About the Exam

The ISSEP exam is made up of 150 questions and has a four hour time limit. Like other ISC2 test, 25 of these questions are used for research purposes only and are not counted when determining your grade. You need a 700/1000 to pass the exam. The domains and questions were developed by ISC2 in conjunction with the U.S. National Security Agency (NSA). Because of the NSA’s participation in question development, you may notice a different style and tone between ISSEP and CISSP questions.

Who Should Take it

I took the ISSEP exam twice because I was caught up in ISC2 erroneous grading debacle. I would highly recommend the certification to anyone performing Information Assurance for the U.S. Defense Department or a national security system. The exam is also applicable to anyone working in non-defense Federal Agencies, but less so. Although some ISSEP material is relevant to the commercial segment, most isn’t. If you don’t work for the U.S. Government, I’d recommend you pass on the ISSEP.

Think You’re Ready?

Want to see how much you may need to study prior to taking the test? Try taking our free CISSP-ISSEP practice test.  Use the results to focus your study plan toward areas where you didn’t do so well.

Study Material

The only book available for the ISSEP is Official (ISC)2 Guide to the CISSP-ISSEP CBK ((ISC)2 Press), by Susan Hansche. Its a hefty 993 pages long but certainly covers all of the material. I found the book almost impossible to read from start to end. During my study period I grew increasingly frustrated at the focus on regulations. There are simply to many policies, procedures, directives, and laws, to gain an educated understanding of each. For the most part, you only need to have a basic understanding of each. However, some areas such as DOD Instruction 8510 and IATF Chapter 3 deserver a more detailed understanding. In fact, Susan’s mentions the following in the preface:

One of the most important and most daunting challenges for an ISSEP lies in having a basic familiarity with the various sets of USG regulations. Because of this, you will find that more than on-half of this book is devoted to providing an in-depth overview of some USG policies and procedures. About half way through my research for this book, I began to tire of reading policies and regulations and, no doubt, you will too.

System Security Engineering (SSE)

This domain is focused on the Information Assurance Technical Framework (IATF), notably chapter 3. The IATF was jointly developed by NSA and the NIST. Unfortunately, it hasn’t been maintained or updated since 2002. Despite this, the concepts are still applicable and worth understanding. I also assume that the SSE process contained within the IATF will be carried forward within different guidance in the future. The SSE domain is made up of the following concepts:

• Chapter 3 of the IATF
• Understand the relationship between security engineering and System Engineering
• Discover Information Protection needs
• Define system security requirements
• Design system security architecture
• Develop detailed security design
• Implement system security

Certification and Accreditation

This domain focuses mostly on NIST 800-37 and the DOD Information Assurance Certification and Accreditation Process (DIACAP) which is outlined in DoD 8510. Note that Susan’s book covers DIACAP’s predecessor, DITSCAP. However the actual test covers the newer DIACAP. Also, ISC2′s Certified Authorization Professional (CAP) includes almost the same content as this domain. It may be a good idea to schedule the CAP just before or after the ISSEP so that you can re-use this information for both certifications.  The rest of this domain is made up of:

• Understand the US Gov C&A process
• Understant the roles and responsabilites of stakeholders in the C&A process
• Understand Risk Management
• Integrate C&A with system engineering

Technical Management

I think this domain could be more appropriately called “IA Project Management”. I was lacking formal project management skills so was very happy have an excuse to review the topics. This domain focuses on controlling the Time, Cost, and Quality of projects. The sections include:

• Understand and support the acquisition process
• Initiate the technical effort
• Plan the technical effort
• Implment and manage the technical effort
• Close the technical effort

U.S. Government IA Rules and Regulations

This domain is long, boring, and difficult to read from start to finish. However, I think that the information I learned here was more applicable to my job than any other domain. Even policy wonks like me will learn a great deal. Understanding the “big picture” and being able to track requirements back to their original source can help you connect the dots with many compliance activities. This domain focuses on:

• Understanding National Laws and Policies
• Understanding Civil Agency policies and guidelines
• Understanding DOD policies and guidelines
• Understanding International standards

Image courtesy ISC2

• Attending educational courses or seminars
• Attending security conferences
• Being a member of an association chapter and attending meetings
• Serving on the board for a professional security organization
• Volunteering for a government, public sector and other charitable organizations, including (ISC)2 volunteer committees
• Completing higher academic courses
• Providing security training
• Publishing security articles or books
• Participating in self-study courses, computer-based training or Web casts
• Reading an information security book or subscribing to an information security magazine

There are a few rules to remember about CPE’s. First, you have to have at least 20 CPE’s per year to stay in “good standing”. At the end of three years you must have at least 80 group A CPE’s, and 120 CPE’s total when you include your group B.

1. Get a Degree

I know…  college isn’t free.  But I wanted to include it because getting CPE’s is just a free benefit of getting a degree that are were already pursuing. Going to College will quickly get you all the CPE’s you need. My school recommends full time students put in 36 hours per week. This includes study, reading, and class work. I don’t spend that much time on schoolwork so usually log 25 CPE’s per week. The best part of this is that you can take an information security related class for class A CPE, or another type of class for group B CPE’s.

2. Watch Videos at The Academy Pro

Videos at The Academy Pro are free as long as you register. The only problem I see with this site is that there isn’t a good way to store proof that you watched the videos in case your CPE’s get audited. There is a screen that shows you a list of “watched videos.” I would suggest you take screen shots of this page when you watch new videos. Also, some of the videos are very short and not worth an entire CPE. I would use common sense when recording the number of CPE’s here.

3. Watch a SANS Webcast

The webcast are free as long as you register for a SANS Portal account. You can view live or archived webcasts. You can also easily view your attendance history, and save a handy little certificate that shows the title, date, and number of CPE’s the webcast is worth. Update, while SANS no longer provides certificates, they still qualify as CPE’s.

4. Listen to Cyberspeak Podcasts

Interesting podcast that you can listen to even when you need a break from serious study. They don’t retain a record of which podcast you listen to, so make sure to take a screen shot of the description. Most of the podcasts will count as 1 CPE.

5. Listen to Manager Tools Podcast

The Manager Tools Podcast offers advice on management and career that you can listen to and get CPE’s for.  Aside from CPEs the site also has great book reviews and forums. Its free and doesn’t require registration.  A one hour show for 1 CPE each episode. They don’t track what podcast you have listened to, so make sure to grab a screen shot in case you get audited.

6. Speaking of Podcasts

Check out GetMon.com, Podcasts for IT Security Professionals.  GetMon maintains up to date lists of lots of different security podcasts, current and archives.  They even posted a nice reminder that “If you are a CISSP, remember to keep a log of the podcasts you listen to so you can earn a few CPEs”.  Make sure you keep track of the podcasts in case you get audited.

7. Work for the Federal Government?

Software Engineering Institute’s Virtual Training Environment (VTE) has a ton of free online training programs (including one for the CISSP). Access is free as long as you meet their eligibility requirements.  Generally, this means a .gov or .mil email address.  I can’t say enough about the VTE.  Its easy to navigate, includes videos, tests, slides, and labs. It tracks your courses and certificates of completion.

8. Try DHS/FEMA State Cybersecurity Training

I don’t have an account here, but I’ve heard great things about this training.  Their description says, “The Adaptive Cyber-Security Training Online (ACT-Online) courses are now available on the TEEX Domestic Preparedness Campus. This DHS/FEMA Certified Cyber-Security Training is designed to ensure that the privacy, reliability, and integrity of the information systems that power our global economy remain intact and secure.The 10 courses are offered through three discipline-specific tracks targeting everyday non-technical computer users, technical IT professionals, and business managers and professionals.These courses are offered at no cost and students earn a DHS/FEMA Certificate of completion along with Continuing Education Units (CEU) at the completion of each course. ”

9. Browse Security Now Videos and Podcasts

I stumbled across this site while researching this post.  I’ve glad I found it.  297 episodes and growing, very high quality audio and video.  Free and without registration.  Some sample topics include, SSL And Epsilon Breaches,  Stuxnet, and hacking Bluetooth.  Their description says, “Steve Gibson, the man who coined the term spyware and created the first anti-spyware program, creator of Spinrite and ShieldsUP, discusses the hot topics in security today with Leo Laporte. Winner of the 2009 and 2007 people’s choice award for best Technology/Science podcast.”

10. Last But Not Least, Volunteer

If you’ve read this far, it’s because you have one of the most sought after certifications in the security industry. There may be more left for you to accomplish in life, but you are already more successful than many. At this point in your life, take some time to share your success with others.

Call your local police, schools and non-profits and ask about volunteer opportunities to educate the public about security. Join local business clubs, chambers of commerce, Rotary Club, and Toastmasters. Take advantage of speaking opportunities to educate small business owners and others about information security. Call on charitable organizations and volunteer to audit or maintain their networks, improve their network security, and help with other IT security issues.

Do you know about other Free CPE Opportunities?  Let me know by commenting below and I’ll add them to the post.

1. Bring food and water

The CISSP exam can last 6 hours. Thats an eternity to sit at a desk reading frustrating questions. You don’t want the added aggravation of being hungry or thirsty. Not only is it distracting but can have a negative effect on your comprehension and patience. I know people that suggest gimmicky food or drinks.

My advice is to take whatever you usually eat or drink. Test day is no time to explore new food groups that help concentration. Different proctors have slightly different rules, but usually you can keep a drink on or under your desk. And you will usually have to keep food at the back of the room. Walking back to get a snack is also a good time to stretch and get your blood circulating.

2. Bring two #2 pencils and a pencil sharpener

You shouldn’t need to do this, the proctors usually bring pencils for you and they are usually sharp. They key word is usually. In one of my exams the pencil sharpener that they used to sharpen all the pencils before the exam was dysfunctional. All of the pencils were sharpened slightly off center, which caused the wood to extend down the length of the graphite. In order to use them, you had to hold the pencil at a specific angle. This doesn’t sound like a big deal, but it grows frustrating to color in 250 scantron bubbles with a bad pencil. Take a few pencils and one of those small sharpeners with you just in case.

3. Bring a print out of your admission document

ISC2 tells you to bring a copy of your admission document with you. But for whatever reason not everyone does this. If you don’t show up with a printout of your admission document, then you are at the mercy of the proctor. Some of them don’t make a big deal out of this, after all, they have a list of people, and you can show your photo I.D. to prove that you are on that list. Whats the big deal? The other scenario I see is people holding out their iPhone to the proctor. I’ve never heard of anyone getting turned down for doing this, but it always generates a few minutes of nervous talking about whether or not it should be accepted. Just like the pencil, why take this chance? You want to eliminate any additional stress from your test day. Bring an old fashioned printed copy of the admission document that was e-mailed to you.

4. Get lots of sleep, and get there early

I took one of my Exams in Chicago, a three hour drive from where I live in Michigan. This was a very bad decision. The morning traffic was worse than I expected, there was road construction going over a bridge that caused a minor traffic jam, and I was depending on a printed map to find a location that I had never been to before. Half way there I admitted to myself that I wasn’t going to make it in time, I would have to reschedule the exam and lose the money I paid. Luckily, I had forgotten about the time change. I arrived just in time, even through it took me an hour longer than I planned. This is not the state of mind you want to be in when you begin the test.

Unless you live in a large city or are very flexible about when you schedule the exam, you will probably have a long commute to an exam that starts early in the morning. If at all possible, get a hotel near the exam site the night before. Many exams are inside a hotel. This will let you get a good night sleep and cut down on the stress of finding the location the morning of the exam.

5. Don’t study the night before or morning of the exam

Any benefit of  memorizing the last little bit of knowledge just before the exam is not worth the risk of burnout and stress produced from cramming just prior to test time. If you are depending on last minute studying to pass, its too late. This isn’t to say that you can’t glance through your material. If you have had trouble remembering the order of the OSI layers, then it may be a good idea to read over them one last time. Then you can transfer the order onto your scrap paper when the test begins (so that you don’t forget it again). Glancing at notes is fine, but don’t cram at the last minute.

6. Eat breakfast

Earlier I mentioned the importance of bringing food to the exam location. Time spent filling in scantron bubbles for CISSP questions is like dog years, 6 hours feels like 6 days. If you don’t normally eat breakfast then don’t go all out and eat a heavy meal, but eat something. You don’t want to lose energy or have your stomach growling as you busily color in answer bubbles.

7. Take your time

Plan on using all six hours to complete the test. Its very easy to get in a hurry and start glancing through questions and picking answers quickly. An hour into the test you may see people finishing and leaving. Don’t freak out and think that you are going to slow. The exams encompass all of ISC2 tests, including the SSCP, CAP, ISSEP, ISSAP, and ISSMP. These are all shorter than the CISSP. If you see someone completing their test faster than you expect, they are probably taking one of these shorter tests, or failing the CISSP.

8. Read the question, then read all of the answers

Sounds simple enough. But this can get difficult five hours into the exam. The wording on the test is notorious for its use of double negatives and confusingly similar answers.  Read the entire questions, rephrase in your head if necessary. If the question asks, “Which is not an incorrect OSI layer”, you should turn this into “Which is a correct layer”.

9. Leave time to transfer answers from the answer book to the score sheet

The format of the test involves reading the questions from an exam booklet, then recording the answers in a separate bubble sheet. Most people prefer to answer the questions inside the booklet, then transfer these over to the bubble sheet when they are complete. Personally, I like to use the bubble sheet as I go. I don’t see a benefit either way, it depends on your personal choice. If you do need to transfer answers, then leave plenty of time to do this, it will take longer than you might think.

10. Make good guesses

You are going to run across hard questions where you can’t eliminate all of the wrong answers. The one thing that is certain is that you are going to have to make guesses. When this happens, follow a three step process. First, if one of the answers comes to mind right away, but can’t explain why, then pick that answer. Mental cobwebs may be preventing you  from remembering the reason why the answer is correct. You are subconsciously remembering something. If none of the answers stand out to you then skip the question. As you answer questions later on in the test you may be able to come back and narrow down your choices.

Finally… If you are absolutely stumped. Pick the longest answer. When the folks at ISC2 make test questions they find it easy to come up with the wrong answers. Who’s going to disagree that an answer is wrong? However, the process they use to decide on a correct answer isn’t as easy. Many times the only way they can agree on a correct answer is to make it more detailed and specific. This means there is a small chance that the longest answer will be the correct one.

Image courtesy skippyjon

Will a CISSP in West Virginia make the same salary as a CISSP that lives in Chicago? Of course not. If you are a new security analyst that just obtained a CISSP, you probably won’t make as much money as a senior CISO that has had the CISSP for years. Likewise, some consulting businesses offer high reward salaries, while also offering high risk (and more travel). Will a high school dropout make as much as a CISSP with a doctorate? You can see how these wildly different scenarios make for a wildly inaccurate salary survey.

Another variable that isn’t reflected in salary surveys is the fact that some certifications are becoming a minimum baseline. Do a job search and look through all of the positions that interest you. If the majority of these jobs ask for a CISSP then you should get a CISSP, period. These positions don’t pay a higher salary because you have a CISSP. Having a CISSP is a baseline, without it you won’t get hired to begin with. Over time, if more companies start requiring a certification then supply and demand will cause the average salary of the certification holders to go up. But this average will always lag behind the true “need” for the certification.

Salary surveys aren’t all bad. They do a reasonably good job at showing trends about the one variable they analyze. For example, in 2005 CertMag published a salary survey that said CISSP’s make and average of $94,070 per year. Should you expect this salary after passing the CISSP? Maybe, maybe not. The survey just isn’t helpful in that regard.

What the survey can do is compare this one variable (certifications) against one another to develop trends. Using this survey we can see that the CISSP, CISM, and CISA are among the highest trending security surveys. The ISSMP and ISSAP concentrations throw a different wrench into the analysis because you can’t obtain those without first getting the CISSP. Here is a short list of comparable certification from that survey:

1. CISSP-ISSAP $114,210
2. CISM $112,490
3. CISSP-ISSMP $111,280
4. CISA $99,040
5. CISSP $94,070
6. SSCP $78,430
7. Security+ $68,280

You shouldn’t have unrealistic expectations about your salary based on a salary survey. However, the CISSP is regularly among the top of the list among certifications on any salary survey and its commonly listed as a requirement or “good to have” in job postings.

Image courtesy sushiina

It’s easy to get caught up on details, especially memorizing facts. While the CISSP does have detailed answers that depend on you knowing facts, it’s much more important to understand concepts. Don’t get me wrong, you have to put in the effort required to memorize terms and concepts, but you can’t rely on this to pass the exam.

We all know that many of the questions are difficult. You will either immediately know the answer or you won’t. When you don’t know the answer you have to count on your understanding of the concept to help you pick the most likely answer based on the intent of the question.

2. Studying for the CISSP is like learning to subnet

Remember when you learned to subnet? At first it seemed like voodoo black magic that inexplicably produced answers that couldn’t be explained. That’s because you need to apply multiple concepts at one time in order to subnet. As you learn to subnet, you first learn one of the concepts. This creates the strange sensation of learning something, yet not getting any closer to understanding it. After you learn all of the basic concepts then you suddenly have an “ah ha” moment and understand the entire process. The CISSP is the same way.

Many times, more than one answer is correct and you have to choose the “most correct” answer based on the importance of competing concepts. If you don’t understand all of the concepts at work on the questions, then the answers seem frustrating and random.

3. Learning is not incremental

This importance of coordinating competing concept creates a situation where your study plan starts off slow and speeds up as you progress. At first, this is frustrating because you question your ability to comprehend the information. You are comprehending things just fine, you just can’t put these competing concepts into perspective until you have a firm understanding of all the topics.

Think of it this way. You may only get 10% of the answers correct after you’ve studied 25% of the material. Likewise, you will get 90% of the answers correct after you’ve studied 75% of the material.

4. Think like a manager

Management is ultimately responsible for security. As such, a CISSP candidate should either be acting as management, or advising management on correct decisions. This point can’t be emphasized enough. The exam is based on the point of view of management. Often when you see multiple answers that seem correct, you should choose the one that a manager should choose. Choose the one with the highest level of perspective within the organization.

5. Don’t count on a boot camp to pass the exam

The CISSP exam is an inch deep and a mile wide, meaning you don’t have to be an expert on anything, but you need a basic understanding of lots of things. You may have to answer a question about the history of cryptology then make a sharp mental left turn to answer a question about the type of fire extinguisher used to put out electrical fires.

Boot camps are great for saturating you with information about a particular technology or function. But their format makes it cumbersome to cover a lot of separate topics in a classroom setting. Inevitably the class will spend more time than necessary on a topic that one or two students have questions about. Also, the sheer volume of information needed to pass the CISSP just can’t be communicated to the average person during the course of a single training session unless you combine it with a self-paced study plan, or knowledge gained from previous experience.

This doesn’t mean that a boot camp isn’t helpful, or that you shouldn’t use them. It means that you shouldn’t count on them as your sole mechanism for study.

Image courtesy woodleywonderworks

The OSI model is an ISO standard. Contrary to the acronym, ISO stands for International Organization of Standardization, not International Standards Organizations.

From bottom the layers and their Protocol Data Unit (PDU) are:

1. Physical – Bits
2. Data Link – Frame
3. Network – Packet
4. Transport – Segment
5. Session – Data
6. Presentation – Data
7. Application – Data

A handy way to remember the order is to remember the phrase “Please Do Not Throw Sausage Pizza Away”. When you come across the first OSI question on the exam, use this phrase to write down the order and layers on your scrap paper, then refer to that for any future questions.

Encapsulation

Encapsulation is an important concept with the OSI model. It is the process by which data moves between different PDU types. Each layer (or protocol) accepts a message from a layer (or protocol) above it and places its own header. Encapsulation occurs as data moves from higher to lower layers.

Data > Segments > Packets > Frames > Bits

Decapsulation is the reverse of encapsulation and occurs as data moves from the lower to higher layers.

Bits > Frames > Packets > Segments > Data

Layer 1 – Physical

This layer deals with the hardware and raw bit stream. It puts data onto the network media and takes it back off.  The Protocol Data Unit (PDU) of this layer is bits.

The physical layer moves the final completed frame from the computer’s memory location to the network transmission medium. It is not involved with any further packaging operations on the packet such as headers and control fields. Physical later protocols only deal with the mechanical, electrical, functional, and procedural aspects of this process.

If the network goes down because rats chewed through a cable, then this would be a “layer 1″ problem. Ethernet, ISDN, connectors, voltage, multiplexers, repeaters, and cable are terms associated with the physical layer.

Layer 2 – Data Link

The Data Link Layer is responsible for physically passing data from one node to another. The Protocol Data Unit (PDU) of this layer is the frame. The Data Link layer performs flow control, error detection, and control. This layer has two sub-layers, Media Access Control (MAC) and Logical Link Control (LLC).

The Data Link layer is the last layer in the protocol suite that treats the data as a logical data string held in the computer’s main memory and processed by the communications software. Final sequence numbering, addressing data, and the primary error control data must be provided before data can be passed to the Physical layer for actual transmission.

MAC address, ARP, RARP, PPP, and SLIP are terms associated with the Data Link layer.

Layer 3 – Network

The network layer performs addressing and routing. It defines the functions necessary to support communication between indirectly connected entities. It has the ability of forwarding messages from one Layer 3 entity to another, hop-by-hop, until the final destination is reached. It does this by routing data from one node to another. The Protocol Data Unit (PDU) of this layer is packet.

IP, OSPF, RIP, IGMP are terms associated with the Network Layer.

Layer 4 – Transport

The Transport Layer is concerned with getting layer 4 messages from source to destination in a reliable manner. This is an end-to-end communication, unlike the hop-by-hop communicaiton at layer 3. The Transport Layer is responsible for end-to-end integrity of data transmission. The Protocol Data Unit (PDU) of this layer is segment.

The Transport Layer provides the interface between the lower level physical networking controls and the higher levels that are concerned with logical application data handling. If the message is long, it may be partitioned into a series of smaller message usits.

TCP, UDP, and SPX are terms associated with the Transport Layer.

Layer 5 – Session

The Session Layer controls communication between applications on hosts. Synchronization of communicating applications comes into play when coordinating timing of corresponding events at the end points is important, such as in financial transactions. This layer is responsible for establishing and maintaining communications channels. The Protocol Data Unit (PDU) of this layer is data.

The Session Layer provides control over the orderly exchange of data during the period when the sender and receiver are communicating. Login passwords and the exchange of user IDs may be handled at the Session layer. Accounting operations, as well as aspects of flow control, may also be determined at this layer.

NFS, SQL, RPC, and NetBIOS are terms associated with the Session Layer.

Layer 6 – Presentation

The presentation layer performs any necessary data transformations or formatting required by the end applications, it provides control over the way the data will be encoded to allow proper handling when it is presented to the receiver’s application. Encryption, Data compression, and file formatting are performed at this layer. This layer is responsible for establishing and maintaining communications channels. The Protocol Data Unit (PDU) of this layer is data. The Presentation Layer

MPEG, ASCII, GIF, TIFF, and JPEG are terms associated with the Presentation Layer.

Layer 7 – Application

The Application Layer provides network services that directly support an application running on a host. This layer is closest to the end user and is responsible for program to program communication. The Protocol Data Unit (PDU) of this layer is data. The Application Layer is the layer that the end user sees and is familiar with.

FTP, TFTP, Telnet, SNMP, BOOTP, SMTP, and MIME are terms associated with the Application Layer.

Image courtesy Andrea Beggi

Unclassified < Confidential < Secret < Top Secret

In a nutshell, the Bell-LaPadula model prevents a user with a Secret clearance from viewing a Top Secret document (no read up). It also prevents a user from putting Top Secret information within a Secret document (no write down). In this model, the entities are divided into subjects and objects. Think of subjects as users and objects as computers or documents. To determine whether access is allowed, the clearance of a subject is compared to the classification of the object and a determination is made as to whether the subject is authorized for the specific access mode.

No read up

Fred wants to read a document. Using the Bell-LaPadula model, we’d first determine the classification of the document (the object). Then we’d determine the clearance of Fred (the subject). If the document is classified as Top Secret, but Fred only has a Secret clearance, then we wouldn’t let Fred read it. If Fred had a clearance that was equal to or higher than the document, like Top Secret, then we’d allow this. Similarly, if the document had a classification that was equal to or lower than Fred’s clearance, then we’d also allow it.

No write down

Fred would like to add a page to the document. First we’d first determine the classification of the page he wants to add. Then we’d determine the classification of the document. If the page that Fred wants to add is classified as Top Secret, and the document he wants to add it to is classified Secret, then we’d tell Fred “no”, and send him on his way. If Fred wanted to add a page that was equal to, or lower classification level than the book, then we’d allow this. Likewise, if the book had a classification that was equal or higher than the classification of the page Fred wants to add, then this would be fine.

Image courtesy Ninja M.

Doing this creates stress. In the post “How I failed the CISSP“, I talked about how stress is a great motivation. If you don’t have a healthy amount of anxiety then you will be less likely to put in the hard work.

First, if you fail the test you will loose the money you spent on it. ISC2 doesn’t give refunds for failed test. I know this from personal experience. Second, its very embarrassing to admit to your friends and coworkers that you failed the test. Especially if they have already have the CISSP certification. I also know this from personal experience.

What if I’m not ready to take it?

Doesn’t matter. In fact, its even better to schedule the exam before you are ready. This is a sure fire way to stay on track with your study plan. You have two choices.

1. Work your butt off and follow your study plan
2. Look like an idiot to your coworkers and loose out on $450

Scheduling the exam helps you stick with a study plan. Whether you’re taking the exam in 8 weeks or 6 months you can plan out a solid study schedule to make sure you cover all of the material in time. If you get ahead or behind in your schedule you can make adjustments and get back on track.

If you haven’t scheduled the exam then you aren’t going to make adjustments to your study plan, instead you’ll make adjustment to the date you “plan on” taking the exam. This is a trap that many people fall into. They plan on taking the exam in 6 months, but “something” comes up.

This something may be new responsibilities at work, joining  a softball team, or getting a new pet. You name it, and the excuse has been used. The excuses are the result not deciding to take the test. If you plan on taking the test, then you are still just thinking about it. Any excuse will cause you to adjust these plans. After you exam is scheduled and you’ve told all you’re friends, you’re commited.

The CISSP exam is like a wall that seems too high to climb over. At first glance, its not worth the effort to even attempt. Throw your hat over the wall. Then you won’t have a choice but to succeed.

Image courtesy At Home in Scottsdale

In 2001 I took my first IT certification test- Cisco’s CCNA. I had heard this was a difficult exam but didn’t have an opportunity to actually talk to someone who had taken it. Because it was my first cert, I was very scared and nervous. I had absolutely zero confidence in my ability to pass it. Fortunately, I was also leaving the Marine Corps and was even more scared about being unemployed.

I paid a friend cash and he let me use his credit card to order a CCNA book and register or the exam. I studied for about a month, going through what I would describe as an “academic fight or flight” scenario. I was reading the book every chance I got, more than was probably healthy. I could do hexadecimal conversions in my sleep and subnet during breakfast.

When the big day came to take the exam I felt reasonable confident. The exam was schedule to last 90 minutes, I finished in 17. Passed with flying colors. Either the test was much easier than I expected or I simply over studied for it. I assumed the latter and chalked it up as a learning experience.

Over the next few years I took a number of other test. The CCDA, CCNP, CCDP, Network+, and CCSA. Although I passed them all, my scores were going down with each new test. I was putting in just enough effort to be reasonably sure I would pass, without putting in so much effort that I was over studying.

Fast forward to 2003 and the CISSP. The book was bigger than the other exams but I wasn’t worried. I was smart, why should I worry? Don’t get me wrong, I studied hard, usually reading every day. I planned a study schedule so that I would be finished reading the book about a week before I took the exam. My friends were putting in more work than I was, but they didn’t have the experience acing test like I did.

On the day of the test, I finished in a little more than two hours, that’s faster than most people. I was reasonably sure that I passed. Why wouldn’t I? I had never failed before, it just wasn’t something that I thought about. Two week later my two friends got the “Congratulations” e-mail, and I got the “Thank you” e-mail. I was devastated. Not only had I failed, but my two friends both passed. I learned a few things from that experience.

1. Understanding concepts is more important than memorizing facts that you assume will be on the test
2. You can’t over study for the CISSP, the more you study, the more you will be able to apply the concepts
3. Your can’t plan on studying “just enough to pass”

I rescheduled the exam and started over. The healthy dose of embarrassment from failing gave me the motivation to buckle down and really start learning the concepts.

Image courtesy Zach Klein

Unless you live in a really big city it’s best to only select your Country/State, and then just scroll through the options for city and date. The examination locations are usually either an educational institution or a hotel. I’ve taken test in both and prefer hotels. For me, the examinations are usually a long drive and early in the morning. So I prefer to stay in the hotel, get  a good nights sleep, and wake up to a nice breakfast.

If you’re taking the exam following training then the vendor will set up the exam for you, all you will have to do is fax them paperwork.

How much does it cost?

If you register at least 16 days before the exam (and you really should) then the cost is $549. If you procrastinate then it will cost you $599. The prices is higher than many other certification tests for a few reasons.

• ISC2 proctors the exams directly, they don’t use an authorized testing provider
• The test are completed by filling out scantron bubbles on answer sheets, these have to be transmitted to and from the testing location
• The test last for 6 hours and involves multiple proctors

The CISSP consistently ranks among the most sought after security certification. So the registration cost is definitely is more than made up by having a beefed up resume.

Image courtesy Photojonny