As exam time approaches, everyone feels anxious about whether they’re ready to take the exam and to pass and thus to receive the CISSP certification. For a lot of people, achieving this milestone in their career means verification of the knowledge they possess. To some it means meeting the minimum requirements to stay in the job they already have. And in this economy, keeping your job is sometimes more important than getting promoted or getting a pay raise.
Anxiety takes on many forms, but mostly centers around whether or not you’ve done the necessary preparation; answered enough questions; bought and memorized the “right” preparation material and so on. Believe me, there is a plethora of material out there to be used to study for the CISSP exam. I will not tell you what to use or what not to use. What I will tell you is what worked for me and the methodology that I tell all of my students to use.
So here’s the methodology, timeline, schedule, whatever you want to call it.
Step #1 – go to the ISC2 website http://www.isc2.org/ and get the listing of the CISSP examinations for your location. If you are going to be taking the CBT version via PearsonVue, then pick an exam date that is immediately after the bootcamp. Leave this up on the screen and open a second browser window and look at the InfoSec website http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
Step #2 - select a CISSP boot camp course that is at least 60 days in the future and select an examination date that is immediately after the boot camp (this may not always be possible, it just means you’ll have to fit my timeline described below into a smaller timeframe). By immediate I mean the very next day. Typically the boot camp runs for 7 days with day 7 being the examination.
Step #3 – sign up and pay for both. Now you’ve committed your money and yourself to achieving the CISSP certification. When you pay InfoSec Institute, ask them to ship the pre-course and course study material to you as soon as possible. This material should arrive within 5-7 business days.
Step #4 – while you still have the ISC2 website up, order the CISSP CBK 2nd Ed. text. This you will have to pay for on your own. This should arrive within 10 business days.
Step #5 –Print off a copy of the calendar pages from Outlook or whichever calendar you happen to be using for the month of the exam (let’s say October) and the immediate two preceding months (which would be August and September).
Step #6 – From the first day of the boot camp, count backwards 50 days, numbering the calendar as you go. So let’s say your exam date is October 9th and the boot camp you selected was the one that starts on October 3rd in New York. Counting back from October 3rd, (with October 2nd being labeled as “1”) that would make August 14th the 50th day “50”). Which means you should have registered for the course and the boot camp somewhere around the 1st of August in order to have the material on hand by August 14th.
Step #7 – The CISSP material is organized into 10 domains, which means over the course of 50 days, you will spend 5 days per domain. So for each 5 day cycle here’s what you will do. On day 1 and day 2 you will work on a domain in the Shon Harris book using the following logical approach (if the time to test is shorter, you’ll have to fit 2 or 3 days within my suggested 5 days…possible, but get reading!):
Shon Harris 5th ed. on page 474 question #1 reads:
1. What is the first step that should be taken when a fire has been detected?
A. Turn off the HVAC system and activate fire door releases.
B. Determine which type of fire it is.
C. Advise individuals within the building to leave.
D. Activate the fire suppression system.
Here is the logical approach to studying that I want you to use:
- Look at the answer on page 478, it reads “C. Human life takes precedence. Although the other answers are important steps in this type of situation, the first step is to warn others and save as many lives as possible.” Go back to the question on page 474 and highlight answer C with a green highlighter.
- Find the answer in the chapter which supports “C” and in this case the answer is on page 403 and is in the last paragraph which reads, “In all situations, the primary consideration, above all else, is that nothing should impede life safety goals. When we discuss life safety, protecting human life is the first priority….”
- Highlight this paragraph again with the green highlighter, then put a post-it flag on the side of page 403 and write “#1″ on the post-it flag.
- Go back to page 474 and write “Page 403″ next to question #1.
- For the rest of the answers “A”, “B”, and “D” make a written note next to each why they are less important. In this example it’s easy because you would simply write next to each of them, “individuals might not be able to escape in the event of a fire.” which you will notice is the last sentence on page 403.
On day 3, repeat the same process as outlined above only using the CISSP CBK. Do the same domain as you did on day 1 and 2.
On day 4 & 5, repeat the same process as outlined above using the practice questions from Book 4 of 4 of the InfoSec supplied training materials and put the post-it flag on the appropriate slide in either Book 1, Book or Book 3 of the training material. You will begin to notice that some of the questions are repetitious. Do not be alarmed and don’t think you can skip them. You need to repeat the process.
Step #8 – so here’s the timeline which you will need to write down on the calendar sheets and then check them off as you complete each. Again, adjust the timeline appropriately based on how much time you have until your exam date. While 50 is ideal, you can do it in less with discipline. Conversely, I wouldn’t recommend making the length any longer than 50 days.
- Day 50 – 46 – Domain 1 Information Security and Risk Management (calendar entry example in day 50 write “50 SH Dom1″, in day 49 write “49 SH Dom1″ in day 48 write “CBK Dom 1″, in day 47 write “47 INF Dom 1 and in day 46 write “46 INF Dom 1) repeat this throughout your 50 day cycle.
- Day 45 – 41 – Domain 2 Security Architecture and Design (calendar entry example in day 45 write “45 SH Dom2″, in day 44 write “44 SH Dom2″ in day 43 write “CBK Dom 2″, in day 42 write “42 INF Dom 2 and in day 41write “41 INF Dom 2) repeat this throughout your 50 day cycle.
- Day 40 – 36 – Domain 3 Access Control
- Day 35 – 31 – Domain 4 Physical Security
- Day 30 – 26 – Domain 5 Cryptography
- Day 25 – 21 – Domain 6 Telecommunications and Network Security
- Day 20 – 16 – Domain 7 Application Security
- Day 15 – 11 – Domain 8 Operations Security
- Day 10 – 6 - Domain 9 Business Continuity and Disaster Recovery Planning
- Day 5 – 1 – Domain 10 Legal, Regulations, Compliance and Investigation
Step #9 – which will be Day 0 and the first day of your boot camp you should plan on being in class a few minutes early so that you can get a seat close to the front of the room. You’ve got your InfoSec material and it’s full of post-it flags. Speaking of which, I personally prefer that you use green and red post-it flags. You would use green for everything you were able to find and for everything that you could explain why the other three answers weren’t the right answer. You would use RED if there was something you just didn’t understand. When I stand in front of the class and I see some red post-it flags in the Shon Harris book or the CISSP CBK or the course material, I know that you are having a problem with a particular topic. As an instructor, I like to know which slides are giving you trouble and want to make sure to cover those topics sufficiently to help you get a clear understanding of the question.
Final thoughts or why this will help relieve anxiety. You have applied a sound educational methodology to learning each of the 10 domains. You will have looked at in excess of 850 questions, you will have answered these 850 questions correctly, identified supporting material in the reference texts and the course material; and you will have justified why the other answers were not the best answer. In short, you will have covered about 85 topic areas within each domain and you will be able to look at a question and know which answer is correct and which answers are not, in short you will have learned the information security material necessary to pass the CISSP certification exam.
I fully realize there are other approaches to learning; this one has worked well for me and for my students. I hope it will work as well for you. Good luck on your pursuit of the CISSP certification and I hope to see you in class one day.
J Kenneth Magee