TABLE OF CONTENTS
Preface
About the Author
Part 1: Background
Part 2: Preparation Tips
Part 3: CISSP Humor
Part 4: Test Taking Tips
Part 5: Resources
Conclusion
CertBase.io
The Top 45 Tips to Crush the CISSP
PREFACE
Welcome to The Top 45 Tips to Crush the CISSP. I’m so glad that you took time out of your day to stop by and take a look. This is a short eBook I put together to help Certified Information Systems Security Professional (CISSP) candidates prepare for and pass the CISSP exam. It is both a serious and lighthearted attempt to make sense of how to approach preparation and test-taking for this important certification.
In Part I, you will find some general information about the exam, a little history about (ISC)2, some details on the process of becoming a CISSP, and what to expect once you have earned your certification. In Part II, you’ll learn the tips that can help you in your preparation and study. In Part III there is a set of funny CISSP illustrations that I hope you find enjoyable. Part IV is the second part of the tip list, this time focused on sitting for the exam. In Part V you’ll find out how to get a list of the top 40 most popular CISSP resources based on a survey I conducted of people who passed the exam.
Hopefully you’ll find something new and useful in these pages that you can apply and benefit from during your CISSP journey. If that happens I’ll feel that I’ve accomplished my mission.
ABOUT THE AUTHOR
I am a senior security analyst with over 12 years of experience in the information security field. The majority of that time I served as a penetration tester although I have been fortunate enough to gain experience in a number of areas of information security. I’ve also earned several InfoSec certifications over the years. An interest in certifications also led me to my latest project, CertBase.io, which is a web application for everything related to InfoSec certifications. When I’m not at work I can be found spending time out with my family in Tampa, FL or on my bike exploring the local trails.
If at any point while you’re reading this guide you have any questions, or you would like to suggest a tip or resource that I can add to the next version of this eBook, please don’t hesitate to contact me. You can best reach me on Twitter @certbase_io or at https://certbase.io. Even if you don’t have any questions, I’d love you to stop by and say hello! If you want to reach me in private you can email me at [email protected].
About the cover
This cover was inspired by the “sunflower” notes from Maarten de Frankrijker, whose frequently cited and much-used CISSP summary takes its nickname from the beautiful sunflower image on its cover. A thorny cactus bearing a lovely flower seemed appropriate for an exam that can be quite prickly in its own right.
PART 1: BACKGROUND
So You Want To Be a CISSP?
If you are reading this, the chances are that you are planning on taking the CISSP exam. Congratulations on your decision. For many, becoming a CISSP is a milestone in their professional career. It is an acknowledgement of your experience, understanding, and skill in the field of security validated by one of the largest and most respected security organizations in the world: (ISC)2.
I also realize that there are many reasons for becoming a CISSP. Companies in the field often require the certification as a condition of employment. Perhaps you are looking to upgrade your career and want to apply for jobs that require a CISSP. Many see the CISSP as an important part of their professional development plan and want it in their email signature to showcase their security credentials.
Regardless of your motivation, the decision to go for the CISSP should not be taken lightly. The preparation needed for this massive test is significant. Unlike some certifications, which may require little more than a quick crash course on the material, the CISSP requires an immense commitment of time and energy. The Core Body of Knowledge (CBK), from which the questions are derived, is like a Mount Everest of information and it can’t be scaled overnight. We are talking months as compared to days or weeks for some other certification exams.
Unfortunately, there is no exam dump or cheat sheet that can reliably help you pass the CISSP. There are no shortcuts to becoming a CISSP, but focus, a solid strategy and sufficient, effective preparation all combine to make a critical difference. My hope is that this guide can be useful for you in this important challenge.
CISSP History 101
If there were an easy way to pass the CISSP, the certification would not be valued as much as it is today. (ISC)2 has kept careful guard of the exam’s reputation and integrity over the years. This is an organization that knows a thing or two about how to manage a certification program. The history of this non-profit goes back to 1989 when a group of organizations, looking for an approach for evaluating competence in the security field, came together to form (ISC)2. In 1990 this new organization created the first content for the CBK and four years later, the first CISSP certifications started rolling off the presses.
Since those first CISSPs were issued in 1994, (ISC)2 has not looked back. The CISSP has gained worldwide recognition with nearly 110,000 members in 160 countries according to the (ISC)2 website. The CISSP has earned ANSI accreditation for ISO/IEC Standard 17024 and is listed as an approved certification for Department of Defense personnel who are required by DoD Directive 8570.1 to obtain a certification.
Job Opening!
For employers and recruiters, the CISSP is the gold standard among security certifications. Many companies make CISSP certification a job requirement before hiring an employee. Our research has shown consistently that the CISSP is by far the top requested InfoSec certification among job posts, normally more than double that of the next closest certification. Several salary surveys have indicated that having a CISSP may increase your salary potential. Currently, the average salary of all jobs on Indeed.com that include CISSP as a keyword is $112,000. Generally, CISSP holders represent a wide range of experience and positions, from security analyst to CISO. According to Payscale.com, 46% of CISSP holders have 10-19 years of experience.
(ISC)2 Mad Scientists
In order to sustain the industry-leading position of the CISSP certification, (ISC)2 devotes a lot of time and energy to maintaining the high standards of the exam. A panel of subject matter experts (SMEs), the Board of Directors, and experts in psychometrics continually review and update the test and the pool of questions from which it is drawn. The SMEs conduct job task studies to confirm that the exam reflects the actual work that CISSP holders perform as professionals. They also ensure that even though each exam may have different questions, the level of difficulty remains comparable, and that once raw test scores are scaled, a score of 700 means that a candidate has passed regardless of the test version taken.
With the CISSP, the experts at (ISC)2 have engineered a well-earned reputation for having created a challenging exam that strikes fear into the hearts of many test takers. Forums such as TechExams.net are full of candidates who had to sit the exam on multiple occasions in order to pass. Complaints about puzzling and perplexing questions are commonplace among forum members and only serve to add to the mystique (and frustration) of the test.
Help Is Available
If the exam sounds intimidating to you, don’t worry because you are not alone in your endeavor. Fortunately for those who are preparing for the CISSP today, a whole industry has developed to support candidates in their quest to gain this certification. The popularity of the CISSP feeds an ecosystem of vendors, trainers, consultants, authors, and bloggers who make a living by helping people to pass the exam. Regardless of your preferred learning medium - be it books, videos, classroom training, practice exams, Facebook or LinkedIn groups - there is something out there for you.
Although there are a lot of excellent free resources available such as TechExams.net and Cybrary.it to name a couple, you need to be prepared to spend some money (or your company’s money) during your CISSP journey. At a minimum, I recommend using one of the classic books such as The CISSP All-in-One Exam Guide by Shon Harris ($49) (which is becoming a little outdated but is still an important reference), the CISSP Study Guide by Eric Conrad ($57), or the CISSP: Certified Information Systems Security Professional Study Guide from Sybex ($46). Many successful candidates also purchase a subscription to a practice exam database such as CCCure.org (three-month access, $90), and some go for a classroom-based boot camp ($2000-$5000). Last, but not least, is the cost of the exam ($599) and its annual maintenance fee ($85), and if you factor in the required steady supply of caffeine from your local coffee shop, you can see that obtaining the CISSP will not be cheap.
Hunker Down
Once you have purchased the study materials, you will need to set a schedule of consistent study and preparation. The CBK consists of eight domains of packed content that simply can’t be digested overnight. The (ISC)2-provided outline of the exam is 20 pages’ worth of high-level topics that need to be mastered. The Shon Harris CISSP All-in-One Guide, in which many of the details of these topics are covered, is a tome of 1456 pages. There is a reason that CCCure sells a year’s worth of access to their practice exams. They know as well as their customers that preparation for the CISSP is more like a marathon than a sprint. If you want to be successful, you will need to pace yourself and be consistent. Take too much time off and you will start forgetting material that you have worked so hard to learn.
Uh-Oh, Exam Day
After your significant investment of time, energy and money, you will be rewarded with the arrival of the dreaded exam day. You can expect a grueling six-hour ordeal of staring at complex exam content that will test your confidence and make you shake your head at times. You will see questions that you have never seen before. There will be questions that make no sense and multiple answers that appear to be equally correct. This exam will test your patience and ability to focus over a long period. But hang in there. If you prepared sufficiently, you will make it through, and hopefully when you finish, there will be a passing score waiting for you when you leave.
Almost There
Although the hardest part is now over, you are not yet officially CISSP certified. Don’t go running out to put CISSP on your resume just yet. The proper title at this phase is that you are an Associate of (ISC)2 (if you request (ISC)2 to initiate this status for you). Before granting you CISSP status, (ISC)2 requires you to submit your work history showing the requisite number of years of security experience (five years with the possibility of a year waived for education or certification qualifications). If you don’t meet the work experience requirements, you should go ahead and become an Associate of (ISC)2. It will demonstrate that you passed the exam and give you access to (ISC)2 resources. You also need to affirm that you will abide by the (ISC)2 Code of Ethics. Finally, an (ISC)2 certification holder in good standing must endorse you. Once this paperwork is submitted, you can expect to receive within four to six weeks that glorious note from (ISC)2 congratulating you on your new status as an official CISSP. You made it!
Life as a CISSP
Will your life change significantly after becoming a CISSP? Not really. You will certainly be able to apply to more jobs if you are looking to change positions. Perhaps you will leverage the CISSP when negotiating a pay raise or bonus in your current job. Other perks include discounts at conferences, networking opportunities, and access to the (ISC)2 digital magazine. One change to expect after you become a CISSP is that you will start obsessing over meeting your annual Continuing Professional Education (CPE) requirements. Each time you participate in an educational activity, make sure you document it so that you can submit it as a CPE. The last thing you want is to fail to meet CPE and annual payment requirements, thus jeopardizing the certification you worked so hard to obtain. I am sad to say that this happened to me personally and now I regret it. That is why I don’t list CISSP on my LinkedIn profile anymore.
One final point is that you will have the satisfaction of knowing that your hard work paid off and you are a member of the exclusive CISSP club. It is mostly an unspoken thing, but you’ll share it with other CISSPs who had to endure the same process as you in order to become certified. Others might downplay the significance of the CISSP or question its validity as a measure of competence and knowledge in the field of information security, but if they had the opportunity to put CISSP after their name, many would jump at the chance.
Show Time
Now that you can visualize yourself as a CISSP, it is time to get to work and make it happen. This is where good tips, strategies and techniques really come into play. You will need to manage this undertaking in the most efficient and practical way possible and the right techniques can be helpful. There is no need to reinvent the wheel here. The exam is difficult, but many people have taken it and passed it. Why not learn from others who have succeeded in this challenge?
Many of these tips and techniques come from my personal experience having prepared for, taken and passed the exam at the first attempt after a few months of study. Other tips were compiled from friends and colleagues, bloggers, discussions and other sources. The following is really a strategy guide; consider the tips contained within as a tactical playbook for improving your chances of passing the exam. I have tried to make the individual tactical tips useful and applicable, but their true power comes when they are applied in combination. I strongly believe the synergy between these techniques will give you a significant edge and improve your chances of passing the exam. So without further ado, let’s proceed to the tips.
PART 2: PREPARATION TIPS
R2 SAYS THAT THE CHANCES OF SURVIVAL ARE 725 TO 1. ACTUALLY R2 HAS BEEN KNOWN TO MAKE MISTAKES... FROM TIME TO TIME... OH DEAR.... – C3P0
1 GAIN EXPERIENCE
Field experience helps in many certifications, but it provides a critical advantage in the CISSP. Firstly, (ISC)2 requires applicants to have five years of professional experience in at least two of the eight domains in the CBK. From a test-taking perspective, actual experience in the field will give you a valuable context in which to make sense of the conceptual and scenario-based questions in the exam.
2 PREPARE FAR IN ADVANCE
The CISSP is not an exam to take lightly. Lift up a copy of The CISSP All-In-One Guide by Shon Harris in your hand and the weight alone tells you that there is a lot of material to cover. Unless you are a very experienced security professional, allow at least three to four months to prepare. You will need to read books, watch videos, maybe attend a boot camp, and pass practice exams during your journey to becoming a CISSP. For most people, this is not something that can be accomplished in a few weeks.
3 FIND YOUR WEAKNESSES
The most efficient approach to the CBK is to focus on the areas where you are the weakest. Most professionals in the security field will have some experience in at least one or two of the domains and will need less study time in these areas. If you have a CCNA and are an expert in networking, but have never been exposed to incident response or disaster recovery, it doesn’t make much sense to spend as much time in Communication and Network Security as in the Security Operations domain. Review the official exam outline, the table of contents in each book that you read, and the results of practice exams in order to identify your weak areas and focus your effort on them.
4 MIND MAP IT
One great way to capture information during your CISSP studies is to use a mind map, which is a visual representation or diagram of words or concepts linked together, usually around a central theme. Mind maps are more fun to create than notecards and usually much more beneficial since they help to organize information as a whole. Consider creating a mind map for each domain and then use it to help you isolate areas where you need more study. Check out the tools available online from MindMeister or FreeMind.
5 DON’T MEMORIZE QUESTIONS
For some certification exams, all you need to do is memorize a lot of material; however, the CISSP is not such an exam. Even if you take a thousand practice questions, it is highly unlikely that you will find an exact question from the actual exam. Rather than trying to memorize questions, use practice exams to become a better test taker by learning how to read questions carefully and how to eliminate incorrect answers. Practice exams are just as much about becoming a better test taker as they are about measuring your level of knowledge.
6 OVER-PREPARE
You can get by reading a book, taking a couple of practice exams, and relying on your experience for some certifications, but the CISSP is not one of them. There are eight domains within the CBK, so most people simply don’t have experience in every area. You will not be able to skim this material or read it once. You will need to cover the CBK in depth using multiple resources in order to master the material. Over-preparing ensures that if you end up with more questions in one domain over the others, you will be able to hold your own.
NEVER TELL ME THE ODDS. – HAN SOLO
7 SAVE PRACTICE EXAMS FOR LATER
Learn the content within the CBK before taking practice exams. Instead of using practice exams as a tool for learning, use them to measure your readiness and to improve your test-taking strategies. That is not to say that you can’t learn content from the practice exams - you definitely can. However, the real benefit from practice exams is twofold: First, you become a better test taker by learning how to answer questions more strategically. This includes eliminating answers and reading questions more carefully in order to identify key words and concepts. Second, practice exams let you know if you have mastered the material. If you are scoring 80-90% on a particular domain, you can be confident that you have mastered the material and are able to move on to other domains.
8 GO ONE INCH DEEP
The CISSP exam has long been described as being one inch deep and a mile wide. (ISC)2 is not interested in candidates memorizing every technical fact or detail. Instead you should strive to understand the key concepts across the domains and be able to apply them in different scenarios. For example, you want to know the basics about how TCP works such as the initial handshake and the flags it uses, but you wouldn’t want to get into the details of how the algorithms work for managing flow control. If you find yourself digging too deep into the technical details of a subject during your studies, back up and focus on the high-level concept.
9 AVOID LAST MINUTE CRAMMING
Last minute cramming is usually not a good idea and the CISSP exam is no different. Avoid any cramming the night before or the morning of the test. If you don’t know the material by now, last minute cramming won’t help you. Cramming could even have a negative impact on your performance by tiring you out before the test or confusing you with concepts that you have not fully learned. Trust in the fact that you have fully prepared for the exam and go with what you know.
10 BUILD YOUR CONFIDENCE
Slogging through an endless amount of CISSP material requires a certain level of motivation. At times you may feel your confidence dipping as you work through the CBK wondering if you can ever learn it all. One way to boost your confidence and increase your motivation is to take practice exams. Receiving positive feedback on domains you have studied lets you know that the work you are doing is paying off and is a big encouragement to help you keep pushing through the material. Also, keep a checklist of study tasks you want to complete and check them off as they are finished. A list of completed tasks can be very encouraging.
11 LEARN FROM OTHERS
You are not alone in your CISSP endeavor. Many other professionals have been down this road too and are willing to share their CISSP experiences. If you have a question about the test or the material, it has probably been asked and answered before. Spend time on forums like TechExams.net and you’ll find a plethora of posts from people who have lots of great advice to share.
12 FIND A STUDY PARTNER
Becoming a CISSP is a tough enough journey. Why do it alone? Find a study partner who can help and support you along the way and vice versa. Obvious places to look are at work, among your colleagues, and online. There are plenty of social networking groups dedicated to the CISSP. You can find groups on LinkedIn, Facebook, and Meetup to name a few. Once you find someone, sign up to take the test together and then help keep each other on track during the process.
I’D JUST AS SOON KISS A WOOKIEE. – PRINCESS LEIA
13 USE CURRENT MATERIALS
In 2015, (ISC)2 refreshed the content of the CISSP. The number of domains was reduced from 10 to 8 and some areas were expanded while others were moved to different domains. Make sure that you include study materials that are current and have been updated with the (ISC)2 changes. The Shon Harris CISSP All-in-One Exam Guide is an example of a book based on the older CBK.
14 PRACTICE YOUR SCENARIOS
Be prepared for scenario-based questions. It is not enough simply to know a lot of facts; you must be able to apply them. For example, you may be asked to address scenarios dealing with response to security events involving an intrusion, a disaster, or a legal issue. Can you take in a lot of details and use them to apply a policy or process in order to come up with a solution? Can you put yourself in the shoes of an intrusion detection or business continuity manager in order to solve a question? This is another area where you can benefit by taking practice exams.
15 EARN ANOTHER CERT FIRST
Consider obtaining an InfoSec certification with a lower degree of difficulty before jumping into the CISSP. The CISSP is quite a challenge for one’s first certification. Why not start with another certification such as Security+ or maybe even the Systems Security Certified Practitioner (SSCP) from (ISC)2? You’ll be learning content that may be useful for the CISSP, you’ll teach yourself how to study and prepare, and you’ll gain a lot of confidence when you pass that first exam.
I FIND YOUR LACK OF FAITH DISTURBING. – DARTH VADER
16 CREATE A SCHEDULE
Preparation for the CISSP is a major project and it should be managed like one. If this were a project for your company, how would you approach it? I’m not saying you should use Microsoft Project to manage your schedule, but you should think systematically about how much time you have to prepare and how to break the work into manageable chunks. Think about the study activities you would like to accomplish and how long each will take. Make an outline and put some dates against specific activities, then stick to it.
17 USE THE CORE MATERIALS
There is an endless number of materials available to help you prepare for the exam, with new materials being introduced daily. However, people consistently mention a few core materials that have helped in passing the test. Do the research and find out what people are mentioning in their study plans. The following is a short list: CISSP Study Guide by Eric Conrad, the CISSP All-In-One Guide by Shon Harris, CISSP: Certified Information Systems Security Professional Study Guide by Sybex, Official (ISC)2 Guide to the CISSP CBK, Fourth Edition by (ISC)2, videos from Cybrary, and CCCure practice exams.
18 SCHEDULE IN ADVANCE
Do you want to light a motivational fire under yourself? Schedule a date for the exam in advance. There is nothing better for your motivation and sense of commitment than knowing you have paid for the exam and the date is set.
19 ANNOUNCE YOUR DATE
A second way to motivate yourself is to announce your test date. Once you schedule the exam, let people know about it publicly. Not only will you receive the support of friends and colleagues, you’ll be on the hook. Once others know you are taking the test, you’ll feel the pressure to keep up with your studies because you won’t want the embarrassment of telling people that you didn’t pass.
20 LEARN YOUR STYLE
Figure out how you learn best and then design a study program that meets your needs. We all have different ways of learning, be they visual, auditory, kinesthetic, or a combination. For some people this might mean curling up at night with Shon Harris’ book, for others it may mean cranking up videos on Cybrary. Perhaps you need live instruction at a boot camp, or perhaps you prefer to take notes, create indexes, or make notecards. The key is to find out what works best for you and use that modality as your primary approach to learning.
YOU NEED A TEACHER! I CAN SHOW YOU THE WAYS OF THE FORCE! – KYLO REN
21 RETEST SOON IF NEEDED
It has been suggested that around 70% of test-takers pass the CISSP exam, which means that if you are unfortunate enough to be in the 30% group that does not pass, you need a strategy for retaking the exam. My suggestion is to reschedule another exam date within a short period of time. After all your hard work and preparation, you don’t want to lose momentum. If you schedule a retest too far in advance, you may be tempted to take a break from studying which means you will start to forget material. It may also be tough to jump back into studying after a break, so schedule the test immediately and try to keep your current study schedule in place. (ISC)2 allows you to retake the CISSP after 30 days if this is the first time you have not passed the test.
22 TAKE A BOOT CAMP EARLY
There is no doubt that a boot camp can help you pass the CISSP and many people opt for this route. If you do choose to do a boot camp, you need to decide when to schedule this activity. I suggest you take a boot camp in the initial part of your studies and use it to identify areas where you are weak and need additional work. Taking it early also gives you an in-depth overview (albeit compressed) of the CBK. As you continue your studies, you’ll be able to assimilate new material better having this mental map of the CBK in your head.
23 KNOW THE CODE OF ETHICS
Since there may be questions that deal with the (ISC)2 code of ethics, it would benefit you to memorize it, because a condition of being awarded the CISSP is that you commit to the code as a certification holder. Learn the preamble and the four canons and you will be prepared for questions that may require an ethical perspective.
24 TRY A PODCAST
You need to take advantage of any free time to study. What about a podcast so that your time in the car or elsewhere can be put to good use? Two to try are recordings from Eric Conrad and CyberSecStudy.
25 BEGIN WITH THE FOUNDATION
Begin your studies with the Security and Risk Management domain. Here you will start with the security principles of confidentiality, integrity, and availability (CIA), which underlie much of what we do in security. If you build a solid foundation in this domain, other domains may make more sense, helping you to understand why certain security functions are important.
26 CONSISTENCY
Consistency in your studies is essential. A little study or practice exam time every day will help you to learn and retain information better than cramming sessions with long periods of inactivity in between.
27 MNEMONICS
There are a few things you will want to commit to memory, so why not use a mnemonic to help you? There are a bunch out there already, but if you want, have fun and create your own. Some examples include: OSI model (All People Seem To Need Data Processing), CMMI (I Really Defend My Opinion), and SDLC (Re Do Damn Test Right).
PART 3: CISSP HUMOR
You deserve a break. It’s time for some CISSP humor.
PART 4: TEST TAKING TIPS
YOUR FOCUS DETERMINES YOUR REALITY – QUI-GON JINN
28 SLEEP WELL
This is a given but it must be mentioned. Give yourself the best chance of success by being fully rested at test time. Going to bed early will help you feel fresh in the morning and allow you to get up early enough to arrive in advance of the test. There is a significant amount of academic research showing that students with a full night’s rest perform better in exams than students who stay up the night before. Additionally, students who sleep more during the exam period gain higher grades, probably because quality sleep helps one to retain information. So make sleep a priority when preparing for the CISSP, especially the night before.
29 EAT WELL
This is another given. There are two mistakes you could make with regard to eating prior to the test. If you skip a meal or eat too lightly, your overworked brain will burn through calories too fast and you won’t have enough energy to finish. The other mistake is to eat too much or eat the wrong food. Your body will take away resources from your brain while trying to digest a difficult meal. The best option is somewhere in between the two extremes. Eat a healthy, balanced breakfast and then bring snacks to help you get through the test if needed.
IN MY EXPERIENCE, THERE IS NO SUCH THING AS LUCK. – OBI WAN KENOBI
30 MARK QUESTIONS FOR REVIEW
Mark questions for review. If you are unsure about a question, mark it for review and move on. One benefit of this approach is that you won’t waste a lot of time on a question or raise your frustration level unnecessarily. If you have time at the end of the test, which you probably will, you can revisit these questions. Second, you may get clues from other questions that may help you answer previous questions. At a minimum, once you reach the final question you’ll have a better feel for how (ISC)2 asks questions and what they might be looking for in your answers. This may help you to tackle the questions you have marked for review.
31 ELIMINATE ANSWERS
Become an answer elimination expert. Eliminating answers is all about increasing the probability of a correct answer and the more correct answers, the better your chances are of passing. An answer chosen at random from four possible answers gives you a 25% probability of a correct choice. Eliminate two answers and the odds jump to 50%. Always make it a goal to eliminate at least two answers for each question. Answers that have nothing to do with the question are an obvious target for elimination. Answers that are too similar may also be candidates. Over time you’ll become better at eliminating answers and the best place to learn these strategies is in practice exams.
32 CHOOSE THE BEST ANSWER
One frustrating aspect for CISSP test takers is that often more than one of the answers appears to be correct. The key here is to pick the best answer by using the context of the question and by carefully reading what is being asked. Often there will be clues in the question that hint at the right answer. If more than one answer appears correct, go back and reread the question to find the clue that leads you to the right answer.
33 THINK LIKE A MANAGER
Although (ISC)2 wants to make sure you have a fundamental understanding of security, they are not testing deep technical knowledge. In that regard it is helpful to think from a manager’s perspective when taking the test. Unless the question clearly requires a straightforward technical answer (e.g., The size of a SHA-1 hash value has how many bits?), you should think about how a manager in the domain would answer it. What processes, standards, or policies would they follow when addressing the issue? How would they prioritize and what would they do first? How would they assess the risk of the issue or perform a cost/benefit analysis? Think from this perspective and you’ll have an advantage when taking the exam.
34 HUMAN SAFETY
What good is security if we can’t protect human life? That might be obvious but it is one point that you don’t want to forget during the test. (ISC)2 emphasizes this in their Code of Ethics which has “the safety and welfare of society and the common good” as the first point in the preamble. In any question where the safety of people is involved, for example a disaster recovery plan, choose an answer that highlights the priority and importance of protecting the safety and welfare of others above all else.
35 ARRIVE EARLY
You have spent months preparing for the test so why would you take any chances of arriving late on exam day? What if there is an accident on the way or an unusual amount of traffic? You are going to be stressed enough so there is no reason to add to your worry. On exam day, arrive with plenty of time to check in and get comfortable for the test. Consider driving to the exam location prior to the test to make sure you know the way.
DO OR DO NOT, THERE IS NO TRY. – YODA
36 IDENTIFY KEY WORDS
Success on the CISSP requires that you read questions carefully. In particular, it means identifying the key words that help to determine the correct answer. Make sure to notice significant words like NOT, INCORRECT, MOST, LEAST, BEST, WORST, EXCEPT, just to name a few examples. If you miss a word such as “incorrect” you might end up choosing an answer that has an opposite meaning to the correct one. These words will often make it easier to eliminate answers. Also pay attention to the last word in a question. Sometimes the key word may be hidden at the very end.
37 TAKE YOUR TIME
(ISC)2 gives you six hours for 250 questions, which is more than enough time. Rarely will you hear people say they needed more time. As a result, take your time. There is no need to hurry or put additional pressure on yourself to get through the test. At the same time, use the extra time you are likely to have at the end to your advantage to review marked and unanswered questions.
38 TAKE BREAKS
Six hours is too long for any person to focus. After a long period of concentration, the brain will begin losing focus and effectiveness. In order to stay as fresh as possible during the test, make sure you take breaks. Go to the bathroom, get a drink, eat a snack, and stretch. If anything, this will give you a minor mental boost as you return to the exam. Even though the clock doesn’t stop ticking while you are away, as we just mentioned, you will likely have more than enough time to finish the exam.
39 ANSWER EVERYTHING
This is a simple tip: answer every question. There is no penalty for answering a question incorrectly so you might as well give it a shot. At the end of the test, review the questions to make sure that all of them have answers before submitting your test.
40 MINI BRAIN DUMP
If you enter the exam with some test material in your head that you don’t want to forget, consider writing it down before you begin the test. For instance, let’s say you are afraid that you are going to forget the OSI model layers or private IP ranges. You may not encounter these on the test but if it will give you peace of mind, take a few minutes to write them down prior to starting the test so you won’t worry about forgetting them.
YOU’RE ALL CLEAR, KID! NOW LET’S BLOW THIS THING AND GO HOME! – HAN SOLO
41 USE DIFFERENT PERSPECTIVES
Successfully analyzing CISSP questions is an important factor in your success. One way to go about this is to use various perspectives when reading the question. I have already mentioned this once regarding thinking like a manager; now let’s take it one step further. Try the perspective of the person who created the question. What were they trying to convey when they sat down to write it? What point about security do they want to make? This may give you insight into the answer they want you to select. Another perspective to use is that of someone who works in the specific domain. It does not have to be a manager; think about what an engineer, business analyst, or even a CISO would do in the same situation.
42 TAKE A SNEAK PEEK
To remove some of the suspense and stress of not knowing what to expect, consider flipping through the questions briefly at the beginning of the test to get an idea of what is coming. This will help set your expectations and allow you to know what you are up against versus being surprised or nervous with each new question.
43 DON’T PANIC
Resist the urge to panic after the first 10-15 questions. It is easy to fall prey to anxiety once the test starts - you see how difficult real questions are, and you think about the stakes and what it would mean to fail. You need to be prepared for this feeling and put it out of your mind at the beginning of the test. Relax, take deep breaths, and reassure yourself. You have put in the work to learn the material, so you’ll be able to get through the test if you don’t let your nerves get the better of you.
44 RE-READ THE QUESTION
Before you finalize an answer, always make sure you go back and re-read the question. If you fail to see the key word, get distracted by unnecessary words, or miss the main point, you might answer incorrectly. By re-reading, you assure yourself that you know exactly what is being asked. There is no need to rush through a question, so do yourself a favor: take the time to re-read and make sure you have interpreted the question correctly.
45 DON’T GET STUCK
There may be questions with content you have never seen or that you haven’t a clue how to answer. Don’t let this frazzle you. You can fail many questions and still pass the test. Remember that there are new beta questions being introduced all the time and any one question may not even count toward your overall score. If you are totally stumped or frustrated, mark it for review or give it your best guess after eliminating as many answers as you can.
PART 5: RESOURCES
It can be difficult to figure out the resources that will help you the most on the CISSP exam. There are gazillions of types of products and services being promoted on the Internet and not all are of equal quality when it comes to preparing for the exam. To help cut through the noise, I used TechExams.net to find out what successful CISSPs had used in their preparation. I surveyed posts in the CISSP forum over the past year with the word “passed” in the title. These are postings where the individual lets the community know that they passed the test. Posters also normally use this opportunity to give something back to the community by sharing the resources they used during their studies. I recorded the resources identified in each post and kept counts for each. The list I created contains the 40 most cited resources. There were some of the old favorites in the list but a bunch of surprises as well. Everyone should be able to find some resource on this list that will work for his or her particular style of study. To receive this awesome list, all you need to do is sign up at http://certbase.io/cissp-resources.
CONCLUSION
Hopefully you have found something worthwhile here that might benefit you come exam day. There are so many great CISSP resources out there; this can be another one in your arsenal. Ultimately, even with the best resources, you still have to invest the time and energy to make it happen. If you have made it this far in the eBook, I’m sure you have what it takes to go the distance in your preparations. Good luck. You can do this. Now go crush the CISSP!
Special thanks to Steve Witmer, Rafael Algara, and others for reviewing and providing valuable feedback and input and Theresa Ford for the lighthearted CISSP comics.
Disclaimer
The information contained in this guide is for informational purposes only. The publication of this information does not guarantee success in the CISSP. It is simply a recommendation and an expression of my own opinion. No part of this publication shall be reproduced, transmitted, or sold in whole or in part in any form, without the prior written consent of the author. Users of this guide are advised to do their own due diligence when it comes to preparing for the CISSP exam. By reading this guide, you agree that CertBase is not responsible for the success or failure of your efforts to earn the CISSP certification.