CISSP Exam - Preparation Tips and Study material



Certified Information Systems Security Professional (CISSP) is an information security certification developed by the International Information Systems Security Certification Consortium, also known as (ISC)². The CISSP is widely regarded as the gold standard among InfoSec certifications. On-the-job experience is crucial for both the exam and the certification process. To pass the CISSP exam you need a minimum scaled score of 700 out of 1,000. At the time of my sitting (May 2017) the exam was 6 hours long and consisted of 250 questions, a mix of multiple-choice, drag-and-drop and hotspot items, and cost $599. To qualify for the certification you must have at least five years of cumulative, paid, full-time work experience in two or more of the eight domains of the (ISC)² CISSP Common Body of Knowledge (CBK).

Since 2015, the CISSP curriculum has been divided into eight domains:

  • Security and Risk Management.
  • Asset Security.
  • Security Engineering.
  • Communications and Network Security.
  • Identity and Access Management.
  • Security Assessment and Testing.
  • Security Operations.
  • Software Development Security.

In this article I will describe my preparation journey and the lessons learned from the exam, having successfully cleared it on 23 May 2017 at the Prometric Centre, Ansal University, Gurgaon. The exam is conducted over 6 hours with 250 questions testing your knowledge across the 8 domains of information security. It can be booked online and attempted at Prometric centres across India throughout the year. What makes the test difficult is that its scope is very broad and requires test takers to cover a large number of areas.

Preparation time for the exam ranges from a few months to a year, depending on your expertise and prior knowledge of the information security domain. My total preparation time was 3 to 4 months, spread over a year.

I will try to cover the important test preparation material as well as a suggested methodology for clearing the exam.

Study material
First, the material. The main books I used for exam study, which are common across most test takers, are:
  1. ISC2 Official Study Guide by Sybex - My main reference guide. It covers all the material, is easy to read and should serve as the primary document for exam preparation.
  2. ISC2 CISSP Common Body of Knowledge - The main body of knowledge covering all the domains. I did not find it very well written, which makes it difficult to read. I used it only to browse through and check that I had not missed any topics.
  3. CISSP All-in-One Guide by Shon Harris - A voluminous book of over 1,000 pages which used to be considered the bible for this exam. It is a bit outdated now but has very good explanations of some topics. I attempted it but could not sustain the effort.
  4. CISSP Sybex ISC2 Official Guide Practice sets - Very useful chapter-wise tests for revising the course.
  5. 11th Hour CISSP Guide by Eric Conrad - A good condensed form of the CISSP CBK and helpful for preparing in the last week.
    1. Too big to be called a quick read
    2. Missing words, disconnected
    3. There is too much information, making it redundant as a quick read
    4. It needs to be edited professionally, else it is not very useful
  6. Tutorials
  7. Practice questions
  8. Online course
    1. IT Masters CISSP Course - It is from 2013 and covers the old 10 domains, but it is still relevant with good learnings. You will learn more than just the syllabus.

Useful Tips

  • It is essential to schedule the exam first, two to three months in advance, otherwise you will keep studying endlessly for it.
  • Start with the ISC2 Official Study Guide by Sybex. Read all the chapters once, underline the important parts, and use the internet and other books to clarify concepts you have not understood.
  • Read a chapter from the book and then answer the chapter-wise questions, at least 100 of them.
  • After this, start attempting 50 to 100 questions daily. It is important to try scenario questions, which are only available in a few practice tests. There are a few CISSP Android apps which give daily questions.
  • After a week, take a major practice test. Review weak areas and answer mixed questions.
  • Read the Sunflower guide in its entirety once a fortnight to review all the areas.
  • Take at least 5 to 7 full-length practice tests before the exam. If you are scoring above 80% you are ready for the exam.
  • Certain difficult areas:
    • Information security models - Bell-LaPadula, Biba, TCSEC, Common Criteria
    • Physical security models
    • Software security
  • Domain 6 (Security Assessment and Testing) is not covered well in the study guide, and you need to do practice questions and additional reading to understand testing better.
  • You may need to remember the well-known ports to answer a few questions.
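Since the security models are among the areas test takers find hardest, here is an added example (my own illustration, not material from the Sybex guide or any other book listed above) that encodes the Bell-LaPadula and Biba access rules over a simple lattice of levels and need-to-know categories. The numeric levels, the category names and the "strict" write option are assumptions chosen for illustration; the rules themselves (no read up / no write down for confidentiality, no read down / no write up for integrity) are the ones the exam asks about.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Assumed lattice: numeric sensitivity levels (0 = lowest) plus a set of
# need-to-know categories. Names below are illustrative, not from any standard.
LEVELS = {0: "UNCLASSIFIED", 1: "CONFIDENTIAL", 2: "SECRET", 3: "TOP SECRET"}


@dataclass(frozen=True)
class Label:
    level: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice 'dominates': level >= other level and categories superset."""
        return self.level >= other.level and self.categories >= other.categories

    def __str__(self) -> str:
        cats = ",".join(sorted(self.categories)) or "-"
        return f"{LEVELS.get(self.level, self.level)}[{cats}]"


def blp_allows(subject: Label, obj: Label, op: str, strict: bool = False) -> bool:
    """Bell-LaPadula (confidentiality).

    read : simple security property, subject must dominate object (no read up)
    write: *-property, object must dominate subject (no write down);
           with strict=True the strict *-property requires equal labels.
    """
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        if strict:
            return subject == obj
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): the mirror image of Bell-LaPadula.

    read : simple integrity axiom, object must dominate subject (no read down)
    write: *-integrity axiom, subject must dominate object (no write up)
    """
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


def explain(model: str, subject: Label, obj: Label, op: str) -> str:
    """Human-readable decision line, handy for checking your own reasoning."""
    decide = blp_allows if model == "BLP" else biba_allows
    verdict = "ALLOW" if decide(subject, obj, op) else "DENY"
    return f"{model}: {subject} {op} {obj} -> {verdict}"


if __name__ == "__main__":
    # Constructed sample subject/object labels (illustrative only).
    analyst = Label(2, frozenset({"nuclear"}))        # SECRET, nuclear compartment
    memo = Label(1)                                   # CONFIDENTIAL, no compartments
    report = Label(3, frozenset({"nuclear"}))         # TOP SECRET, nuclear
    for model in ("BLP", "Biba"):
        for obj in (memo, report):
            for op in ("read", "write"):
                print(explain(model, analyst, obj, op))
```

Walking through the output is a good way to internalise the models: under Bell-LaPadula the SECRET analyst may read the CONFIDENTIAL memo but not write to it (that would be writing down), and may write to but not read the TOP SECRET report; under Biba every one of those answers flips, because integrity protects the object from untrustworthy input rather than the reader from sensitive output. Note that categories matter as much as levels: a SECRET subject without the "nuclear" compartment cannot read a SECRET object that carries it.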

Review of practice tests and the 11th Hour guide
  1. CCCure CISSP tests
    1. Poorly structured questions, old and incorrect terms and terminology, incorrect English, questions and topics not relevant
    2. Scenario and normal questions not given together; no dedicated practice tests covering all domains
    3. Terms and topics not aligned with the new CISSP CBK
    4. Good explanations for each question

  2. CISSP Practice Tests, Sybex
    1. Best question bank, with a number of scenario questions
    2. Good quality questions with clear wording and relevant answer choices
    3. Drawback: explanations are given only for the correct answers
    4. No drag-and-drop questions
    5. Software is neatly laid out and user friendly
    6. But prone to faults and hangs in the middle of tests, forcing restarts

  3. 11th Hour CISSP - Eric Conrad
    1. A good condensed form of the CISSP CBK and helpful for preparing in the last week
    2. Excellent references at the end of every chapter for further reading
    3. Five tough questions per chapter to test knowledge of difficult topics
    4. Excellent explanation of tough concepts with proper real-world examples
    5. E.g. examples of referential, semantic and entity integrity violations

What I learned from CISSP

  1. Good overview of access control concepts and technologies
  2. Awareness of software testing methods and techniques
  3. Nice overview of identity management, including SSO, SAML, federation and Kerberos
  4. Boring but useful reading on security models
  5. It requires you to be current with modern security threats and concepts, e.g. ransomware
  6. Web vulnerabilities and mobile security are not covered in detail
  7. IoT, SCADA and cloud security are given a miss
  8. A domain on the latest security technologies covering all of the above, backed by an online wiki on the (ISC)² website, would be a welcome addition

Usefulness of CISSP
  1. It is a prerequisite for most senior cyber security jobs and is an indicator that you have a general understanding of cyber security concepts.
  2. It will not teach you the practical side of cyber security, nor the tasks you need to do daily in such roles, such as security assessments and writing cyber security policies, procedures and standards.
  3. It does not address the latest tools and technologies being used in the industry, such as SIEM, DLP, IRM, SOC, threat hunting, sandboxing, etc. (I will leave you to figure these out from Google.)

Strategy for Armed Forces Officers
  1. It depends entirely on your prior experience in this field. If you have limited or no experience, I suggest starting with the CompTIA Security+ certification coupled with CompTIA Network+. Also explore the Cybrary website, which has a host of introductory courses on cyber security.
  2. If you have decent experience, do the CISSP but couple it with practical online courses and attend relevant conferences to understand what is being talked about in the industry. This will help you connect the concepts and terminology with the tools and technologies being used.
  3. Information security is a vast field, and a senior position requires experience and knowledge of various domains with specialisation in a few chosen areas. There are a number of Army and Naval officers who are doing very well in these fields. Unfortunately very few are on Forces Network.

Do write to me for further queries and advice.
