CISSP: what's new and how to arm yourself?

Rambler Group recently gained a CISSP-certified specialist. He is ready to share his experience: what the certificate gives you, what has changed in the exam over the past two years, and how to prepare for it effectively.

Hi, I'm Sasha, Director of Methodology, Cybersecurity and Risk Management, and a certified CISSP. Since getting certified, the two questions I am asked most often are:



  1. Was it difficult to pass the exam?
  2. How long did you prepare?


So, answering them once again, I decided to share my experience of preparing for and passing the exam. Moreover, the most recent article about CISSP in Russian dates back to 2018, and a lot has changed since then. In the best tradition of foreign colleagues, at the end of the post I have left the list of materials I used to prepare and obtain the coveted certificate, as well as a block of personal recommendations.



Why get a CISSP certificate?



I will not dwell on what CISSP is and why it is needed: since you are reading this, you already know. But if you still doubt whether to get involved at all, I will say it plainly: you definitely should! Preparing for the exam broadens your horizons and sharpens your skills, especially in those areas of information security you may not have had to work in yet.



Beyond passing the exam and obtaining the certificate, you might even turn out to be a milestone member! In July 2020 there were 230 CISSP holders in Russia, whereas in 2006 there were only 78. And just for comparison: in the USA, 89,880 people held CISSP in July 2020...



A nice bonus I only found out about after passing: along with the certificate you get the opportunity to create an electronic badge. It can be shared via a link and added to social media profiles and to an e-mail signature.



This is what it looks like, and the link leads to a page that confirms the certification:


What's new in preparing for and taking the exam?



The exam format has changed and, in my opinion, only for the better. Previously it lasted 6 hours and consisted of 250 questions. Now both the time and the volume have been cut: you have 3 hours to answer up to 150 questions.



Another innovation: the exam is now computerized adaptive testing (CAT), meaning the next question depends on your answers to the previous ones. With this mechanism the exam can end after the first 100 questions, once the algorithm is confident about your result; if it is not, it continues up to the 150-question maximum.



If you are only just planning to get certified, bear in mind that the weighting of some domains changes from May 1, 2021. For clarity, I made a comparison table:







The convenient ISC2 portal and simple verification



When I was about to take the exam, I was very worried about some of the mandatory requirements. All sorts of questions were spinning in my head:



  • – ?
  • , e-mail ?
  • CISSP ?
  • , , , ?
  • CISSP , ?


But I gathered my thoughts and simply decided to act in two stages:



Stage 1. Prepare properly and pass the exam.

Stage 2. Breathe easy after the exam and sort out the remaining questions. After all, they will not be so significant once the first stage is completed successfully!



For those who do decide to go for CISSP, I suggest doing the same: at the start, do not pester everyone with questions, but concentrate on the exam itself. Looking ahead, I will say that the second stage turned out not to be difficult at all.



On the official website isc2.org you describe your work experience in free form (in English, of course). The system then asks you to enter the surname and member ID of the current (ISC)² member who endorses your profile; if you do not know a current member, (ISC)² itself can act as your endorser. After that, within 4 to 6 weeks, the organization checks that the stated experience is complete and meets the requirement (five years of cumulative paid work in at least two of the eight CISSP domains, of which one year can be waived for a relevant degree or approved credential). That's all! I was very happy with such a simple procedure, and I didn't even have to find a common language with an expert from Asia.



The most valuable part: sources



I started preparing for the exam in April 2018. In total it took me two years from the start of preparation to passing. Why so long, you ask? The answer is simple: I took breaks, went on long vacations, was distracted by family matters and urgent work issues... and, of course, I was lazy at times. But in the end I pulled myself together and finished what I had started.



Below are all the sources I used while preparing for the exam. For convenience, I have ranked them by importance, starting with the most useful.



Official study guide: "(ISC)² CISSP Certified Information Systems Security Professional Official Study Guide" (authors: Mike Chapple, James Michael Stewart, Darril Gibson)



The book is voluminous: in electronic form it runs to almost 1,500 pages in English. The material in a chapter (there are as many as 21 of them!) may relate to several domains at once, so to keep readers from getting confused, the start of each chapter states which domains it covers.



For example, Chapter 6, "Cryptography and Symmetric Key Algorithms," covers material from the second and third domains, "Asset Security" and "Security Architecture and Engineering". From my own experience I can say that this guide alone gets you roughly 65% of the way to being ready for the exam.



Let me head off an important question right away: no, I have not read Shon Harris's book, which other certified specialists often mention in their posts. Practice shows that you can prepare well for the exam with the official guide from the consortium alone :)





My notes on the study guide



I not only read the book cover to cover but also wrote up a summary of 140 A4 pages. This is not required; it just helped me learn the material better.



Over the two years I spent preparing, I reread my notes in full 4 or 5 times. I could always refresh my memory of the quantitative risk-analysis method (ARO, SLE, EV, etc.) or the order of levels in the SW-CMM software process maturity model without opening the guide every time to hunt for the right section and reread it. Highly recommended!
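Since the quantitative risk-analysis method is one of the few calculations the exam actually makes you perform, here is a worked version of it as an added example (not code from the original post). It uses the standard study-guide definitions SLE = AV × EF, ALE = SLE × ARO and safeguard value = ALE before − ALE after − annual cost of the safeguard; the asset, threat and safeguard figures are constructed for illustration, and the function and class names are my own.

```python
"""Quantitative risk analysis as tested on the CISSP exam (added example).

Definitions (standard, as in the official study guide):
  AV  asset value                 EF  exposure factor, fraction of AV lost per incident
  SLE single loss expectancy      = AV * EF
  ARO annualized rate of occurrence, expected incidents per year
  ALE annualized loss expectancy  = SLE * ARO
  Value of a safeguard = ALE(before) - ALE(after) - ACS, where ACS is the
  safeguard's annual cost. A positive value means the control pays for itself.
The numbers in the example below are constructed, not taken from any real case.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF must be a fraction between 0 and 1 (e.g. 0.2 = 20%)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO may be fractional (0.1 = once every ten years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the residual risk it leaves behind (hypothetical)."""
    name: str
    annual_cost: float   # ACS: purchase plus maintenance, amortised per year
    new_aro: float       # expected incidents per year once the control is in place
    new_ef: float        # exposure factor once the control is in place


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """(ALE before) - (ALE after) - ACS; the cost/benefit figure the exam asks for."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(single_loss_expectancy(asset_value, sg.new_ef), sg.new_aro)
    return ale_before - ale_after - sg.annual_cost


def best_safeguard(asset_value: float, ef: float, aro: float,
                   candidates: Iterable[Safeguard]) -> Optional[Safeguard]:
    """Pick the control with the highest value; None if no control is worth buying."""
    scored = [(safeguard_value(asset_value, ef, aro, sg), sg) for sg in candidates]
    if not scored:
        return None
    value, sg = max(scored, key=lambda pair: pair[0])
    return sg if value > 0 else None


# Constructed scenario: a customer database worth 500,000, a ransomware threat
# expected to destroy 20% of it about once every two years.
ASSET_VALUE = 500_000.0
EXPOSURE_FACTOR = 0.2
ARO = 0.5
CANDIDATES = [
    Safeguard("offsite backups", annual_cost=15_000.0, new_aro=0.5, new_ef=0.05),
    Safeguard("expensive appliance", annual_cost=60_000.0, new_aro=0.1, new_ef=0.1),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    ale = annualized_loss_expectancy(sle, ARO)
    print(f"SLE = {sle:,.0f}  ALE = {ale:,.0f}")
    for sg in CANDIDATES:
        print(f"{sg.name}: value = {safeguard_value(ASSET_VALUE, EXPOSURE_FACTOR, ARO, sg):,.0f}")
    chosen = best_safeguard(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CANDIDATES)
    print("choose:", chosen.name if chosen else "accept the risk")
```

The point the exam likes to test is the last step: the appliance cuts the residual ALE the most, yet its value is negative because it costs more than the loss it prevents, so the cheaper backups win. When every candidate has a negative value, accepting the risk is the correct answer.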



Official practice tests: "(ISC)² CISSP Official Practice Tests" (by Mike Chapple and David Seidl)



It contains about 1,300 questions divided by domain. A huge plus is that it includes four full-length practice exams that are as close as possible to the real one. At the end of the book there are answers to all the questions with detailed explanations, which helps fix the main points of the study guide in your head.





Other practice tests from the internet



I found about 1,000 more questions on my own. Over the years they have been posted online by companies that train candidates for the CISSP exam. These let me see what kinds of questions had appeared in past years and work through them, an optional extra load that worked in my favour.



"The Memory Palace - A Quick Refresher For Your CISSP Exam!" (by Prashant Mohan)



A small (only 125 pages!) but informative synopsis with which you can quickly brush up on the main content of the domains. Its main advantage is the structured flow of the material: everything follows the sequence of domains, so there is none of the confusion you get with the official guide.





Book "Eleventh Hour CISSP" (by Eric Conrad, Seth Misenar, Joshua Feldman)



I read this book in the last weeks before the exam, when I was tired of going over the previous materials yet again. Its plus, as with the previous source, is that the chapters correspond to the domain numbers and are presented in order.





CISSP summary brochure by Maarten de Frankrijker



This brochure condenses the most important points of the official study guide. Its main advantages are that it is only 36 pages and all the material is laid out as cards. This small but handy booklet helps you refresh your knowledge and consolidate the basic concepts in a short time, a great option for reviewing material on the eve of the exam.







The dedicated subreddit on reddit.com



When I needed extra motivation, I read the posts published there, specifically at www.reddit.com/r/cissp . Users share their success stories, advise what to pay attention to and recommend preparation sources. Each time I came away inspired and went back to the books.



YouTube



The most useful channel was ITDojo . In short videos of 6 to 10 minutes, two random questions from different domains are worked through, with a detailed explanation of why only one of the four answer options is correct for the given case. To be honest, I could not always follow the presenter's speech by ear, so I turned on subtitles.



Personal recommendations



If you think your English is not strong enough, do not worry. This was the main obstacle that kept me from starting to prepare: at the time I could easily confuse the meaning of the words deterrent and detection... Regular reading in English will help. For example, I started with 7 pages a day and within three months had increased that to 12.



Be sure to work through practice tests, and the more the better. This kills three birds with one stone:



  • you stop confusing the concepts of decrease and increase, as well as most and least;
  • you improve your answering speed. As I said, the test is adaptive and you can finish it by answering the first 100 questions. But if that does not happen, you will have to answer all of them, while the time allotted for the exam stays the same. My target was 1.5 minutes per question;
  • . , – : , , . . , , .


Learn the concepts you have not worked with before, did not know, or are used to applying differently. For example, the order of incident response steps varies between companies, but on the exam you must answer exactly in the sequence given in the (ISC)² body of knowledge: detection, response, mitigation, reporting, recovery, remediation, lessons learned. But I hasten to reassure you: there are few such moments.



That's all. If you have any questions about this article or about preparing for the exam, I will be glad to help! Good luck!



Alexander Larichev, Director for Cybersecurity Methodology and Control and Risk Management, Rambler Group


