How I Prepared and Passed CISSP

I locked myself in for 2 months to prepare for the CISSP (Certified Information System Security Professional) exam, and now I’m back triumphant to tell the story. Yes, I just received the Congratulations email from ISC2. I’m sharing my experience here with a hope that it might be helpful to anyone who’s preparing to take the exam. There’s no doubt that it was THE MOST difficult exam I’ve ever taken.

Let me give you a general idea about this certification. CISSP is a security certification carried out by (ISC)², which is a globally recognized, vendor neutral organization for certifying information security professionals. To pass the CISSP exam you’ll have to be competent in 10 Domains of the Common Body of Knowledge (CBK):

• Access Control
• Application Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security and Risk Management
• Legal, Regulations, Compliance and Investigations
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Telecommunications and Network Security

To qualify to sit for the exams you need to:

Subscribe to the (ISC)² Code of Ethics.
Have a minimum of four years of direct full-time security professional work experience in one or more of the ten domains of the (ISC)² CISSP® CBK® or three years of direct full-time security professional work experience in one or more of the ten domains of the CISSP® CBK® with a college degree. Additionally, a Master’s Degree in Information Security from a National Center of Excellence can substitute for one year toward the four-year requirement.

Update: Effective 1 October 2007, professional work experience requirements for the CISSP will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP CBK domains. A new endorsement policy will also be in effect, requiring anyone who passes a CISSP, CAP, or SSCP exam to have their qualifications endorsed by another (ISC)² credential holder. These changes will not affect those who sit for an examination on or before 30 September 2007. For more information, please refer to the Experience Requirement Change FAQs.

The exam itself is 6 hours long, with 250 questions based on the 10 domains. 25 out of 250 questions are for research, but you’ll have to answer all of them, and there’s no way of knowing which one is which. So, 225 questions will be scored, and you’ll have to get 700 out of a possible 1000 points on the grading scale to pass. Different questions carry different weight (marks) and there’s no way to know which question carries how much marks. As of writing this, the exam costs US$ 499 if you register 16 days ahead of exam date or US$ 599 if you register later.

My Recommendation

The best book you can buy for your preparation is CISSP All-in-One Exam Guide, Third Edition (All-in-One) by Shon Harris. The most helpful place, with a lot of useful resources is CCCure.org web site. You can ask questions on the Forum or search for anything that you want to know about the exam. The forum is very lively, with a lot of CISSPs replying to your queries promptly. The Quizzer is another valuable tool to check yourself on where you stand, before starting the preparation and taking the exam. The quiz gives you a general idea about which domains or topics you’re weak in, this way you can devote more time to strengthen you weak areas. If you’re taking a self study route, you should view the flash based Exam Introduction and Overview by Clement, which provides a thorough overview of the CISSP Exam, with tips on how to prepare, how to study, what resources to use, and a whole lot more. I found it extremely useful.

How I prepared for the Exam

I chose a self study route, and devoted around 2 months for the preparation. Locked myself in and had very little to no time for the family, I’d told them what I was up to, both my wife and son were very supporting. Every weekday I would dedicate 3 to 4 hours, and on weekends 5 to 6 hours for preparation. The last week before exam, I took leave from work and dedicated around 12 hours straight everyday for 7 days. To cope with the physical and mental tensions I did 45 minutes yoga in the morning and 20 minutes meditation in the afternoon. I took a break or stretched for 5 to 15 minutes after every 1 or 2 hours of studies. Even with these precautions, there’re times when mind goes wild and body aches like hell :).

Because of my experience at work and previous studies, I was already familiar with most of the topics in Telecommunications and Networking, Cryptography, Operations Security, and Security Architecture and Design. I was ok with remaining domains but the Physical Security and Legal, Regulations, Compliance and Investigations were quite new to me.

My Study Materials
1. CISSP All-in-One Exam Guide, Third Edition (All-in-One) by Shon Harris
2. Mike Meyers’ CISSP(R) Certification Passport by Shon Harris
3. CCCure.Org (Quiz, Forum, and Summarized Concept)

Phase 1 (approx. 20 days)
I read CISSP All-in-One Exam Guide, Third Edition (All-in-One) by Shon Harris page by page first, then took the practice questions at the end of each chapter to see how I retained the material. As I was progressing, I had a feeling that I was forgetting the earlier chapters.

Phase 2 (1 day)
Took 250 questions quiz from CCCure Quizzer (select all 10 domains, difficulty pro, closely related, shuffle answers, review only incorrect answers, activate timer). The results of the quiz gave me a clear indication on which domain I was weak. I saved the results in Google Docs, so that I would be able to refer back to it later. I scored 76%.

Phase 3 (approx. 15 days)
Based on the results of the quiz, I prioritized to review the domains, starting with the one that I scored least. In this phase I read All-in-One book page by page for the second time, and after completing each chapter I took the CCCure Quizzer, 100 questions (select only one domain, difficulty pro, closely related, shuffle answers, review only incorrect answers, activate timer). The results suggested me which topics I needed to review within each domain. I saved each quiz results in Google Docs, so that I would be able to refer back to it later. I was scoring over 80% in each of the 10 domains.

Phase 4 (approx. 10 days)
For each domain I reviewed the questions and answers that I got incorrect. I narrowed down my preparation and zoomed down to the individual topics from the incorrect answers. After revising all the topics across all 10 domains that needed attention, I took the same quiz, 100 questions (select only one domain, difficulty pro, closely related, shuffle answers, review only incorrect answers, activate timer). By now I was scoring above 90% in each of the 10 domains.

Phase 5 (approx. 15 days)
The CD included in All-in-One book has a Total Tester Software with a lot of questions (60 to 100+ per domain). Took test for each domain. After taking the test from CD, read All-in-One book for the third time, but this time I just read the headings, subheadings, flipping, and skipping the pages, only stopped to read the topics which pulled my attention. When there were 2 days left for the exam, I started reading Mike Meyers’ CISSP(R) Certification Passport, it’s a very well summarized book which contains most of the concepts necessary for the exams. I highly recommend this book at the end of your preparation. On the last night before I went to bed I read the study guide (cram) that was produced by Michael Overley and improved by Jane E. Murley.

The Exam day

I was quite satisfied with my overall preparation, but that couldn’t help me with the anxiety and anticipation. I’d read a lot of horror stories at CCCure Forum about the exam questions. I went to bed early the night before exam, but found it quite difficult to fall asleep, anyway got around 5 hours of sleep. Woke up early on the exam day, did 45 minutes yoga, and had a heavy breakfast. I went to the exam center with some energy bars, a bottle of water, a pack of HB No. 2 pencils, a sharpener and an eraser. 2 pencils are provided by the ISC2 but aren’t that good, so I highly recommend you to take your own pencil, eraser and sharpener. I had brought a jacket with me and put it on throughout the exam. It was quite cold. You should be prepared for warm or cold condition.

The exam was physical, mental as well as English test. After 3 hours of sitting, my neck was like one big knot. I ate one energy bar, around half a liter of water, and went to toilet twice. Some questions didn’t make any sense at all.

If I had to break the questions, it would be something like this:

• Around 5% were straight forward. One line question and very obvious answer.
• 20 – 25% of the questions were very tricky, not difficult but needed to watch the keywords like NOT, WORST, BEST, etc. The practice quiz helped me a lot on watching the keywords.
• 20% either didn’t make any sense to me in English or were like questions from another subject. Maybe they were the research questions.
• 50 to 60% of the questions were similar to the CCCure quiz and All-in-One CD questions. They were just similar in construction and difficulty, but none were exactly the same.

All 100% of the 250 questions were the ones I saw for the first time. I’d never seen any of those questions in the quiz or practice questions. I circled the answers to my first 125 questions in the question booklet in around 2 hours. Then I copied (marked) those answers to the answer sheet, which took around half an hour. After that I started marking the answers directly to the answer sheet. I think marking directly to the answer sheet is a better idea, it’ll save you some time. It took me 5 hours to finish all 250 questions. Initially I’d put a question mark in the question booklet at those questions which I was not sure of. So, came back and reviewed the answers of those not-sure questions, ended up changing 8 answers. I didn’t have time to review all the questions, and may be that was a good thing :). I was quite sure that I got around 50 to 60% correct, but came out exhausted, and was not sure if I would pass.

Post Exam

The wait after the exam is even worse than the preparation or taking the exam. In some cases the results are emailed as early as 5 days. So, after 5 days I kept on checking my email every few minutes, hoping to see the results. Also visited the Forum to see if anyone would post anything about the exam in Hong Kong on 22 April. Finally the results came in, exactly after 10 days, I opened the email and saw the word Congratulations!, That’s it. I felt like I’d let go of 100 pound weight from my shoulder, and felt as if my body had melted on the chair I was seating. A very pleasant feeling followed and I thought the time, effort and money spent were worth it.

After getting the results you need to get an endorser to sign the endorsement form and send it to ISC2 together with your resume. The endorser must be either one of the certificates holder, such as CISSP, GIAC, MCSE, MCDBA, CISM, CISA or company’s CEO, CIO, Managing Director, Executive Director or Managing Partner. I’ve already sent the signed endorsement with my resume and am now waiting for the official certificate.

Conclusions

The CISSP Exam is all about concepts. If you know the concepts well, you can pass, but don’t underestimate it, there’re a hell lot of concepts to remember. I think you need to have some experience in the field, otherwise it would be too difficult to just study and remember the concepts. Make a study plan and follow it. Read each and every page of the All-in-One book. Do as many as possible practice questions and quiz as you can. The preparation and exam both are physical as well as mental challenges so, take care of your body and mind too.