
JDMurray's Blog at www.TechExams.Net

The CISSP Certification Experience: My Study Plan

by JDMurray, 01-27-2009 at 04:10 PM (114167 Views)
Candidates on the journey to pass the (ISC)² CISSP exam are constantly looking for recommendations of the best study resources to use, the most efficient ways of learning the material, and how to survive taking the exam itself. Although the CISSP journey is different for everyone, some wisdom and confidence surely can be gained by reading the recommendations of others who have already reached their CISSP-certified destination.

OK, OK, here's the stuff you want to know…

To pass the CISSP exam, you must know and understand the CISSP Common Body of Knowledge (CBK). There is no single text that codifies the entire CBK. Instead, the CBK is a collection of knowledge and wisdom from many fields of Information Security and derived from many resources, some of which have been specifically created to help candidates pass the CISSP exam.

Quite a few choices of CISSP CBK study materials do exist. There are many exam preparation books, standards documents, multimedia materials, practice exams, and Web sites, some of which are quite popular and highly recommended. There are also many commercial study aids, with candidates wanting to know if they are worth the money to purchase. And a few candidates are looking just for the “tricks” of correctly taking the exam, or for a single resource that's guaranteed to get them a pass.

How to study for the CISSP exam is another matter entirely. Everyone studies differently. Some people are good readers, while others are better at listening. Some need to write and memorize a lot of notes, while others prefer to pace in circles lecturing to themselves. If you don't know how you yourself best study academic material by now, you will know by the time you cover the vast expanse of material that is the CISSP CBK.

Finally, there is a candidate's a posteriori knowledge in the domains of Information Security. For the CISSP exam, the candidate must have knowledge and wisdom derived through the experience of working in one or more fields of Information Security (although the more the better). The ability to use the concepts of the CBK and apply reasoning for solving problems (and not just memorize rote facts) is necessary for passing the CISSP exam.

CISSP CBK Study Resources

The following section contains appraisals of study resources that I used, and a few descriptions of some I didn't use, but you may want to check out anyway.

The standard CISSP CBK reference is the Official (ISC)² Guide to the CISSP CBK (2007) (a.k.a., OIG) by Tipton and Henry. This book is a collection of chapters on the domains of the CISSP CBK written by several different subject matter experts. Because of the differing writing styles of the many authors, some people have found the OIG to be a difficult read. However, the information is very good, and the OIG is likely a primary source of information for the CISSP exam items. I also found the computer-based practice exams included with the OIG to be very helpful with learning the CISSP CBK material. I do highly recommend using it, but be sure to check the OIG errata.

The most popular CISSP exam reference is CISSP Certification All-in-One Exam Guide, 4th edition (a.k.a., AIO) by Shon Harris. This is the book most recommended by CISSP exam candidates. Depending on your current knowledge and experience in Information Security, this book may have up to 90% of the information that you will need to pass the CISSP exam. I used the 3rd edition of AIO and found it quite relevant to the 2008 CISSP exam. But I do encourage you to buy the 4th edition, or wait for the 5th edition to be released sometime in 2009. The practice exams included with the AIO are helpful, but not essential, for learning the material.

In my opinion, the best CISSP CBK study reference that few people know about is Security in Computing, 4th Edition by Pfleeger and Pfleeger. Every page of this book contains information relevant to the CISSP CBK. This is the only book that I found which had a detailed explanation of quantum cryptography that I could understand. I primarily used a copy of the 3rd edition for my CISSP studies, but the fourth edition is even better. It's an expensive college textbook, so buy it used if you can.

And probably the best CISSP study reference that no one buys is the Information Security Management Handbook, 6th edition by Tipton and Krause. This vast (and expensive) tome contains 227 chapters of InfoSec knowledge spread over 3231 very thin pages. Each chapter has a different author, so the writing styles vary considerably, but the information is still quite good. If you get a copy, I recommend reading the chapters which discuss only the basics of the CISSP CBK (e.g., security policies, cryptography, security models, legal issues, BCP/BIA/DRP). Save the rest of the book for reading after the exam.

There are many other books for the CISSP exam that I have not read, but do have good recommendations from other people, such as CISSP for Dummies. Rob Slade's Reference books for the CISSP CBK domains Web page is also a good place to find reviews and recommendations of CISSP study resources. And check the CISSP forums at and for more recommendations of books that people found useful when studying for the CISSP exam.

But before you buy any books, sites like Scribd and Google Book Search contain the text of many CISSP books available for public perusal.

Standards Documents

A foundation of the modern CISSP CBK is the ten Information Security domains found in BS7799 (a.k.a., ISO/IEC 17799 and ISO/IEC 27001:2005). If you can get hold of them, have a look at BS7799, BS7799-2, and BS7799-3, or ISO 27001 (formerly ISO 17799) and ISO 27002. You don't need to read these standards to pass the exam, but doing so will help you become a more well-rounded Information Security professional.

The National Institute of Standards and Technology (NIST) is an excellent source of freely available InfoSec guidelines and best-practices. The NIST Special Publication documents that seem especially relevant to the CISSP CBK are:

SP 800-12 An Introduction to Computer Security
SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-30 Risk Management
SP 800-34 Contingency Planning Guide for Information Technology Systems
SP 800-86 Guide to Integrating Forensic Techniques into Incident Response
SP 800-100 Information Security Handbook: A Guide for Managers
SP 800-115 Information Security Testing and Assessment

NIST documents can be large and complex, but they are a surprisingly easy read. The major problem is the volume of information and material that they contain. When studying for an exam, it is nice to have the information you need to know boiled down into an annotated overview format which provides guidance in learning the material. The NIST publications can leave you constantly asking yourself, “Do I really need to know all this for the CISSP exam?” The answer is, of course, “no,” but it can be difficult to filter out the “inch deep” that you do need to know.

And last but not least, Requests for Comments (RFCs) are an important source of information for anything related to the technical aspects of the Internet. Although you probably won't see any exam items that reference specific RFCs, topics that you will need to know for the exam, such as the operations of many network and authentication protocols and cryptographic algorithms, are painfully detailed in the RFCs. And although published way back in 1997, the information in RFC 2196 – Site Security Handbook, is still surprisingly relevant today.

Audio/Visual Training

If you are not into reading heavy books, CISSP CBK study material is available in audio/visual form too. Even if reading books is your thing, listening to someone talk about the topics of the CISSP CBK while you are commuting to/from work, lounging at a coffee house, or sitting at your computer pretending to be productive, is an excellent study aid too.

Test preparation vendors, like PrepLogic and TestOut, have computer-based preparation training courses for the CISSP exam. These courses feature a lecturer with slides, animations, whiteboards, and sometimes computer-based demonstrations. They may also include practice exams, labs, and additional reading material.

Probably the most highly recommended DVD-based CISSP CBK training series is from Shon Harris, and is available at her Web site Logical Security. This expansive DVD series contains many hours of lectures and video presentations on the ten domains of the CISSP CBK. Shon also has a set of free CISSP certification training videos available at SearchSecurity.

There are also quite a few Information Security-related training videos freely available on the Web, such as: The Academy Home, Veridion, SearchSecurity, and even at Metacafe and YouTube. And I don't know how much material you will find at the DEFCON Media Archives that is directly related to the CISSP CBK, but many of the presentations are definitely very important for the understanding of Information Security.

Practice Exams

Practice exams (a.k.a., exam simulators) are used by IT certification candidates to both study for certification exams and to test their knowledge and understanding of the certification material. For studying the CISSP CBK, practice exams offer an excellent educational diversion from reading study books and watching test preparation videos.

Commercial CISSP practice exams are produced by test preparation vendors including Transcender, MeasureUp, and PrepLogic. (Please read my review of PrepLogic's CISSP practice exams.) The (ISC)² also offers studISCope Self Assessment Tests for CISSP and SSCP candidates. Rumor has it that these tests are made from retired CISSP and SSCP exam items, but they are more likely items that were never added to the exams, or were written specifically for studISCope.

Free Information Security certification practice exams are available at the Web sites, SearchSecurity, and Exam simulators are also found on the CDs accompanying some CISSP study books, including the AIO and OIG. And discussions of practice exam questions can be found on CISSP mailing lists and in the CISSP CBK discussions forum at

Practice exams should be used for learning factual information and to discover the areas of the CISSP CBK in which you need more study. They are also useful for mentally conditioning yourself for taking a very lengthy, multiple choice exam by simulating an entire 250-item exam. Note I said simulating, as no practice exam can give you the same experience as taking the CISSP exam itself.

CISSP Training Classes

If the idea of self-study is not your thing, face-to-face training classes are probably your best alternative. Consider taking a CISSP training class from an organization that is an education affiliate of the (ISC)². Some non-affiliates, such as the SANS Institute, also come very highly recommended for CISSP preparation training. Before spending good money on any classes, always get references from people who already have attended the training.

If you are looking to save a lot of money, check the schedules of your local community colleges and universities to see if they offer a CISSP training course. A college class will take longer to complete than a five-day CISSP “boot camp,” but you may just learn a lot more by taking in the material a lot more slowly.

Other Online Resources

I can't imagine studying for the CISSP exam without the Internet. Having only bookstores, libraries, and in-person study groups seems too intellectually confining in this modern age. The Internet is the optimal place not only to store and retrieve CBK information, but also to find people worldwide who have passed the CISSP exam and ask them how they did it.

You can find numerous postings from people detailing their IT certification exam experiences and study plans in the discussion forums of Web sites such as and Articles written on the same can be found at sites like SearchSecurity and the blog at And the CISSP Training and Studying Materials group on is not only a very useful resource, but is managed by Shon Harris herself.

Discussion forums, blogs, and mailing lists on the Internet abound with opinions and advice on how to study for the CISSP exam. CISSP candidates may also post their own study reference material on their own Web sites (such as CISSP/Security Bookmarks ), which can be found using Google. And try Googling for passed CISSP and see what that gets you.

Information Security organizations, such as the Information Systems Security Association (ISSA) and the Information Systems Audit and Control Association (ISACA), may offer free certification training classes for their members and have training materials on their Web sites. If your local chapter does not offer training classes, being a member may still get you a sizeable discount on classes offered by affiliated training companies.

And finally, the SANS Information Security Reading Room is an archive of many reports and papers written by SANS-certified professionals that contains detailed information on topics from all ten CISSP CBK domains. I could spend the rest of my career reading these papers.

Studying the CISSP CBK

You will probably find that what you study for the CISSP exam is not nearly as important as how you study for it. Many people study using the most recommended materials and still fail the exam. I can only suggest that the effort needed to comprehend the material is often much greater than what a typical candidate anticipates. Don't underestimate the effort you will need to invest in studying for the CISSP exam.

What to Study

Correctly answering CISSP exam items depends more on your understanding of the CISSP CBK material than on your ability to memorize rote facts. You cannot possibly memorize all the information you might be tested on in the CISSP exam; however, with a proper understanding of the CBK concepts, you can better interpret the exam items, and even make more successful guesses when needed (which is a very handy skill in real life too).

Don't use CISSP study materials over three years old as your primary source of information. It's not that the information is no longer relevant. Rather, older CISSP study material will not contain information on topics added in more recent revisions of the CISSP exam. It is worth the investment to purchase the latest releases and editions of materials for your study. (I find it astonishing how many people publicly release CISSP study guides that do not contain a date.)

If a topic is only briefly covered in a CISSP study guide, do not assume that you only need to know just a little bit about it for the exam. For example, if the CISSP study guide you are using only has a very small section on ISDN, EAP, or Clark-Wilson, do not assume that those are the only details that will be covered on the exam. Always research each subject to a greater degree than what is presented in popular CISSP study materials. Use as a starting point for finding more information and references about each CISSP CBK topic.

Once you are familiar with the topics of the CISSP CBK domains, read the relevant articles at the Wikipedia Computer Security portal. Although Wikipedia articles may contain omissions and occasional inaccuracies, the information in Wikipedia is generally very good, and is usually at a greater depth than what you will need to know to pass the CISSP exam. Wikipedia articles often contain references of the same topic elsewhere on the Internet.

People often speculate that there is uneven coverage of the ten CISSP CBK domains on the CISSP exam. Candidates report seeing more items from domains like Telecom/Network Security, BCP/DRP, and Risk Management, and fewer items from domains like Law/Ethics, Application Security, and Physical Security. This is often taken as a pattern for what (and what not) to heavily study for the exam.

After taking the exam myself, I believe that people tend to most remember the items that they had a difficult time solving. This skews many candidates' perception of the exam's content, causing them to report an unevenness in the frequency of questions between domains. Don't allow such observations to influence the degree to which you study specific CBK domains. My recommendation is to plan on there being 25 questions from each CISSP CBK domain on your exam, and to study the information for all of the domains thoroughly.

While studying for the CISSP online, you will occasionally read the advice, “The CISSP is a managerial exam; think like a manager when you take it.” To me, the CISSP CBK contains more knowledge about business and business processes than it does managerial aspects of information security. Understanding the business perspectives of a CEO, CIO, CFO, CSO, and corporate lawyer is essential for solving many of the exam's items. If you go into the CISSP exam thinking only like an engineer or technician, I don't give much for your chances of passing.

How to Study

Only you know how you study best. At, I often see questions from members asking how long it will take them to study for a specific IT certification exam. They might receive a response like, “Read this book for 2-3 hours per day for two months and you should know everything you need to know to pass.” But realistically, no one can really say how much time it will take anyone to convert enough information from knowledge to understanding to pass an exam. The best I can do is give you a few tactics to try and to avoid.

Understand under what circumstances you do not study well and avoid those situations. For example, I do not attempt to study within sight of a live television, or while listening to music containing intelligible, spoken words. I also know that I will have less quality study time in a busy coffee house than I will in a quiet library. And studying using a computer with an active Internet connection, while necessary, is a constant invitation for distraction to me.

You should take your own notes as you study and not only rely on reading the many homemade study guides prepared by other CISSP candidates. Writing helps you memorize; you will need your notes as exam day grows near and you put down your books and only review your notes to keep the concepts you've learned fresh in your mind.

Learn to recognize when you are stalled in your studying. If you are finding it difficult to concentrate, switch to another domain that you find more interesting, or another method of study (reading, practice exams, writing notes, skimming study sheets or PowerPoint slides, etc.). If you can't find a way to motivate yourself, consider that you perhaps need a day or two away from studying altogether.

Do not study for the exam as if you are only trying to get the minimal passing score. There is no way to know where the passing mark is on the exam. Attempting to reduce your study time by guessing what might not be on your exam is only asking for failure. Instead, study as if you are trying for a score of 100 percent. Remember, you are not putting yourself through this experience just to pass the CISSP exam, but also to become a better Information Security professional.

Practice Exams

Practice exams are such a popular topic at that they, above all other study materials, really deserve a section of their own.

Practice exams are an excellent way to learn CISSP CBK material and to determine what CISSP CBK topics you do not yet understand. They can be used like electronic flash cards for a quick study of a specific topic, or as a test of your mental stamina by answering 100-250 questions in a limited amount of time.

When taking a practice exam, you should regard each item individually, asking yourself if you really understand what the question is asking. Also explain to yourself why each of the answers is either correct or incorrect. This is your time to learn; don't guess quickly and haphazardly just because it's for practice.

After finishing a practice exam, it is common for the student to only study the exam items that were answered incorrectly. Study the practice items that you answered correctly too. Answering an item correctly doesn't mean that you really understand the information in the item. Sometimes you'll answer an item correctly, but it was just a good guess or just by pure luck. Review all your practice items and make sure you really understand the information they contain. You are just cheating yourself otherwise.

Practice exams are often unjustifiably maligned because they do not present items in the same format and detail as on the actual CISSP exam. No practice exam is an accurate emulation of the CISSP exam, so do not expect them to be so. In the same way, the questions at the end of a chapter in a CISSP study guide are only there to test your understanding of the information in the chapter that you just read, and not to be a simulation of actual questions you might see on your exam. Do not expect chapter test questions to be what they are not designed to be either.

Finally, no practice exam is an accurate indication of how well prepared you are to take the actual CISSP exam. You may read the advice, “After you are able to consistently score 80% or higher on a specific set of practice exams, you will then be able to pass the CISSP exam.” This is dangerous advice, as it gives candidates a false sense of security on their level of preparedness.

The more times you take the same practice exam the more likely you are to memorize the correct answers and score higher. The score you get after completing every practice exam is not an accurate indicator of anything useful at all. If you feel that you are ready to take the CISSP exam because you are getting good scores on practice exams, you are likely deceiving yourself. A better indication that you are ready for the exam is when you can give a 30-second speech on each topic in each domain of the CISSP CBK.

CISSP Exam-taking Tips

Having now been through two (ISC)² exam experiences, I have a few bits of advice about taking (sitting/writing/whatever) the exam itself:

Arrive early at the testing location. The sooner everyone arrives the sooner the exams can begin and the sooner the testing will be over that day. Arriving early is especially recommended if you have never been to the testing center before and you (foolishly) have complete confidence in the accuracy of the turn-by-turn directions available from online map services.

You are given six hours to complete the exam; plan on using all six hours. Don't create some artificial deadline to finish at a certain time. That will only inflict more stress on you than you already have. And don't mind the people who turn in their exam after only three hours or less. They might be either genius-freaks or are simply giving up, but more likely they are only taking the 3-hour SSCP exam.

Move calmly, carefully, and deliberately as you take the exam. Keep your mind focused in the present and on one item at a time. Try to disregard any feeling you may have of being overwhelmed. It will only lead to anxiety and possibly panic. With the CISSP exam, slow and steady wins the race.

Pay attention to the wording of the question and answers in each item. Circle or underline words that are comparatives (e.g., “better”, “worse”, “more”, “less”), superlatives (e.g., “best”, “worst”, “most”, “least”), limiting words (e.g., “only”, “without”), and negatives (e.g., “not”, “never”, “nor”). These words change the meaning of a sentence, and not noticing them will mean misinterpreting an item's question or answers.

Do not read information into an exam item that isn't there. For example, if wireless networking isn't mentioned in the question, don't consider it when choosing the answer. Everything you will need to choose the correct answer is contained within the item. Adding additional information to the question may make you more susceptible to the distracters.

If you know the correct answer, you should be able to complete the item in 20 seconds or less (unless it's a long question or you are a slow reader). For the items whose answer is not obvious to you, the process of elimination will usually rule out two of the possible answers. Do this by asking yourself why each answer can or cannot be the correct answer (or the incorrect answer, if that's what is asked for in the question).

Don't second-guess yourself and start changing your answers unless you have clear evidence that an answer you've marked is wrong. If you've noticed that second-guessing yourself on practice exams often causes you to pick incorrectly, it will happen to you on the real exam too. If you don't know which of two answers is correct, follow your gut.

Don't wait until you have answered all of the questions in the exam book before marking your Scantron answer sheet. Write your answer selections in the exam book and fill in part of the sheet each time you complete a block of 50-75 questions. Periodically marking the answer sheet actually gives your brain a little rest from pondering exam items.

Don't plan on being able to identify the 25 research items that don't count towards your final score. You can't know just from the look and feel of the items. If an item contains references to a topic that you did not study, don't assume it probably won't count. Always believe that you can reasonably deduce the correct answer of any item.

And please, don't plan on using unethical tactics, like taking a bathroom break every hour to review the notes you have stuffed in your sock while sitting in a bathroom stall. All of those high school testing cheats are known and watched for by the proctors. If you need to do stuff like that then you are not ready to take the CISSP exam—or to be an Information Security professional.

My CISSP Study Plan

And I mean my CISSP study plan and not necessarily yours.

I primarily used the following study materials described in this article:
  • CISSP EXAM Preparation and Overview
  • OIG 2007, including the practice exams on the accompanying CD
  • AIO 3rd edition, including the practice exams on the accompanying CD
  • PrepLogic CISSP practice exams
  • The CISSP exams at
  • NIST documents SP 800-12, -14, -30, -34, -86, -100, and -115
  • A few computer security text books (by Stallings, Tipton, and Pfleeger)
  • Assorted free CISSP online study materials (videos, PDF, and PP slides)
  • Reading as many posts in the CISSP forums as possible
My way of learning something in detail is through prolonged intellectual obsession. I often wish that I could lock myself away in an isolated monastery somewhere and just read, think, draw on the walls, and babble to myself all day long. However, like most people with a job and family, this wasn't an option.

Because I make my living as a software engineer, my brain is pretty much spent by the time I get home each night, so weekends are the most valuable study time for me. This was my time to be a monk with my CISSP books and papers. This also worked out very well with my wife's schedule. And suddenly finding unemployment about a month before my exam left me with even more time to study (note: I don't recommend this).

I studied by starting from the very broad and general and ending up in the narrow and specific. I would read about a specific domain and attempt to understand the general concepts. I would then re-read the materials and begin to highlight (yes, in the books themselves) to learn specific details. After another pass, I would start to write notes of the detailed information. And finally, I would only study from my notes. I ended up practically writing a CISSP CBK book just from taking study notes.

As with many CISSP candidates, my Information Security background is mostly technical. Telecom/NetSec, AppSec, Crypto, and Access Control were my favorite and most familiar domains. I had the usual troubles with the “soft” domains, like BCP/DRP and Legal/Compliance. I also had to be careful not to disregard the OpSec and PhySec domains as being too simplistic and not give them enough study time.

In addition to my choice of study materials and methods, having both the experience of passing the SSCP exam and a Master of Science in Information Security from Capella University were also major factors in my passing the CISSP exam.

In Conclusion…

I began my quest for the CISSP certification because that's what people who make a career of Information Security are supposed to do. Because the CISSP is oriented more towards business rather than technical processes, I often wondered if I would even bother to get this certification if it weren't such a gem often sought by human resources people on resumes. In reflection, I think, “Yes, I would.”

Getting the CISSP certification is very difficult. It is a trial-by-fire that can be very invasive and take quite a bit of time away from your personal life. Achieving any (ISC)² certification is not just another reason to buy a picture frame, nor is it a quick-ticket to a six-figure job. A better part of its value is in gaining membership into an important Information Security organization, and becoming a colleague to thousands of InfoSec professionals that share the same code of conduct and ethics as yourself. Your motivation for getting the CISSP must be as much for your own personal growth as it is for your professional standing.

If I have omitted something that you think or feel is important to this topic, then please let me know about it in the comments.
