Executive Summary:

The CISSP is a six-hour, 250-question exam that requires careful preparation and the proper tools. I found two books and one boot camp as well as additional Web resources that helped me. Plus I used tried-and-true test preparation strategies, from setting up a regular study program to visiting the testing room the day before the exam. Studying for the Certified Information Systems Security Professional exam is a journey I recommend to all security professionals.

This month's Toolbox dives into the tools that can help you prepare for the Certified Information Systems Security Professional (CISSP) exam, the highly regarded certification program for security professionals. Other competing certifications have sprung up over the past few years, but search a job board such as Monster using the keyword CISSP, and you’ll see the value prospective employers place on the CISSP certification. The governing body, Information Systems Security Certification Consortium—(ISC) ²—strictly controls the administration and integrity of the exam, and the six-hour, 250-question exam is tough. Recently, I went through the process of qualifying and preparing for the CISSP exam, and I discovered some tips and tools that might help you.

Qualifying to Take the CISSP Exam
The first step to becoming CISSP certified is to research the qualifications necessary to take the exam by going to the organization's Web site at iisc2.org. The standard registration fee is $599 (but register early and you'll save $100). As of October 2007, to qualify for the exam, you must have five years of professional experience in the information security field or three years of experience plus a college degree. Additionally, another (ISC) ² credential holder needs to vouch for your experience.

The realm of information about a subject is often referred to as the common body of knowledge (CBK). The CISSP CBK spans 10 domains: Access Control, Application Security, Business Continuity and Disaster Recovery Planning, Cryptography, Information Security and Risk Management, Legal, Regulations, Compliance and Investigations, Operations Security, Physical (Environmental) Security, Security Architecture and Design, and Telecommunications and Network Security.

You must have a solid understanding of each of these 10 domains and be able to jump from one domain to another throughout the exam. For example, one question might involve comparing the configuration options for a successful Closed Circuit Television (CCTV) camera installation, and the next might ask you to compare the strength and applicability of various encryption algorithms.

Many different tools can help you prepare for the exam. First, you must recognize and understand your methods for successfully remembering (and recalling) many technical facts and detailed processes, and then find the study aids that work most effectively for you. Below you'll find the approach I took toward becoming a CISSP.

Boot Camps and Review Courses
A boot camp is a fast-paced course aimed at covering all 10 domains in about a week's time. I attended the SANS Institute's SANS +S Training Program for the CISSP Certification Exam: Management 414. This intense six-day course began each day at 8 A.M. and ended at 5 P.M., and was followed by a two-hour evening study session for questions and answers. Boot camp was my first step toward the CISSP exam—for me, it framed the relevant material in a convenient package that I later used to plan my subsequent studies. In hindsight, I would probably read a CISSP textbook before attending a boot camp.

Reading Materials
Many books can help you study for and pass the CISSP exam. I recommend searching Amazon.com and reading the book reviews—often they give you good information about the author’s style, accuracy of information, and even general tips on taking the CISSP exam. One comment seemed generally agreed upon—don’t look for a “brain dump” or other type of exam simulator from which to memorize questions to pass the exam. Memorization is important in passing the exam (e.g., can you list all of the popular asymmetric and symmetric ciphers and the pros and cons of each?), but it’s more about memorizing the material instead of memorizing exam questions. One fact is certain: You'll understand information security better after studying for the CISSP exam.

I used two popular books: CISSP All-in-One Exam Guide, Third Edition by Shon Harris (McGraw-Hill Osborne Media, 2005); and Official (ISC) ² Guide to the CISSP Exam by Susan Hansche, John Berti, and Chris Hare (Auerbach Publications, Div. of CRC Press, 2003). Both books are just shy of 1000 pages and do a good job covering the 10 domains. Both also offer practice questions at the end of each chapter and include a computer-based practice exam containing hundreds of questions.

The books' styles, however, are different. I enjoyed the author’s witty style in the CISSP All-In-One Exam Guide. The CISSP CBK can be fairly dry, but Shon Harris spices it up with anecdotes and dry humor. Some might find her style distracting, but it helped keep my interest high during my late-night study sessions. The Official (ISC) ² Guide is academic and reads more like a college textbook. I recommend it because it’s published by (ISC) ², and it seemed to me the content would have a higher likelihood of matching the actual content on the exam. During my boot camp training, I heard several comments to the effect that passing the CISSP exam means you know how to answer the questions as (ISC) ² would answer the questions, which might be different from real life. This is another reason why I recommend using study materials from the same source as the exam.

Practice Exams
Take as many practice exams as you can find. Practice exams ensure that you have a good understanding of the material that might be covered on the exam. However, be skeptical of claims that a practice exam is just like the CISSP exam—I didn’t feel that any of the practice exams I took matched the actual exam. You can get official (ISC) ² recommendations of online study material at its Web site.

Online Assistance
A few Web sites offer study assistance for the CISSP exam, including practice exams and forums for candidates to ask questions or talk with one another. CCCure.org is a popular site, but I didn’t spend much time there. As I said earlier, it’s important to find your own “success factor” in studying for an exam, and mine never included strong participation in study groups. But if you thrive in a collaborative study environment, then I suggest looking for a Web forum where you can bounce comments and questions off others.

The Day Before the Test
As I studied, I got a refresher lesson in how to increase your chances of passing a long multiple-choice exam. The idea is to minimize any potential last-minute distractions that could affect your performance. I read the (ISC) ² guidelines several times to ensure I brought the proper things: extra pencils, erasers, earplugs, layered clothing, a snack, and a bottle of water. I took my exam in a different city, so I drove there the day before and checked into the hotel hosting the exam. I walked to the exam site and even sat in the exam room the night before to get its “feel.” It wasn’t unlike a recon mission prior to a complex operation: Preparing for any sort of environment—hot, cold, noisy—helps offset possible distractions.

Mission Accomplished
The exam is daunting but not impossible. The key is to understand how you best study for and pass exams and then map a study program that accentuates your strengths and takes advantage of the best tools.