What is a CISSP and why would you want to become one?
CISSP stands for Certified Information Systems Security Professional. It’s a professional certification from (ISC)2 designed to affirm that a security professional has learned a significant amount about cyber security and/or has gained experience in the field.
Becoming a CISSP requires a minimum of five years of paid work experience in two or more of the eight domains of the CISSP CBK, or can be satisfied with an additional credential from the (ISC)2 approved list and a four year college degree. To prepare for the exam, candidates typically use books, practice exams, and review course slides. The exam consists of 250 multiple choice questions which must be completed within 6 hours. Candidates must earn 700 points from a possible 1000 to pass the exam.
The benefits of the CISSP show that the holder of the certification has an assured knowledge of cyber security and is keeping that knowledge current (by getting CPEs – more on that later).
Employers often look for CISSPs when they need to fill cyber security positions. In addition to its benefits for potential employers, the CISSP also brings recognition from peers and colleagues, opportunities for career advancement and higher salaries.
Studying for the CISSP
The study path to CISSP usually begins with a Boot Camp course based around the study guide by Shon Harris. The book is a heavyweight and covers the domains of the CISSP. It’s not the most exciting read but it really does bring the topic to the reader and it is something that most will read, at least in part.
Typically, the Boot Camp will prepare the candidate for the journey they are about to take to the exam.
Other resources to recommend are the CISSP Practice Questions Exam Cram, which typically comes with a PDF that is useful when studying on the move (for example with a tablet); the Boson Practice Exams and other CISSP Certification Practice Exams and Tests.
The aim with the practice exams and tests is actually to be able to print the questions that you get wrong to PDF so you can revise those weak spots before taking the exam. It also helps you start to understand how the questions are written and how the responses should be formed.
That, for me, was the most important aspect of my preparation as I was able to reduce the errors I was making, become familiar with the testing methodology and constantly improve.
The Exam: Linear
The linear exam (paper-based) is what I took and passed many years ago. It consists of 250 questions to be answered in 6 hours (less than 90 seconds per question!) and may be the preferred option for some.
The advantages include:
- having paper that you can mark – such as to eliminate answers
- highlight the questions you are not sure about
- allowing you to cross-reference some questions (I found some questions overlapped and made answering the questions easier).
The exam is longer – 6 hours is a long time – and you cannot eat, leave, smoke, anything! Also if you’re not a native English speaker, be careful of any dictionary you take in to the test as technical reference dictionaries will not be allowed.
For my test, I managed to do all 250 questions in 3 hours and then spent a further 2 hours repeating the questions, doubting myself and double-checking my answers. All-in-all, I changed around 15 answers in my second pass. And then I left.
The Exam: Computer-Based Test
The Computer-Based Test (CBT) is adaptive and will ask you between 125 and 175 questions over 4 hours.
Benefit from my Experience
I did the Boot Camp around 18 months before doing the exam. I revisited the slides I got from the course together with the Shon Harris book, the exam prep book and the exams that I could repeat and repeat.
The most important thing you can ever do with the CISSP questions is to understand them; I found ringing the key phrases in the question was a recipe for success as I could focus on what was being asked of me. I also found out that doing this on the test exams resulted in my success rate for the questions going from 70% to 90%. In the case where you do the CBT, I do assume you can take some blank notepaper into the room to make notes – they will check the paper thoroughly.
Acronyms…..at the last minute, I built acronyms for the ISO models and other things. ARO, SLE, ALE – get that clear in your head. Cyphers – block and stream, get those clear, get the strengths right. And do remember that there is more to certain domains in the test than others – the weighting of the domains can be found on the (ISC)2 website.
During the exam, as well as circling the key text in the question, I put a percentage of how certain I was as to my answer. This helped me on my second pass through the questions.
You can pass
The pass mark is 700 from 1000 possible points. You can pass…you will pass.
Continuing Professional Education (CPEs)
Possibly my biggest worry with the CISSP was keeping it; you need CPEs and they seemed really hard to get. I was quite scared about what I might be able to do to keep the CISSP – after all, so much effort was invested in getting the certification.
Worry not, the (ISC)2 has modernised over the years and recognise Podcasts as methods to get CPEs. It’s not only vendor presentations and conferences that get you them but you can consume news, opinion, reportage and more to get your CPEs.
Some recommendations:
- The Security Now Podcast with Steve Gibson
- Smashing Security Podcast with Graham Cluely and Carole Theriault
- Jamie Bartlett’s The Missing Crytoqueen Podcast covering Ruja Ignatova and OneCoin
Having been audited many years ago before the (ISC)2 added Podcasts as a category, I can safely say they recognise these methods of keeping oneself current and CPE goals are absolutely achievable.