get other literature if you're somewhat weak in any of the domains. Feel free to post questions and comments in the Security forum or the CISSP forum here on tek-tips and I'll gladly respond and help however I can.
Good luck and Happy Studying.
KL Evans, CISSP.MCT.MCSE.C|EH.Security+.Network+.A+.MOS
Requirements to sit for the CISSP Exam.
Applicants must have a minimum of four years of direct full-time security professional work experience in one or more of the ten domains of the (ISC)¦ CISSP« CBK« or three years of direct full-time security professional work experience in one or more of the ten domains of the CISSP« CBK« with a four-year college degree. Additionally, a Master's Degree in Information Security from a National Center of Excellence can substitute for one year toward the four-year requirement
1. Professional Experience Requirements.
* Work requiring special education or intellectual attainment, usually including a liberal education or college degree.
* Work requiring habitual memory of a body of knowledge shared with others doing similar work.
* Management of projects and/or other employees.
* Supervision of the work of others while working with a minimum of supervision of one's self.
* Work requiring the exercise of judgment, management decision-making, and discretion.
* Work requiring the exercise of ethical judgment (as opposed to ethical behavior).
* Creative writing and oral communication.
* Teaching, instructing, training and the mentoring of others.
* Research and development.
* The specification and selection of controls and mechanisms (i.e. identification and authentication technology) (does not include the mere operation of these controls).
Ok, so if you meet these requirments, you're set to register, get approved, and take the exam. Now let's move on to the actual certification.
Requirements to become certified
To be initially certified as a CISSP, a candidate must:
Have the required number of years of professional experience, Pass the test with a scaled score of 700 points or greater, Submit a properly completed and executed endorsement form, Successfully clear the audit of his/her experience assertions, and Subscribe to the (ISC)¦ Code of Ethics.
The certification requirement is usually the part where most get hung up. I've had several students to come through one of the classes I've taught who registered, and was not able to pass the experience audit. Needless to say they were upset, but at the same time, they weren't totally honest on their experience statement. Here are some facts that are often overlooked. First of all, the CISSP exam is pulled from a pool of 8000 or so questions. These questions are almost 100% submitted by CISSP's in good standing (I've submitted quiet a few myself
). Also, when you go through the audit process, the person performing the audit and making the calls to check your references and experiences statements will likely also be a CISSP in good standing. So again, it's advisable not to try and pull a fast one by fudging your resume.Now to the last part of the process. Which happens to be the endorsement.
Endorsement.
Passing candidates receive a blank endorsement form in the mail with their pass letter. The form must be completed and signed by an endorsing party. The endorsing party is someone who (a) is able to attest to candidate's professional experience and (b) is an active CISSP in good standing.
ISC2 is not flexible at all regarding this. Without an endorsement, you typically get nothing. I've helped/seen more than a few people actually make it through the entire certification process, and endorsement is absolutely the most sacred and un-bending part.
Now that you know how complex the process is for actually becoming eligible, let's move on to the really fun part. Passing the exam!!!!!!!!!
First of all let's take a look at the 10 CBK (Common Bodies of Knowledge) you have to master for the exam. They are....
Access Control Systems and Methodology
Applications and Systems Development Security
Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
Cryptography
Law, Investigation and Ethics
Operations Security
Physical Security
Security Architecture and Models
Security Management Practices
Telecommunications and Network Security
As you can see, this is an extremely broad range of topics. I've often heard people give advice like, "get this exam prep book and you will pass, etc etc etc." My advice is this. First of all, get the official study guide from the ISC2 website. You will find many topics there that are not covered in some of the more popular books like the Shon Harris Official Guide. The Harris books are better put together, and a much easier read, but you do really need both of these resources. Now with that being said, this is not all you will need. Go ahead and read both of these (the Harris and the ISC2 official guide). Then go back, make a list of all the domains, you're weak in. After doing this, get ready to do some serious googling, and trips to the bookstore of your choice. Why? Because for the domains you're weak in, you really need to seek more resources. Because these books are simply study guides and frames of reference, they basically tell you what you need to master. This is not the same as actually giving you the background and needed reading to actually master these things. Personally, I struggled some with Cryptography, and Applications and Systems Development Security. So to make up for the gaps in understanding I bought basic books, like Cryptography Decrypted and other relavent titles to these two domains. In all I prepared for a total of 9 months (it's easy to need this much time if you work full-time). But when exam day came, I felt confident, and as the exam went on, I felt more confident. Because of the sheer strangeness of the questions, I still had a little bit of the notorious "don't know if I passed or failed" syndrome that all CISSP test takers feel post exam time. So to end I'll give a list of the exam prep books I've read and thought were really relavent to the exam material.
The Official All-In-One Guide by Shon Harris (2nd and 3rd edition)
The Advanced CISSP Guide by Russell Vines and Ronald Krutz
The Official ISC2 CISSP Guide (found on the ISC2 Website bookstore).
The Information Security Management Handbook by Hal Tipton
These books should be enough for general exam prep, but again I stress, go get other literature if you're somewhat weak in any of the domains. Feel free to post questions and comments in the Security forum or the CISSP forum here on tek-tips and I'll gladly respond and help however I can.
Good luck and Happy Studying.
KL Evans, CISSP.MCT.MCSE.C|EH.Security+.Network+.A+.MOS