I had been waiting for this moment for the past few months, and it happened yesterday: I passed the CISSP certification exam on my first attempt. Yay!
Before I write further, I would like to thank my ex-colleagues and friends who guided me and patiently answered my endless barrage of questions regarding the certification process.
Given the value that the CISSP certification holds, I would like to share my experience (as much as I can without violating the NDA). I hope that those of you who are currently preparing for it, or wish to pursue it in the future, may find something to take away from this article. For the benefit of readers who have just started their careers in the Information Security field, or are planning to enter it, I’ll start with a brief introduction to the certification.
About the CISSP Certification
Certified Information Systems Security Professional (CISSP) is one of the most essential credentials for people working in the Information Security industry. It is conducted by the International Information Systems Security Certification Consortium, Inc. (ISC)2, a global non-profit organization and a leader in educating and certifying information security professionals throughout their careers. The CISSP credential provides its holders with several benefits, such as enhanced knowledge and understanding of the Information Security field, a competitive advantage, better salary etc. Most organizations hiring Information Security professionals prefer candidates holding the CISSP certification over those who don’t. You can learn more about the certification here.
What does it cover?
The current Common Body of Knowledge (CBK) is divided into eight domains. It used to be 10 domains earlier, but the recent revision (effective April 15, 2015) to the CBK has re-arranged the content to fit it into eight domains. Content-wise there is negligible difference between the old CBK and the new CBK; only 4-5% new content was added in the new CBK. Currently, the Official (ISC)2 Guide to the CISSP CBK, Fourth Edition, is the only book available with updated content. However, I am sure that other resources are being revised as per the new CBK and should be available soon. Having said that, the old resources are still just as relevant and can be used to prepare for the exam. Please refer to this link to understand how the new CBK maps to the old CBK.
What’s the Exam like?
CISSP is a paperless exam, meaning that it is conducted online at certain centers designated by (ISC)2. In India, (ISC)2 has partnered with Pearson VUE to conduct the CISSP exam. Another good thing about the exam is the scheduling flexibility, i.e., one can choose a time, date and location as per their convenience. Candidates can reschedule the exam 24 hours before the current exam date at a cost of USD 50.
The price of the exam is USD 549 (approx. INR 35,000 @ INR 63/USD). It’s a six hour examination during which a candidate has to answer 250 questions. Candidates must score 700 or above (out of 1000) in order to pass the examination. The examination mostly consists of multiple-choice questions with only one correct answer. In addition, (ISC)2 has introduced a new format of questions, called Drag-and-Drop and Hotspot, in the new exam. Here’s a sample. There’s no negative marking, so candidates should try to answer all the questions. Interested candidates can start the registration process from here. Do note that the exam doesn’t test a candidate’s memorization skills; it tests their understanding of concepts. Unless the concepts are clear, candidates will find it extremely hard to choose the correct answers, especially for the scenario based questions.
How to prepare for the Exam?
The approach to preparation depends heavily on one’s preferred method of study. For example, some people study better with notes, whereas for others reading the material is enough. Also, when it comes to resources, there are many available out there. Candidates should choose the ones that suit their aptitude. Following are some recommended resources:
1. CISSP All-in-One Exam Guide (AIO) by Shon Harris – This book helped me immensely in understanding various concepts. It’s easy to read and the explanations are very good, with lots of analogies and examples. However, it’s a heavy book with 1400+ pages, so touch it only if you have enough patience and curiosity to go through it. People with some experience under their belt may find it a bit mundane. This book comes with additional resources (audio lectures & practice questions) which can be accessed online.
2. CISSP Study Guide by Eric Conrad – This is an excellent resource for experienced professionals. It’s less than half the size of AIO at 598 pages and covers about 95% of the content from the CBK. Beginners can use this book as revision material after having gone through AIO thoroughly.
3. Official (ISC)2 Guide to the CISSP CBK – The fourth edition of this CBK guide contains the updated content as per the recent revision. It’s a bit dry to read but covers all the necessary concepts.
4. Eleventh Hour CISSP: Study Guide by Eric Conrad – A great book for last minute revision. Complements the CISSP Study Guide by Eric Conrad.
5. CISSP Video Course by Shon Harris – Combine it with AIO for best results.
6. ISC2 CISSP CBT Nuggets by Keith Barker – Another great resource for revision purposes. The explanation of concepts is crisp and clear. However, this shouldn’t be relied on as the primary or the only resource for preparation.
7. CISSP Practice Exams by Shon Harris – The practice questions in this book are excellent, especially the scenario based questions.
8. CCCURE Quiz Engine – A must-use resource for CISSP aspirants. The CCCure database contains 1400+ questions, and new questions are being added on a regular basis. It provides two modes, practice and study. It helps candidates track their study progress and provides them with insightful statistics (e.g. weak topics, weak domains etc.). However, do note that the questions do not mirror the actual exam very closely.
What’s next after clearing the exam?
Once a candidate clears the exam, (ISC)2 requires them to fill out an endorsement form and send it in order to claim the certificate. In the endorsement form, candidates need to list relevant experience (min. 5 years in two or more domains of the CBK) and get an existing CISSP credential holder to vouch for them. Certain experience waivers can be used to waive a maximum of one year. If candidates do not meet the experience requirements, they can become an Associate of (ISC)2 for CISSP by passing the exam. This gives them six years from the date of passing the exam to gain the relevant experience.
In order to maintain the certification, both certification holders and Associates must earn and submit a certain number of CPE points annually and every three years. In addition to CPEs, an Annual Maintenance Fee also needs to be paid annually. Learn more about the credential maintenance requirements here.
If I have left out anything, or if readers have any additional queries, please leave them in the comments below. Please note that questions regarding the sharing and distribution of pre-owned material will not be entertained, as it amounts to piracy.
Disclaimer: The CISSP logo used in the Featured Image is the Copyright of (ISC)2
Uday Mittal is a cybersecurity professional with rich experience working across various industries, including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM, CRISC among others. He speaks on cybersecurity awareness, offensive security research etc. and has authored various articles on topics related to cyber security and software development for a leading magazine on open source software.