What is CISSP?

People planning for a CISSP certification will have all the necessary information, but I have come across people who ask me what it is. Well, CISSP stands for Certified Information Systems Security Professional. It is an independent information security certification governed by the not-for-profit International Information Systems Security Certification Consortium, commonly known as (ISC)².

The CISSP examination is based on what (ISC)² terms the Common Body of Knowledge (or CBK). CISSP covers ten domains based on the CIA (confidentiality, integrity and availability) triad.

  • Access Control
  • Application Security
  • Business Continuity and Disaster Recovery Planning
  • Cryptography
  • Information Security Governance and Risk Management
  • Operations Security
  • Legal, Regulations, Investigations and Compliance
  • Physical (Environmental) Security
  • Security Architecture and Design
  • Telecommunications and Network Security

Requirements to sit for a CISSP exam

Possess a minimum of five years of direct full-time security work experience in two or more of the ten (ISC)² domains.

  • One year may be waived for having either a four-year college degree, a Master’s degree, or for possessing one of a number of other certifications from other organizations.
  • A candidate not possessing the necessary five years of experience may earn the Associate of (ISC)² designation. The Associate of (ISC)² for CISSP designation is valid for a maximum of six years, and during these six years the candidate will need to obtain the required experience and submit the required endorsement form for certification as a CISSP.


Once you decide to take the exam you will need to register for it on the (ISC)² website. You should meet the above requirements and answer some questions in the registration form. The fee for the exam, as of June 2011, is $549.

You have 6 hours (360 minutes) for 250 questions, or about 1.4 minutes per question, to complete the exam. It is not an online exam: you will be given an answer sheet where you use a pencil to fill in answer bubbles. Each question has four options. Don’t read too much into the questions, because multiple answers are usually “right”. You should select the best answer.

Study Resources

These are the resources that I went through to pass this exam.


All In One (AIO) CISSP 5th Edition by Shon Harris

This is one of the best books for someone planning to pass the CISSP. It is well written and covers all the domains in the manner that is necessary for the exam. Shon Harris has tried to add humor, but I found it a bit annoying at times. In my opinion this is the one book that you should have. Buy the book; the contents of the CD will help you with practice questions.

The CISSP Prep Guide by Ronald L Krutz and Russell Dean Vines

I used this book as a second resource, but to be frank I have not read the full book. Certain topics are explained well in this book.

Official Guide to CISSP CBK by (ISC)²

Well, this is the official book for CISSP by (ISC)², and I feel it is the least popular. There are known errors in the 1st edition of the book. I felt that this book is a bit too complicated and a bit difficult to understand. The latest edition seems to be better.

Exam Cram Practice Questions by Michael Gregg

This book helped me during my last-minute/end-of-domain preparation. I highly recommend this book.

The most important part of preparing for the exam is joining the CCCURE website. Register and make use of tons of materials and information about how to go about preparing for the exam. CCCURE also has a quiz portal. It used to be free, but now it is paid; if you want to go with the free version, you will be limited to only 25 questions per exam. This is a very good portal to test your acquired knowledge. I had not gone for the paid version, but it is well worth the money.

Take as many practice exams as you can; don’t leave out even the ones at the end of a domain. All four answers in the options will seem to be correct, but there is only one correct answer. Try to eliminate one option at a time and you will then be able to pin-point the correct answer.

My Study Plan

5 months prior to the exam, on weekdays I spent about 2-3 hours and on weekends about 5-6 hours. As the exam date came near, I increased the time spent studying. I took a week off a week before the exam and reviewed all domains. Some domains were still like new to me.

  • Read forum posts, questions & responses.
  • Viewed some of the Shon Harris CBT/DVD; kind of felt sleepy while watching the video. Never completed it.
  • Read Shon Harris AIO 4th edition, went through the corresponding chapters in the CISSP Prep Guide.
  • Took notes as I read along.
  • Completed the Q&A at the end of each AIO chapter.
  • Took the CCCURE quiz for the completed chapter.
  • Went through the Exam Cram book.
  • Completed all domains and sat for a 6 hr practice exam.
  • Did all questions from Exam Cram.


# Be mentally prepared before you begin preparation.
# Share your plan with your family or friends or both. It is extremely important to keep yourself motivated to go on.
# Book the exam after 2 weeks of preparation. This will help you understand what you have to complete & how long it can take you to prepare.


# Complete all domains. No matter how many years you have been in the industry, you should always complete all the domains, even the Law domain.
# Think from the Management perspective. Remember this is not a 100% technical exam. You need to know technical stuff, but it tests your decision-making using your knowledge of technical concepts.
# Do quizzes from different sources, and know the reason why the correct answer is correct & the incorrect answer is incorrect.
# Use Google & Wikipedia for reading on topics.
# Use the CISSP forum and its free quiz.

Day of Exam

# Attempt all questions. There is no negative marking.
# Eliminate the choices & then apply the concepts on the final 2 choices – from the Management perspective.
# Once you have completed 10-20 questions, start filling in the bubbles on the answer sheet.
# Be very careful while filling in the answer sheet. Your fingers will start aching if you decide to fill in 50/100 questions in one go. So choose to complete 25/30 questions in one go, or one by one as you complete each question.
# Mark the questions you are unsure of, find tough to answer or are taking too long to answer. Come back to them once you are done with all other questions.
# After you have completed all questions, including the marked ones, it’s time to review. Review each question one by one. Check that you have filled in the correct bubbles.

After the Exam

Relax and enjoy. After about 6 – 7 days you will keep checking your mailbox every 10 mins, even if you know that it’s night in the US of A.

After Exam – The Wait Period

I passed the CISSP on my second attempt; I got the fail notification when I was confident that I would pass the exam. But the normal feeling after the exam is one of uncertainty. You will not know how good or bad the exam was. After my April 16th exam, I was not confident about clearing it, but …..

Results usually take about 4-6 weeks. But I have observed that pass results come in about 10-15 days. There have been cases where people have got their pass mail at the end of the 6th week.


If you pass you get a mail from (ISC)² saying “Congratulations! We are pleased to inform you that you have passed the…..”. This mail will not contain any information about how you fared in the exam. Once you get this most awaited mail, you will need to send them an endorsement and your resume.

Endorsement:- Endorsement is usually done by another CISSP, who can validate your employer details and your background. If you don’t have anyone to endorse you, you can write to (ISC)² to do your endorsement for you.

Resume:- You will need to format your CV to reflect the jobs that you have done, with information like your designation, employer address, period of employment and the job responsibilities mapped to the CBK domains.

An example of how to format your CV is given below. After the basic resume details, format your roles and responsibilities section as follows:

Telecommunications and Network Security (21 Months):
• Responsible for the deployment, configuration, security, and maintenance of network and security devices.
• Responsible for the configuration, monitoring, and security of security devices like SSL VPN, Proxy, etc.
Access Control (18 Months):
• Responsible for assigning device and user access through the management of Remote Authentication Dial-in User Service (RADIUS).
• Responsible for the monitoring and auditing of IPS/IDS devices.
Cryptography (21 Months):
• Responsible for configuring Site-to-Site / Client-to-Site VPNs.
• Responsible for creating digital signatures.


If you are unlucky enough to get the fail mail, then this mail will contain details on how you fared in your exam, with information about which was your best-scored domain and which was your least-scored domain. This will help you prepare better for your next attempt.

The mail will have content like:

“Thank you for sitting for the Certified Information Systems …..To help you understand how you performed on the examination, the content areas that are tested in the exam are listed below…..
Security Governance and Risk Management (2)
Application Security (6)
Cryptography (5)
Security Architecture & Design (1)
Operations Security (6) ….

where 1 indicates the highest-scoring domain and 10 the lowest-scoring domain.

If you fail with a score of 69X/700 or so, or if you are confident that you should have passed, you can contact (ISC)² and request a re-check of your answer sheet. This comes with a fee of $50, which is refunded if you pass the exam after the re-check.


(ISC)² randomly audits and verifies a certain number of certification applications. If you are audited, you will need to sign a Consent & Release Form that states that you allow (ISC)² to audit you. You will need to send your resume again with your employer contact details, like email ID and mobile number. (ISC)² will send your employer a PDF asking them to verify that you have worked in the organization, your designation and the period of employment.

The mail will have content like:

(ISC)2 randomly audits and verifies a certain number of certification applications. The purpose of this letter is to inform you that your certification application has been selected for audit and verification.

It is better to notify your employer in advance that they will get a mail from (ISC)² for the employment verification.

I was kind of unlucky, as (ISC)² had misspelled the email IDs of two of my ex-employers. I was lucky to notice it, as I happened to see the mail (ISC)² sent to my employer. I wrote back to (ISC)², they sent the mail to the correct email IDs, and my audit was completed in about 7 days. The only delay that you may face is in your employer replying back to (ISC)².


At the end of all this you get a mail from (ISC)² saying

“Congratulations! It gives me great pleasure to be the first to address you with the Certified Information Systems Security Professional (CISSP®) designation!”.

Well, it has been quite a journey. But the journey does not end here.

Maintaining Your Credential in “Good Standing”

This certification is valid for 3 years, and to renew it you need to submit Continuing Professional Education (CPE) credits. There are policies defined on how to earn these CPEs. You are also required to pay an Annual Maintenance Fee (AMF) of US$85 at the end of each year that you are certified.

To renew your certification beyond the current certification cycle, you must earn at least 120 CPE credits before the end of the cycle. At the end of each three-year certification cycle, if you have submitted the required number of CPE credits and paid all AMFs in full, your CISSP will be renewed for another three-year certification cycle.