What is the CISSP?
It is the Certified Information Systems Security Professional certification. It's generally the most widely-recognized, broad certification within information security. Essentially it's an inch deep and a mile wide - a HUGE amount of information grouped into 8 domains:
- Domain 1. Security and Risk Management (15%)
- Domain 2. Asset Security (10%)
- Domain 3. Security Architecture and Engineering (13%)
- Domain 4. Communication and Network Security (14%)
- Domain 5. Identity and Access Management (IAM) (13%)
- Domain 6. Security Assessment and Testing (12%)
- Domain 7. Security Operations (13%)
- Domain 8. Software Development Security (10%)
If you're only going to get one information security certification, this is the one. It's by far the most widely accepted and recognized.
Should you get it?
...maybe. It depends on what you want. In general, certifications are useful for entry-level folks who are looking to get a foot in the door, or to understand the lexicon and framework with which people talk about security.
They can also help get your resume past an initial screening, look impressive to future employers, and potentially add credence to your experience (even better if you don't have much experience!).
It does not mean that you are a 'cybersecurity' expert, and most folks won't see it as that. This particular certification is aimed more at managers than hands-on keyboard folks. This test won't teach you how to operate as a hands-on keyboard SOC (security operations center) analyst. But it will give you some exposure to a broad list of basic concepts.
Let's talk details.
In order to get the certification, you need at least 5 years of work experience in two or more of the domains. You can substitute a four-year college degree or certain certifications from ISC2 for one year of work experience (details here).
If you don't have the required years of work experience, you can still take the test and become an associate of ISC2. You then have 6 years to gain the required 5 years of work experience.
The English version of the test uses computer adaptive testing (CAT), which means you receive between 100 and 150 questions depending on your performance: the test automatically adjusts the questions it gives you based on how you are answering.
So, for example, if you get a question wrong, the computer will then give you a slightly easier question. If you get a question right, the next question will probably be more difficult. The computer will continue giving you questions until it is able to confidently assess your level of knowledge and terminate the test. This type of testing thus takes fewer questions to confidently assess your level of knowledge.
The non-English version is fixed and has 250 questions. You get a maximum of 3 hours for the English test (and 6 hours for the non-English version).
The test is available in English, French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese, and Korean, and in a version for the visually impaired. The test is offered by Pearson VUE and is administered by their proctors.
The cost is $699 and you need 700/1000 to pass the exam. You can register for the exam on the Pearson VUE website here.
After you pass the exam, you have 9 months to complete the 'endorsement process' (unless you're applying as an 'associate of ISC2'), which involves getting someone who is an ISC2 certified professional (someone who has an ISC2 credential in good standing and can attest to your professional experience) to certify that your professional experience claims are true.
If you don't know someone who fits this category, you can ask ISC2 to serve as your 'endorser'. Then, your certification is good for life, as long as you pay an annual maintenance fee (currently set at $125 for certificate holders, and $50 for associates) and complete your required continuing professional education credits (CPE).
CISSP certification holders are required to submit 120 credits, while associates are required to submit 15 each year.
You can get CPE credits for a variety of activities, such as taking an academic course (1 hour of instruction in a domain = 1 CPE, up to 40), reading a book (5 CPEs per book, with a 250 word description), magazine (5 CPEs per magazine issue, with a 250 word description), or whitepaper (1 CPE with a 250 word description), or attending ISC2 events and webinars.
You can find more details on the CPE process here.
What was my experience?
The test took me about 80 minutes and I went through 100 questions before I passed.
In order to prepare, I did the following over a period of roughly 2+ years. I would study for a week or so, then forget about it for a few months, then come back to it as I had time.
I probably only intensely studied for about a month (meaning I was spending a couple of hours on weekdays studying and closer to 6 hours on the weekends). I also knew almost nothing (and had no degree or experience) when I started studying. I initially started studying in the hope it would help give me a framework to understand corporate security - which it did (though I'm not sure it was the best option for that).
If you have several years' experience working in information security, you could probably just read the 11th Hour book a couple of weeks before the exam, brush up on unfamiliar topics, try some practice questions, and take the test. I've rated the resources I used out of 10 based on their usefulness in preparing.
- Read the ISC2 Official Study Guide (yeah, the entire thing. Probably don't do that. It's definitely more information than you actually have to know.) 6/10
- Kelly Handerhan videos (I watched the old ones, then when she released updated content, I watched the new ones. These are solid, though they're not as in-depth as the exam can be.) 7/10
- 11th Hour CISSP guide (like three times). 8/10
- IT Dojo Daily CISSP Question Videos (I watched all of them. Some of them more than once. The guy who runs the series has a really great way of explaining complicated concepts, but I don't think the questions were reflective of the exam questions.) 6/10
- Made a million (probably around 1000) flashcards whenever I got a question wrong or ran into difficult concepts. Studied them. Made more (every time I ran into something I didn't know). Studied them again. 10/10
- Used the Shon Harris book to research specific topics I didn't understand. And asked other people, googled the topics, read blogs, watched YouTube videos, etc. 9/10
- Watched this video, this video, and this video on testing mindset. Several times. 10/10
- Took all the practice questions in the ISC2 Practice Test book (twice - same link as the study guide). The questions were good, but not necessarily reflective of what the exam questions look like. 7/10
- Took all the Boson practice Qs. Took them again and read all of the explanations. These were the single most useful resource. The explanations were great, though the questions were more technical than the exam was. 10/10
None of the practice questions were perfect representations of the test, but Boson seemed the closest.
The best piece of advice I received before taking it was to look at the answers, and if any of the answers told me to do something (take a system off a network, change a password, perform an account lockout, etc.), to skip it in favor of an answer which involved documenting, instructing someone else, etc.
Getting in the 'CISSP' mindset is key to passing the test. Imagine, for each question, that you're running the security team while it's handling the situation described in the question.
What would you do (or what would you tell your team to do)? Turns out I was way, way, way over-prepared for the technical concepts (though I was still (mostly) glad I learned the information!).
Eventually, you just need to book the test - I don't think anyone feels ready when they're preparing (and definitely not when they're taking the test!), but at some point you have to accept that you've done as much as you can. Happy studying!