How I studied for CISSP

I got the letter this week. The one from (ISC)². If the first word is “congratulations,” it means you passed. If the first two words are “thank you,” you didn’t.

Mine said congratulations. Now, after a vetting period that can take six weeks, I’ll get a certificate in the mail and I can start signing off with a “, CISSP” after my name.

It was a long road. Here’s how I did it.

(ISC)² publishes a book called the CISSP Common Book of Knowledge. I bought it. I read the whole thing. It’s anything but wonderful. Given the choice between reading the CBK cover-to-cover or reading the Christian Bible cover-to-cover (which I’ve done twice), I’ll take the Bible. It’s much more interesting and much easier to understand.

But I do recommend the CBK. It’s hard to get through, has a lot of material in it that you won’t see on your test (and that probably no one else in the room will see on theirs) and there will be material on your test that isn’t in the book, but since it’s written by the same people who wrote the test, you’d be silly not to read it. And besides, once you get the certification, it’s a reasonably good reference book. (The index is terrible, and that’s what keeps it from being an outstanding reference book.)

I also borrowed one of Shon Harris’ CISSP books. It’s about 200 pages longer than the CBK, much easier to understand, but contains a lot of fluff. Depending on your background, the fluff might help you understand the material. The problem is, I’ve spent 17 years in the trenches and she spent most of her career in management, so it’s like hearing war stories from my boss, or a former boss. I’d rather hear the war stories from the people she was managing. Try to find it in a library, or borrow a copy from a CISSP, before you buy it because you’re either going to really like that book, or really dislike it, and it all depends on how well you relate to her. Even if all you can get is an old edition, check it out, then buy the current edition if you like it.

The third book I used was CISSP for Dummies, and, as crazy as that sounds, it helped. When I needed to find an answer to a single question, I was more likely to find it in that, or at least find it quickly, than in either of the other two books. I don’t recommend relying solely on it, nor do I recommend keeping it on a shelf in your office where people can see it, but I’m pretty comfortable saying it ought to be the second or third book you buy, and the second one you read.

My employer bought access to a Carnegie Mellon CBT course for the CISSP. It helped me a lot. After reading the books, I still didn’t understand the Bell-LaPadula model (which will be on your test, I guarantee) but the Carnegie Mellon five-minute explanation made it click. Some type of CBT would be a good idea, especially if someone else is willing to pay for it. A CBT is like going to class; the books are like reading textbooks. Chances are you’ll need both.

I also did tons of study questions. For about a week, I did 1,000 questions per day, then backed off to 300 per day for another four weeks. One of my mentors told me that cccure.org has the closest test questions to the real thing that he’s ever found, and I agree. Nothing there is going to appear on the test verbatim, but people who work for (ISC)² contribute questions there. Had I not passed, my plan of action was to schedule another test date sometime in March, then log on to cccure.org every night until then and take a 250-question test.

I found a collection of more than 2,000 study questions on a flash-card site. I didn’t save the URL. But searching for it, I found other collections of essentially the same study questions online. CISSPs and CISSP candidates have been passing around a subset of those questions for years at the company I work for. They’re helpful, but not as close to the real thing as the cccure questions are. I went through about 300 of them a day for a few weeks and it helped, but those collections really were only representative of maybe 10-25 questions on the real thing. The questions on the real test tend to be deeper than that.

A favorite expression of one CISSP I know is “connect the dots.” And that’s what the CISSP test is. You won’t see any of those sample questions on the test, but you’ll find most of the questions break down into 3, 4, maybe 5 of those sample questions.

Studying a few hundred questions a day does two things. You learn a lot of material, stuff you’ll need in order to be able to connect those dots. But it also trains your brain for the grueling six-hour exam. Find a way to spend a few hours a day, every day, going through those questions, and you’ll find it much easier to get through those 250 questions on your test day. I didn’t have a headache or feel light-headed at the end of the test, and I guarantee that’s why. But the week after Christmas, when I first started that routine? I had headaches all the time and on a couple of occasions dropped the glass when I was trying to take a drink. It’s better to be that way a few weeks before the test, instead of the day of the test. And the timing worked out for me. I was a zombie at work, but nobody expects much of you at work that week between Christmas and New Year’s Day.

Actually there’s a third thing it does. Trying to determine why the answer to those questions is what it is helps. The sample question almost certainly won’t be on the exam, but in searching for the answer to that question, you’ll run across material that will help you on the exam. Notice I didn’t say that material will be on the test either, but it’ll be one of those dots.

One of my coworkers loaned me an audio CD titled Pass For Sure. You should be skeptical of anything CISSP-related with the words “for sure” in it. There’s no way two hours of audio lecture can tell you all you need to know to pass the CISSP–for example, I don’t think it even mentioned Bell-LaPadula–but it’s a reasonable review. When you get to the point where you can listen to a 2-hour lecture and there’s little to nothing in it that you don’t know, you’re close to being ready.

I’m also highly skeptical of bootcamps. I’m sure a bootcamp can help you, but you’re not going to cover all of the material in a 1,000-page book in a week. One of the guys who took the test with me said he’d been to a bootcamp, and he said he had no clue on half the questions on his exam.

I think a bootcamp can be helpful, just like I found that CBT helpful, but you’ll still need a few weeks of taking sample tests.

There’s one last thing you’re going to need, and you can’t buy it. You’re going to need the support of your family and those around you. Spending every spare moment immersed in this stuff is the best way to get through it, and that’s going to take a toll on everyone. You’ll learn what kind of family and coworkers you have by going through the process. Hopefully like me you’ll learn yours are top-notch.

Tomorrow, I’ll talk about strategies for Test Day.
