As promised, I’ll tell you how I prepared for my CISSP exam. Of course, this is no recommendation for a guaranteed path to success, your results may vary. For example, I studied the Common Body of Knowledge on my own, I didn’t take a CBK Review Seminar and I didn’t join a study group. Self-study works great for me (I like reading books in my easy chair), but it may not for you.
I spend about one year (elapsed time) preparing for the exam. My original planning was 6 months, from fall 2005 until spring 2006. Unfortunately, this time there was no spring exam in Belgium, so I had to wait for the fall exam. It allowed me to take a break of several months. I cannot tell you how many man-days I spend, but it must be at least a man-month.
The “Official (ISC)² ® Guide to the CISSP Exam” was the first book I started reading. To wet my appetite, I didn’t start reading the book from the first chapter, but I started with a fun chapter: cryptography (well, I consider it to be a fun read, you may think otherwise). But the official guide turned out to be quite terse prose, so I looked for other books. Shon Harris’ “CISSP All-in-One Exam Guide” popped up a lot in my search results, so I gave it a try. And it turned out to be an excellent study guide. I read it from cover to cover, and occasionally referred to the official guide for more reading material, when I wasn’t so familiar with a particular domain. The chapter about the exam itself is also very good, Shon gives a lot of good tips.
I would read a chapter, and then I would take the quiz at the end of the chapter. This is quite a strict procedure I follow (I also did this for my other certs): I write down my answers in a spreadsheet, with a special mark if I feel uncertain about my answer, and only after answering each question, I’ll look up the answers. If I answered incorrectly or if I marked a correct answer as “uncertain”, I would carefully read the explanation. If it turned out I misread the question, and would otherwise have answered correctly, I just moved on. For example, it happens that I misread a “not”: it reads “what does not apply” and I read “what does apply” …
However, if I didn’t misread the question, I reviewed the sections of the chapter pertaining to this particular question until I understood what the correct answer was.
It turned out that I would always answer 80% or more of the questions correctly.
For many domains I consulted extra information on the Internet (Wikipedia is a good source for technical information), and I also tried to find practical uses for the concepts I was learning. For example, I applied cryptography in my tool ZIPEncryptFTP. I can also recommend CrypTool to study crypto algorithms.
After studying all the domains and feeling confident, I rehearsed the exam itself: I answered all questions of the trial exam provides in Shon’s book in one go and timed myself. This took me several hours. Although I had about 73% correct answers, I still I reviewed the wrong answers (several of them were of the “not”-type).
I also took a trial exam with all the questions of the official guide.
Finally I took a few days before the exam to cram. There is always stuff you need to memorize unless you’ve a lot of experience in the domain. For example, I had to memorize the list of the different types of glass and how they compared to each other for their impact-resistance.
An upcoming post is about the exam taking strategy I followed.
Didier Stevens 