Preface
Part 1: Background
Part 5: Resources
Conclusion
Welcome to The Top 45 Tips to Crush the CISSP. I'm so glad that you took time out of
your day to stop by and take a look. This is a short eBook I put together to help Certified
Information Systems Security Professional (CISSP) candidates prepare for and pass the
CISSP exam. It is both a serious and lighthearted attempt to make sense of how to
approach preparation and test-taking for this important certification. In Part I, you will
find some general information about the exam, a little history about (ISC)2, some details
on the process of becoming a CISSP, and what to expect once you have earned your
certification. In Part II, you'll learn the tips that can help you in your preparation and
study. In Part III there is a set of funny CISSP illustrations that I hope you find enjoyable.
Part IV is the second part of the tip list, this time focused on sitting for the exam. In Part
V you'll find out how to get a list of the top 40 most popular CISSP resources based on
a survey I conducted of people who passed the exam. Hopefully you'll find something
new and useful in these pages that you can apply and benefit from during your CISSP
journey. If that happens I'll feel that I've accomplished my mission.
I am a senior security analyst with over 12 years of experience in the information security
field. The majority of that time I served as a penetration tester, although I have been
fortunate enough to gain experience in a number of areas of information security. I've
also earned several InfoSec certifications over the years. An interest in certifications
also led me to my latest project, CertBase.io, which is a web application for everything
related to InfoSec certifications. When I'm not at work I can be found spending time out
with my family in Tampa, FL or on my bike exploring the local trails.
If at any point while you're reading this guide you have any questions, or you would
like to suggest a tip or resource that I can add to the next version of this eBook, please
don't hesitate to contact me. You can best reach me on Twitter @certbase_io or at
https://certbase.io. Even if you don't have any questions, I'd love you to stop by and say
hello! If you want to reach me in private you can email me at dennis.bailey@certbase.io.
BACKGROUND
I also realize that there are many reasons for becoming a CISSP. Companies in the field
often require the certification as a condition of employment. Perhaps you are looking
to upgrade your career and want to apply for jobs that require a CISSP. Many see the
CISSP as an important part of their professional development plan and want it in their
email signature to showcase their security credentials.
Regardless of your motivation, the decision to go for the CISSP should not be taken
lightly. The preparation needed for this massive test is significant. Unlike some
certifications, which may require little more than a quick crash course on the material,
the CISSP requires an immense commitment of time and energy.
The Common Body of Knowledge (CBK), from which the questions are derived, is like a
Mount Everest of information and it can't be scaled overnight. We are talking months,
as compared to days or weeks for some other certification exams.
Unfortunately, there is no exam dump or cheat sheet that can reliably help you pass
the CISSP. There are no shortcuts to becoming a CISSP, but focus, a solid strategy and
sufficient, effective preparation all combine to make a critical difference. My hope is
that this guide can be useful for you in this important challenge.
Job Opening!
For employers and recruiters, the CISSP is the gold standard among security
certifications. Many companies make CISSP certification a job requirement before
hiring an employee. Our research has shown consistently that the CISSP is by far the
top requested InfoSec certification among job posts, normally more than double that of
the next closest certification. Several salary surveys have indicated that having a CISSP
may increase your salary potential. Currently, the average salary of all jobs on Indeed.com
that include CISSP as a keyword is $112,000. Generally, CISSP holders represent
a wide range of experience and positions, from security analyst to CISO. According to
Payscale.com, 46% of CISSP holders have 10-19 years of experience.
With the CISSP, the experts at (ISC)2 have engineered a well-earned reputation for
having created a challenging exam that strikes fear into the hearts of many test takers.
Forums such as TechExams.net are full of candidates who had to sit the exam on multiple
occasions in order to pass. Complaints about puzzling and perplexing questions are
commonplace among forum members and only serve to add to the mystique (and
frustration) of the test.
Although there are a lot of excellent free resources available, such as TechExams.net
and Cybrary.it to name a couple, you need to be prepared to spend some money (or
your company's money) during your CISSP journey.
At a minimum, I recommend using one of the classic books such as The CISSP All-in-
One Exam Guide by Shon Harris ($49) (which is becoming a little outdated but is still
an important reference), the CISSP Study Guide by Eric Conrad ($57), or the CISSP:
Certified Information Systems Security Professional Study Guide from Sybex ($46).
Last, but not least, is the cost of the exam ($599) and its annual maintenance fee ($85),
and if you factor in the required steady supply of caffeine from your local coffee shop,
you can see that obtaining the CISSP will not be cheap.
Hunker Down
Once you have purchased the study materials, you will need to set a schedule of
consistent study and preparation. The CBK consists of eight domains of packed content
that simply cant be digested overnight. The (ISC)2-provided outline of the exam is 20
pages' worth of high-level topics that need to be mastered. The Shon Harris CISSP
All-in-One Guide, in which many of the details of these topics are covered, is a tome
of 1456 pages. There is a reason that CCCure sells a year's worth of access to their
practice exams. They know as well as their customers that preparation for the CISSP is
more like a marathon than a sprint. If you want to be successful, you will need to pace
yourself and be consistent. Take too much time off and you will start forgetting material
that you have worked so hard to learn.
Almost There
Although the hardest part is now over, you are not yet officially CISSP certified. Don't go
running out to put CISSP on your resume just yet. The proper title at this phase is that
you are an Associate of (ISC)2 (if you request (ISC)2 to initiate this status for you). Before
granting you CISSP status, (ISC)2 requires you to submit your work history showing
the requisite number of years of security experience (five years, with the possibility of
a year waived for education or certification qualifications). If you don't meet the work
experience requirements, you should go ahead and become an Associate of (ISC)2. It
will demonstrate that you passed the exam and give you access to (ISC)2 resources.
You also need to affirm that you will abide by the (ISC)2 Code of Ethics. Finally, an
(ISC)2 certification holder in good standing must endorse you. Once this paperwork is
submitted, you can expect to receive within four to six weeks that glorious note from
(ISC)2 congratulating you on your new status as an official CISSP. You made it!
Life as a CISSP
Will your life change significantly after becoming a CISSP? Not really. You will certainly
be able to apply to more jobs if you are looking to change positions. Perhaps you will
leverage the CISSP when negotiating a pay raise or bonus in your current job. Other
perks include discounts at conferences, networking opportunities, and access to the
(ISC)2 digital magazine.
One change to expect after you become a CISSP is that you will start obsessing over
meeting your annual Continuing Professional Education (CPE) requirements. Each time
you participate in an educational activity, make sure you document it so that you can
submit it as a CPE. The last thing you want is to fail to meet the CPE and annual payment
requirements, thus jeopardizing the certification you worked so hard to obtain. I am sad
to say that this happened to me personally and now I regret it. That is why I don't list
CISSP on my LinkedIn profile anymore.
Show Time
Now that you can visualize yourself as a CISSP, it is time to get to work and make it
happen. This is where good tips, strategies and techniques really come into play. You
will need to manage this undertaking in the most efficient and practical way possible
and the right techniques can be helpful. There is no need to reinvent the wheel here.
The exam is difficult, but many people have taken it and passed it. Why not learn from
others who have succeeded in this challenge? Many of these tips and techniques come
from my personal experience having prepared for, taken and passed the exam at the
first attempt after a few months of study. Other tips were compiled from friends and
colleagues, bloggers, discussions and other sources.
The following is really a strategy guide; consider the tips contained within as a tactical
playbook for improving your chances of passing the exam. I have tried to make the
individual tactical tips useful and applicable, but their true power comes when they are
applied in combination. I strongly believe the synergy between these techniques will
give you a significant edge and improve your chances of passing the exam. So without
further ado, let's proceed to the tips.
PREPARATION TIPS
1
GAIN EXPERIENCE
Field experience helps in many certifications, but it provides a critical advantage in the
CISSP. Firstly, (ISC)2 requires applicants to have five years of professional experience in
at least two of the eight domains in the CBK. From a test-taking perspective, actual
experience in the field will give you a valuable context in which to make sense of the
conceptual and scenario-based questions in the exam.
2
PREPARE FAR IN ADVANCE
The CISSP is not an exam to take lightly. Lift up a copy of The CISSP All-In-One Guide by
Shon Harris in your hand and the weight alone tells you that there is a lot of material to
cover. Unless you are a very experienced security professional, allow at least three to
four months to prepare. You will need to read books, watch videos, maybe attend a
boot camp, and pass practice exams during your journey to becoming a CISSP. For
most people, this is not something that can be accomplished in a few weeks.
4
MIND MAP IT
One great way to capture information during your CISSP studies is to use a mind map,
which is a visual representation or diagram of words or concepts linked together,
usually around a central theme. Mind maps are more fun to create than notecards and
usually much more beneficial, since they help to organize information as a whole.
Consider creating a mind map for each domain and then use it to help you isolate
areas where you need more study. Check out the tools available online from
MindMeister or FreeMind.
5
DON'T MEMORIZE QUESTIONS
For some certification exams, all you need to do is memorize a lot of material; however,
the CISSP is not such an exam. Even if you take a thousand practice questions, it is
highly unlikely that you will find an exact question from the actual exam. Rather than
trying to memorize questions, use practice exams to become a better test taker by
learning how to read questions carefully and how to eliminate incorrect answers.
Practice exams are just as much about becoming a better test taker as they are about
measuring your level of knowledge.
7
SAVE PRACTICE EXAMS FOR LATER
Learn the content within the CBK before taking practice exams. Instead of using
practice exams as a tool for learning, use them to measure your readiness and to
improve your test-taking strategies. That is not to say that you can't learn content from
the practice exams - you definitely can. However, the real benefit from practice exams
is twofold: First, you become a better test taker by learning how to answer questions
more strategically. This includes eliminating answers and reading questions more
carefully in order to identify key words and concepts. Second, practice exams let you
know if you have mastered the material. If you are scoring 80-90% on a particular
domain, you can be confident that you have mastered the material and are able to
move on to other domains.
9
AVOID LAST MINUTE CRAMMING
Last minute cramming is usually not a good idea and the CISSP exam is no different.
Avoid any cramming the night before or the morning of the test. If you don't know the
material by now, last minute cramming won't help you. Cramming could even have a
negative impact on your performance by tiring you out before the test or confusing you
with concepts that you have not fully learned. Trust in the fact that you have fully
prepared for the exam and go with what you know.
10
BUILD YOUR CONFIDENCE
Slogging through an endless amount of CISSP material requires a certain level of
motivation. At times you may feel your confidence dipping as you work through the
CBK, wondering if you can ever learn it all. One way to boost your confidence and
increase your motivation is to take practice exams. Receiving positive feedback on
domains you have studied lets you know that the work you are doing is paying off and
is a big encouragement to help you keep pushing through the material. Also, keep a
checklist of study tasks you want to complete and check them off as they are finished.
A list of completed tasks can be very encouraging.
12
FIND A STUDY PARTNER
Becoming a CISSP is a tough enough journey. Why do it alone? Find a study partner
who can help and support you along the way and vice versa. Obvious places to look
are at work, among your colleagues, and online. There are plenty of social networking
groups dedicated to the CISSP. You can find groups on LinkedIn, Facebook, and
Meetup to name a few. Once you find someone, sign up to take the test together and
then help keep each other on track during the process.
13
USE CURRENT MATERIALS
In 2015, (ISC)2 refreshed the content of the CISSP. The number of domains was
reduced from 10 to 8 and some areas were expanded while others were moved to
different domains. Make sure that you include study materials that are current and
have been updated with the (ISC)2 changes. The Shon Harris CISSP All-in-One Exam
Guide is an example of a book based on the older CBK.
15
EARN ANOTHER CERT FIRST
Consider obtaining an InfoSec certification with a lower degree of difficulty before
jumping into the CISSP. The CISSP is quite a challenge for one's first certification. Why
not start with another certification such as Security+ or maybe even the Systems
Security Certified Practitioner (SSCP) from (ISC)2? You'll be learning content that may
be useful for the CISSP, you'll teach yourself how to study and prepare, and you'll gain
a lot of confidence when you pass that first exam.
16
CREATE A SCHEDULE
Preparation for the CISSP is a major project and it should be managed like one. If this
were a project for your company, how would you approach it? I'm not saying you
should use Microsoft Project to manage your schedule, but you should think
systematically about how much time you have to prepare and how to break the work
into manageable chunks. Think about the study activities you would like to accomplish
and how long each will take. Make an outline and put some dates against specific
activities, then stick to it.
18
SCHEDULE IN ADVANCE
Do you want to light a motivational fire under yourself? Schedule a date for the exam in
advance. There is nothing better for your motivation and sense of commitment than
knowing you have paid for the exam and the date is set.
19
ANNOUNCE YOUR DATE
A second way to motivate yourself is to announce your test date. Once you schedule
the exam, let people know about it publicly. Not only will you receive the support of
friends and colleagues, you'll be on the hook. Once others know you are taking the test,
you'll feel the pressure to keep up with your studies because you won't want the
embarrassment of telling people that you didn't pass.
20
LEARN YOUR STYLE
Figure out how you learn best and then design a study program that meets your
needs. We all have different ways of learning, be they visual, auditory, kinesthetic, or a
combination. For some people this might mean curling up at night with Shon Harris'
book, for others it may mean cranking up videos on Cybrary. Perhaps you need live
instruction at a boot camp, or perhaps you prefer to take notes, create indexes, or make
notecards. The key is to find out what works best for you and use that modality as your
primary approach to learning.
21
RETEST SOON IF NEEDED
CISSP exam, which means that if you are unfortunate enough to be in the 30% group
that does not pass, you need a strategy for retaking the exam. My suggestion is to
reschedule another exam date within a short period of time. After all your hard work
and preparation, you don't want to lose momentum. If you schedule a retest too far in
advance, you may be tempted to take a break from studying, which means you will start
to forget material. It may also be tough to jump back into studying after a break, so
schedule the test immediately and try to keep your current study schedule in place.
(ISC)2 allows you to retake the CISSP after 30 days if this is the first time you have not
passed the test.
22
TAKE A BOOT CAMP EARLY
There is no doubt that a boot camp can help you pass the CISSP and many people opt
for this route. If you do choose to do a boot camp, you need to decide when to
schedule this activity. I suggest you take a boot camp in the initial part of your studies
and use it to identify areas where you are weak and need additional work. Taking it
early also gives you an in-depth overview (albeit compressed) of the CBK. As you
continue your studies, you'll be able to assimilate new material better having this
mental map of the CBK in your head.
24
TRY A PODCAST
You need to take advantage of any free time to study. What about a podcast, so that
your time in the car or elsewhere can be put to good use? Two to try are recordings
from Eric Conrad and CyberSecStudy.
25
BEGIN WITH THE FOUNDATION
Begin your studies with the Security and Risk Management domain. Here you will start
with the security principles of confidentiality, integrity, and availability (CIA), which
underlie much of what we do in security. If you build a solid foundation in this domain,
other domains may make more sense, helping you to understand why certain security
functions are important.
26
CONSISTENCY
Consistency in your studies is essential. A little study or practice exam time every day
will help you to learn and retain information better than cramming sessions with long
periods of inactivity in between.
27
MNEMONICS
There are a few things you will want to commit to memory, so why not use a mnemonic
to help you. There are a bunch out there already, but if you want, have fun and create
your own. Some examples include: OSI model (All People Seem To Need Data
Processing), CMMI (I Really Defend My Opinion), and SDLC (Re Do Damn Test Right).
CISSP HUMOR
28
SLEEP WELL
This is a given but it must be mentioned. Give yourself the best chance of success by
being fully rested at test time. Going to bed early will help you feel fresh in the morning
and allow you to get up early enough to arrive in advance of the test. There is a
significant amount of academic research showing that students with a full night's rest
perform better in exams than students who stay up the night before. Additionally,
students who sleep more during the exam period gain higher grades, probably because
quality sleep helps one to retain information. So make sleep a priority when preparing
for the CISSP, especially the night before.
29
EAT WELL
This is another given. There are two mistakes you could make in regards to eating
prior to the test. If you skip a meal or eat too lightly, your overworked brain will burn
through calories too fast and you won't have enough energy to finish. The other
mistake is to eat too much or eat the wrong food. Your body will take away resources
from your brain while trying to digest a difficult meal. The best option is somewhere in
between the two extremes. Eat a healthy, balanced breakfast and then bring snacks to
help you get through the test if needed.
31
ELIMINATE ANSWERS
Become an answer elimination expert. Eliminating answers is all about increasing the
probability of a correct answer, and the more questions you answer correctly, the
better your chances are of passing. An answer chosen at random from four possible
answers gives you a 25% probability of a correct choice. Eliminate two answers and
the odds jump to 50%. Always make it a goal to eliminate at least two answers for
each question. Answers that have nothing to do with the question are an obvious
target for elimination. Answers that are too similar may also be candidates. Over time
you'll become better at eliminating answers, and the best place to learn these
strategies is in practice exams.
32
CHOOSE THE BEST ANSWER
One frustrating aspect for CISSP test takers is that often more than one of the answers
appears to be correct. The key here is to pick the best answer by using the context of
the question and by carefully reading what is being asked. Often there will be clues in
the question that hint at the right answer. If more than one answer appears correct, go
back and reread the question to find the clue that leads you to the right answer.
34
HUMAN SAFETY
What good is security if we can't protect human life? That might be obvious, but it is
one point that you don't want to forget during the test. (ISC)2 emphasizes this in their
Code of Ethics, which has the safety and welfare of society and the common good as
the first point in the preamble. In any question where the safety of people is involved,
for example a disaster recovery plan, choose an answer that highlights the priority and
importance of protecting the safety and welfare of others above all else.
35
ARRIVE EARLY
You have spent months preparing for the test, so why would you take any chances of
arriving late on exam day? What if there is an accident on the way or an unusual
amount of traffic? You are going to be stressed enough, so there is no reason to add to
your worry. On exam day, arrive with plenty of time to check in and get comfortable for
the test. Consider driving to the exam location prior to the test to make sure you know
the way.
36
IDENTIFY KEY WORDS
Success on the CISSP requires that you read questions carefully. In particular, it means
identifying the key words that help to determine the correct answer. Make sure to
notice significant words like NOT, INCORRECT, MOST, LEAST, BEST, WORST, EXCEPT,
just to name a few examples. If you miss a word such as incorrect you might end up
choosing an answer that has an opposite meaning to the correct one. These words
will often make it easier to eliminate answers. Also pay attention to the last word in a
question. Sometimes the key word may be hidden at the very end.
37
TAKE YOUR TIME
(ISC)2 gives you six hours for 250 questions, which is more than enough time. Rarely
will you hear people say they needed more time. As a result, take your time. There is
no need to hurry or put additional pressure on yourself to get through the test. At the
same time, use the extra time you are likely to have at the end to your advantage to
review marked and unanswered questions.
38
TAKE BREAKS
Six hours is too long for any person to focus. After a long period of concentration, the
brain will begin losing focus and effectiveness. In order to stay as fresh as possible
during the test, make sure you take breaks. Go to the bathroom, get a drink, eat a
snack, and stretch. If anything, this will give you a minor mental boost as you return to
the exam. Even though the clock doesn't stop ticking while you are away, as we just
mentioned you will likely have more than enough time to finish the exam.
40
MINI BRAIN DUMP
If you enter the exam with some test material in your head that you don't want to
forget, consider writing it down before you begin the test. For instance, let's say you
are afraid that you are going to forget the OSI model layers or private IP ranges. You
may not encounter these on the test, but if it will give you peace of mind, take a few
minutes to write them down prior to starting the test so you won't worry about
forgetting them.
41
USE DIFFERENT PERSPECTIVES
Successfully analyzing CISSP questions is an important factor in your success. One
way to go about this is to use various perspectives when reading the question. I have
already mentioned this once regarding thinking like a manager; now let's take it one
step further. Try the perspective of the person who created the question. What were
they trying to convey when they sat down to write it? What point about security do
they want to make? This may give you insight into the answer they want you to select.
Another perspective to use is that of someone who works in the specific domain. It
does not have to be a manager; think about what an engineer, business analyst, or
even a CISO would do in the same situation.
43
DON'T PANIC
Resist the urge to panic after the first 10-15 questions. It is easy to fall prey to anxiety
once the test starts - you see how difficult real questions are, and you think about the
stakes and what it would mean to fail. You need to be prepared for this feeling and put
it out of your mind at the beginning of the test. Relax, take deep breaths, and reassure
yourself. You have put in the work to learn the material, so you'll be able to get through
the test if you don't let your nerves get the better of you.
44
RE-READ THE QUESTION
Before you finalize an answer, always make sure you go back and re-read the question.
If you fail to see the key word, get distracted by unnecessary words, or miss the main
point, you might answer incorrectly. By re-reading, you assure yourself that you know
exactly what is being asked. There is no need to rush through a question, so do
yourself a favor: take the time to re-read and make sure you have interpreted the
question correctly.
45
DON'T GET STUCK
There may be a question (or questions) with content you have never seen, or that you
haven't a clue how to answer. Don't let this frazzle you. You can fail many questions
and still pass the test. Remember that new beta questions are being introduced all the
time and any one question may not even count toward your overall score. If you are
totally stumped or frustrated, mark it for review or give it your best guess after
eliminating as many answers as you can.
RESOURCES
It can be difficult to figure out the resources that will help you the most on the CISSP
exam. There are gazillions of products and services being promoted on the Internet
and not all are of equal quality when it comes to preparing for the exam. To help cut
through the noise, I used TechExams.net to find out what successful CISSPs had used
in their preparation. I surveyed posts in the CISSP forum over the past year with the
word "passed" in the title. These are postings where the individual lets the community
know that they passed the test. Posters also normally use this opportunity to give
something back to the community by sharing the resources they used during their
studies. I recorded the resources identified in each post and kept counts for each. The
list I created contains the 40 most cited resources. There were some of the old
favorites in the list but a bunch of surprises as well. Everyone should be able to find
some resource on this list that will work for his or her particular style of study.
Special thanks to Steve Witmer, Rafael Algara, and others for reviewing and providing
valuable feedback and input and Theresa Ford for the lighthearted CISSP comics.
Disclaimer
The information contained in this guide is for informational purposes only. The
publication of this information does not guarantee success in the CISSP. It is simply
a recommendation and an expression of my own opinion. No part of this publication
shall be reproduced, transmitted, or sold in whole or in part in any form, without the
prior written consent of the author. Users of this guide are advised to do their own due
diligence when it comes to preparing for the CISSP exam. By reading this guide, you
agree that CertBase is not responsible for the success or failure of your efforts to earn
the CISSP certification.