topic Re: Is the Official (ISC)2 Guide to the CBK Authoritative? in Member Support

Is the Official (ISC)2 Guide to the CBK Authoritative?

rtalexander — Thu, 14 Jun 2018 20:25:19 GMT

The title of the Official (ISC)2 Guide to the CISSP CBK (OCBK) suggests that the book is the authoritative and exhaustive source for knowledge (topics) that are covered by the exam itself. One interpretation of this might be that every topic you need to know is in the OCBK—or putting it another way, if it's not in the OCBK, then you do not need to know it. I have my doubts that either of these is true, but I would like to know for sure (to the degree possible). The reason I think this is that the CISSP (ISC) 2 Certified Information Systems Security Professional Official Study Guide, 7e contains topics that are NOT in the OCBK (fourth edition). This would seem to support my assertion that the OCBK is not exhaustive in its coverage of topics that may be encountered on the exam. Is my assertion correct?

My reason for seeking clarity on this matter is that I am a member of my employer's committee on internal training for the CISSP. At present, the common belief among other members is that if a topic/subject/fact is not stated in the OCBK, then it is not relevant to the exam, and thus can be omitted from a study syllabus.

Re: Is the Official (ISC)2 Guide to the CBK Authoritative?

Chuxing — Fri, 15 Jun 2018 13:18:45 GMT

My PERSONAL experiences: NO, it is NOT.

Way back when I was studying my CISSP, the version I used was not all inclusive of all tested topics. In it of itself, it is not necessarily a negative factor, but compounded with too many typographical errors, and one chapter was not even formatted correctly (no space between words), made it impossible to rely on as an authoritative source for studying.

Having said that, CBK is still a useful reference book in your studying library.

Clear as mud?

Re: Is the Official (ISC)2 Guide to the CBK Authoritative?

rslade — Sat, 16 Jun 2018 18:42:20 GMT

Questions like this make researching quantum computing seem easy by comparison.

I haven't talked to the exam committee people for a while, but, in the old days, study guides, any study guides, did not qualify as sources references for exam questions. (In the old days, every exam question had to be backed up by at least two references from source security literature. Study guides were never considered source security literature.)

But that's only partly related to your question, which is about the range of topics. And, in terms of range, yes, the "Official Guide" should be authoritative. After all, it's based on the same CBK that the exam committee uses when creating exam questions. (Although the authors of training and study materials are not allowed to discuss their respective content with each other. The ISO 17024 standard for certifications mandates this so that we aren't just "teaching to the exam.") So, yes, if the topic is on the exam, it should be in the book.

But that tends to get a but subjective at times. I'd be interested in hearing what topics you have identified that are in the study guide, but not in the book.

Re: Is the Official (ISC)2 Guide to the CBK Authoritative?

rtalexander — Tue, 19 Jun 2018 21:08:29 GMT

Thanks for the response. I should have clarified that I myself am a CISSP. The motivation behind my question has to do with an internal study program thay my company is setting up. It seemed to us that the correct thing to do is limit the topics we teach to those specifically included in the official (ISC)2 guide to the CBK for the very reason that it is endorsed by (ISC)2. However, we have found discrepancies between the guide to the CBK and the CISDP official study guide that is also endorsed by (ISC)2 (we have also discovered errors in both works).

Re: Is the Official (ISC)2 Guide to the CBK Authoritative?

rslade — Wed, 20 Jun 2018 01:03:02 GMT

@rtalexander wrote:
(we have also discovered errors in both works).

Oh, pray tell me it isn't true! You are destroying my faith!

Although I've found the "official" guides to be more accurate than others, over a number of years, I'm sure they aren't perfect. (Of the "All-in-One" guide, when I was teaching, I used to tell the seminars that it was the most readable, but that I refused to answer any question that started out "Shon Harris says ...")

Re: Is the Official (ISC)2 Guide to the CBK Authoritative?

denbesten — Wed, 20 Jun 2018 17:31:19 GMT

@rtalexander wrote:
... limit the topics we teach to those specifically included in the official (ISC)2 guide to the CBK ...

That is a completely different question. Yes, (ISC)² does publish an official list of topics in the CISSP Exam Outline.

As you well know, there is no "authoritative source" for the CISSP exam.... at least in the sense we learned in college. College exams are generally built exclusively from the lectures and the reading materials, often word-for-word. CISSP adds personal experience and intuition to the mix.

Re: Is the Official (ISC)2 Guide to the CBK Authoritative?

rtalexander — Wed, 20 Jun 2018 20:12:02 GMT

Thanks for the response, but I don't quite follow what you mean by "That is a completely different question." My question pertains directly to the authority of of the CBK book from the perspective of the breadth of topics it covers (not their depth). And by the use of the term "authority", I am trying to determine what the endorsement of that book by (ISC)2 actually means. Putting it differently, are there security topics not contained in the book that are nonetheless covered by the exam. If so, it means that my company's internal training program needs to expand its scope.

Yes, (ISC)² does publish an official list of topics in the CISSP Exam Outline.

I am aware of this, and have compared the 2015 outline to the table of contents of the fourth edition of the CBK book (the fifth edition, of course, not being available yet). And I am convinced that the CBK book is consistent with the outline. Of course the CBK goes to much greater depth that the outline. Again, my question is does the CBK book cover all the knowledge required to pass the exam? I realize that the intent of the exam is that it can not be passed solely on knowledge—that experience is required. However, I do have three colleagues that have recently managed to pass the exam on the first attempt, and with a single day of security experience. Hmm...

Re: Is the Official (ISC)2 Guide to the CBK Authoritative?

denbesten — Wed, 20 Jun 2018 22:45:16 GMT

My interpretation of your second post is that you would like a complete list of topics to align your training with the exam. The CISSP Exam Outline is the most authoritative source for that. So much so that is is basically the table of contents for each of the prep books. Your first email sounds much closer to "are the answers to all the test questions found in the CBK?", which others have answered.

Given that it now sounds as if you wish to ensure your training program is comprehensive, you might work with (ISC)² to become an "(ISC)² Approved Training Provider". In addition to (ISC)² reviewing your training materials, it would give you cred with your internal customers.

It sounds as if your three colleagues are confusing job title with "experience". If they have been in IT long enough for it to give them grey hair, it does not surprise me that they were able to pass the exam.