The ISC2 Certified Information Systems Security Professional (CISSP) was a challenging certification covering a large number of subject domains. This is how I approached it and what I found helpful, should it be of use to someone else.
What is it and do I need it?
Will it be useful career-wise? The CISSP is a theory-based, well-rounded, vendor-neutral security certification. It is one of the most globally recognised standards of achievement in the industry. Career-wise I found this a great cert to achieve. There are many sites that break down the benefits of obtaining this cert (here, here).
How much do the exam and training cost? At the time I did the training and exam back in 2015, it was very different to what it is now. The 5 day training was about $3k AUD directly through ISC2 – this was around the time the exam format and domains were updated. I personally found the teacher and class made the training; the actual course content was pretty average.
The exam was about $600 AUD back in 2015.
It's worth noting that, to be eligible for the CISSP exam, “you must have a minimum of 5 years cumulative, paid, full-time work experience in two or more of the eight domains of the CISSP Common Body of Knowledge (CBK)” – usually letters from past employers proving your experience. You must also be endorsed by someone else who is also a CISSP. The teacher from the training endorsed me.
Do I need to renew it each year and what's involved? Yes. The CISSP requires a yearly renewal of ~$85 USD plus achieving 120 Continuing Professional Education (CPE) credits (over 3 years, 40 per year).
I started my CISSP study in late 2014 while changing jobs – which didn't leave much time for study. Luckily I was involved in an international tender at work which required a cyber security focus, and I was able to get training approved to fast track this.
While not working on this full time, it probably took a good part of a year to prepare, attend training, prepare the endorsement, do exam prep and then actually sit the exam.
For a better goal setting example see my CEH path.
Below are the materials I used to prepare for the exam and the order I used them:
Exam Blueprint – First, downloading the exam blueprint lets you know exactly what topics will be in the exam and what percentage is allocated to each topic. From memory this also included a few sample questions.
Read other CISSP blogs – there are many people that have taken this exam and some (like me) have put up suggestions on what got them through. Read a few and get some study ideas about what works for you. Also check out CISSP study groups or online forums.
CBT Nuggets CISSP videos – I'm a big fan of CBT Nuggets and find their videos very easy to watch and to the point. This is more for an overview of the course and security domains. If you get stuck on a specific topic, be sure to research it more on YouTube. If you are not sure about pursuing the CISSP, this gives a great overview.
Skillset online training – back when this was free, I found this very helpful. It built up skills in each security domain and helped by repeating terms so they are drilled into your memory. There were also practice tests.
Various books – if you look around there are sometimes e-book bundles from sites such as humblebundle where you can get a boat load of security books for next to nothing (worth signing up). If you are more comfortable with paper, sites like amazon also sell used books for half the price. Make sure you read the book reviews first; some are great but some are a waste of paper (*cough* official ISC2 guide). I didn't have time to read them all but used them more as references – each book will explain a concept differently.
- Eleventh Hour CISSP Study Guide 2nd edition
- CISSP Study Guide- Sybex Sixth Edition
- CISSP All-in-One Exam Guide, 7th Edition – Shon Harris
- CISSP For Dummies by Lawrence C. Miller 5th Edition
Official Practice Tests – I used a few. Note the ones below are quite old now. Also don't use exam dumps you find online; it's cheating and devalues the exam.
Android/Play Store apps – some of the best time for on-the-go study is with your phone. Instead of looking at ultimate fail videos on Facebook, spend 5-10 minutes doing some study instead. When studying in the past I have removed tempting games and social apps from my phone so the only option is study. Doing a search for CISSP study brings up too many options – try the free ones.
- CISSP Pocket Prep – This is a great platform which you can buy multiple subjects/exams for. From memory to buy it was $6 AUD or something silly.
Leading up to the exam I changed my exam date a few times. So long as you give enough notice (dependent on the exam centre) there is no fee.
While you only need 70% to pass (700/1000), in your practice tests aim for slightly higher like 80%. Once you are consistently hitting this you know you are ready.
At least once, try to do a full practice exam all in one sitting with the time constraints and no breaks.
Due to the cost and length of the exam, you want to be 100% confident before attempting this. From memory there are no retake vouchers, so if you fail, you (or your work) are up for the full fee again.
Day of the Exam
Back in 2015 you had 6 hours and 250 multiple choice questions. Now it appears you have 3 hours and 150 questions.
Make sure you are well rested and relaxed. I suggest you take the entire day off work or even the day before.
Make sure you read the questions carefully. Many of the answers will be correct, but you will sometimes need to pick the most correct.
If you do fail, don’t be discouraged to sit this again. There is a lot of content to remember. Learn from your mistakes and when ready, sit this again.
Once you have passed, the focus is then on maintaining CPEs. There are many categories you can earn credits in, but here are a few to get you started. Do a search for “CISSP CPE free” and prepare to be overwhelmed.
- ISC Blog – has some resources and free magazines
- Varonis – Big list of free resources
- IronGeek – Big list of free resources
- Computer based training – there are loads of free resources online that offer certificates for completing security related small courses such as https://www.cybrary.it/ .
- Podcasts – Again, so many resources out there on this. I listen to a few on the way in to work, e.g. http://podcast.wh1t3rabbit.net/, and maintain a register in Excel as proof.