Material and Resources for pursuing CISSP Certification (updated July 2023)
This is my compilation of resources, study materials, notes, and advice I have gathered, working towards certification. No compilation is exhaustive, but my goal is to put together information that will be useful and encouraging to others undertaking this effort.
Feel free to share this repo or any of the resources if you find them useful. Tell me about mistakes or improvements you think should be made! Connect with me on LinkedIn
- Overview of CISSP exam and content
- Reference Material including books, articles, recommended courses, and guides
- My Study Guides built as I'm progressing through the reference material
There is a ton of information on the CISSP exam available, including from (ISC)², associated and third-party instructors and authors, as well as guides put together by those in preparation. Many have noted that the most appropriate frame of reference is that of a manager, not a technician. Try to understand the process, and why any technology would be used. As Lance puts it, try to answer these questions for basic topics:
- Why is the technology needed?
- What is the process for making a pro or con decision?
- When would it be needed, and under what circumstances?
- Who makes the decision?
- Who will be operating it, and what access controls need to be implemented? How are they defined? What are the steps involved?
- Who will be auditing usage? Internal vs external and why?
- Who will create relevant policies for it?
- Who implements it, and what are the steps in doing so?
- What are the risks, and who evaluates, quantifies, and accepts (or rejects) them?
- What are the implications for architecture, for structure, for costs?
- What are the privacy ramifications?
Focus on understanding the topics, and the analysis process. You have to analyze scope, time, and cost for most questions. Your goal is to reduce risk.
Test Process:
- Read the question and answers twice: skim the question and answers, then go back and read through the question carefully. Argue with each of the answers. Does an answer meet all requirements in the question? Are any other answers more efficient for time and cost?
- If you have no idea what the answer is, you can generally eliminate at least two answers by thinking about the language used in the question. For instance, the question could be asking for a technology, and two of the answers are about process.
- The first priority for any incident is saving human life.
- Think before you act:
  - Understand business objectives
  - Review current security state
  - Interview stakeholders
  - Identify owners/assets/values
  - Assess current controls
  - Analyze impact/exposure/alternatives
  - Verify/confirm reports
- Take practice tests (see references below), and time yourself. You should get comfortable with the process and with the test's proclivities (e.g. you can't skip a question and come back to it, so answer and move on).
- Candidates must have a minimum of five years cumulative paid work experience in two or more of the eight domains of the CISSP CBK. Earning a four-year college degree or regional equivalent, or an additional credential from the (ISC)² approved list, will satisfy one year of the required experience. Education credit will only satisfy one year of experience. Pursue Associate status if you have less experience than that.
- The test is 3 hours and 100-150 multiple choice questions, with 70% required to pass. Each domain is weighted 10-15% of the score.
- You can pass (and finish) or fail within the first 100 questions. If you go beyond 100, you are somewhere in between.
- Certified Information Systems Security Professional, Official Study Guide (using Ninth Edition) - this is the baseline text and, from what I've seen, usually the starting point for study
- CISSP Official Practice Tests (I have third edition)
- This course has been highly recommended by several people: CISSP Overview by Kelly Handerhan (Note: I have yet to take it!)
- Thor Teaches:
- Understand Bloom's Taxonomy - a framework used by educators and exam creators to guide learning or exam objectives. Cross-reference the verbs used in the exam objectives with the framework to understand their specific meaning, and to gauge the level of study required to master each objective.
- Head over to the Certstation for support and communion with fellow travelers
Note: these are my notes and resources I've found helpful in my study so far. You are advised to do your own analysis to determine what will be helpful to you in your study. There are no guarantees, implied or otherwise, that these notes are complete or will meet your needs to pass the CISSP certification.