I just purchased the ISSEP CBK. (pub September 29, 2005)
I had considered getting the certification a few years ago, but held up due to the age of the study materials.
Is this book current enough to support passing the exam?
Does anyone that recently passed the exam have additional study recommendations?
I was already planning on reading Security Engineering by Ross Anderson again as well as the CBK, and will likely use the cccure.org test engine.
Other than that I'm at a bit of a loss.
What did you use for study materials?
I used a host of material, but I found the CBK Fourth Edition book to be really handy. I coupled the reading with the CyberSecStudy podcast, which is dictated directly from the CBK. The last week I used CCCure for practice tests. I would advise waiting until you can pass the full practice exam with at least 85% at least 4 times before attempting the real deal. I passed the exam the first time in 2 hours and 40 minutes. The real test is close to the CCCure material.
Hi, it's been about 3 years since I passed the exam. I found the 2005 ISSEP CBK woefully out of date. I ended up taking the ISC2 training course (the week long in-person version). While that was ok, additional review of the NIST 800 series pubs (800-53 series) and the ISSEP Candidate Information Bulletin (CIB) are in order. The CIB, in particular, will fill you in on the current publications that the exam points back to. That's what you want to review. Realize some of those pubs may be out of date or no longer active, but you may still find them important to getting through the exam.
Hope that helps and Good Luck!
Checking out the NIST docs and ISSEP Candidate Information Bulletin (CIB) now.
I've been looking into it. It's relevant to what I want to focus on in my career. However, the exam outlines and study materials seem a bit out of date. For instance, it is my understanding that DIACAP has been superseded by a new RMF for DoD IT which is NIST RMF aligned. I don't have direct DoD experience, though I've done a bunch of FIPS, Common Criteria and CSfC stuff. I just don't know if it is worth doing a concentration which is so focused on standards and compliance if the standards are out of date -- anyone know if/when the material might be getting a refresh?
While there is some focus on DoD processes (reflecting that this concentration was established with help from NSA), the processes in the NIST 800 series apply across the US Government. I believe there was a move to update the concentration area a year or two ago, but it was delayed. I'm guessing that is because the NIST guidance was still being finalized and revised, so rather than update and have to immediately update again, a pause was in order.
While DoD experience is helpful, I didn't feel like my personal DoD experience was essential to doing well on the exam. Information System Security Engineering knowledge is not just government specific. While the current test may need revision, I think the intention is to demonstrate you know the ISSE Process, and you understand where supporting government standards and frameworks come from.
Thanks, that's a good response. I know it isn't all government -- I've worked for a number of security product vendors in engineering roles, in addition to doing both conformance and efficacy testing. It's stuff I like much better than the DFIR work that I've done in the past. A few months ago I left a CC/FIPS lab to move to Texas to take a job testing breach prevention systems for efficacy. It's interesting to say the least, but I suspect that in a few years we'll move back to the DC area and I'd like to go full govt, or do contracting. With a CISSP and CSSLP I'd be eligible for IASAE II. I need the ISSEP for level III positions.
It's on my roadmap regardless (will be doing the OSCP here shortly, since I still touch a lot of red team type stuff while doing efficacy testing of security solutions), but I'm just interested in whether there will be a refresh in, say, a year or whether it will be a ways off to determine what my actual timeline is.