There appears to be a major flaw in the way (ISC)2 releases major updates to certification exams. There are multiple threads in the community asking for updated CBK books to match the already announced updated exams. In several instances the (ISC)2 staff cannot even provide a release date for the new book.
Simple logic suggests that the standard order of release to the public should be as follows.
1. Announce major CBK review for the certification.
2. Announce completion of the CBK review, with tentative release schedule for new CBK book andd exam.
3. Release the FAQ and summary of the new CBK, with tentative release dates for the new CBK book and the exam.
4. Publish the complete updated CBK book with release dates for training courses and exam, set as three months after publication of the book.
5. Release the updated training course.
6. Implement the updated exam, based on the new CBK.
During the period between completion of the new CBK analysis and implementation of the updated exam, review every question in the exam question pool to ensure that each one is covered within the new CBK objectives and domains, and that the question and answer set are consistent with the new CBK. This 100% review will ensure that out-of-date content is not inadvertently carried over from the old pool to the new one.
The current practice of not releasing updated CBK books and courses until after implementation of the new exam is causing tremendous frustration to aspirants for multiple certifications.
Good morning, Craig,
I totally agree with the logical steps you have listed. They make sense.
I would add one more step, which is to allow a transition period of six months like all other certification bodies does. This way people that have studied most of the old CBK domains don't have to start over again, don't need to buy new resources, etc...
The last update that came out in April 2018 was more a minor revision than anything else. There were very very minimal changes and I don't understand WHY it is taking so long for the official book and other resources to catch up. The competing commercial resources have been updated within a very short time frame.
In fact, it seems like the update was done to manage customer perception of the value of the CISSP. After three years without any updates, a certification is usually due for a major update. So the pressure was on to manage that expectation on the marketing side. I am hoping the next revision will be more thorough.
I would like to pile on and agree with Dr. Shelton. My company wants me to get the CISSP-ISSEP. It is my understanding that the exam was recently updated and that the training material is in the process of being updated. The new CBK has not been released.
I have spent the $1995 to purchase the ISC2 self paced training for ISSEP. I find that it is poorly written. The videos are short 3-5 minute videos that are very high level. I doubt their training is designed with the Adult Learning Model in mind. It is poorly organized and so fragmented that it is difficult to follow along with any consistency. So without a CBK to back it up I feel that I will be poorly prepared for the exam.
When working toward my CISSP I was able to lean on books like the Shon Harris Book, the ISC2 CBK, and other 3rd party books. With ISSEP and the recent changes there really is no respectable study material available.
I recommend that ISC2 consider Dr. Shelton's update process and make sure that the training material is released and closely corresponds to the test material.
The exam and study doesn't need to be easy but in my opinion to be credible the CBK is as important as the test.
Jeffrey Ketts, CISSP
I completely agree about the ISSEP training. FYI, I took the ISSEP exam after preparing extensively using the training materials and failed due to the fact that only about 5% of the content on the exam had anything at all to do with the content in the ISSEP training. 100% waste of money and unfortunately there are no other preparation materials available due to the fact that the CBK has not been released, as Jeffrey @Eagle85 mentioned.
After three years without any updates, a certification is usually due for a major update.
I just encountered confirmation of a three year cycle in "Inside the (ISC)² Certification Exams" (InfoSecurity Professional Nov/Dec 2018, page 8).
6. Implement the updated exam, based on the new CBK.
I suspect that this is not implementable due to an ISO-17024 requirement:
Offering both training and certification is a threat to impartiality. Offering training and certification in the same body increases the possibility that instructors will” teach to the test” or try to influence the content of the exam. If the certification body offers training and certification, the certification body must demonstrate the independence of certification activities from training activities to ensure that confidentiality, information security and impartiality are not compromised. This includes not requiring a candidate take the certification body training if an acceptable alternatives are available and not allowing trainers to participate as examiners for two years.
It would not surprise me to learn that the Candidate Information Bulletin (i.e. topics and references) is the only thing shared between the two teams. After all, maintaining their ISO-17024 accreditation is probably (ISC)²'s numero uno priority.
To Follow up. I recently sat for and provisionally passed the CISSP-ISSEP exam 3/2019.
I paid for and took the ISC2 ISSEP Self Paced Training.
1) This course is very fragmented and difficult to go through. 5 minute videos not linked. Independent reading that requires access to Govt. Websites. Broken links and more.
2) This course does not relate well to the questions on the test.
3) My opinion is ISC2 should not be in the training business.
I looked at an a copy of the ISC2 ISSEP CBK. This is an outdated resource.
I took the FedVTE ISSEP online training. This was pretty good material and covered the concepts addressed in the test. I think this was helpful.
I read through (not study) all of the of the NIST 800 series, and the FIPS 199, 200, and 140-2, DoD 5000.1. I also read through many of the CNSSI and OMB documents. I was very familiar with Clinger Cohen Act and FISMA.
Despite all of the study and reading I did what I felt was the most helpful in passing this exam was life experience. Having worked as a System Engineer, Quality Control, as a build manager, and even some time in acquisition all played into how I answered the questions.
This was a difficult exam because it is application of the CISSP in an engineering environment.
Your training is not valuable and costs way to much for the value added. It is my recommendation that you outsource training to experts in this field. I recommend that you update the CBK to reflect the material and resources that are the basis for your questions. It should focus on the SDLC and the Systems Engineering V and the application of the regulations to these things. If you update the test you should update the training material.
FOR THOSE TESTING:
Read all of the NIST and DOD documents that you use to do Authentication and understand the Systems Engineering V. Also the software development lifecycle and how to apply security to it. If you have the life experience as an SSE or Systems Engineer you should be able to pass this.
Wishing you great success on your exam. May you all pass the first time.
Jeffrey Ketts, CISSP, Security+ CE, CMSP
Congratulations and welcome to the most exclusive ISC2 certification club! (Not including the regional certifications no longer offered by ISC2.)
I was told by someone apparently in the know that only 30% of ISSEP exam attempts result in a pass, so you should feel very proud of your achievement!