CISSP (Certified Information Systems Security Professional) is a certification granted by the organization ISC2 (International Information System Security Certification Consortium).
This post explains how you can prepare the exam to apply for CISSP certification.
To find more information about the CISSP certification itself, please check the main post.
Frequently Asked Questions (FAQ) about the exam
How long do I need to prepare the exam?
It depends on how much you know about the topics, how many hours per week are you going to invest, how good or used you are to prepare this kind of exams, etc.
My guess is that the average would be between 3 and 6 months.
What is the recommended material for exam preparation?
Books
There are ISC2 official preparation books, that are also sold as a bundle:
- “CISSP Official Study Guide”, published by Sibex
- “CISSP Official (ISC)2 Practice Tests”, published by Sibex
The study guides summarizes the official CISSP CBK Reference, so you do NOT need to buy this official book to pass the exam:
- “The Official (ISC)2 Guide to the CISSP CBK Reference”, published by Sibex
In addition there are other unofficial study guides and practice tests, but I did not try them myself.
Examples of non-official books:
- “CISSP All-in-one Exam Guide”, by Fernando J. Maymi and Shon Harris, published by McGraw Hilll Education
Video
There are YouTube channels, like “Free Study CISSP Questions from the Day by IT Jojo“.
You can also attend preparation courses.
Do I need to memorize the studying material?
Most of the study guide is understanding a concept, and once is well understood and you learn the typical questions about these concepts, you do not need to review them anymore.
However, there are specific topics where you need to memorize some information.
Taking into account CISSP Official Study Guide, Ninth Edition (2021, Wiley) and corresponding CISSP Official Practice Tests (2021, Wiley), I would spend special attention to the following points:
Kim Cameron’s 7 laws of identity
- Chapter 1
- Differences between Due Diligence and Due Care (p. 23)
- Microsoft’s STRIDE acronym (p. 27)
- Seven steps of PASTA methodology
- Chapter 2
- Risk Management Model (RMM) levels (p. 78)
- NIST’s Risk Management Framework (RMF) phases (categorize, select, implement, assess, authorize, monitor)
- Chapter 3 “Business Continuity Plan”
- Project Scope and Planning parts (p. 115-120)
- Annual Rate of Occurrence (ARO) calculation (p. 125)
- Single Loss Expectancy (SLE), Annual Loss Expectancy (ALE) calculations (p. 127)
- BCP Documentation (Continuity Plan Guide, Statement of Importance, Statement of Priorities, Statement of Organizational Responsibility, Statement of Urgency and Timing, Risk Assessment, Risk Acceptance/Mitigation, Vital Records Program Emergency Response Guidelines, Maintenance, Testing and Exercises) (pp. 132-136)
- Chapter 4 “Laws, Regulations, and Compliance”
- Publication of laws (criminal+civil in US Code, administrative in Code of Federal Regulations, CFR)
- Computer Crime Laws (by its initials)
- Computer Fraud and Abuse Act (CFAA) (pp. 148-149)
- Comprehensive Crime Control Act (CCCA) (p. 148)
- Federal Sentencing Guidelines (p. 150)
- Federal Information Security Management Act (FISMA) (p. 150)
- Intellectual Property (IP) laws
- Copyright Law and Digital Millennium Copyright Act (DMCA) (pp. 152-154)
- Privacy Laws (by its initials)
- Communications Assistance for Law Enforment (CALEA) (p. 161)
- Health Insurance Portability and Accountability Act (HIPAA) (p. 161-162)
- Children’s Online Privacy Protection Act (COPPA) (p. 163)
- Gramm-Leach-Biley Act (p. 163)
- USA PATRIOT Act (pp. 163-164)
- Family Educational Rights and Privacy Act (FERPA) (p. 164)
- European Union General Data Protection Regulation (GDPR) (pp. 166-167)
- Canada’s Personal Information Protection and Electronic Document Act (PIPEDA) (pp. 167-168)
- Payment Card Industry Data Security Standard (PCI DSS) (pp. 169-170)
- Chapter 5
- Data Destruction Methods (erasing, clearing, purging, degaussing) (pp. 195-196)
- Data Roles (data owner, asset/system owner, business/mission owner, data processor, data controller, data custodian, administrator, user) (pp. 204-208) (check this post)
- Chapter 6
- (none)
- Chapter 7
- Certificate formats (p. 283)
- Symmetric Encryption Algorithms (pp. 251-252)
- Hash Algorithms Value Lengths (pp. 274)
- Chapter 8 “Principle of Security Models, Design, and Capabilities”
- Security Models (pp. 322-336)
- Common Criteria (CC) evaluation assurance levels (EALs) (pp. 338-339)
- Chapter 9 “Security Vulnerabilities, Threats, and Countermeasures”
- Seven principles of Privacy by Design (p. 319)
- Differences between multitasking, multicore, mutiltiprocessing, multiprogramming and multithreading (pp. 356-357)
- Concept of sanitizing (p. 367)
- ICS communication protocols in SCADA (DNP3, Modbus, IEC 61850) (pp. 378-380) (post)
- Serverless Architecture / FaaS (p. 406)
- Chapter 10
- Fire extinguisher classes (p. 473)
- Terms related to power issues (fault, blackout, sag, brownout, spike, surge, inrush, ground, noise)
- Elements of cable plan management policy (entrance facility, equipment room, backbone ditribution system, telecommunications rooms, and horizontal distribution system) (pp. 1069)
- Chapter 11
- Network container names: OSI layers 7-5 data stream, 4 segment (TCP) or datagram (UDP), 3 packet, 2 frame, 1 bit
- Routing protocols (p. 503) (post)
- Common Application Layer Protocols (pp. 506-507)
- DNS Security (DNSSEC, DNS over HTTPS) (p. 511) (post)
- Converged protocols: SAN, FCoE, MLPS, iSCSI (pp. 523-524)
- Voice over Internet Protocol (VoIP), Secure Real-time Transport Protocol (SRTP), Session Initialization Protocol Secure (SIPS) (pp. 525-526) (test 4.12)
- Content Distribution Networks (CDN) (p. 545)
- Spectrum-use techniques: FHSS, DSSS and OFDM (p. 537)
- Bluetooth Attacks (p. 537)
- Types of honeypots (low/high availability) (post)
- Chapter 12
- EAP examples (LEAP, PEAP, EAP-SIM, EAP-FAST, EAP-MD5, EAP-POTP, EAP-TLS, EAP-TTLS) (p. 584)
- Load balancing techniques (table 12.1)
- Means to coexist IPv4 and IPv6 (test question 3)
- IPv4 address classes and private, loopback and APIPA address ranges (see this post)
- Internet Procotol Security (IPsec) (p. 609)
- Chapter 13
- Concepts of FAR (False Aceptance Ratio), FRR (False Rejection Ratio) and CER (Crossover Error Rate)
- Chapter 14
- Differences between sharing login credentials methods (SAML, OAuth, OpenID and OIDC) (p. 694)
- Kerberos concept (pp. 695-697)
- Kerberos exploitation attacks (pp. 710-711)
- Chapter 15 “Security Assessment and Testing”
- Audit assessments and types (pp. 729-730)
- Security Content Automation Protocol (SCAP) and its components (CVE, CVSS, CCE, CPE, XCCDF, OVAL) (pp. 731-732)
- Network discovery scanner techniques (TCP SYN, TCP Connect, TCP ACK, UDP, Xmas) (p. 733)
- Test coverage analysis (p. 752)
- Chapter 16
- (none)
- Chapter 17 “Preventing and Responding to Incidents”
- 7 Incident management steps (Detection, Response, Mitigation, Report, Recovery, Remediation, Lessons Learned) (pp. 804-809)
- Attacks (SYN flood, smurf, fraggle, etc. attacks) (pp. 811-820)
- Security orchestration, automation and response (SOAR), playbook and runbook (pp. 845-846)
- Cyber Kill Chain framework (pp. 847-848)
- Chapter 18
- IDS types (knowledge-based vs behavior-based)
- RAID types (0, 1, 5, 6 and 10) (p. 876)
- Database Recovery methods (electronic vaulting, remote journaling, remote mirroring) (p. 888)
- Backup types (full, incremental and differential) (p. 893)
- Tape Rotation Strategy (Grandfather-Father-Son GFS, Tower of Hanoi, Six Cartridge Weekly Backup) (p. 896)
- DRP test types (checklist tests/read-through, structured walk-through, simulation, parallel and full interruption) (p. 899)
- Chapter 19
- Investigation Types (and standards of evidence) (p. 910-912)
- EDRM (Electronic Discovery Reference Model) 9 aspects (Information Governance, Identification, Preservation, Collection, Processing, Review, Analysis, Production, Presentation) (link) (p. 912)
- Admissible evidence (relevant, material, competent) (p. 913)
- Types of evidence (real, documentary, testimonial, demonstrative) (pp. 913-916)
- (ISC)2 Code of Ethics canons and who can report them (pp. 930-931)
- Chapter 20
- SW-CMM/CMMI 5 stages (initial, repeatable, defined, managed, optimizing) (pp. 960-961)
- IDEAL (p. 961)
- Software Assurance Maturity Model (SAMM) functions & activities (pp. 961-962)
- Relational database transaction characteristics (atomicity, consistency, isolation, durability) (p. 978)
- Database Concurrency (lost updates, dirty reads) (p. 979)
- Chapter 21
- (none)
Also you must have a look at the list of TCP and UDP ports.
This list can be used as a review checklist.
How do I get support during exam preparation?
You can access the (ISC)2 Community on this external link.
There is one specific discussion in (ISC)2 Community about exam preparation.
How is the place where I perform the exam?
Exam is on site on a testing center that is chosen by the candidate among those offered. The exam is computer-based, using a computer provided by the testing center to access Pearson VUE website.
You can see some pictures of a testing center on this external link.
You can test a Pearson VUE generic test (not CISSP) on this external link.
How is the exam?
There are two types of exam:
- Computer adaptive testing (CAT)
- Linear testing
Candidates doing exam in English will do the CAT, while those doing it in a different language (French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese and Korean) will do the linear testing.
CAT exam lasts a maximum of 3 hours and contains between 100 and 150 questions. You cannot go back to review them. Questions are chosen on the fly based on the previous answer you provided, so the better you do it, the more complicated next questions will be.
There are three types of CAT questions:
- Four-option multiple-choice single-answer. The most common by far.
- Four-option multiple-choice multiple-answer
- Advanced innovative questions. For example, drag-and-drop and hotspot questions with only one possible answer
In my experience, all questions were multi-choice single answer.
Linear testing exam lasts a maximum of 6 hours and includes 250 multi choice questions. It means that you have an average of 1,44 minutes (or 86,4 seconds) per question, so you need to answer them fast. All questions are preset before starting the exam and questions can be reviewed. You need to achieve a score of at least 700 out of 1,000 points to pass the exam. Questions are scaled, so not all questions score the same.
As a practical rule, you need to set your goal to answer a 70% of correct questions when practicing the exams.
I would recommend not to worry on the scoring system and focus on preparing the exam itself.
How do I rehearse exam question?
To rehearse the exam questions, you can use any of the Practice Tests books available in the bookstores, like the CISSP’s official recommended in Preparation Material section of this post.
If you acquired Sybex Practice Test book, you have the right to use Sybex interactive online study tool during a year, that should be time enough to prepare and pass the exam.
You can request access to Sybex online study tool through this link (take note that in my case it worked only on Chrome browser and not Firefox):
http://www.wiley.com/go/sybextestprep
During the registration process, it may ask you one word in the text of one of the captions in the book; by caption, it means “figure”.
Once you are registered, you will receive an e-mail with a PIN.
Register to Wiley Efficient Learning on this address, using the given PIN:
Then you will have the 1-year access to the CISSP test bank through Wiley’s Efficient Learning site.
How do I register for CISSP exam?
There are two options to register for CISSP exam:
- Buy a voucher and redeem later
- Register directly for a specific exam date
How do I buy a voucher?
You can buy a Pearson VUE voucher for (ISC)2 from this external link.
Check the next question to see how to redeem this voucher.
How do I register for a CISSP exam date?
You need to be registered on Pearson VUE web to apply for CISSP exam. Pearson VUE is the only administrator of (ISC)2 exams.
If you need to register for Pearson VUE, go to the link and click on “Create account”. Follow the steps to complete registration.
Once you are registered, go to the link, click on “View exam”. On the search box, type “CISSP”, select it in the list and click on “Go”. Read the (ISC)2 policies and click on “Agree”. Select your language and click “Next”. Enter your personal data and click “Next”. Select the place where you want to take the exam. Finally, proceed to checkout. Enter any voucher/promotion code you have in payment screen, if applies. Enter payment data and accept, if applies.
What do I need to take to the exam?
To take the exam, you need to show two valid IDs (e.g., your national ID and your passport) on the testing center. Ensure you have them and that they are not outdated a few weeks before taking the exam.
What happens if I failed the exam?
You can retake the exam under some conditions:
- You can take the CISSP exam a maximum of 4 times in a 12-month period
- You must wait 30 days after your first attempt before trying a second time
- You must wait an additional 60 days after your second attempt before trying a third time
- You must wait an additional 90 days after your third or subsequent attempts before trying again
You can find the official policy on this external link.
What do I do after passing the exam?
If you passed the exam, first of all congratulations! Now, keep reading the post “how to get CISSP Certification” to know the next steps.
You might also be interested in…
External References
- “What You Can Expect from Your Exam“; (ISC)2
- “How I passed CISSP: my three-month study plan“; Ammar Hayassen
[…] it is just one of the many requirements to get the CISSP certification) have been written on a different post in this […]