by Barton Mckinley

Gearing up for the CISSP exam

News Analysis
Apr 12, 2004 | 6 mins

IT Leadership | Networking | Security

A Certified Information Systems Security Professional shares study tips for obtaining the hot certification.

I am now a Certified Information Systems Security Professional, although it took me a while to become one. I thought about, debated, delayed and put off taking the exam for almost two years. Even when I finally did sign up for the test, I wondered if I had made a mistake.

Finding the time to study for the International Information Systems Security Certification Consortium (ISC2)’s top-level certification was a challenge. When I hit the books, I jumped from topic to topic without much of a plan. This haphazard approach was perfect for generating anxiety, but was virtually useless in preparing for the exam.

Then about eight months ago, I became sick and had to postpone both work and studies. Ironically, this was a blessing. During the downtime I laid out a detailed CISSP study plan and found study materials. I studied in earnest and passed the exam in December.

Now that I’ve learned what works and what doesn’t, I’d like to share some pointers for those of you who are beginning CISSP certification or thinking about taking the plunge.

Getting started

Before you decide to take the CISSP exam, go to the ISC2 Web site at to review the certification requirements. You don’t want to prepare and then find out that, for whatever reason, you don’t meet the criteria.

The CISSP Common Body of Knowledge (CBK) covers 10 domains (see graphic below), embracing approximately 120 sub-topics. That’s a lot of material, even if you already know some of it.

Rate your level of knowledge of each domain. Examine them carefully, because your idea of what fits into a domain may differ from the ISC2’s. For example, I thought I knew all about security management, but much of what I thought was in that domain is actually covered as part of disaster recovery. I didn’t allow enough study time and had to cram to catch up.

Sort the domains according to your knowledge level and assign estimated study times for each, factoring in scope and complexity. For example, the telecommunications and network security domain is considerably more detailed and encompasses more topics than the physical security domain.

Estimates vary widely as to how much time you will need to study. This is a personal decision based on your expertise, confidence and ability to learn. Several CISSP preparatory courses and books suggest that you can cram and pass in as little as a week. It’s probably more realistic to allow at least 150 hours, spread over three to four months. Add on a few days of study time as a contingency.

Pick a comfortable, quiet area in which to study. Some people find it helps to join a study partner or group, either of which can be found through the Web. Try to stick to regular, focused study times, while allowing for more detailed research as needed.

Learn (and understand) the principles and terminology addressed in each domain first, rather than trying to learn all the details up front. Then you can expand your knowledge of specific subjects or review domains as needed. For example, be sure you comprehend encryption concepts before you worry about DES modes.

Choosing study materials

Now you need to select some study resources, such as books, Web sites or courses. Many CISSP candidates prefer to take a course, and there are many to choose from, including topic- and domain-specific classes, official ISC2 CBK review seminars and exam preparation seminars.

I decided to prepare by reading a few study guides along with related books and articles, followed by online practice. As you accumulate materials, organize them by domain (for both paper and electronic copies) so that you can find the right resource when you need it.

Consider downloading one of the various free study guides to use as a framework for note-taking. Collect acronyms and term definitions, along with any formulae or standards references. For example, you’ll need to know the definition of the Bell-LaPadula model, when a Class C fire extinguisher is needed and what the Common Criteria are. These notes will prove useful during your final pre-exam review.

The ISC2 uses several different exams, so practice exams or rumors about the content or difficulty of the exam may not be accurate. My practice exam was barely similar to the exam I took. Still, it was helpful to review material in a question-and-answer style.

When you’re ready, register with ISC2 to take the written exam. The exam will set you back $499 if you register early, or $599 two weeks before the exam date. An additional $100 rescheduling fee applies if you postpone the exam. Be sure to register well in advance, as dates often fill up quickly. Exams are taken in person at an ISC2 facility or another approved location.

As exam day approaches, allow yourself time for review and at least a day of rest. It’s critical to get a good night’s sleep the day before the exam. I made the tremendous mistake of taking the exam with only four hours of sleep. I passed, but by halfway through I was miserable. Other test-takers confessed that they had been up all night cramming and expected to fail.

You might need the entire allotted time of six hours to complete the grueling exam, which consists of 250 multiple-choice questions. The registration process is supposed to take 30 minutes, but in my experience, registration took more than an hour.

An ISC2 designate and volunteer proctors administer the exam. You will not be allowed to bring any reference materials or electronic devices to the table with you, except for a paper dictionary to use for language translation. You will, however, be allowed to bring a lunch and any necessary medication, and you can take a quick break to eat, stretch or be escorted to the restroom whenever you want.

You will need to get a scaled score of 700 points to pass the exam. The rumor is that this works out to a grade of about 80%, although the ISC2 uses a confidential method for scoring the exams and doesn’t publish or provide a grade.

You should get your exam results four to six weeks after you take the test. Unfortunately, due to the no-grade policy, you will only learn whether you passed or failed. If you pass, you’ll then receive an endorsement form from the ISC2 that must be signed by an existing CISSP. After the ISC2 receives the completed form, the organization will mail your official CISSP certificate and lapel pin, and the celebrations can begin!