By Tony Vizza, CISSP, CCSP, Director for Cyber Security Advocacy - APAC at (ISC)²
If you are reading this article, it is likely that you have made a conscious decision to do so. Congratulations on taking this step in furthering your career, skills and knowledge. You have made the decision to demonstrate to the wider world your hard-gained experience, knowledge and skills in cybersecurity and to prove to yourself that you have what it takes to become certified.
The most recognised and most valuable cyber security certifications in the world today are (ISC)² certifications. However, becoming (ISC)² certified is not easy, nor is it meant to be. The certifications are prized and valued by employers across the globe precisely because they take hard work, dedication and perseverance to achieve.
Becoming certified means that obstacles need to be overcome. Experience needs to be gained; knowledge needs to be acquired, processed and stored; commitments need to be made and endorsement needs to be sought.
The famous American pioneer aviation pilot Amelia Earhart once said that “the most difficult thing is the decision to act, the rest is merely tenacity”.
Starting the Journey: Work Experience.
Before starting your study preparations, you should begin by considering the experience requirements for the certification that you are seeking to achieve. As (ISC)² certifications are ANSI/ISO/IEC 17024 accredited, it is necessary to demonstrate an appropriate level of paid and relevant work experience depending on what certification you are seeking to achieve.
The work experience requirements for each certification are as follows:
If you do not have the pre-requisite experience levels yet, never fear. Upon passing the exam, you are able to gain the Associate of (ISC)² designation, awarded to candidates who pass the certification exam but are unable to demonstrate the work experience. This also allows the candidate to become fully certified once they demonstrate the necessary work experience.
Studying for the Exam: Using the Technique that Works for You
While gaining experience is the most time-consuming aspect of becoming certified, the most challenging aspect of certification will be the study requirements needed to ensure you have achieved a level of knowledge that is appropriate in order to attempt the exam.
There are numerous ways to train for the exam and different methods will suit different personality types. The most popular types of training techniques are:
- Classroom-based Training: This is live training performed in a physical classroom by an (ISC)² authorised instructor. Students are supplied with a physical handbook and courseware and obtain access to flashcards and instructor support. Classroom-based training is open to anyone.
- Private On-Site Training: Similar to classroom-based training, this is live training performed in a physical classroom by an (ISC)² authorised instructor. Students are supplied with a physical handbook and courseware and obtain access to flashcards and instructor support. Typically, private training is organised for multiple (usually ten or more) team members of one organisation.
- Online Instructor-Led: Once again, similar to classroom-based training, this is online training performed in an online classroom by an (ISC)² authorised instructor. Students are supplied with an electronic handbook and courseware and obtain access to flashcards and instructor support. The benefit to this form of training is that it can be performed from anywhere with an internet connection.
- Online Self-Paced: This innovative way of studying offers you access to instructional videos that are created by (ISC)² to help you understand course concepts. Students are also supplied with an electronic handbook and courseware and obtain access to flashcards. This form of training allows you ultimate flexibility – study when and where it suits you!
Important Training and Study Considerations
When deciding which method of study is best for you, you should be mindful of a number of considerations.
Always use (ISC)² accredited and official training providers.
All (ISC)² certifications are regularly updated. The Common Body of Knowledge (CBK) for each certification is continually updated with new and relevant content. In order to ensure that what you are learning is current, up to date and relevant to the certification that you are choosing to achieve, always ensure that you are using official (ISC)² accredited training providers.
Official (ISC)² training is always delivered by an (ISC)² Authorised Instructor who is certified to teach the certification. Authorised instructors use proven training techniques that help you understand the course content, focusing on real-world learning activities to help you apply the content to practical situations. There are three accredited and official training provider classifications:
- (ISC)² Official Training Providers use official (ISC)² courseware developed directly by (ISC)² and delivered by an official training provider that has completed an intense training and authorisation process with (ISC)² to teach the content. Instructors are verified security experts.
- (ISC)² Direct uses official courseware that is developed directly by (ISC)² and is delivered directly by (ISC)².
- (ISC)² Approved Training Providers use their own courseware, reviewed and approved by (ISC)² to ensure that you receive relevant and up-to-date content. Instructors are verified security experts.
A full list of official and authorised training providers can be found at www.isc2.org.
Unauthorised Training Providers: Use Them at Your Own Peril
(ISC)² certifications are regarded as the gold standard of cyber security certifications and are popular around the world. Because of their enduring popularity, a number of unauthorised training organisations have sprung up offering CISSP “preparation” courses to candidates.
Candidates can be induced by the cheaper cost of these unauthorised courses and by so-called “exam pass guarantees” that are claimed by the unauthorised providers. Candidates can often be duped into thinking that these unauthorised providers are legitimate, through clever use of (ISC)² trademarks when mentioning specific certifications to avoid legal ramifications. Some unauthorised training providers, in fact, will even request Pearson Vue login details from candidates in order to issue an “exam voucher”.
Every day, (ISC)² receives complaints from candidates who have paid for training provided by an unauthorised training provider. The vast majority of complaints relate to:
- out-of-date course content
- the lack of training experience by the unauthorised instructor
- failing the exam because the content taught did not reflect the actual exam
- concerns relating to not receiving what the candidate paid for.
An additional issue for the candidate is that many governments around the world do not offer consumer protections on education and training courses. In most cases, the candidate is left without any legal recourse should they have been “duped”.
The time-honoured axiom that “you get what you pay for” is particularly true for training. If you are in any doubt, please contact (ISC)² directly for clarification.
Out of Date, Poorly Delivered Content
Using unauthorised training providers places your ability to attain an (ISC)² certification at some degree of risk. As trends in cybersecurity evolve, the official (ISC)² certification CBK and courseware will change to reflect this. These changes are then reflected in the official training materials that are provided by (ISC)² and its authorised training providers.
Unauthorised training providers do not have access to the official certification CBK. As such, they lack the ability to train you using the most accurate, current and relevant content. In addition, unauthorised training providers are not answerable to (ISC)² for the content they teach, and very often (ISC)² receives complaints from students who used an unauthorised training provider, claiming that the content they were taught was “old” and irrelevant.
The Quality of the Instructor
Many unauthorised training providers employ instructors who are not adequately trained to teach the course content. (ISC)² authorised training providers employ certified (ISC)² members who hold the certification that they teach. These instructors must complete a rigorous instructor onboarding process and need to demonstrate at least five years of training and teaching experience. In fact, the average instructor holds between 15 and 20 years of real-world security experience.
So-called “Pass Rate Guarantees”
(ISC)² does not publish or disclose exam pass rates. Neither (ISC)² nor its authorised training providers will ever claim an examination pass rate guarantee on their training courses. It is misleading and disingenuous for any organisation to publish an exam pass rate for students taking their courses.
Examination Vouchers and Pearson Vue
Only (ISC)² authorised training providers are able to issue you with a certification exam voucher. Authorised training providers will never ask you for your Pearson Vue testing site login details. In fact, providing your Pearson Vue login details to any entity places you at risk of violating the (ISC)² Non-Disclosure Agreement, potentially placing your ability to take the certification exam at risk and possibly even jeopardising your certification.
(ISC)² Audits and Supervises Authorised Training Providers
Authorised Training Providers must undergo a rigorous initial onboarding program, including instructor accreditation, as well as regular audits by (ISC)² to ensure that the training delivered by them meets the high standards expected by (ISC)² and offers candidates the best possible learning outcomes and experience. Feedback is always sought from candidates at the conclusion of each training session. In the unlikely event that a candidate has an adverse experience with an Authorised Training Provider, (ISC)² can advise and assist the candidate to rectify the situation. These safeguards simply do not exist with unauthorised training providers.
Using Official (ISC)² Study Materials
Training seminars are an invaluable way of learning the core concepts associated with the certification that you are seeking to attain. In addition to formal training, to maximise your chances of successfully passing the certification exam it is imperative that you undergo a period of study and revision to prepare for the exam.
Study aids are a crucial component of successful study and revision. In doing so, it is highly recommended that you use official and up-to-date (ISC)² study materials to revise for your certification.
There are a number of official study materials available depending on the certification that you are aiming to achieve:
- Official (ISC)² Study Guides drill down into each Certification Domain area in detail and ensure that you have in-depth knowledge of the subject matter. Official Study Guides include tips, scenarios, notes and exam essentials that you need to know to help you pass the exam. Each chapter will typically include written lab questions as well as review questions.
- Official (ISC)² Guide to the CBK provides a comprehensive study of the domains of your chosen certification. The CBK is the most complete and comprehensive reference guide available and features illustrated examples and practice exercises to demonstrate concepts and real-life scenarios.
- Official (ISC)² Practice Tests provide you with hundreds of unique practice questions covering all domains of the certification you have chosen and provide answers with full explanations to help you understand the reasoning and approach for each. Testing your level of understanding before undertaking the certification exam is essential and the Official (ISC)² Practice Tests guide ensures that you are ready for the big day.
- (ISC)² Approved Dummies Guides offer you a friendly and accessible handbook to help you study. All certification domains are covered. The guide offers expert advice and key information to help you pass the exam and you will get tips on setting up study plans, exam day times and gain access to an online test bank of questions.
- Official (ISC)² Flash Cards allow you to study for your chosen certification anytime, anywhere. Flash cards are a unique and interactive way of testing your knowledge of industry terms while providing you with immediate feedback on how you have performed.
Why using unofficial study materials can be an unwise choice
There is a plethora of unofficial study material available. While there is no doubt that much of it is of reasonable quality, only by using current and official (ISC)² study material will you ensure that you have access to the appropriate and up-to-date information, explained in a manner that helps you maximise your chances of passing the certification exam.
Official (ISC)² study materials are updated regularly to ensure that they most accurately reflect the certification domain areas, and as such, the corresponding examination. It is always recommended that you use official (ISC)² study materials.
Support and Mentorship: Where to Turn to For Help
Deciding to undertake a certification and subsequently completing training and study can be a daunting and time-consuming prospect. It is always important to remember that the certification road has been walked by many before you. In fact, (ISC)² has over 138,000 members across the world. Always remember that there is support available to you during these challenging times to help you achieve your certification.
(ISC)² Chapters and Affiliated Partner Bodies
There are (ISC)² Chapters located in cities all across the globe. These chapters are made up of (ISC)² certified members. A significant part of the Chapters' core duties is to assist non-credential holders to become certified through mentorship, support, assistance and knowledge. A list of (ISC)² chapters can be found on the (ISC)² website.
In addition, a number of affiliated bodies and associations work closely with (ISC)² to promote cyber security as a vocation. These include PISA in Hong Kong and AISA in Australia.
(ISC)² Online Community
There is a vibrant and active community of both (ISC)² members and cyber security enthusiasts that regularly contribute to the (ISC)² Online Community, available at https://community.isc2.org. The Community is an invaluable resource for those who are looking for assistance in understanding difficult certification concepts, or who have questions related to certification or other questions they would like assistance with.
How Much Study Do You Need?
This is a good question and there are varying opinions on how much study is the right amount of study.
The only certainty is that it is absolutely essential that you revise and study prior to attempting the exam. The level of detail covered in each certification is extensive and regular revision and study will place you in an advantageous position when attempting the exam.
Some candidates feel that once they have undertaken the certification training, they should be ready to sit the exam. This perception is an unwise one. The certification training courses are held over a number of successive days. As such, it is practically impossible for the human brain to absorb all of this information instantaneously. A period of revision is essential in order to maximise the potential to pass the certification exam.
As noted earlier, the certification and exams assume that you have attained practical, hands-on experience spanning a significant period of time. As such, study and revision will be far more successful if you have the prerequisite experience than if you have limited or no experience in the certification you are seeking to attain.
You should revise and study insofar as you feel confident that you understand the subject matter well enough to attain a passing score. If you don’t feel confident that you will succeed in the exam, it is advised that you keep studying, revising and attempting practice questions until you are confident that you understand the subject matter intricately.
Booking the Examination
Once you are ready to book the exam, this must be booked through the (ISC)² portal at Pearson Vue (www.pearsonvue.com/isc2). You will need your Pearson Vue login details. If you do not have these details, you will be able to register on the Pearson Vue website.
Once you have logged in, you will be required to select the certification that you would like to sit the examination for. You will then choose a testing centre convenient to attend, then book a time at the testing centre to present for the exam. Following this, you will need to pay for the exam, or, if you have been supplied with an Examination Voucher by the Authorised Training Provider, enter the details. Once a time and location have been confirmed, you will receive a confirmation email with the examination details included.
The Examination Experience
It is recommended that you arrive at the testing centre ten minutes early so you can familiarise yourself with the location and be at ease. You will need to sign in at reception and a photograph will be taken of you. Following this, all of your belongings must be placed in a locker that will be provided to you. You will need to lock all items including telephones, watches, backpacks, hats, food and bottles of drink. You will be unable to access the locker for the duration of the examination.
You are unable to bring food and water into the examination room. It is advised that, as part of your preparations, you have a meal prior to the examination so that you are not hungry or thirsty during the exam. This will also assist you in your mental preparations for the examination. After all, who wants to sit a lengthy exam on an empty stomach?
All (ISC)² examinations are fully proctored. You will be monitored during the exam by Pearson Vue staff and you will be recorded via video.
A note on cheating
Cheating in the examination is not tolerated. (ISC)² does not tolerate any form of cheating and instances of cheating are severely punished. Persons found cheating can and have been banned from becoming an (ISC)² member for life.
The Examination Result
Upon completion of the examination, you will be advised by a Pearson Vue staff member whether you have provisionally passed the examination or if you have failed the examination.
If you have been notified that you have provisionally passed the examination, congratulations! This indicates that you have achieved a passing grade in your certification examination. Scores are not issued to those who provisionally pass. Scores are then sent to (ISC)² and the next stage of the certification process, submitting a statement of experience, endorsement by an (ISC)² member and agreeing to adhere to the (ISC)² Code of Ethics, begins.
If you have been notified that you have failed the examination, keep your head up high. (ISC)² examinations are difficult. This is why the certification is so prized and valued. It can seem disappointing to you at this time, but you will bounce back. You will revise again, take more practice questions and in time, your tenacity will see you succeed.
Undertaking an (ISC)² certification will open countless doors for you and your career. It is one of the most rewarding professional accomplishments that you can experience, and it will prove to you and the wider world that you truly are an experienced, valuable and certified cyber security professional. It is hard work, but it will be worth all of it in the end.