Thursday 10 April 2014

Preparing for and taking the CISSP exam.

The Certified Information Systems Security Professional (CISSP) examination from (ISC)2 is considered by many to be one of the certifications an information security professional should have. Many employment positions for information security professionals list it as a required certification. However, it is not an easy certification to gain; although a professional may have more in-depth knowledge of a few of the domains, it is unlikely they have the required depth of knowledge across all 10 of the domains without studying.

I have been a CISSP for many years, am into my third cycle of accreditation, and have been involved in getting other professionals ready to take the certification. The following is based on my experiences. Not all the tips may suit you, but they could help and give you some ideas about preparing for and taking the certification.

Taking the CISSP certification.


My first tip is to book the exam giving yourself a reasonable amount of time to prepare; neither too short nor too long. I would say between 2 weeks and 2 months would be suitable, dependent on your existing knowledge and the amount of time you can give over to revising and preparing. It is not a certification to be taken lightly and you must set aside time to prepare: some domains of the common body of knowledge (CBK) you will be familiar with, but others you may have no experience of. Setting a realistic deadline gives you a target; if you wait until you think you are ready you may never take the exam.

I would obtain good study material; the official (ISC)2 guide to the CISSP CBK is a good starting point, along with downloading the current Candidate Information Bulletin (CIB) from the (ISC)2 website. There are other study guides available; if you go for these, review the comments on sites such as Amazon where reviewers will leave their opinion of the material.

The CIB gives guidance on the current focus of the exam and is updated every few months. By looking at the overview and the key areas of knowledge for each domain you can determine the focus areas to concentrate on. It also gives tips on the exam and advance notice of changes in format etc. In addition to reading the CIB and the guide to the CBK, I would recommend following all the suggested reading under the “more to know” section at the end of each domain in the guide. (ISC)2 recommend that you should have 5 years’ experience, or about 10,000 hours, to pass the exam; however, being widely ‘read’ will help in understanding all the domains. My recommendation is to follow some of the many InfoSec blogs; you will soon realise which ones are knowledgeable and should be followed. I would also recommend reading some of the good information security websites and journals that are available. If you can tell the good ones apart from the bad, you are well on the way to becoming a CISSP.

So you have read the 10 domains in the guide and the additional reading material, but did you understand what the guide was trying to get you to learn? My recommendation is to read up on terms you don’t understand and look at the references to standards. Once you have completed your initial read of the material, you are ready to start preparing for the exam.


Preparing for the exam


The exam is 6 hours and 250 questions, and it is not cheap; it is a daunting task. I will discuss strategies for doing the exam a bit later. For now, you have done the initial read-through and have a reasonable amount of time before the exam day. My advice is to concentrate on your weaker domains: do the questions at the end of each of the domains in the guide. If you can correctly answer the questions, you understand the concepts, so concentrate on the domains where you underperformed.

It will become apparent that the questions in the guide are not enough and that you need more practice questions, to get you more comfortable with the wording and to help identify where the gaps are in your knowledge of the CBK. I recommend the official (ISC)2 questions: you can purchase 3 sets of 100 questions from their studISCope website, or get an app for the iPhone from the iStore or via a link on their main website. Their guide is also available in electronic format as well as in print. On their website there is a guide to study resources; I recommend you review these and decide if you need to use them. Some of the good third-party study guides that are available come with electronic practice questions to help test your knowledge.

Repeating the tests and concentrating on your weaker domains will build up your knowledge. The exam is marked out of 1000 and you need to obtain a score better than 700 (70%). The actual weighting of questions and the number of questions from each domain is not generally known; what is known is that 25 questions are test questions and do not count towards your final pass/fail.

If you search for study guides and cheat sheets on Google, you may find some, and you may find lists of questions purporting to be actual exam questions. Take these with a very large pinch of salt: they are very unlikely to be the exam questions and are likely to contain mistakes that can mislead. The good exam guides and highly rated websites will have questions to test you; however, the most pertinent ones are those from (ISC)2.

One strategy to follow when preparing for the exam is to consider the exam environment: most people recall information best when the environment they are recalling it in is similar to the one they learned it in. The exam environment is quiet, but not completely silent, so preparing in a quiet environment will help. You will not have time for a lot of coffee or energy drinks etc. during the exam, so don’t go overboard on these while studying. You are not going to do the exam in your pyjamas, so don’t revise in them; additionally, you are not going to sit in a formal suit either. Pick comfortable clothes, and as physical stimuli can aid recall, choose clothing similar to what you will wear in the exam.

Also, we don’t often concentrate for 6 hours at a stretch. Whilst I’m not recommending 6-hour-long revision sessions, I do recommend revising for several hours at a time and building up your concentration skills.

The technique I recommend is to do a practice exam, identify your worst domain, re-read the domain, research the topics online and read around the subject. Then retake the practice exam and repeat. Don’t forget to read widely about and research the topics. As you get nearer the exam date you should score evenly across all the domains, but don’t panic if you have a blind spot for one of them.

So you have done the revision, you have done the practice questions and you score highly in them; you are ready for the exam.


Taking the exam.


For the exam itself, there are some strategies that can help. The most important is to stay calm and manage your time. Once you start the exam you will have 360 minutes to do the 250 questions, approximately 1.26 minutes per question. I am not saying this to panic you but to give you a sense of how you must manage your time, especially if you have to take a comfort break or two during the exam.

Out of the 250 questions, 25 are ‘research’ questions that don’t count; however, you don’t know which ones they are as you take the exam. Every question should be answered as if it counts; don’t leave any questions unanswered. If you are running out of time, answer all the remaining questions by guessing: at best it could be your lucky day, and you have lost nothing by answering them.

My tip for the exam is to go through the questions and answer those you know immediately; if you have to think about a question, move on to the next. Don’t get disheartened if you don’t know the answer to the first 25 questions off the top of your head, or if you go through sequences of questions without knowing the answer. You can go back and answer the ones you skipped once you have done the first run through; hopefully by then you have done close to half the questions. What you will find is that you now have more time for the remaining questions, as you probably answered the questions you knew in under a minute each. You can now do the remaining questions with more time to spend on each.

For each question, read the question, read the answers, then read the question and answers again before you answer it. It is very easy to assume you know the answer because you recognised keywords rather than understanding the question.

For each question there are four answers and you need to select the best one. If you are not sure which is best, examine each answer in turn and eliminate the obviously wrong ones; at best you will go from a 1 in 4 guess to a 1 in 2 guess. However, if you are having problems I would recommend proceeding to the next question and coming back to the difficult one later. Often a word in another question, or the answer to another question, will trigger the memory that enables you to answer it.

If you have time, you may want to review your answers; however, bear in mind that your first instinct is often the right one, so only change an answer if you are confident you know the correct one.

In terms of comfort breaks, don’t skip drinking water, your brain needs it, but don’t overdo it and end up spending precious time making yourself more comfortable rather than answering the questions.

Hopefully I have given you some tips and thoughts on how to prepare for the CISSP exam. Gaining the certification can widen your knowledge of security issues and open doors in your career. Good luck.

References

https://www.isc2.org/CISSP/Default.aspx
https://www.isc2.org/practice-tests-app/Default.aspx
https://www.expresscertifications.com/ISC2/Catalog.aspx
