How to Prepare for the CISSP Exam
Rating: 4.5 out of 5(43 ratings)
1,800 students

If you are preparing for the new 2021 Version of the CISSP Exam, then this is for you!
Created by Simon Di Nucci
Last updated 8/2025
English

What you'll learn

  • 1. The Official CISSP Course, and the student guide;
  • 2. How I took stock at the start of the revision process;
  • 3. How I revised using the practice questions and the study guide;
  • 4. The exam itself; and
  • 5. Lessons learned.

Course content

2 sections, 7 lectures, 47m total length
  • Introduction (2:04)

    Hi, Everyone,

    My name is Simon Di Nucci and I've just passed the new CISSP exam; for those of you that don't know what that is, that's the Certified Information Systems Security Professional. It's new because the exams have been around for a long time, but the syllabus and the exam itself have undergone a significant change as of the 1st of May this year. I'm probably one of the first people to pass the new exam, which I have to tell you was a great relief because it really was a tough exam and it was tough preparing for it.

    It was a big mountain to climb. I am very, very relieved to have passed. Now, I hope to share some lessons with you. When I mentioned that I passed on the cybersecurity groups on Facebook and LinkedIn, I got a huge response from people who appreciated how difficult it is to do this and also had lots of questions. And whilst I can't talk about the specifics of the exam, that's not allowed, I can share some really useful lessons learned from my journey.

    Introduction. So I'm going to be talking about what I did:

    1. The Official Course, and the Student Guide;

    2. How I took stock at the start of the revision process;

    3. How I revised using the practice questions and the Study Guide;

    4. Something about the exam itself; and

    5. Lessons learned.

    So those are the five topics that I'm going to be talking about.

  • The Official Course (6:19)

    The Official Course

    So let's get on with it. My journey was that two, three years ago, the firm that I worked for decided that they wanted me to take the CISSP exam in order to improve our credibility when doing cybersecurity and my credibility.

    And I was sent on a five-day course, which was very intense; it was the Official ISC2 Course. And that was several hundred slides a day for five days. It was very intense. And as you can see, the guide that you get is a pretty hefty eight hundred pages of closely packed and high-quality material. I was taught by someone who was clearly a very experienced expert in the field.

    It was a good quality course. It cost about $3,700 (Australian). I think that's about $2,500 (US). In terms of the investment, I think it was worth it because it covered a lot of ground and I was very rusty on a lot of this stuff. It was a useful 'crammer' to get back into this stuff. As I said, [the Study Guide is] 800 pages long. I've done a lot of revising!

  • Taking Stock (5:34)

    Taking Stock

    Going back to January 2021, I started off by getting out the Official Practice Tests. Fortunately, my firm bought this book and the Study Guide, which we will come on to in a minute. This [the Official Practice Tests book] is $40 (US) and it's worth its weight in gold because here there are 1,175 practice questions. There are 100 questions for all eight of the domains. Plus there are three practice papers of 125 questions each, a total of 1,175 questions.

    It was very, very useful to me because out of the eight domains, I had some background in four, but not in the other four. Just to let you know, I did 20 years in the Air Force. I worked in software maintenance. In my day job, I'm a safety risk assessor, so I’m pretty good at risk assessment and governance.

    So domain Number One, Security and Risk Management. There are a lot of similarities with safety. I had a lot of experience of security in the forces, I was pretty good on Number One. Domain Number Two, Asset Security. Again, I was used to working in an area where we were protecting a lot of classified material. I had a strong background in that. And then jumping to the end, Domain Number Seven, Security Operations: physical security, disaster recovery, that kind of stuff.

    Again, I've got a lot of background there. And then finally, Software Development Security. I hadn't been involved in the development of secure software, but I've been involved in software development on a massive scale as well as in maintenance for military systems, which was done in a secure environment. I had a pretty strong background in those four domains, Numbers One, Two, Seven and Eight.

    However, the middle four domains I was quite weak on. So Security Architecture and Engineering, all the networking type stuff, Communications and Network Security, Identity and Access Management (IAM), and Security Assessment and Testing – I had not really been involved in that stuff much at all. I was quite weak in those areas.

  • Practice Questions (5:02)

    Practice Questions

    I looked at the practice questions. Unfortunately, one of the things that I learned while doing the practice questions was that a lot of questions were testing knowledge that I had not been taught in the course. I looked at a total of about 400 questions and I found that the amount of material that was not talked about in the Official Course was about 20 percent overall (I would say in some domains it was lower).

    So Domain One, I reckoned about 14 percent of the questions were on untaught material, and in Domain Three, it was about 16 percent. But actually, you know, that varied: in Domain Four about one-third of the questions tested knowledge that wasn't taught in the course, and Domain Six went up as high as 45 percent. On average, maybe twenty to twenty-five percent of the material in the practice questions was not covered in the green and white Student Guide that I showed you.

    So that was a bit of a shocker, to be honest. I was horrified about that. But it did spur me to go and learn a whole bunch of other stuff, and fortunately, almost everything that was missing from the Student Guide (the green and white book) was in this [book]. I refer to this as the black book because it's got a black spine. It’s got a black and white cover. This is the Official Study Guide.

  • Taking the Exam (9:59)

    Doing the Exam

    I took the exam in English, which is a computer-based test. There are up to, I think, 125 multiple-choice questions. There are four potential answers for each question, but the Computer Adaptive Testing (CAT) takes account of how well you do on the questions, and you don't necessarily get to answer all 125. The exam stops when it's ready, when the computer has assessed whether you've passed or failed.

    So a quick word about going to the exam. It was a very professional set-up. I went to a centre in the centre of Adelaide where I live. Do read very carefully the information they give you about what you need. You need to take two forms of I.D. and to wear a face mask. Even though we're very relaxed here about COVID, I still had to wear a face mask. You've got to submit to a palm scan (an ID scan), and put all your stuff in a locker.

    They check you very thoroughly to make sure you're not cheating in any way and that security all takes time. You’ve got to arrive half an hour early. Do arrive early. Do look up all the information about what you need before you turn up. Here in Australia, wearing face masks is not very common because we have no community transmission, so it was a surprise to some people when they rocked up to the exam centre and got told you have to wear a mask. Wherever you are, do look up what you've got to do, because obviously nobody wants to be rushing around trying to get a face mask at the last minute. That's just not what you need when you've got to take a big exam.

  • Lessons Learned (4:48)

    Lessons Learned

    What lessons did I learn from all of this? I would say, first of all, if you can get on a course, either face to face or online, I would say that it is worth it. I had learned a lot of the [taught] information before and I learned to program computers decades ago. I learned a lot about security. I'd learned a lot of technical stuff in the early part of my career. As I said before, I was strong on four out of eight of the domains, but I was still pretty rusty in a lot of subjects and there is a lot of information to cram in. I think probably going on a course helps you cram that information.

    But the course itself is not going to be enough. I do think you need to do the practice questions. You need to take stock and get a realistic picture of what you know and what you don't know. Then there are usually quite detailed answers in [the book] as to why one answer is correct and the other three are not correct. It’s worth reading those carefully and making further notes.

    It's worth [mentioning], while we're referring to the Study Guide, one of the areas that the original course did not cover very well at all. There was very little on attacks and defenses. There wasn't a lot about different types of cyber-attack and how you defend against them. And, you know, different architectures are vulnerable to this kind of attack and other architectures are vulnerable to a different kind of attack. And what's the best way to defend? There was almost nothing about that. There's some stuff about it in the practice questions. There's more about it in Chapter 21 [of the Study Guide] especially, as that's all about different attacks.

Requirements

  • If you are preparing for the new 2021 version of CISSP Exam, this is for you!


Who this course is for:

  • CISSP students, particularly if you don't currently work in cybersecurity.