Gearing up for the CISSP exam

A Certified Information Systems Security Professional shares study tips for obtaining the hot certification.

By Barton Mckinley, Network World
April 12, 2004 12:05 AM ET

Network World - I am now a Certified Information Systems Security Professional, although it took me awhile to become one. I thought about, debated, delayed and put off taking the exam for almost two years. Even when I finally did sign up for the test, I wondered if I had made a mistake.

Finding the time to study for the International Information Systems Security Certification Consortium (ISC2)'s top-level certification was a challenge. When I hit the books, I jumped from topic to topic without much of a plan. This haphazard approach was perfect in generating anxiety, but was virtually useless in preparing for the exam.

Then about eight months ago, I became sick and had to postpone both work and studies. Ironically, this was a blessing. During the downtime I laid out a detailed CISSP study plan and found study materials. I studied in earnest and passed the exam in December.

Now that I've learned what works and what doesn't, I'd like to share some pointers for those of you who are beginning CISSP certification or thinking about taking the plunge.

Getting started

Before you decide to take the CISSP exam, go to the ISC2 Web site to review the certification requirements. You don't want to prepare and then find out that, for whatever reason, you don't meet the criteria.

The CISSP Common Body of Knowledge (CBK) covers 10 domains (see graphic below), embracing approximately 120 sub-topics. That's a lot of material, even if you already know some of it.

Rate your level of knowledge of each domain. Examine them carefully because your idea of what fits into a domain may differ from the ISC2's. For example, I thought I knew all about security management, but much of what I thought was in that domain is actually covered as part of disaster recovery. I didn't allow enough study time and had to cram to catch up.

Sort the domains according to your knowledge level and assign estimated study times for each, factoring in scope and complexity. For example, the telecommunications and network security domain is considerably more detailed and encompasses more topics than the physical security domain.

Estimates vary widely as to how much time you will need to study. This is a personal decision based on your expertise, confidence and ability to learn. Several CISSP preparatory courses and books suggest that you can cram and pass in as little as a week. It's probably more realistic to allow at least 150 hours, spread over three to four months. Add a few days of study time as a contingency.

Pick a comfortable, quiet area in which to study. Some people find it helps to join a study partner or group, either of which can be found through the Web. Try to stick to regular, focused study times, while allowing for more detailed research as needed.

Learn (and understand) the principles and terminologies addressed in each domain first rather than trying to learn all the details upfront. Then you can expand your knowledge of specific subjects or review domains as needed. For example, be sure you comprehend encryption concepts before you worry about DES modes.
