CISSP

Ev0, Soldato, joined 18 Oct 2002, 14,152 posts
Anyone here done the CISSP exam?

How'd you find it? Any particular areas that seemed OK in the book but in the exam were a million* times harder?

* slight exaggeration
 
Soldato, joined 10 Jun 2003, 4,615 posts, location New Zealand
I passed it about 2 years ago. I studied 90% from Shon Harris' book and then used the official one to go over any trickier areas. The official book is very, very dry; Shon Harris has a better style, but it's certainly worth picking up both just to get full coverage.

From memory, the exam was about 3 hours long, all multiple choice and it wasn't as hard as I expected and there was nothing that wasn't covered between the two books.

There are quite a few different areas that are covered, if you haven't already done Security+ then it's worth doing that first as there is some overlap (albeit Sec+ is lower level) and it's a good introduction to the type of stuff you will just need to learn parrot-fashion (port numbers, etc).

I had been working in IT Security for a few years so had covered about 60% of the CISSP syllabus. Of the remaining 40%, only about 10% was tricky, and if you find security interesting then you should find it fairly enjoyable to learn about the ins and outs of some areas like encryption.

You do need to go through each area as there are some parts where they give an opinion you need to remember (even if you disagree with it for your day to day job). Broadly speaking though it is 90% just a memory dump exam, not much thinking required, just cramming up on facts, port numbers, types of encryption, common attacks, etc etc.

The CISA I did a few months after was quite a bit harder, mostly because it deals with opinions much more than facts and is aimed at enterprise level whereas I worked almost exclusively in SMB.

Another point: to get certified you will need to find another CISSP who can sign to confirm your experience (or at least that was the case when I checked about a year ago). It's also worth booking your exam ASAP, as they only run them every so often and it gives you a date to work towards. I spent about 2 weeks of evenings and weekends studying, but I am pretty lucky in that I have a very good short-to-medium term memory for exams. Depending on how good yours is, you might want to give yourself a month or two (or less if you have a photographic memory).

My email address is in Trust so feel free to drop me a line with any questions. I'm living in New Zealand now so there might be a bit of a delay ;)
 

Ev0 (OP), Soldato, joined 18 Oct 2002, 14,152 posts
A good friend and ex-colleague is already certified and I'm on a course currently. I was just seeing if anyone else here had done it and could offer up any info on their experience.

I'm finding quite a lot of the content I've either had experience with or know a bit about anyway which is helping.

Ended up doing Sec+ last year (long story short company had some training credits that needed using up) and was a laugh, instructor was great.

This is now 6 hours and 250 questions, joy.
 
Soldato, joined 10 Jun 2003, 4,615 posts, location New Zealand
You won't need anything like 6 hours, I promise you that :) A lot of the questions are lifted almost directly from the books so will take 10 seconds max. There isn't much thought involved; in 80% of cases it is a simple memory test, so you either know it or you don't.

By the sounds of it you are already well on your way, I would still recommend the Shon Harris book if you don't already have it. It's much more readable than the other books.

If you haven't already found it then the cccure website is a great resource, has lots of practice questions that are pretty close to what you will get and a forum where people post feedback.
 

Ev0 (OP), Soldato, joined 18 Oct 2002, 14,152 posts
I've been hitting cccure each night as there are only a few questions at the end of each CBK in the book (we're using the ISC2 review book).

Just thought I'd ask to see if things like those types of questions are indicative of the style/difficulty of the actual exam.

Interesting you've done the CISA, I'm very tempted to get into audit as I seem to do a lot of it at the mo and thinking it'd be better being on the other side :p
 
Soldato, joined 10 Jun 2003, 4,615 posts, location New Zealand
They were very indicative for me, some almost word for word. The questions aren't difficult, there is no context given, it's just "Which of these is a Symmetric encryption algorithm?" for example.

I found the CISA pretty dull, I did a bit of ISO27001 and PCI-DSS work but preferred being able to get into more of the technical detail. Again, that was probably linked to the fact I mainly dealt with SMB companies, so trying to explain the concepts behind corporate governance, due diligence, etc was pretty painful.

I enjoyed the technical audit aspects but the "fluffy" stuff bored me and to be honest, the sort of people who I spoke to who worked in the process/procedure auditing side of things seemed to enjoy the sound of their own voice too much and didn't seem to have much grasp of the reality of running a company. I went as far as reducing ISO27001 down into a SMB version that picked out just the most relevant parts, that way we could do a basic audit in a day or two and give some broad guidance about potential problem areas which the company could then focus in on.

If you like the auditing then go for it, personally I got much more satisfaction from pursuing Check Point certifications and getting stuck into their high end virtualisation technology but I'm also the sort of person who enjoys breaking stuff just to see how it fits together.

I should add that I now work for a SaaS company providing Project Management software in a mix of support and development so haven't been in the Security game for about a year. I've never been happier but that is more down to living in New Zealand and working for a relaxed company, if I could work in Security I would but there are very few jobs in the South Island so I've had to leave that life behind for now!

Good luck dude :)
 
Soldato, joined 18 Oct 2002, 7,139 posts, location Ironing
The CISSP material I found rather out of touch and fairly irrelevant. The technical questions are fairly easy, but I found that a lot of the topics relied too much on you exactly following their term definitions, rather than those that might be more commonly in use. Disaster recovery I remember being a module where they have a lot of specific definitions around "hot standby", "warm standby" and "cold standby", which actually differ quite significantly from my experience.

In the end, I couldn't be arsed so did the CSSLP instead. This is much more recent, therefore the content is more relevant. I've a developer background, so this was much more suitable too. :)
 

Ev0 (OP), Soldato, joined 18 Oct 2002, 14,152 posts
Well just got to wait for the results now :/

Exam itself wasn't as bad as everyone made out on the course, the fact it was a bit long etc didn't make much difference.

Couldn't say which way it went on the day so will wait and see.

As for being relevant, it's not a technical exam, it's a management exam really, and the techy stuff it did have was really just the fundamentals.

I really enjoyed the course though, but not enough I want to have to go do it again :p
 

Ev0 (OP), Soldato, joined 18 Oct 2002, 14,152 posts
heh yup, just sorting out my cv to send off to the chap who is endorsing me, even though he knows it all already lol.
 
Associate, joined 8 May 2009, 296 posts
Considering doing the CISSP as my company may pay for me to do it. This involves an intensive 6 day course, and then the 7th day is the exam.

I'm quite new to IT Security, and have in the past done more web development, linux stuff, some digital forensics too.

I'm willing to put the work in through:

- Reading the recommended books
- online videos
- podcasts

Although I am concerned about how hard it may be. Someone did recommend CISM as a stepping stone but having looked it's more management of IT rather than hands on, and I'd be less likely to have that course authorised by work.

Any thoughts on this?
 
Soldato, joined 10 Jun 2003, 4,615 posts, location New Zealand
If you're new to security then you might struggle with the professional experience requirements unless they have relaxed a bit.

The actual exam isn't that bad so I'm sure you'd have a good shot after a boot camp. I did a full MCSE in 2 weeks in an intensive camp. I passed the exams but I don't know how much of it stuck after a month.

That said, if your company will pay then go for it. If you pass the exam then you can work towards the other requirements afterwards :)
 
Associate, joined 8 May 2009, 296 posts
Yea I'd definitely not be fully "certified", I would be an "associate member" which I've read is when you don't meet the industry experience criteria, but you eventually will and you're still considered "part of the club" :D

Will ask my employer about the qualification although it's quite expensive with the course.

Other options are:

Security+ or CISM

I already have courses lined up in Forensic investigation specialist and ISO 27001.
 
Soldato, joined 10 Jun 2003, 4,615 posts, location New Zealand
Good to hear!

Security+ is okay but really is quite lightweight so it doesn't hurt to have it but it's not on a par with CISSP in terms of "value".

I did the CISA but not CISM, I think both are useful in larger/corporate environments but seemed quite out of date in some areas but a lot of InfoSec can feel like that sometimes.

It's a very interesting area, heaps of scope to go uber-technical or more down the social engineering or policy-making routes or any other avenue.

I used the Shon Harris book for the CISSP and found it very good, there are a lot of online practice tests that were very close to the real thing (identical in some cases).
 
Associate, joined 8 May 2009, 296 posts
Thanks!

As work are paying I will hopefully do the CISSP and at some point later on the CISM too. No harm in having both, especially as it's essentially free and could come in handy for when I go job hunting in the next 1-2 years.

The other thing I'm doing is topping up my HND to an IT degree which takes 2 years. Doesn't look too tough on paper, so hopefully should be able to do that fairly easily.

I've heard numerous people now say that the Shon Harris book is the best. I've also had it recommended to use the podcasts online and numerous video series online, like at Cybrary.

I'm going to buy the Shon Harris book as soon as my place on the CISSP 7 day course is confirmed. It's likely to be around April/May time. I will then try to go through each part of the book over 6-8 weeks and try to learn as much as I can before the course just so I'm ahead a bit.
 