Exam Profile: (ISC)2 Certified Information Systems Security Professional (CISSP)
Date: Apr 12, 2011
The CISSP certification is an advanced-level security certification sponsored by International Information Systems Security Certification Consortium, Inc., or (ISC)2. It is considered by many to be the premier security certification. CISSP is often called “a mile wide and an inch deep,” indicating the wide breadth of knowledge (a mile wide) that the exam covers and that many questions don’t go into the nitty-gritty details of the concepts (only an inch deep).
Don’t underestimate the difficulty of the questions though; some trainers change the saying to “a mile wide and two inches deep” to remind people that these questions do have some complexity. One of the challenges with the questions is that it’s common for more than one answer to be correct. You have to know which answer is more correct based on the context of the question. Using practice questions from reputable sources is a great way to gain a better understanding of what to expect. Also, the exam is a grueling endurance contest since you’ll be answering 250 questions in six hours without any scheduled breaks.
To achieve the CISSP certification, you have to complete several steps:
- Have five years of relevant security experience in two or more of the ten domains.
- A maximum of one year of experience can be waived for a college degree or various other certifications such as Security+, SSCP, MCSE, MCITP or others. This page lists all of the credentials that can be used for this waiver.
- Subscribe to the (ISC)2 Code of Ethics.
- Pass the exam with a score of at least 700.
- Be endorsed by an (ISC)2 certified member in good standing.
Exam Details
- Exam Type: Proctored
- This is a paper-based exam administered by proctors so you’ll be filling in little circles with an old-fashioned #2 pencil. It is often administered in a hotel conference room and if you take a review seminar, it is usually administered in the same location as the seminar. There will be several proctors walking around the room while you’re taking the test.
- Number of questions: 250
- Only 225 questions are graded. The other 25 questions are for research purposes but they are mixed into the entire 250 questions so you won’t know what questions are graded. You need to answer every question as if it’s graded.
- Type of Questions: Multiple choice
- The questions are basic multiple choice questions. You may have some scenario-based items where you’ll read a scenario and then answer two or more questions related to the scenario. You aren’t penalized for wrong answers, so make sure you answer each question.
- Passing score: 700/1000
- The questions are weighted, so a score of 700 doesn’t indicate that you need to get exactly 70 questions correct.
- Time limit: 6 hours
- You’re expected to arrive at 8 AM, instructions begin at 8:30, and the exam starts at 9. If you’re late, you probably won’t be allowed in. You’ll have until 3:00 PM to complete the exam.
- How to register:
- Registering for this exam is different from many other vendor exams such as CompTIA, Cisco, and Microsoft exams. You start the process from this page. After clicking on the link to register, you’ll be able to search for when the exam is administered in your area. There are a limited number of seats at each exam and they often sell out before the test day, so if one is in your area, sign up early. You’ll be prompted to agree to the Code of Ethics during the process. After registering, you’ll be emailed admission documents, and you’ll need these documents on the day of the exam, along with a government-issued photo identification such as a driver’s license or passport.
- Exam price: $600.
- If you register at least 16 days early, you can get a $50 discount. In other words, you can take the exam for $550 instead of $600. However, if you have to reschedule, there’s a hefty rescheduling fee of $100.
- Time to get results: About 4 to 6 weeks
- Unlike many exams where you know right away whether you pass or not, you’ll need to wait for the CISSP results. (ISC)2 says you’ll get the results in your email about 4 to 6 weeks after taking the exam, but they often come a little earlier.
Trouble Spots
One of the most challenging aspects of this exam is the breadth of knowledge that it covers. The ten domains cover a wide assortment of job skills and it’s rare that any single person will have direct experience in all ten. Instead, you’ll find that two of the domains (possibly more) are very familiar to you, and you’ll have to spend time studying the remaining domains.
Additionally, answering 250 questions in a straight six-hour period can be exhausting. I remember walking out of the exam with my brain feeling like mush. Doing the math, you can see that you’ll have close to 1-1/2 minutes to complete each question (360 minutes / 250 questions = 1.44 minutes). If you find yourself spending more than a minute on an exam question, move on. You don’t want to run out of time. After you finish with the first pass through the questions, you can come back to the ones you weren’t sure about. You can also mark up the exam booklet so if you know an answer is incorrect, cross it out so it’s easier to focus on the other answers.
Recognizing the marathon nature of the exam, you can take some steps to prepare yourself:
- Get a good night’s sleep before the exam.
- If you’re driving from out of the area, consider driving the night before and staying in a hotel. The cost of the hotel is a lot cheaper than the cost of retaking the exam ($550 or $600).
- Eat a healthy breakfast.
- You know what food makes you feel good and what food weighs you down. Stay away from food that makes you tired and lethargic.
- Take breaks.
- Your mind will work better if you take a short break about once every 60 to 90 minutes. You can do something as simple as getting up, walking to the back of the room, and stretching.
- Bring something light to eat and drink.
- You’ll be able to place your food and drinks at the back of the room. When you want to take a break, it’ll be waiting for you. You won’t get extra time for any breaks, so the clock will still be ticking while you’re eating or drinking.
Preparation Hints
One of the first things to do when considering the CISSP exam is to download the Candidate Information Bulletin (CIB). It provides you with a significant amount of information about the exam, including details about the domains covered by the exam. You can retrieve a candidate information bulletin for the CISSP exam after providing some registration information about yourself.
The CISSP exam includes questions from ten domains:
- Access Control
- Application Development Security
- Business Continuity and Disaster Recovery Planning
- Cryptography
- Information Security Governance and Risk Management
- Legal, Regulations, Investigations and Compliance
- Operations Security
- Physical (Environmental) Security
- Security Architecture and Design
- Telecommunications and Network Security
Access Control
This domain focuses on the concepts related to identification, authentication, authorization, and accounting. You should understand the different types (or factors) of authentication, different types of controls (such as corrective, detective, preventative, and so on), and various control techniques (such as mandatory, discretionary, and non-discretionary). You should also understand how logging and monitoring provide accounting, and be aware of common access control attacks.
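To make the three control techniques named above concrete, here is an added example (not part of the original article or of any (ISC)2 material) that models mandatory, discretionary, and non-discretionary (role-based) access decisions in Python and writes every decision to an audit log, which is how logging provides the accounting leg of the domain. All users, labels, roles, and object names in it are constructed for illustration.

```python
"""Added example: MAC, DAC and RBAC decisions, each recorded for accounting.
All subjects, labels, roles and objects are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Ordered sensitivity labels used by the mandatory model (constructed).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

# Accounting: an append-only record of every access decision.
AUDIT_LOG: List[str] = []


def record(model: str, subject: str, action: str, obj: str, allowed: bool) -> bool:
    """Log the decision and pass it through unchanged."""
    verdict = "ALLOW" if allowed else "DENY"
    AUDIT_LOG.append(f"{model} {subject} {action} {obj} -> {verdict}")
    return allowed


# --- Mandatory access control: labels are fixed by policy, not by users. ---
# Simple security property ("no read up"): a subject may read an object only
# when its clearance dominates the object's label.
def mac_read(subject: str, clearance: str, obj: str, label: str) -> bool:
    allowed = LEVELS[clearance] >= LEVELS[label]
    return record("MAC", subject, "read", obj, allowed)


# --- Discretionary access control: the object's owner decides who gets in. ---
@dataclass
class DacObject:
    name: str
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # user -> permissions

    def grant(self, by: str, user: str, perm: str) -> None:
        """Only the owner may change the ACL; that is what makes it discretionary."""
        if by != self.owner:
            raise PermissionError(f"{by} does not own {self.name}")
        self.acl.setdefault(user, set()).add(perm)


def dac_check(subject: str, obj: DacObject, perm: str) -> bool:
    allowed = subject == obj.owner or perm in obj.acl.get(subject, set())
    return record("DAC", subject, perm, obj.name, allowed)


# --- Non-discretionary (role-based) control: permissions hang off roles that an
# administrator assigns; neither the user nor an object owner can change them. ---
ROLE_PERMS = {
    "auditor": {"read:logs"},
    "operator": {"read:logs", "restart:service"},
}
USER_ROLES = {"alice": {"auditor"}, "bob": {"operator"}}


def rbac_check(subject: str, perm: str) -> bool:
    allowed = any(perm in ROLE_PERMS[r] for r in USER_ROLES.get(subject, set()))
    return record("RBAC", subject, perm, "-", allowed)


def demo() -> List[str]:
    """Run one scenario through each model and return the resulting audit trail."""
    AUDIT_LOG.clear()
    mac_read("alice", "confidential", "payroll.xlsx", "secret")  # DENY: read up
    mac_read("alice", "confidential", "memo.txt", "public")      # ALLOW
    report = DacObject("q1-report.docx", owner="bob")
    dac_check("alice", report, "read")                           # DENY: not on ACL
    report.grant(by="bob", user="alice", perm="read")            # owner's discretion
    dac_check("alice", report, "read")                           # ALLOW after grant
    rbac_check("alice", "restart:service")                       # DENY: auditor lacks it
    rbac_check("bob", "restart:service")                         # ALLOW: operator role
    return list(AUDIT_LOG)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the script prints the six decisions in order; the point to notice is that the same subject is granted or denied for different reasons under each model, and that the audit trail, not the decision function, is what lets you answer "who accessed what" afterwards.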
Application Development Security
You can expect questions related to the application life cycle and the application development environment, including different security controls. Several models and tools are available to support the software life cycle, such as the Systems Development Life Cycle (SDLC) and some maturity models. You should also be familiar with issues such as change management, configuration management, risk analysis, and database topics such as data warehousing and data mining.
Business Continuity and Disaster Recovery Planning
These topics include Business Continuity Plans (BCPs), Disaster Recovery Plans (DRPs), and Business Impact Assessments (BIAs). You should be very familiar with the processes of conducting a BIA, developing a recovery strategy, disaster recovery steps, and how to test, update, assess, and maintain your plans.
Cryptography
Cryptography covers the various methods used to provide confidentiality and integrity for data at rest and in transit. You should be familiar with common symmetric and asymmetric encryption concepts used for confidentiality, as well as the use of message digests and hashing for integrity, and the use of digital signatures for authentication and non-repudiation. You should have a basic understanding of cryptanalysis and common methods of cryptanalytic attacks. A solid understanding of certificates and Public Key Infrastructure (PKI) is also needed for this domain.
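The distinction this domain draws between integrity, authentication, and non-repudiation is exactly the kind of "which answer is more correct" point the exam likes. The following added example (not from the original article) shows it in code: a plain digest catches tampering but anyone can recompute it, an HMAC ties the message to a shared key but either key holder could have produced it, and a digital signature can only be produced by the private key holder. The signature uses a deliberately tiny textbook RSA keypair, constructed for illustration only; the primes, message, and key bytes are all made up, and real systems use large keys with proper padding.

```python
"""Added example: hash (integrity) vs HMAC (authentication) vs signature
(non-repudiation). Uses the standard library plus a toy RSA keypair that is
constructed for illustration and far too small for real use."""
import hashlib
import hmac


# 1. Message digest: detects modification. Anyone can recompute it, so a digest
#    alone says nothing about who produced the message.
def digest(msg: bytes) -> str:
    return hashlib.sha256(msg).hexdigest()


def integrity_ok(msg: bytes, expected: str) -> bool:
    return hmac.compare_digest(digest(msg), expected)


# 2. HMAC: integrity plus authentication, but both parties hold the same key,
#    so either of them could have produced the tag: no non-repudiation.
def mac(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def mac_ok(key: bytes, msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(key, msg), tag)


# 3. Digital signature (toy RSA): only the private-key holder can sign; anyone
#    holding the public key can verify, so the signer cannot later deny it.
P, Q = 61, 53                 # constructed toy primes, never use sizes like this
N = P * Q                     # public modulus
PHI = (P - 1) * (Q - 1)
E = 17                        # public exponent
D = pow(E, -1, PHI)           # private exponent: modular inverse of E mod PHI


def _hash_to_int(msg: bytes) -> int:
    # Sign the hash of the message, reduced into the toy modulus.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes, private_exp: int = D) -> int:
    return pow(_hash_to_int(msg), private_exp, N)


def verify(msg: bytes, sig: int, public_exp: int = E) -> bool:
    return pow(sig, public_exp, N) == _hash_to_int(msg)


def demo() -> dict:
    """Exercise each primitive and report which security property it gives."""
    original = b"Transfer 100 to account 42"   # constructed sample message
    tampered = b"Transfer 900 to account 42"
    key = b"shared-secret"                     # constructed sample key
    sig = sign(original)
    return {
        # A digest catches the change...
        "hash_detects_tamper": not integrity_ok(tampered, digest(original)),
        # ...but an attacker who edits the message can simply recompute it.
        "hash_anyone_can_recompute": integrity_ok(tampered, digest(tampered)),
        # A MAC needs the shared key, so a third party cannot forge it.
        "mac_wrong_key_fails": not mac_ok(b"other-key", original, mac(key, original)),
        "mac_right_key_ok": mac_ok(key, original, mac(key, original)),
        # A signature verifies with the public key alone...
        "sig_verifies": verify(original, sig),
        # ...and a signature not produced with the private key does not.
        "forged_sig_fails": not verify(original, (sig + 1) % N),
    }


if __name__ == "__main__":
    for prop, holds in demo().items():
        print(f"{prop}: {holds}")
```

Every entry printed by demo() should be True. Note the asymmetry the example is built to show: the MAC verifier can also create tags, so it cannot prove to a third party who made one, whereas the signature verifier holds only E and N and could not have produced the signature itself.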
Information Security Governance and Risk Management
This is a very broad topic that includes policies, standards, procedures, and guidelines and how they’re used to help protect the security triad of confidentiality, integrity, and availability. You’ll need to understand how organizations can apply security practices within the organization along with a basic understanding of risk, risk assessments, risk assignment, and the evaluation and use of countermeasures related to an overall risk management plan. This domain also includes objectives related to the (ISC)2 Code of Ethics that you must subscribe to before taking the CISSP exam.
Legal, Regulations, Investigations and Compliance
In this domain, you’ll be tested on your knowledge of legal issues, investigations, forensic procedures, and compliance requirements and procedures. Some of these topics are international in nature, such as computer crime and import/export issues, while other topics can delve into U.S. laws such as HIPAA.
Operations Security
This domain includes many common concepts such as need to know, least privilege, job rotation, and separation of duties, and includes details of the five steps of incident response (detection, response, reporting, recovery, and remediation). You should also have a solid understanding of how to prevent and respond to attacks using common IT practices such as patch management, configuration management, and fault tolerance.
Physical (Environmental) Security
You should have a good understanding of the different threats and vulnerabilities related to physical security, and the methods used to protect both the IT resources and the people within a facility. It can include physical controls such as locks, badges, guards, lights, and cameras. It also includes all the elements of facilities security such as different security zones for different IT equipment and data, HVAC, water issues, and fire prevention, detection, and suppression.
Security Architecture and Design
In this domain, you’re expected to know many of the models used for security design, such as the Common Criteria, and some specific guidelines such as the Payment Card Industry Data Security Standard (PCI DSS). You’re also expected to understand components of specific information systems such as a trusted platform module, vulnerabilities of security architectures like covert channels, and some of the vulnerabilities and threats to applications and systems such as those that exploit databases. Countermeasures mitigate risks, and this domain expects you to understand some basic countermeasure principles such as defense-in-depth.
Telecommunications and Network Security
IT administrators will find a lot of familiar material in this domain, such as the OSI and TCP/IP models and the basics of IP networking. This domain also includes an understanding of secure data communications, secure communication channels (such as VPNs), and secure network components such as routers, switches, firewalls, and proxy servers. You’re also expected to understand the different types of network attacks.
Recommended Study Resources
The CIB lists about 90 references that make up the common body of knowledge (CBK) for the CISSP exam. Exam questions are developed from the CBK, but it’s not feasible or even recommended to purchase and read all of these books. The (ISC)2 publishes a book known as the common body of knowledge (CBK) and there are several other excellent sources to choose from. Due to the breadth of knowledge, you should get a minimum of two study books.
Before sitting the exam and answering the 250 actual exam questions, it’s a good idea to take some practice exams. (ISC)2 is constantly developing new questions, testing them, and rolling them into the test bank mix, so don’t expect any practice test questions to be repeated on the actual exam. However, practice questions from reputable sources cover the same content that test takers will see on the exam, and they’ll help you understand how (ISC)2 asks the questions. While many study books have practice questions, many people benefit from other sources that are focused on providing only practice questions.
The following list shows some study guides and practice question sources you can consider:
Study Guides
- CISSP All-in-One Exam Guide (ISBN-10: 0-0716-0217-8) by Shon Harris
- CISSP: Certified Information Systems Security Professional Study Guide (ISBN-10: 0-4709-4498-6) by James M. Stewart, Ed Tittel, and Mike Chapple
- CISSP Study Guide (ISBN-10: 1-5974-9563-8) by Eric Conrad, Seth Misenar, and Joshua Feldman
Practice Questions
- CISSP Cert Flash Cards Online (ISBN-10: 0-7897-4035-4) by Shon Harris
- CISSP Practice Questions Exam Cram (ISBN-10: 0-7897-3806-6) by Michael Gregg
Forum
Additionally, there is an active forum on CISSP. Cccure.org has some free study guides for CISSP. You’ll need to create a profile on cccure.org. After logging in, search on “CISSP” or follow the menu for Certifications -> ISC2 Certifications -> CISSP. They have several free CISSP study guides but be aware that many of these are older. Some knowledge like the OSI model is timeless, but other topics like cryptography change frequently.
Where to Go From Here
Get the CIB. Read it and take notes to identify your weaknesses. Once you’ve identified your weaknesses, look for resources to increase your knowledge in those areas. Good luck!