Saturday, 11 June 2011

CISSP exam, materials, preparation and experience

I recently got word that I passed the CISSP exam. It took exactly 1 month and 7 days from the day I took the exam to learn the result; (ISC)2 say it may take up to 6 weeks for them to let you know.

In order to prepare for the exam I used the following training materials:
- CISSP Exam Prep 800+ practice questions with detailed solutions - by Shon Harris
- CISSP All in One Guide - by Shon Harris
- CISSP mp3s by Shon Harris
- CISSP Study Guide - by Eric Conrad, Seth Misenar and Joshua Feldman

To prepare for the exam I used my "spare time" after work, on weekends, etc. for a bit less than 2 months. This was a bit daring of me but worked in my case; personal experience plus trying to keep up with security news and security podcasts for a few years probably helped too :).

I took the bilingual version of the exam. A friend advised it since we are both Spanish speakers and he told me he had found that option useful during the exam.

A bit more depth:


Q: What is the CISSP certification about?
A: This is like CompTIA Security+ but on steroids: basically you have to prove broad security knowledge across a range of security topics which (ISC)2 call the 10 Common Body of Knowledge (CBK) domains. These are:

Domain 1: Information security governance and risk management
Domain 2: Access Control
Domain 3: Cryptography
Domain 4: Physical (Environmental) Security
Domain 5: Security architecture and design
Domain 6: Business Continuity and disaster recovery planning
Domain 7: Telecommunications and network security
Domain 8: Application development security
Domain 9: Operations security
Domain 10: Legal regulations, investigations and compliance

Because of the similarity with CompTIA Security+, if you plan to take the CISSP I would suggest "warming up" with the CompTIA Security+ certification first and then, shortly after, going straight for the CISSP. This will definitely improve your odds of passing the test. I took the CompTIA Security+ exam more than 3 years before the CISSP, but even then many concepts repeat, since both certifications focus on a broad security background.

The CISSP is a management-like exam and covers a wide body of knowledge, so it is unlikely that anybody knows all the material just from experience: you will have to learn something new to pass this certification even if you have been in the security industry for a good few years.

Material Review

- CISSP Exam Prep 800+ practice questions with detailed solutions - by Shon Harris

This was really useful. I hated the kind of questions in this book: they are so vague that you will feel really angry at times. Other times you will double-check things in the study guide thinking "that can't be right", etc. There are some slight mistakes but for the most part the answers seemed correct to me.

What is particularly useful about this book is that in the exam you will find (extremely) vague questions, questions you have to read again just to figure out what is being asked. Although the questions in the book are definitely not the same as in the exam, the nasty way in which they are written warms you up for what you will find there.

As with other practice tests, another benefit is that it highlights your weakest areas: the ones you should review prior to the exam. For example, if you always fail the business continuity planning questions, then you know you should review that domain harder than the sections you tend to get right.

- CISSP All in One Guide - by Shon Harris

I have mixed feelings about this book: it goes in circles to explain basic concepts that you already know and skims through important details you may not know. The book is big (1144 pages) but if you take the fluff away it could be 500-600 pages or less. The biggest problem is that it is hard to use this book to review concepts, because you have to dive into big chunks of text to find what you care about (which might only be a yes/no question).

Because of all the circles to explain simple concepts, longer than necessary explanations and unnecessary repetition, this book is not the fastest way to prepare for the CISSP exam.

That being said, this book goes into more depth on many topics (it is not only bigger because of the fluff) and sometimes was the only source where I could double-check certain questions from the 800+ question exam prep book (perhaps because it is also by Shon Harris).

Another area where this book is superior is the questions at the end of each chapter: I found these questions more relevant to the exam style than those in the Eric Conrad book.

Finally, there is something where this book really shines: the 2-3 page chapter summary reviews. Those pages are invaluable to quickly review all the contents of a given chapter and there is nothing like them in the Eric Conrad book (discussed below). In addition, it would be unfair not to mention the great number of cool diagrams and notes/reminders/schematics that facilitate the review of important concepts.

The only problem I found with the chapter summary reviews is that sometimes the acronyms are not spelled out, which in my opinion defeats the purpose of the review.

- CISSP mp3s by Shon Harris

As a security podcast addict, I love to listen to security stuff on the go, when I have to prepare food, drive or whatever and cannot otherwise read.

For this reason the mp3s seemed an attractive idea to me. Just to reinforce the concepts as quickly as possible, I stopped all other listening during the exam preparation and only listened to Shon Harris for almost 2 months!

Although I would consider this very helpful, it is not enough: you need to see some things to understand them properly. The true power of these mp3s is unleashed when you use them only to reinforce what you have studied, hammering the concepts into your brain again and again so that they stick for as long as possible.

Finally, the mp3s are great but they repeat the All-in-One book's biggest sin: emphasis on the basics you know and skimming through the important stuff you may have trouble remembering. Therefore they are useful, but not as useful or efficient as they could be.

- CISSP Study Guide - by Eric Conrad, Seth Misenar and Joshua Feldman

This was the book that "saved my butt" and I particularly loved it. The book is only 436 pages long! (well under half the length of the All-in-One book by Shon Harris). This made it really tempting to me from the start... :)

The thing is, I started to prepare using the All-in-One book by Shon Harris and was desperate at my poor progress (I was around page 600 roughly 1 month before the exam). My original plan was to read the All-in-One, then the CISSP Study Guide, and then take exam preparation tests and review during the 2 weeks prior to the exam.

Because I was running out of time I dropped the All-in-One book and only used it occasionally to look up some concepts.

The CISSP Study Guide by Eric Conrad was my new friend: I was sold in the intro when I read "We know what is important and we will not waste your time". That is exactly what I needed: to use my time effectively!

The book lives up to what it promises: it is really concise, and perhaps only the legal chapter, which seemed a bit rushed to me, might need to be tidied up (some concepts are a bit shuffled and unstructured in the legal chapter, in a similar fashion to the All-in-One book and unlike the other CISSP Study Guide chapters).

The book also goes into considerably greater depth than Shon's book in the Crypto chapter, which was cool from a learning perspective but at the same time made me wonder whether Crypto was really one of my strongest domains :).

In a similar fashion to the All-in-One book, the CISSP Study Guide contains questions at the end of each chapter; however, there are two problems with these:

1 - There are fewer questions per chapter: 13 questions is not enough; the All-in-One book contains more than 20 questions per chapter on average.
2 - The questions are good but less representative of the question style found in the exam.

The book also comes with "mp3s" that you have to be online to listen to (which defeats the purpose of an mp3 in my opinion). The "online book podcast" is only a rough introduction and does not attempt to cover all the ground covered in the book: it just emphasises the most important concepts of each chapter. They are a useful complement to the book and could be listened to before and/or after studying each chapter.

Where this book really shines, apart from its truly concise and clear explanation of the concepts (night and day compared to the All-in-One book), is that 2 online exams are offered for free as part of the book. I found these tests much better than the questions in the book, but many questions obviously had a different style from the uncomfortable vagueness commonly found in the exam.

It is important to note that the time it takes you to complete the online exam can be misleading, because it took me around 45 minutes just to fill in the circles in the actual exam: a computer exam is much faster to complete than a paper one! (more on this later)

Overall material opinion:

If I had to take the CISSP again and decide which materials to purchase, I would get the Eric Conrad book (CISSP Study Guide) and the 800+ questions by Shon Harris. That gives you the best of both worlds:

- Clear and efficient explanations from the Eric Conrad book to learn
- Ultra-vague questions that resemble the style in the exam from the 800+ questions by Shon Harris

If you combine those two resources you have more than 1300 questions to practice with: 800+ from Shon Harris and 500 + 130 from Eric Conrad and company, which I believe is a good mix of styles, not only to pass but also to learn cool stuff.

The Shon Harris mp3s definitely help, but I would consider them optional if you are on a tight budget.

Suggested preparation strategy:

1 - If you can, take CompTIA Security+ first; this will help you (a lot) to get more background prior to the CISSP.
2 - Then go through the Eric Conrad book. It is shorter, so you can truly hammer each line, trying to understand everything as deeply as you can. Don't skim through it; make sure you understand everything! Right after studying each chapter take the test for it and note your results: this will help you prioritise what to review.
3 - Before starting the test preparation itself, if you have time, review the weaker domains again, at least with a quick read through the domain in Eric's book.
4 - Now leave 3-4 weeks to truly hammer your exam preparation/test-taking skills before the exam: first take half of the questions in Shon's 800+ book, then maybe the 2 online exams from the Eric Conrad book, and then the rest of Shon's book.
5 - Write down all your mistakes AND the questions you were not sure about, go back to the book (and sometimes, yes, Google) and make sure you understand why each answer was the right one.
6 - Steps 4 and 5 can be alternated as you find most useful. But write everything down and then REVIEW IT: review what you were not sure about, what you got wrong, etc. Write down the concepts you had trouble remembering, put all that in a review spreadsheet or whatever, then go over it a few times and particularly right before the exam. The day before the exam you should have a list of the concepts you have the most trouble with for review; this recommendation is from Eric's book and was truly valuable for me too.

Q: How long do I need to prepare for this exam?
A: If you follow the suggested strategy above and you have a full-time job, I would allow at least 3 months if you have a few years of security experience and maybe 6 if you are fairly new to the industry (this is a very rough estimate, of course!). If you have 2 months completely off work and can dedicate all your time to this, then exam preparation could be shorter, but I would recommend a slower approach so that the concepts "settle in" your brain: you wouldn't want to pass the test and then forget everything 2 months later, right?

Taking the exam

Ok, as I mentioned before, and unlike what other people may say: the exam is not easy. Some questions are easier than others, but there is a group of questions that I call "the shades of gray". These are extremely uncomfortable to answer (at least for me) because there is no clear "black and white" answer to choose; instead you have to choose a "shade of gray", in other words: the least bad of the bad, or the best of the poor/decent.

I suppose the vague nature of these questions stems from the fact that in a business-level certification like the CISSP the successful applicant should demonstrate the ability to take correct decisions even when not enough information is present, or to take the best option from a range of poor choices.

To cope with this vagueness you can warm up with Shon's 800+ question book; in my opinion that is the one that best resembles those tough questions.

Another thing to take into account is that this exam is NOT a computer-based exam: you have to physically write on an answer sheet! For a person like me who signs things very occasionally and perhaps writes a couple of shopping-list lines a week, this was a bit of a shocker. Remember:

The time to fill out the answer sheet is NOT zero: there are 250 circles to fill in and they should be filled in as neatly as possible (which takes a few seconds each); if you add "double-checking that the question on the answer sheet is the one I am looking at in the booklet", a good few seconds fly by with each question you answer. As a reference, it took me roughly 45 minutes to fill in all 250 answers and double-check they were correct as I flicked through the pages (I know this because I mistakenly did it all at the end).

I made the mistake of leaving all the answer sheet circles to be filled in at the end, and this was a time management disaster that forced me to answer many questions with my first gut feeling, or almost completely randomly, in the last few minutes!

Another issue is the bilingual exam: if you go for it you will have a side-by-side exam in both English and your language. In my case this was English and Spanish.

I only went for this option because a friend suggested it, arguing that some of those super-vague questions were a bit clearer in the translation. To me personally, going for the bilingual exam was a big disadvantage:
- Twice as many pages to go through (for a person with fat fingers like me this is a problem!)
- The questions I was unsure about were not clarified at all: they were exactly as vague in the translation as in the original English, which I used most of the time (I studied in English, so answering in English was more natural to me).
- I even got distracted by my natural tendency to analyse the accuracy of the translation! (It happened to me a couple of times.)
- Basically, I wasted time reading some questions in two languages and having to turn twice as many pages in a 250-question exam.


- Avoid the bilingual option, even if it is available in your language: you will be studying in English, therefore you will answer quicker in English, and you are allowed to bring a dictionary to the exam for the rare situation in which you may not know a word (this did not happen to me and my English is not that brilliant!). With the standard (i.e. not bilingual) exam you will have to turn half as many pages, which is a lot in this exam.
- Answer as much as you can on each pass: the exam is 6 hours long but you do not have a lot of time per question (there are 250 questions, so less than a minute and a half each). I would recommend answering as many questions as you can in the first pass (i.e. only skip what you truly have no idea about, which should be 1 in 10 or less) and then completing the test in a second pass for the truly tough ones. If you do more passes or skip questions randomly, your time management will suffer and you may waste time flicking back and forth through the pages. I did more passes than necessary and this was a waste of time!
- Do NOT waste time writing in the booklet: write directly on the answer sheet instead (verifying that each answer is the best you can give as you go). This was another mistake I made: I wrote in the booklet and left the answer sheet to "verify the questions at the end", but I ran out of time and there was no time to verify anything! :). So I would suggest writing directly on the answer sheet; this accomplishes two goals:
1 - You waste absolutely no time, since you mark directly on the answer sheet.
2 - You will monitor the remaining time more accurately: since the time to fill in each circle is already included, the time left to finish the exam is measured accurately. Because I did not fill in any circle until the end, I completely underestimated how long that would take!
- Have a good night's sleep before the exam: I slept badly and had a 10-hour train trip right before the exam, and my performance was really affected; do not make the same mistake! The exam is 6 hours long, so make sure you are at 100% of your capacity; the last thing you want is to crash in the middle of the exam!
- Get your caffeine dosage right! :). If you have been taking caffeine before the exam and you are like me, chances are the same dosage will do little for you during the exam: shoot a bit higher for the exam so that the caffeine effect lasts for as many of those 6 hours as possible! Basically your body gets used to it, so the more you use it the less it will help unless you crank up the dosage. I used a similar dosage and crashed in the middle of the exam; do not make the same mistake!

I hope this helps someone in their CISSP efforts.
If you are trying to take this or other tests in the near future: Good luck to you! :)