I'd like to share with you a detailed post I've written after passing CISSP last March. Hope it helps. The original will be hosted at securityartwork.es. I hope you'll find it useful.
In yesterday's post we saw some general aspects of CISSP certification, which can be expanded consulting the official website of (ISC)2. In this post I will go into detail on the non-formal aspects, such as materials, advice and personal opinions. Let's get started.
Is the exam difficult?
If you search on Google, the main user communities related to (ISC)2 are found on reddit and in the (ISC)2 forums. In both there are multiple entries relating opinions, experience with the exam, asking and giving advice, reviewing study materials and other topics. However, my impression is that the tone tends to be negative and somewhat frightening, terrifying even at times. Many people who have taken the exam describe it as very difficult and obscure with tricky wording. In addition, there are no "example" questions on the Internet, and the people who produce the training material (including the official question book) or teach the training courses (bootcamps) are never the same people who write the exam questions. Therefore, a critical element to manage during exam preparation is uncertainty.
In this respect, bearing in mind that I am not a native English speaker, the complexity of the questions from a linguistic point of view seemed quite reasonable to me. One- or two-sentence questions, without any special issues. I don't remember an abuse of double negatives or complex grammatical structures. From a global point of view the questions are also not tremendously difficult, although it is necessary to know the material and think through the answers, avoiding jumping directly to the first one that sounds good or familiar. Usually you will be able to discard two of the answers easily, leaving two that both seem to be valid. As I point out in the tips section at the end of the post, it is essential to search for the key concepts in the question and the answers, read them at least a couple of times slowly and don't forget that risk management is almost always the first step for everything.
When talking about how hard the exam is, your experience is undoubtedly relevant. It will allow you to respond more or less naturally to the questions. In my case, I am CISA and CRISC, I have three years of experience as a systems administrator (from a fairly broad point of view), another three years as a security technician, in fields more related to IT security: event management, vulnerability management, monitoring, implementation of controls, etc., and finally, twelve years as a GRC consultant focused on risk analysis and management, security assessments, ISMS, business continuity, privacy, policies and procedures, compliance, and so on. In total, with the exception of specific parts of some domains (specific security models, for example), my experience provided me with a good starting point for a large part of the CISSP contents.
So, is the examination difficult? In my opinion, it has an intermediate level of hardness, but that will depend a lot on each person's study methodology, knowledge and experience. In any case, it is an exam that can be passed with a reasonable amount of effort.
Does the exam reflect professional practice?
One of the criticisms made of the CISSP, as well as of the CISM, of which I will speak in the next post, is that they do not reflect professional practice, but that to pass you have to apply the (ISC)2 or ISACA way of thinking, respectively. I do not agree, and I need to mention another of the things that are said about CISSP: think like a manager. You are not the system administrator responsible for server patching, but the manager in charge of supervising that the whole patching process is done correctly (which includes change management). Yes, maybe your daily tasks in the real world include patching servers, that's perfect, but that's not the point when studying for or taking the CISSP examination. Let's see a rather obvious example question.
Recently a 0-day vulnerability has been discovered that affects a critical web server of the company, and for which the manufacturer has not yet issued a patch. What is the first action to take?
a) Stop the service and wait for the manufacturer to generate a patch.
b) Evaluate the risk associated with the vulnerability.
c) Manually change the version of the web server to reduce the possibility of an attack.
d) Call the CEO to inform her of the vulnerability.
For most people, it should be clear that the right choice is b). Stopping a business-critical service will not, in any case, be the first thing to do. Perhaps it will be stopped later, but first you will have to evaluate the risk (for which you have to talk to the business), decide on risk management options and consider potential compensatory measures, if appropriate. Manually changing the server version isn't the first thing you would do either, because that skips the whole configuration management process, with implications, for example, in the case of a potential contingency or the updating process. Finally, the CEO may want to be informed (we don't really know, but that's really irrelevant), but without evaluating how serious the problem is, it would be a waste of her time. Maybe it's a 0-day that can only be exploited internally, or the vulnerability affects functionality not enabled on our server; are you really going to inform the CEO without having reliable information on the vulnerability impact?
As I said before, perhaps stopping services or changing the configuration of a web server is part of your daily tasks, but the point is that for CISSP you don't occupy that role. You are a manager, which basically means that any action must start from a risk assessment on the business, which has the last word for almost everything. This does not imply that in every adverse situation a formal risk analysis must be carried out over several months and a report presented to senior management. It means assessing vulnerability, exposure, probability of exploitation, impact on the business, motivation of the attacker, legal aspects, risk management options and mitigation cost, among others. And then deciding what to do. And all that can be decided in a half-hour meeting between IT staff, affected business staff, the CISO and any other relevant role for the decision (compliance, for example).
We should also bear in mind that the CISSP assumes that the organization, unless otherwise stated, follows best practices in IT and information security management and governance. This implies that in general, it can be assumed that change management, configuration management, a business continuity plan, a defined IT organizational structure, etc. are in place. Maybe your current organization doesn't have that level of maturity and you are responsible for assessing the risk and also applying the necessary actions, but even then, you are implicitly assessing the risk. And finally, if you change a web server configuration or stop a business-critical service without thinking or taking the business into account, you are working badly and sooner or later you will have serious problems.
One last thing. It is not true that there are two valid answers to the same question, nor that the exam questions are light years away from the CISSP study material. Yes, it may not be as simple as adding 2 + 2 and maybe it seems like there is more than one right answer, but in the end there is only one correct option.
There are countless materials available to prepare for the CISSP, and with the necessary effort and time, it is difficult not to pass the exam, whether in one, two or three tries. In any case, if that is your situation (three tries), you should consider that you may be doing something wrong. Maybe you're not entering the exam with the right mindset, maybe you are focused on memorizing the technical details or the answers to the tests you've done, maybe you're not managing the exam time well, and so on. Among the existing materials, we can highlight some.
First of all, there is the specific book of the CBK, although according to the opinion of many people, it is hard/tough/dry to read and does not provide any relevant improvement over other alternatives with a more "pleasant" approach. There are several alternative materials, such as the study guide and official questions, the CISSP All-in-One (AIO) by Shon Harris, the Eleventh Hour CISSP Study Guide, Cybrary's free courses by the fantastic Kelly Handerhan, as well as multiple websites and applications to practice tests (Boson, CCCure, Skillset, Simplilearn, CISSP Pocket Prep App, etc.) and YouTube videos of exam preparation, example questions, etc.
The materials I used and some comments on them are the following (needless to say, I am not at all related to any of the authors):
Finally, the day before the exam I saw a video by Kelly Handerhan on ten key aspects to take into account when facing the exam, where she talks about the importance of risk, the business goals priority, the non-technical approach or the necessary balance between asset protection and value, among other points. It is absolutely recommended.
Apart from these, the opinion that can be read in the forums is that the CISSP AIO is good, but perhaps goes too much into technical details. One resource that receives excellent reviews is Kelly Handerhan's videos on Cybrary.it, in which she reviews, in 13 hours (if I recall correctly), the eight domains of the CISSP. I don't know if it has subtitles, but with an intermediate level of English you can probably follow it without many problems. On the other hand, the Pocket Prep application was very useful to me to pass the CISM exam a couple of weeks later, but I didn't use it for the CISSP, so I can't give my opinion in this case, although in general the reviews I've read are good.
After a global review of the examination and certification, let's end with some advice, which I provide entirely on a personal basis:
Finally, don't be discouraged by what you read on the Internet. The CISSP is a passable exam with a reasonable degree of effort, which in general will be inversely proportional to the professional experience you have in the eight domains of the CISSP.
Thank you for the two additional resources.
When talking about "example" questions, I was referring not to questions along the lines of the exam ones, for which there are some good resources, but to questions that have *really* appeared on an exam. There are not, as far as I know, any resources containing those questions, due to the NDA every CISSP candidate must adhere to, which gives the exam candidate a feeling of insecurity and uncertainty about what to expect. I think that is one of the main psychological challenges of the CISSP exam (and I do not think that is bad, btw).
Ok, let's address this, because this is something I hear with a lot of certification tests, and something that many don't get.
This is part of being ANSI certified for their certifications, which most other certifying bodies (ISACA, EC-Council, CompTIA, etc.) follow.
The test bank can NOT be made available to people. Period.
Most groups will have available a set of sample test questions. ISC2 has that with their publications. ISACA has a set of QAE (Questions, Answers, Explanations) for all their certs. Not sure on other groups. With these groups, due to the rules for being ANSI-certified certs, the people who develop the test questions are separate from the people who develop the sample/QAE questions. The sample can't be retired questions, either. Ideally both these questions should be created in-line with the CBK.
Funny thing is, I took a membership exam from another organization which has a set of certifications. The actual bank of questions for these was made available to people to study from. But the idea was you need to understand the questions, not memorize them, because, for instance, the membership exam was 100 questions from a bank of 1000. Good luck memorizing that. I think things will change with their certification as they are seeking ANSI certification for it.
ANSI requires stuff like separation between the testing and certifying group. SANS has separated GIAC from them, though this isn't required. Hence the separation between the people creating the test questions and the sample questions, etc.
Others, feel free to add to or correct what I say here.