I'd like to share with you a detailed post I've written after passing CISSP last March. Hope it helps. The original will be hosted at securityartwork.es. I hope you'll find it useful.

Thank you.

--

In yesterday's post we saw some general aspects of CISSP certification, which can be expanded consulting the official website of (ISC)2. In this post I will go into detail on the non-formal aspects, such as materials, advice and personal opinions. Let's get started.

Is the exam difficult?

If you search on Google, the main user communities related to (ISC)2 are found on reddit and in the (ISC)2 forums. In both there are multiple entries relating opinions, experience with the exam, asking and giving advice, reviewing study materials and other topics. However, my impression is that the tone tends to be negative and somewhat frightening, terrifying even at times. Many people who have taken the exam describe it as very difficult and obscure with tricky wording. In addition, there are no "example" questions on the Internet, and the people who produce the training material (including the official question book) or teach the training courses (bootcamps) are never the same people who write the exam questions. Therefore, a critical element to manage during exam preparation is uncertainty.

In this respect, bearing in mind that I am not a native English speaker, the complexity of the questions from a linguistic point of view seemed quite correct to me. One- or two-sentence questions, without any special issues. I don't remember an abuse of double negatives or complex grammatical structures. From a global point of view the questions are also not tremendously difficult, although it is necessary to know the material and think the answers, avoiding to jump directly to the first one that sounds good or familiar. Usually you will be able to discard two of the answers easily, leaving two that both seem to be valid. As I point in the tips section at the end of the post, it is essential to search the key concepts of the question and the answers, read them at least a couple of times slowly and don't forget that risk management is almost always the first step for everything.

When talking about how hard is the exam, your experience is undoubtedly relevant. It will allow you to respond more or less naturally to the questions. In my case, I am CISA and CRISC, I have three years of experience as a systems administrator (from a fairly broad point of view), another three years as a security technician, in fields more related to IT security: event management, vulnerability management, monitoring, implementation of controls, etc., and finally, twelve years as GRC consultant focused on risk analysis and management, security assessments, ISMS, business continuity, privacy, policies and procedures, compliance, and so on. In total, with the exception of specific parts of some domains (specific security models, for example), my experience provided me with a good starting point for a large part of the CISSP contents.

So, is the examination difficult? In my opinion, it has an intermediate level of hardness, but that will depend a lot on each person's study methodology, knowledge and experience. In any case, it is an exam that can be passed with a reasonable amount of effort.

Does the exam reflect professional practice?

One of the criticisms made to the CISSP as well as to the CISM, of which I will speak in the next post, is that they do not reflect the professional practice, but to pass you have to apply the (ISC)2 or ISACA way of thinking, respectively. I do not agree, and I need to mention another of the things that are said about CISSP: think like a manager. You are not the system administrator responsible for server patching, but the manager in charge of supervising that the whole patching process is done correctly (which includes change management). Yes, maybe your daily tasks in the real world include patching servers, that's perfect, but that's not the point when studying or doing the CISSP examination. Let's see a rather obvious example question.

Recently a 0-day vulnerability that affects a critical web server of the company has been discovered, and for which the manufacturer has not yet issued a patch. What is the first action to take?

a) Stop the service and wait for the manufacturer to generate a patch.

b) Evaluate the risk associated with the vulnerability.

c) Manually change the version of the web server to reduce the possibility of an attack.

d) Call the CEO to inform her of the vulnerability.

For most people, it should be clear that the right choice is b). Stopping a business-critical service will not, in any case, be the first thing to do. Perhaps it will be stopped later, but first you will have to evaluate the risk (for which you have to talk to the business), decide on risk management options and consider potential compensatory measures, if appropriate. Manually changing the server version isn't either the first thing you would do, because that skips the whole configuration management, with implications, for example, in the case of a potential contingency or the updating process. Finally, the CEO may want to be informed (we don't really know, but that's really irrelevant), but without evaluating how serious the problem is, it would be a waste of her time. Maybe it's a 0-day that can only be exploited internally, or the vulnerability affects functionality not enabled on our server; are you really going to inform the CEO without having reliable information on the vulnerability impact?

As I said before, perhaps stopping services or changing the configuration of a web server is part of your daily tasks, but the point is that for CISSP you don't occupy that role. You are a manager, which basically means that any action must start from a risk assessment on the business, who has the last word for almost everything. This does not imply that in every adverse situation a formal risk analysis must be carried out over several months and a report presented to senior management. It means assessing vulnerability, exposure, probability of exploitation, impact on the business, motivation of the attacker, legal aspects, risk management options and mitigation cost, among others. And then decide what to do. And all that can be decided in a half-hour meeting between IT staff, affected business staff, the CISO and any other relevant role for the decision (compliance, for example).

We should also bear in mind that the CISSP assumes that the organization, unless otherwise stated, follows best practices in IT and information security management and governance. This implies that in general, it can be assumed that change management, configuration management, a business continuity plan, a defined IT organizational structure, etc. are in place. Maybe your current organization doesn't have that level of maturity and you are responsible for assessing the risk and also applying the necessary actions, but even then, you are implicitly assessing the risk. And finally, if you change a web server configuration or stop a critical-business service without thinking or taking into account the business, you are working badly and soon or later you will have serious problems.

One last thing. It is not true that there are two valid answers to the same question, nor that the exam questions are light years away from the CISSP study material. Yes, it may be not as simple as adding 2 + 2 and maybe it seems like there are more than one right answer, but at the end there is only one correct option.

Study materials

There are countless materials available to prepare for the CISSP, and with the necessary effort and time, it is difficult not to pass the exam, whether in one, two or three tries. In any case, if that is your situation (three tries), you should consider that you may be doing something wrong. Maybe you're not entering the exam with the right mindset, maybe you are focused on memorizing the technical details or the answers to the tests you've done, maybe you're not managing the exam time well, and so on. Among the existing materials, we can highlight some.

First of all, there is the specific book of the CBK, although according to the opinion of many people, it is hard/tough/dry to read and does not provide any relevant improvement to other alternatives with a more "pleasant" approach. There are several alternative materials, such as the study guide and official questions, the CISSP All-in-ONE (AIO) by Shon Harris, the Eleventh Hour CISSP Study Guide, Cybrary's free courses by the fantastic Kelly Handerhan, as well as multiple websites and applications to practice tests (Boson, CCCure, Skillset, Simplilearn, CISSP Pocket Prep App, etc.) and YouTube videos of exam preparation, example questions, etc.

The materials I used and some comments on them are the following (needless to say, I am not at all related to any of the authors) :

• CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 8th Edition (9/10). To me, this was the primary study resource. Although it is about 1000 pages, it is a book well written and probably I would not say that it is a pleasant reading, but you can go through it with some ease.
• Sybex CISSP Official (ISC)2 Practice Tests, 2nd edition (9/10). As a companion to the previous one, we have the official test material, which contains eight tests of approximately 100 questions each, one for each domain, plus four global tests of 125 questions. In total, about 1300 questions.
• 11th hour CISSP (8/10). This book, significantly shorter than the official study guide, allows for a quick review of all the concepts of the CISSP, in a a concise and direct way. It is a good book to give a quick review, although I barely gave time to it.
• Boson CISSP tests (10/10). To me, Boson's tests were the main resource for exam preparation, after reading the official book and the 11th hour CISSP. With five exams of 150 questions each, there are a total of 750 questions, with a very similar approach to the ones you will find in the exam, both in writing and toughness. The two main advantages of these tests are that they ease you to enter that "management role" I talked about earlier, and they provide very useful information about why one answer is the right one and the rest is not.
• Simplilearn CISSP free practice test (8/10). This test, which is freely available on the Internet, is composed of 250 questions maybe not as close to the test as in the case of Boson, but they are also near and are useful to detect weak points.

Finally, the day before the exam I saw a video by Kelly Handerhan on ten key aspects to take into account when facing the exam, where she talks about the importance of risk, the business goals priority, the non-technical approach or the necessary balance between asset protection and value, among other points. It is absolutely recommended.

Apart from these, the opinions that can be read in the forums is that the CISSP AIO is good, but perhaps goes too much into technical details. A resource that receives excellent reviews are Kelly Handerhan's videos on Cybrary.it, in which she reviews, in 13 hours (if I recall correctly), the eight domains of the CISSP. I don't know if it has subtitles, but with an intermediate level of English you can probably follow it without many problems. On the other hand, the Pocket Prep application was very useful to me to pass the CISM exam a couple of weeks later, but I didn't use it for the CISSP, so I can't give my opinion in this case, although in general the reviews I've read are good.

Final Tips

After a global review of the examination and certification, let's end with some advice, which I provide entirely on a personal basis:

• Unless you have a lot of problems with English (in which case it's difficult to prepare for the exam due to the lack of study materials, at least in Spanish), choose the exam in English. An exam of 250 questions and six hours is an important challenge, in which you will have to fight not only with the exam, but also with your motivation and the fatigue accumulated during the preparation and the day of the exam (before which you will foreseeably have had little sleep). On the contrary, in the adaptive version you will have a maximum of 150 questions to answer in three hours, and if you are lucky and prepared enough, in 100 questions you will be done, as was my case. The adaptive version doesn't allow you to go back to review previous questions, and that's something to keep in mind, so you'll have to devote a little more time to each question. In the worst case, you'll have about 1m15s per question, more than enough.
• Don't forget that you're not a technician. You are a manager and as such, your role is related to risk assessment and business goals. And this applies to CISSP and CISM. I insist, the first action to be taken will usually never be technical. Before shutting down a server, changing a rule in the firewall, updating a service, always, ALWAYS, there will be someone who, at least in his head, has assessed the risk and the implications for the business.
• Read the question two, three, or four times, slowly. Do the same with the answers. Look for the keywords and consider if it is asking you the first action, the best option, the most effective, the most efficient, and so on.
• Control the time but do not rush if it is not necessary. Do not jump quickly to give an answer if you are not sure (or even if you think you are right after the first reading). However, don't be discouraged if you have no idea of the answer to a question, and don't waste fifteen minutes on it, especially at the beginning of the exam. Reason the answer, eliminate potential wrong options, choose the option that sounds better to you and move forward.
• Although you already know that in the CISSP exam you are a manager, it should not be ruled out that you encounter some more direct questions with slightly "technical" details. As far as possible, memorize part of the material (that for which there is no other option than memorization) to get those sure points.
• Do a lot of tests. Repeat them, even if you have memorized the answer. Pay attention to explanations and understand why that is the right answer. Even though none of the questions from those tests will appear in the exam, not even those from the official materials, they will help you greatly to see your mistakes and teach you, above all, to analyze the question and the answers in the right way. Don't obsess about getting 70% or 80% in the practice tests, because ultimately you'll memorize the answers and the percentage ends up going up.
• Use common sense to discard options. For example, you may not remember at what stage of incident management the root cause is being searched for, but it is certainly not in detection, where we don't even know if it's a real incident or a false positive, nor in containment phase, which is when we are most focused on containing the impact (and don't have time for forensics or deep investigation).
• Identify concepts in the questions and answers that can provide you with information about the right option. For example, perhaps instead of "VPN" you see "secure remote access", or maybe there is no mention to "digital signature" but instead it mentions a "non-repudiation e-mail mechanism".

Finally, don't be discouraged by what you read on the Internet. The CISSP is a passable exam with a reasonable degree of effort, which in general will be inversely proportional to the professional experience you have in the eight domains of the CISSP.

Good luck.