ISSEP has officially been upgraded. The revised exam outline reflects the latest Job Task Analysis, and the new adaptive training is built to support systems security engineers with targeted, personalized instruction.
The platform adapts to your pace and confidence level, offering immediate feedback and dynamic content. Updated learning materials - including a revised eTextbook and study questions eBook - are now available to support your preparation.
If you specialize in systems security engineering, this is your opportunity to validate your expertise with a credential built for today’s challenges.
Learn more about the ISSEP updates: https://www.isc2.org/insights/2025/08/next-level-certifications-for-cissp
The CBK was brutal the first time so I get it. It may be easier for me to look at the Engineering perspective than you the Architect perspective - but then again go for the ISO 15288 - it does a really good job of spelling it out. I am teaching another vendor (Software Security Engineering) currently and just in going through the class I am teaching - it answered many of the questions that I encountered on my recent exam attempt. The other vendor just recently updated and I saw much of the content that I know that I missed today and yesterday. I actually have the CSSLP as well and it helps somewhat with the Engineer side (but not as much as you would think). The architect is not nearly as difficult as it seems. Just remember, back up further from the problem, look at it from a much higher vantage point, you got this.
Let me throw in a tweaked quote from a movie... since you have 60 days until you write it again.
"You got to put the past exam behind you before you can move on."
Believe me when I say the CBK was brutal enough, once through, twice through and I might consider bad things for myself. I recognized last week what part of my issue was, I am used to being in the weeds. Engineering from the EC Council side is primarily for entry level software and systems engineers, versus giving the 10,000 foot view - it is systematically from the roots up. This threw me off quite a bit, but I realized it last week when I taught the CASE.net for the State of Texas.
Their first two-three chapters were an excellent overview of engineering (straight out of the ISO's, NIST frameworks, etc.), something we tend to try to strap together they have as an integral part. We actually do a better job of teaching the high level content, they do a better job of teaching in the weeds.
Our CSSLP and CGRC are very relevant, if we can break the direct linkage between the software and systems (for CSSLP) and show a better relationship between policy and systems (for CGRC). Even the SSCP and CISSP have some relevance when you get down to it.
Can anyone help me with the best updated information for ISSEP materials and prep? I am new to the ISSE role and have a few months to take and pass the test per job requirement.
@hrod3112002 I passed mine using NIST documents. I have a CGRC and experience as well. I was very familiar with the most important ones and read the ones that I was not familiar with. I did read the CBK but it was only good from a historical perspective and knew that none of it would be testable because I know its history with the NSA. If you are not familiar with the NIST documents, this will be what you need to know: isc2.org/certifications/references#ISSEP I passed mine a few years ago; the exam objectives changed August 1, but the reference list seems to be the same. Make sure that you know the exam objectives. I keep them with me and review periodically to make sure I am on track. Best wishes.
@nkeaton thank you so much. I will definitely do my research. Any other tips please feel free to pass them along.
Many thanks,
Rod
Mango,
I hope all is well. I am getting ready for another attempt at the ISSEP. Wondering if you are doing the same? I'm combing back through the different postings - just grabbed IATF 3.1 Chapter 3 and Appendix J, wondering if I missed anything else?
Thank you sir.
Ervin
@nkeaton, Oddly enough going through the official practice exams, I began to notice something. This may be the one I do not get done, I noticed something strange - which goes against almost everything I do. I began to notice many of the answers involved bypassing talking to a user, instead go straight to documentation. It is something I am currently writing about in other articles, we are having a crisis within academia as this got mentality became prevalent - skip the end user and just design the solution space. I realize it "eliminates" the end user helping to "design the solution" space. Unfortunately, the perspective has continuously endangered our population. Effectively, many times we design a solution that fits to our best effort to our best understanding - but fails to address how the end user will use it.
Oddly the end-user was never really trained to use the solution as we (engineers) designed it. We train the first iteration which then passes most of the information to the second generation of etc., this occurs again between the second and third generation, etc. This process is called job crafting, I only pass on the information I want to pass on, any information not aligning with my preferred tasking is overlooked by each training generation. This process becomes the basis for hybridization and ultimately organizational hierarchy (senior engineers, management, etc.).
For instance, I am a technical trainer for other certifying bodies (EC Council, CompTIA, Cisco, etc.) - and I teach perspectives. So a thought, if I design a solution without sufficient user input (as a PM or as an ISSE) I can draw it as a process start and a feedback loop with the DevOps engineer. The missing component is no matter how much documentation I have in hand the end-user will seldom see or use it. As engineers we tend to look at how we see the problem, which is exactly what academia tells us to do - our end users neither see the problem as we see it nor do they engage with it as we engage with it. I realize the ISSEP is about engineering, but I am having a crisis as I am told to disregard the end-user over and over again.
If in doubt think about the last time you cracked open the engineering notes for Office 365?
Suggestions on overcoming this mindset?
@ervinfrenzel That is an interesting observation. I took the exam in 2023 before the latest exam objectives change. I also did not use any real practice questions for mine to compare my impressions of them. The ISSEP does lean towards governance and frameworks, and the questions in their training are most likely written by completely different people than the people that develop the actual exam questions. I can tell you that I did not notice any questions where the user was not part of the conversations. I already had the CAP (now CGRC) which probably helped a lot in the mindset needed to answer correctly. I did not read the IATF. It was the basis of this exam long ago when NSA used that document but is definitely not in the resources now: https://www.isc2.org/certifications/references#ISSEP I used the NIST documents. Most of them I am very familiar with and read the ones that I was not familiar with. I kind of know how you feel. I am having trouble thinking like ISC2 wants an architect to think. The way of thinking for ISSEP and ISSMP seemed pretty natural for me. Hopefully we both figure that out.