CISSP Study Guide

Posted on by Debbie Hartman

The goal of every certification preparation book is to help the reader pass the exam, which is a noble goal. Evaluating the actual efficacy of a specific certification book is a challenge, if not an impossibility.

As to the CISSP exam, a statistical approach would be to take two sample groups using two different CISSP prep guides and the same study methods, and then judge the outcome. A higher pass rate in one group could in part be attributed to the better study guide. Practically, such an approach is unachievable given the myriad differences in people, their study habits, and many other factors.

The best article about the exam is Andy Briney’s Certifiable - A newly minted CISSP gives you the inside scoop on infosecurity’s most coveted—and controversial—certification.  Briney sums it up best when he notes that “the exam is best characterized as an inch deep and a mile wide. Whether this makes it easy or difficult is a matter of perspective”. Part of the challenge that Briney (who passed the exam) and every other CISSP candidate have is the anxiety over just how much material to study.

With that, the CISSP Study Guide does a good job of helping the reader prepare for the CISSP exam. The authors write in the introduction that they wanted to find a happy medium between mega-CISSP prep guides of over 1,000 pages with endless minutiae, and those that are far too concise and don’t provide enough background. At 440 pages, the book does achieve the goal of depth of subject without killing too many trees. The authors attempt to include only content that is relevant to passing the CISSP exam, and don’t want to write an infosec encyclopedia.

One of the challenges any CISSP has in writing an exam prep guide is that they are bound by a non-disclosure agreement with ISC2. Prior to starting the CISSP exam, all candidates are presented with a non-disclosure agreement and are required to accept it or they can’t take the exam. Any CISSP author must straddle a fine line in ensuring they don’t break the NDA.

The book does a good job of providing the reader with a thorough overview of the many elements of the Common Body of Knowledge (CBK). The book, like every CISSP prep guide, is written around the CBK. Each chapter of the book has the same style: it opens with the unique terms and definitions of each CBK module, and then goes into the various component parts. Each chapter closes with a 15-question self-test.

For most people, the most challenging CBK domain is that of cryptography.  At 37 pages, chapter 4 on cryptography provides the reader with enough details to alleviate their fears of concepts such as symmetric encryption, cryptographic algorithms, and much more.

The appendix contains the same self-tests for each CBK domain, with the addition of an explanation of why each answer was correct and the other answers incorrect.

The book also provides access to a website with two practice exams that one can take online. It is debatable whether such tests are of value, given that their creators often lack the skill required to create effective tests. Most of these tests are created by people without any experience in psychometrics, whereas the exams themselves have been thoroughly vetted by psychometricians.

Also included on the website are ten podcasts (one for each domain) to aid the reader in studying for the CISSP exam.

The common wisdom is to choose two study guides when preparing for the CISSP exam. For those who are serious about passing, the CISSP Study Guide should be one of them.

In conclusion, for those who have a decent background in information security, and don’t need a five-pound tome to lug around, the CISSP Study Guide is a quality reference guide that can assist them in studying for the exam. 

Debbie Hartman, RSA Independent Contractor
