CISSP study guide

pass your CISSP first time

from cyberonthewire.com
CISSP Study Guide from cyberonthewire.com

contents
1. What is CISSP?
2. Planning for certification
3. Study options
4. Planning your CISSP study
5. Note taking
6. Flashcards
7. How to revise
8. How to know when you're ready
9. 24hrs to go...
10. My top 5 CISSP exam tips
11. Passed? - now get certified
12. Thanks for reading (and where you can get more)
13. Appendix A Didnt quite make it first time? Dont give up!
14. Appendix B - List of study resources
15. Disclaimer

Get more study resources at: cyberonthewire.com/resources

1. what is CISSP?
CISSP stands for Certified Information Systems Security Professional
and is an industry recognized certification run by an organization
called (ISC). The official description provided for CISSP is:The
vendor-neutral CISSP certification is the ideal credential for those
with proven deep technical and managerial competence, skills,
experience, and credibility to design, engineer, implement, and
manage their overall information security program to protect
organizations from growing sophisticated attacks ((ISC) accessed
January 2017). The most important things to know about the
certification are:

its aimed at managers

you will need to have
several years of paid
relevant experience in
order to become certified
(more on this later)
it covers a (very) broad
range of subjects
there are ongoing annual
requirements to remain
certified
In my opinion, the reference to deep technical should not be
misinterpreted as suggesting that you have to be able to
program/conduct hands on analysis of network vulnerabilities or
conduct forensic recovery of digital media, rather it refers to being
able to manage and have a working knowledge/understanding of all the
parts of an organizations security program. For example you may not
have to physically set up an IDS but you will certainly need to know
what it is and what it should do. Note also that its not a
certification that you are awarded by passing an exam alone. In order
to be awarded the full CISSP certification you must have 4-5 years
(depending on whether you can waive a year) of paid, relevant
experience. The subject matter that you have to study ranges from
CISSP Study Guide from cyberonthewire.com

high level governance topics to being able to provide the result of

XORing two sets of binary values and everything in between. Its the
sheer scale and variety of the exam material which makes it difficult
and even once youre certified you still need to provide evidence of
professional development each year. So, why would you want to get
certified?

why would I want to sit the CISSP exam?

Well the answer is clearly because
you want to get certified but why
might you choose this certification
over others? And for that matter why
would you bother going through the
study and expense to get any
certification? Well for most people
the short answer is because it helps
you to secure a new job. You can
find lots of lively discussion about
whether this is the case (both in
terms of certifications in general
and the CISSP) but here is my view
on it: it cant do any harm. If you
have a wealth of experience you may
be able to secure a role based
solely on that and you may not need
a certification, however there are
plenty of jobs which list being
CISSP certified as either essential
or desirable criteria (a quick
search on indeed.com at the time of
writing brought back over 11,000 jobs mentioning CISSP).
This may mean that although you are perfectly capable of doing the
job, those sifting applications will sift you out simply because
there are other candidates who are certified. Additionally if you are
very experienced you may well find that there is less for you to
learn because you already know much of the material from your
experience, making studying for the exam easier. Remember that those

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

doing the initial sift of applications may not be people who are
knowledgeable about the role, they may have a massive stack of
applications which theyve been told to whittle down to 20 if CISSP
is desirable criteria they may well simply dump all those who dont
have it even if the person doing the sifting doesnt know what
CISSP is!
However, what if you dont have a great deal of experience? Well
academic qualifications aside, having a certification will help mark
you out as having demonstrated that you at least have the relevant
knowledge for a role even if your experience is limited. Note that if
you have no paid experience you cannot be CISSP certified, you can
however become an Associate of (ISC)2. If you put yourself in the
position of someone recruiting for a role and you have two resumes in
front of you, both with limited experience but one has a relevant
certification which one would you choose? In addition to these two
points I would also suggest that you will learn things which improve
your general knowledge and understanding making you better at your
job. You may even find some of it interesting!

why choose CISSP over another certification?

This is another topic on which you can find
many a flame war with people making wild
claims that the CISSP is the only cert
worth having while others say its
worthless and that there are others much
more worthy of your time. From what Ive
seen, the CISSP is still the most sought
after, desirable certification to have on
your resume if you are interested in roles
relating to information security, especially
if you want a role in management. The CISSP
is not practical, you wont learn how to
conduct penetration testing, or how to
assess a network for weaknesses. If thats
more your thing then I would agree that you should be looking
elsewhere, but if you are looking for something at the management

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

level or above, then this is still one of the most sought after
certifications in terms of job adverts.

The other point that Id like to make about the CISSP is that because
it covers such a wide range of topics it doesnt tie you to a
specific field. (ISC)2 state in their description of the
certification that CISSP is ideal for the following roles:

Security Consultant

Security Manager

IT Director/Manager

Security Auditor

Security Architect

Security Analyst

Security Systems Engineer

Chief Information Security

Officer

Director of Security

Network Architect
(source: (ISC)2 February 2017)

So, for my money, unless you arent interested in management and/or

there is a specific role/field you want to work in you should be
considering CISSP as your primary certification.

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

2. planning for certification

This chapter discusses the various options for getting CISSP
certified and answers some of the common questions that arise. The
bottom line in terms of getting certified is that there are two
primary hurdles: you must pass the CISSP exam:
you must pass the CISSP exam
you must have 5 (or in some circumstances 4) years of relevant
experience

Although you may have your sights set on the exam and are
concentrating on that being the challenge, its important that you
consider the experience requirement carefully. From the point that
you pass the exam, you start a timer which gives you 6 years to
certify. If you dont manage this, you have to take the exam again
(which no one wants to have to do, believe me, once is enough). This
6 year window gives you time to build up your experience in order to
get certified but what sort of experience do you require?

experience requirement
The first thing you need to know, is how much experience is required.
You may have noticed that in the bullet points above I referred to
either 5 or 4 years being required. This depends on whether you can
waive a year by having a relevant qualification or certification. The
(ISC)2 guidelines state that:

A candidate shall be permitted a waiver of one year experience if:

Based on a candidates education
Candidates can substitute a maximum of one year of
direct full-time security professional work
experience described above if they have a four-year
college degree or regional equivalent or an advanced
degree in information security from the U.S. National
Center of Academic Excellence in Information
Assurance Education (CAE/IAE).
OR

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

For holding an additional credential on the (ISC)

approved list below
Valid experience includes information systems
security-related work performed as a practitioner,
auditor, consultant, investigator, or instructor that
requires information security knowledge and involves
the direct application of that knowledge. The five
years of experience must be the equivalent of actual
full-time information security work (not just
information security responsibilities for a five-year
period); this requirement is cumulative, however, and
may have been accrued over a much longer period of
time.
(source: (ISC)2 February 2017)

So, if you want to use 4 rather than 5 years, you either need an
undergraduate degree (or the alternative listed above) or you need a
credential from the approved list. In addition the work must be paid
and cover at least two of the 8 domains from the Common Body of
Knowledge. The best source that Ive found to decide whether your
experience is sufficient, is to use the exam outline provided by
(ISC)2 because it breaks down each domain into sub topics, which make
it much easier to gauge your level of relevant experience.

planning when to take the exam

By now you should have noticed that
this decision is dictated largely
by how you intend to fulfil the
experience requirement. If you
already have the 4/5 years of
experience then it doesnt matter
when you pass. If youre looking to
change careers and feel being
certified would be of benefit, or
if you have a significant period of
free time in which to study, then
of course these factors will affect
your decision of when to take the

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

exam, but having the experience already makes the tactical decision
of when to study for/take the exam moot.

You can pass the exam without the experience and become an Associate
of (ISC)2. This effectively means that you get to bank your exam for
6 years, at the end of which you must have your 4/5 years of
experience in order to certify as a full CISSP. You can call yourself
an Associate of (ISC)2 but cannot call yourself CISSP, or imply that
you are certified in any way while you are an associate. This 6 year
timer can give you a good idea of how to plan your certification if
you dont yet have the required amount of experience. There are a
number of situations you may find yourself in which I have laid out
below:
1. you have no relevant experience and are not in a job that will
give you that experience
2. you have no relevant experience but have started a permanent
full time job that will give you the relevant experience (in 2+
domains)
3. you have some years of relevant experience but are short of the
required 4-5 years
If you fall into scenario 1 you may wish to think twice about whether
you really want to study for the exam just yet. If you pass, you then
have the pressure of finding the relevant 4-5 years of experience
when dont yet even have a job that will give you that experience. My
recommendation in this case is to wait until you are in a relevant
role.

For those of you who are in scenario 2 theres nothing stopping you
taking the exam and becoming an Associate of (ISC)2 until you have
accrued the relevant experience. Your timing in this case will
probably depend on when you have the time to study (e.g. if youre
planning on having children in the next couple of years then now
might be a better time to hit the books!). The 3rd scenario is
similar but gives you a little more of a cushion in that you can
already knock some time of the 4/5 year requirement.

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

3. study options
This chapter introduces the various study options available to you
when you prepare for the CISSP exam. As with most exams there are a
variety of study options available to you, which you decide to choose
will likely depend on a number of factors including:
money
time
location
how you absorb and assimilate information
The options available to you broadly fit into three categories:
self study with the Official (ISC)2 Study Guide, other books and
free online resources
take a paid online course
take physical location based training
of course you can mix and match and do a combination of these
options.

self study
This is the cheapest option as
you can technically buy only
the Official Study Guide and
use this to study for the
exam, however its also the
hardest. It will be down to
you to work out how to plan
your study and incorporate
effective revision. The
material that the CISSP exam
covers is very broad which means that its hard to keep your
knowledge fresh for every area and if you arent used to studying you
might find the whole thing too daunting and never get started in the
first place.

The important thing about self-study is to have a plan, the old adage
of fail to prepare prepare to fail fits well and if you simply

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

read the book without studying then you are unlikely to fare well.
The other benefit of self study is that you can fit it around your
life. If you have downtime or commute time you can fit some study in.
This isnt something that you can do with physically delivered
courses.

Other resources you may wish to make use of are YouTube videos, other
study guides and online searches. I would recommend that you
structure your study plan with the Official Guide at the center, it
is, after all, the official guide which should give you a strong
foundation for your test. I used YouTube videos and online searches
mostly to clarify things that I had read in the guide but didnt
properly understand.

Any additional study materials that you might use will depend on how
you learn best. For example you may not learn particularly well
through reading but find that you do learn well from videos or audio.
Even if you do learn well through reading, you may find that
supplementing this with video or audio helps to cement the
information in your mind.

paid online courses

This option is of course more expensive that just studying on your
own with books and free resources but online courses are a way to get
yourself onto a program of study that doesnt require you to do the
planning thats done for you.

If you are considering taking a paid online course there are a few
things that you will want to know before you fork over your hard
earned cash. Firstly, is it a course which you can do whenever you
want or does it consist of live webinars that require you to be
available at a specific time? The former is clearly more convenient
and you can go at your own pace, but the live option may be easier
from the point of view of being able to ask questions to clarify
whats being taught at in a live classroom style environment. You
will want to know what options you have to ask questions about the
material as this could range from real time (phone/chat) to none.
Youll also want to know what materials are included in terms of
video, online written material, material that you can download or in

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

some cases hard copies of materials that can be posted to you. You
should also have the opportunity to see samples of the materials
before you buy a course as well being clear on what the money-back
guarantee is.

physical location based training

This is the most
expensive option
(typically well
over 1000 USD)
and the most
traditional in
the sense that
it is
effectively
classroom
teaching. The
benefits of this
are that as with
any other
classroom
training you can
ask questions of
your teacher and get an immediate response. Similarly if something
isnt clear you can ask for clarification. The drawbacks are that you
cannot set your own pace, so if you already work as a network
engineer for example but have knowledge gaps in other areas you still
have to sit through the section on what IP and MAC addresses are
time which you could have better spent on another topic. The courses
tend to be intensive (e.g. a week) which may not be the best way to
absorb so much information. If you do decide to take a course I would
recommend doing so only after youve read the book. At least that way
you will be familiar with the material and can treat the course as a
revision tool prior to the exam.

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

4. planning your CISSP study

This chapter is about how you actually plan your studies, including
the techniques I used to study for and pass the CISSP exam. We will
cover:
study techniques and styles
timescales and setting goals
resources
study techniques and styles
The first thing to realize is that not everyone learns most
efficiently in the same way. Although there are plenty of resources
which go into great depth on this topic, I will use the three broad
categories that feature on the wikiHow page on learning:
visual
aural
kinesthetic
Visual is fairly self explanatory you learn well through the use of
images, diagrams, colors and perhaps through (reading) text. Aural is
learning through listening, this would include listening to podcasts
or other recordings, or perhaps through someone speaking on a video
or in person. Kinesthetic or tactile learners learn primarily through
doing or touch. Its not important to get too tied up with the
details of exactly which category you fall into, but what is
important is to be willing to try more than one technique in your
learning especially if you havent studied for a long time.

For example I know that I learn better by not only reading material,
but by writing notes as well (even if I dont use them to revise
later). To me this suggests that there is an element of the
kinesthetic learner in me the action of writing helps me to
remember. However Im also highly visual in that diagrams or pictures
are something that I can easily remember I can then remember the
facts that are associated with them. If those images werent there
then I would struggle to remember the words on their own. Another
technique that I find very helpful is using and visualizing examples;

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

particularly where there are abstract theories involved. Again, for

me this suggests that I learn best through visualizing the example
(visual type learning) and through acting out the example in my
mind (kinesthetic type learning).

The reason this is important, is that generally everyones initial

study starts off with buying the Official Study Guide a text book.
I would recommend that you at least experiment with other study
techniques, other than simply reading, to work out how you learn
best.

timescales and setting goals

One of the hardest things when studying on your own is pacing
yourself and setting goals. This is what you should be doing in your
planning phase before you even start your study. That way, even when
youre up to your armpits in governance or malware, the end is always
in sight! I recommend that you base your planning on the Official
Study Guide.

My study technique is simple, structured and is made up of two

phases:
studying initial learning of material and making your own
revision materials as you go
revising revisiting key material, refreshing your memory and
testing yourself
studying
In terms of studying this is how I recommend that you structure it,
working from the Official Study Guide:
1.work through the book chapter by chapter
2.as you read make your own notes or flashcards
3.use the end of chapter activities and revision questions to refresh
your knowledge
The chapters do vary in length, however I strongly recommend setting
a goal for your study dependent on how much free time you are willing
to dedicate. For example you might decide to aim to do one chapter
every 2 days which would give you a total time of six weeks to
complete the book. You will have a better idea of how long you need

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

once youve done the first couple of chapters, but by having a goal
like this at least the end is in sight! You can look at your diary
and say: well at least Ill have finished the book by such-and-such
a date. This really helps with motivation and I also found that when
I didnt study, I felt a bit guilty because I wasnt keeping up with
the schedule I had set. If I hadnt set one, then I wouldnt have
minded so much because I wouldnt have been off schedule there
wouldnt have been one!

While were on the topic of pacing, its worth being wary of the
dangers of either rushing through the material too quickly or being
overly slow. If you rush through the material at breakneck speed you
might find that you struggle to retain the knowledge because youre
simply cramming information into your mind at a speed that you cant
keep up with your mind does need some time in order to process what
youre learning. Conversely, if you only read a page a day it would
take you so long to finish the book that by the time you finished you
probably wouldnt remember much of what was at the beginning of the
chapter, let alone the beginning of the book. This makes revision
even harder because you dont have much of a foundation to build on.

To set your own schedule for completing the book I suggest that you
time yourself to see how long you need to complete the first chapter
then establish how much time youre likely to have day-to-day over
the coming weeks so that you can set your own goals in terms of how
long you will give yourself to complete a chapter. My overall study
time was around 3 months.

revising
The revision phase is where youve completed your initial
study/learning of the material and youre now trying to refresh that
knowledge to a point where you can use it in the exam. If youve been
through the chapters in order, by the time youve finished chapter 21
on Malicious Code you will probably have forgotten much of the
material in chapter 1 Security Governance. This is where your
revision notes/flashcards become particularly valuable. Because
youve distilled the essential keywords and facts and cut out all the
explanation you can quickly refresh your knowledge without getting

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

bogged down. I wrote flashcards rather than notes which meant that I
had questions that I had written myself on one side with the answers
on the other. One of the benefits of this, was that it exercised the
recall part of memory, forcing me to access the knowledge, rather
than just repeatedly reading facts.

Once youre comfortable with the knowledge on your flash cards its
time to try some of the Sybex online practice tests that come free
with your Official Study Guide. When you get questions wrong, its
important to consider whether they are pointing to a specific
weakness in your knowledge and if so, revisit the relevant section of
the book. For example, I found that I was getting quite a few
questions wrong which were about the Governance topic so I decided to
go back and re-read the relevant sections of the book.

resources
The resources that you will need to prepare for the CISSP exam are,
in my view, separated into the must have and could have
categories. The Official Study Guide is a must-have along with the
online resources that come with it. Either making your own
notes/flashcards as you go along or having someone elses are another
must-have. Other resources depend a bit on your learning style. If
you find them helpful, then look into what audio/video resources
there are as well as other companion books. But remember that a
companion book is just
another book to read and
you might find that youre
adding to your workload
without a great deal of
benefit. I would also
suggest that you dont
solely use videos or audio
guides for your study but
rather use them to
supplement your study of
the book. In short:
Must have:

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

Official Study Guide (with accompanying online resources)

Either your own notes/flashcards or someone elses (that you

trust)
Could have:
Videos (free or paid)
Audio/podcast
Companion books
Online or in person delivered training course

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

5. note taking
The purpose of this chapter is to cover how you actually study
(rather than just read) a section of the CISSP study guide and how to
take notes. We will work through an example of text from the study
guide which I break down into sections and discuss my decision
process on which material to note down and which to leave out.

youre studying, not reading

The first thing thats important to remember is that you are
studying. This is different to just reading a book. If youre reading
for pleasure it doesnt really matter how hard youre concentrating
or whether you actually retain much of what youre reading. Studying
is reading with a purpose! Youre looking for key points within the
text that you think are something that is testable. Generally with
a text book you will have a number of these facts/theories along with
a load of explanatory text. The aim is to be able to pick out these
facts and base your notes/flash cards on them. Below I use an example
from the study guide about the Bell-LaPadula model to demonstrate
what I mean.

The US Department of Defense (DoD) developed the Bell-

LaPadula model in the 1970s to address concerns about
protecting classified information. The DoD manages multiple
levels of classified resources, and the Bell-LaPadula
multilevel model was derived from the DoDs multilevel
security policies. The classifications the DoD uses are
numerous; however, discussions of classifications within the
CISSP CBK are usually limited to unclassified, sensitive but
unclassified, confidential, secret, and top secret. The
multilevel security policy states that a subject with any
level of clearance can access resources at or below its
clearance level. However, within the higher clearance levels,
access is granted only on a need-to-know basis. In other
words, access to a specific object is granted to the
classified levels only if a specific work task requires such
access. For example, any person with a secret security
clearance can access secret, confidential, sensitive but

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

unclassified, and unclassified documents but not top-secret

documents. Also, to access a document within the secret level,
the person seeking access must also have a need to know for
that document. By design, the Bell-LaPadula model prevents the
leaking or transfer of classified information to less secure
clearance levels. This is accomplished by blocking lower-
classified subjects from accessing higher-classified objects.
With these restrictions, the Bell-LaPadula model is focused on
maintaining the confidentiality of objects. Thus, the
complexities involved in ensuring the confidentiality of
documents are addressed in the Bell-LaPadula model. However,
Bell-LaPadula does not address the aspects of integrity or
availability for objects. Bell-LaPadula is also the first
mathematical model of a multilevel security policy.

This model is built on a state machine concept and the

information flow model. It also employs mandatory access
controls and the lattice concept. The lattice tiers are the
classification levels used by the security policy of the
organization. The state machine supports multiple states with
explicit transitions between any two states; this concept is
used because the correctness of the machine, and guarantees of
document confidentiality, can be proven mathematically. There
are three basic properties of this state machine:

The Simple Security Property states that a subject may not

read information at a higher sensitivity level (no read up).

The * (star) Security Property states that a subject may not

write information to an object at a lower sensitivity level
(no write down). This is also known as the Confinement
Property.

The Discretionary Security Property states that the system

uses an access matrix to enforce discretionary access control.

These first two properties define the states into which the
system can transition. No other transitions are allowed. All
states accessible through these two rules are secure states.
Thus, Bell-LaPadulamodeled systems offer state machine model
security.The Bell-LaPadula properties are in place to protect
data confidentiality. A subject cannot read an object that is

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

classified at a higher level than the subject is cleared for.

Because objects at one level have data that is more sensitive
or secret than data in objects at a lower level, a subject
(who is not a trusted subject) cannot write data from one
level to an object at a lower level. That action would be
similar to pasting a top-secret memo into an unclassified
document file. The third property enforces a subjects need to
know in order to access an object. The Bell-LaPadula model
addresses only the confidentiality of data. It does not
address its integrity or availability. Because it was designed
in the 1970s, it does not support many operations that are
common today, such as file sharing and networking. It also
assumes secure transitions between security layers and does
not address covert channels (covered in Chapter 9, Security
Vulnerabilities, Threats, and Countermeasures). Bell-LaPadula
does handle confidentiality well, so it is often used in
combination with other models that provide mechanisms to
handle integrity and availability. (Stewart, JM, Chapple, M,
Gibson, D, 2015, Certified Information Systems Security
Professional Study Guide Seventh Edition, Hoboken, Sybex, pp
282-283)
Wow! Even looking at this small section is daunting! Lets have a look
at what we can distil from this in terms of the crucial facts that we
should be noting down. In the back of our mind we should remember
that other than expanding our knowledge, the end goal is to take the
CISSP exam which consists of multiple choice questions. So, as we
study we should be thinking, what sort of multiple choice questions
would I write if I had to examine someone on this? Lets break it
down piece by piece to see what we have:
The US Department of Defense (DoD) developed the Bell-
LaPadula model in the 1970s to address concerns about
protecting classified information. The DoD manages multiple
levels of classified resources, and the Bell-LaPadula
multilevel model was derived from the DoDs multilevel
security policies.
This is background/historical information none of which I would
expect to help me much in an exam so I wouldnt take anything from
this.

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

The classifications the DoD uses are numerous; however,

discussions of classifications within the CISSP CBK are
usually limited to unclassified, sensitive but unclassified,
confidential, secret, and top secret.
This is more of a recap of another section of the book. The
classification of information is dealt with elsewhere and this
sentence doesnt really add anything to that again I would not take
any notes from this.
The multilevel security policy states that a subject with any
level of clearance can access resources at or below its
clearance level. However, within the higher clearance levels,
access is granted only on a need-to-know basis. In other
words, access to a specific object is granted to the
classified levels only if a specific work task requires such
access. For example, any person with a secret security
clearance can access secret, confidential, sensitive but
unclassified, and unclassified documents but not top-secret
documents. Also, to access a document within the secret level,
the person seeking access must also have a need to know for
that document.
Again, to me this mostly appears to be a recap of how clearances and
need-to-know work. You will most likely be able to infer this about
the Bell-LaPadula model from the more crucial points that youll make
note of further on.
By design, the Bell-LaPadula model prevents the leaking or
transfer of classified information to less secure clearance
levels. This is accomplished by blocking lower-classified
subjects from accessing higher-classified objects. With these
restrictions, the Bell-LaPadula model is focused on
maintaining the confidentiality of objects. Thus, the
complexities involved in ensuring the confidentiality of
documents are addressed in the Bell-LaPadula model. However,
Bell-LaPadula does not address the aspects of integrity or
availability for objects. Bell-LaPadula is also the first
mathematical model of a multilevel security policy.
OK, now were starting to get to the meat of it. The first sentence
is important but its still quite a verbose explanation its
basically saying that it stops higher classified material from

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

escaping to lower classified areas even though this is important, I

would not make a note about this specifically as its inferred from
the rules that we come across later. The most important piece of
information here to take note of is confidentiality. This is the
keyword that I would write down like this:

Bell LaPadula:

confidentiality
I wouldnt write down that it doesnt deal with integrity or
availability. Rather I would infer that from the fact that I hadnt
written it down. For me its a lot easier to recall the note above,
see that it only says confidentiality then assume that it doesnt
address anything else, rather than write down something like this:

Bell LaPadula:

confidentiality addressed
integrity not addressed
availability not addressed
Now rather than only having to remember one word, I have to
effectively recall six pieces of information three terms
(confidentiality, integrity, availability) plus whether each one is
or is not addressed by the model. The final sentence is more of a
historical anecdote and I would personally be surprised if it were
used to create a question; its not a history exam after all! Lets
continue:
This model is built on a state machine concept and the
information flow model. It also employs mandatory access
controls and the lattice concept. The lattice tiers are the
classification levels used by the security policy of the
organization. The state machine supports multiple states with
explicit transitions between any two states; this concept is
used because the correctness of the machine, and guarantees of
document confidentiality, can be proven mathematically. There
are three basic properties of this state machine:

The Simple Security Property states that a subject may not

read information at a higher sensitivity level ( no read up).

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

The * (star) Security Property states that a subject may not

write information to an object at a lower sensitivity level
(no write down). This is also known as the Confinement
Property.

The Discretionary Security Property states that the system

uses an access matrix to enforce discretionary access
control.
Now weve got some more of the crucial fundamentals of the model. I
would make a note of the two types of model on which Bell-LaPadula is
based State Machine and Information Flow. I would also write down
MAC (Mandatory Access Control). You may wonder why I wouldnt write
down lattice concept. This is an example of where how you take
notes is personal. Youre trying to strike a balance between writing
down enough of the key points that you can answer questions on a
topic, but at the same time the more you write down the less likely
you are to remember it all. After all if we wrote everything down we
would just have another copy of the text book! I would leave the
piece about lattice out because: a) I would hope to remember it
because I remember the different classification levels associated
with the confidentiality aspect of the model and b) because of the
models rules (below) which describe the actions that cross the
layers of the lattice itself. The three bullet points are
intrinsically
important to the
model and are easy
to write questions
for. In addition,
when you move on
to study one of
the other models,
you find that it
has the exact
reverse of the
first two rules
this makes for an
obvious exam
question that you

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

could write comparing the two models. As with deciding which material
youre going to make note of, I also find it important how I note it
down. The more economical I can be with words and letters the easier
I find it to remember. Now my notes would read:

Bell LaPadula:

confidentiality
no read up simple
no write down *
discretionary access matrix
MAC
state machine
info flow

[] These first two properties define the states into which

the system can transition. No other transitions are allowed.
All states accessible through these two rules are secure
states. Thus, Bell-LaPadulamodeled systems offer state
machine model security. The Bell-LaPadula properties are in
place to protect data confidentiality. A subject cannot read
an object that is classified at a higher level than the
subject is cleared for.

So this is really just explanation of what weve already noted down

that the model protects confidentiality and that it is a type of
state machine. The final sentence just spells out the Simple (no read
up) rule that we dealt with previously.

Because objects at one level have data that is more sensitive

or secret than data in objects at a lower level, a subject
(who is not a trusted subject) cannot write data from one
level to an object at a lower level. That action would be
similar to pasting a top-secret memo into an unclassified
document file. The third property enforces a subjects need to
know in order to access an object. The Bell-LaPadula model
addresses only the confidentiality of data. It does not
address its integrity or availability.

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

Again, this just goes on to explain the no write down Star property
and the Discretionary rule that weve noted down previously. It
reiterates that the model only addresses confidentiality (a point
that we dealt with earlier). Lets take a look at the final block:
Because it was designed in the 1970s, it does not support
many operations that are common today, such as file sharing
and networking. It also assumes secure transitions between
security layers and does not address covert channels (covered
in Chapter 9, Security Vulnerabilities, Threats, and
Countermeasures). Bell-LaPadula does handle confidentiality
well, so it is often used in combination with other models
that provide mechanisms to handle integrity and availability.

OK, so here Im going to contradict myself slightly. I would consider

noting down 1970s. Not because I expect a question asking me when
the model was developed, but because if I got a question about a
model which didnt support file sharing and networking I would hope

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

to remember seeing 1970s written down under Bell-LaPadula and infer

that this was the right one based on that. Its less to remember to
see 1970s in my mind rather than: does not support file sharing
and networking.

On the point that the model doesnt support covert channels, this is
something that I wouldnt note down at this point (or if I did I may
remove it later on). The reason being that the relevance of it from a
testing point of view depends on the other models that you are
expected to be able to compare with Bell-LaPadula. Its only likely
to be relevant if you find that other models do address covert
channels. The last sentence confirms what we already wrote down
that the model only provides confidentiality.

So after all that text the notes that we end up with are:

Bell LaPadula:

confidentiality
no read up simple
no write down *
discretionary access matrix
MAC
state machine
info flow
1970s

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

6. CISSP flashcards
(why you need them)
This chapter goes hand in
hand with Note Taking
because it relates both
to the initial study
period (where you create
the notes and flashcards)
and the revision phase
(where you use the notes
and flashcards to revise
for the exam). The reason
Ive included a whole
chapter on this is because I have no doubt that a big part of the
reason that I passed first time was due to my diligent use of
flashcards.
The reason that you need flashcards comes down to the actual process
of studying. I the past I was pretty bad at exams, in the first year
or so of my undergraduate studies my study/revision process went a
bit like this:
1. write some notes
2. maybe highlight some of them
3. read over them a couple of times before my exam.
I passed, but never did very well. Towards the end of my degree I had
a course that could decide my overall grade, if I did well it would
push my overall grade up. The pressure was on! In addition to
studying and revising harder, I also studied smarter. I wrote sets of
flashcards as I worked through the material and kept going over-and-
over them leading up to the exam to the point where I was almost
bored of knowing all the answers. The result? I passed with
Distinction. I used the same principle when I studied for the CISSP
exam. I was paying for the exam out of my own pocket and definitely
didnt want to have to take it more than once, I passed first time.

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

Why am I telling you all this? Because I want to you pass the CISSP
first time too!

The reason flashcards are so important is because they force you to

recall information. If you have notes, you can read them as many
times as you want but you arent practising how to recall the
information. That is what you have to do when youre taking the exam.
You read a question then have to fumble around in the gloomy archives
of your mind to find the information that you need to answer it. If
you havent practised the recall aspect then youre going to
struggle.

how to write them

This is very similar to taking notes, however the long and short of
it is that you have to distil the relevant information, noting only
material that you think is testable and that you are likely to
forget. Youll notice for example that none of my CISSP flashcards
have any questions on what CIA (Confidentiality, Integrity,
Availability) stands for. Why? Because theres no way I would forget
a fact like that so whats the point in wasting time revising it?

When you are writing your questions, experiment with giving yourself
prompts in terms of how many facts youre trying to remember. For
example, revising: what are the 4 steps to BCP? is easier to revise
than the open ended question: what are the steps of BCP?. In terms
of writing your answers, try to keep them as brief as possible,
youre trying to memorize them so the shorter they are the better. I
also like to write my prompts as questions, so that you are clear
what information you are supposed to be recalling. Too often I see
peoples flashcards with a single word on one side then one of a
number of possible responses on the reverse if I had bought these I
would find them very frustrating to use!

Whether you decide to have physical paper cards or use electronic

ones is a matter of personal preference. It depends on access and
how/where you will be studying. If you will always have the internet
available while studying then by all means use an online service. If
your access to internet/computer/phone is limited then you may prefer
physical flashcards.

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

how many flashcards should you have?

As few as possible. This is the same as notes. If you had notes on
everything you would be reproducing your study guide. The aim is to
have as few as possible whilst making sure that youre covering all
the crucial facts. I ended up with around 550 not because I
couldnt think up any more but because I couldnt get it any lower
without missing crucial material!

You can get hold of my CISSP flashcards via: cyberonthewire.com/resources

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

7. how to revise
This chapter covers the process of revision this is probably the
most important part of your preparation in terms of passing the exam.
My intention is to try and keep this chapter brief, breaking the
subject into 5 topics, as if you are actually revising now, you
probably feel under pressure and I understand that time is precious!

1 know your enemy (and make friends with it)

The first thing that we need to recognize is that in order to revise
(read: prepare) effectively for anything, we need to know what we are
revising for. By this, I dont mean simply an exam or the CISSP
exam but rather what style of exam is it? What type of questions
could we reasonably expect? And what knowledge are we going to need
for it? Do your best to research question styles so that you at least
have a rough idea of what to expect. The bottom line is that the
CISSP exam is multiple choice. This points to two particular skills
that will really help you out: recognition and tactical elimination:
recognition by going over notes/using flashcards there will be
some answers that should jump out to you as being familiar (and
likely correct provided you check the question carefully)
tactical elimination for questions where you are uncertain
which the right answer is you can narrow the choices by
eliminating those that you know are incorrect

2 refresh your overview

Before you start freaking out that you cant remember how many bits
there are in a MAC address (48) you need to review your high level
overview of the CISSP material. The temptation is to dive into the
detail headlong (especially if your exam date is looming) but it
really helps to start by taking a step back to look at the broad
topic structure. The main benefit of this is that by having a broad
structure in place in your mind its easier to:
structure the topics so that you can add/link the detail that
you revise in the next section (as the information goes in)

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

provide a map which can help signpost your recall to the detail
that you require when answering questions (as the information
comes out)
This doesnt need to take long, especially if youve taken good notes
you can probably list the main topics and sub-topics within a couple
of hours.

3 revisit the CISSP study topics in reverse order

This the last time that youll review the material without a pointer
(see below). This isnt simply about reading the book again, its a
chance to review the material to check that you havent missed
anything in your notes its a skim read if you like, paying extra
attention to things like lists of contents, bullet points and end of
chapter review sections. If there are any topics that stand out as
being weak areas, now is the time to pause and revisit that material.
The reason for going through chapters in reverse order is that when
you finished the book the first time, chapter 1 was a long time ago,
I feel that by switching it up youre giving yourself a better chance
of keeping an equivalence of freshness across the topics (this may
seem illogical as I realise that the you now have the reverse
problem, but try it and see how you feel)!

4 keep your knowledge fresh (using flashcards)

For me, flashcards were a real
lifesaver. They force you to
actually use your mind to
recall information and help
prevent you from getting lazy.
There are several ways you can
use them, but other than
reinforcing your learning, they
will quickly highlight weak
knowledge areas acting as a
pointer. Concentrate on these
weak areas (by going back to your study guide if necessary) until you
are confident. I would keep them with me and do short bursts (say 5
or 10 at a time).

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

5 have a schedule but be flexible

This is perhaps the most crucial point. How long it will take you to
revise is personal and not an exact science. The fact that you can
cancel the exam close to the date without penalty is both a blessing
and a curse. If you couldnt cancel it, you would just have to do
your best up until the day, then cross your fingers. Now its up to
you to decide whether youre ready which isnt always easy.

The approach I took was once I had finished my initial study, I

estimated roughly how long it would take me to revise and booked the
exam accordingly. That way I had something to work towards, after
youve put so much work into your study it would be a shame to lose
momentum during revision, have second thoughts and back out. Map out
your revision schedule allocating yourself time for each section
(which you mapped out in phase 2) plus a safety margin prior to your
exam date. Based on your levels of success using your flashcards and
utilizing online practice questions you will be able to decide
whether you feel confident to take your CISSP exam. Having a schedule
for your revision should help you avoid the need to cram at the last
minute which is both stressful, and according to an article on the
Guardian less effective than spacing your revision out.

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

8. how to know when youre ready

This chapter aims to give you some guidance in deciding when youre
ready to take your CISSP exam. There are a few hurdles which can make
this a difficult decision to make, but my aim is to help you make
that decision in a systematic manner that is bespoke to you.

factors knowing youre ready for your CISSP exam

So here are the factors to
consider when deciding if youre
reading to take your CISSP exam:
performance on practice
questions
confidence/familiarity with
your knowledge
cost
time sensitive factors
Practice questions
There are a few things which make
it hard to decide whether youre
actually ready. One of which is a
lack of accurate practice CISSP
exam questions. You know roughly
what style the questions will be
(multiple choice, scenarios,
drag-and-drop) but although
people cant discuss their exams
its common to hear the complaint
that the questions werent really
similar to any that theyd
practised. All you can really do
is make sure that youve
practised plenty of questions
ideally from multiple sources.
Certainly make use of the online

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

practice tests that come with the Official Study Guide and seek out
as many others as you can. In order to pass you effectively need to
be comfortably hitting over 70%. I would recommend that you ensure
that youre in the 80%s before taking your exam.

Confidence in your knowledge

Your revision phase should also be giving you a good idea as to how
well you know the material. In addition to using practice questions,
you should also be utilizing flashcards as they are excellent at
reinforcing learning and keeping your knowledge fresh. When youre
presented with a practice question, because its multiple choice, you
are being shown the answer. Whether you can correctly identify it or
not is another matter. But you are mostly recognizing rather than
recalling (when you first read the question) which are different.
This is particularly the case where you are going over practice
questions more than once. You will very quickly recognize a
particular scenario and remember the answer from before, even if you
dont actually have the knowledge that the question is asking about.

Whichever way you decide to structure your revision, you need to feel
confident that there are no major holes in your understanding.
Because you will be going over your flashcards repeatedly, you really
need to be getting over 90% of them right before taking the exam.

Cost
This is something that will depend on your personal circumstances but
if youre paying for your CISSP exam out of your own pocket the
chances are that you wont consider it cheap. At the time of writing
the US cost for the exam is $599, or to put it another way if you
fail the first time youll end up paying at least $1,198 in total to
pass! In the UK the cost was 415 when I took my test and there was
no way I was going to fail and have to retest for a total of 830 of
my own hard earned cash. If however youre being sponsored by your
company, this may not be such a concern. Because you can cancel the
your exam very close to the date this does mean that you can set a
date and book your exam, then as it gets closer if you dont feel
confident you can always cancel it and reschedule at no extra cost.

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

By having a date set it gives you something to work towards which

should help you keep motivated.

Time sensitive factors

This aspect depends on your life events and what you have going on.
Do you need the certification in order to be able to take on new role
on a specific date? Are you on a contract that is ending soon and
want to be CISSP certified when looking for your next job? In that
case there are reasons specific to you that will encourage you to get
the CISSP exam under your belt sooner rather than later. Other time
sensitive factors may be things that impact your ability to study.
For example if youre currently busy with a project at work you may
not have the time to study effectively and may plan to pick up your
CISSP studies at a later date. On the other hand if you are expecting
a baby it may be wise to try and pass your CISSP exam before youre
kept up all night with a crying child!

taking the plunge

The questions you need to be able to say yes to before taking your
CISSP exam are:
1. Are you hitting over 80% in your practice tests?
2. Are you confident in your overall knowledge of the material to
the point where youre getting more than 90% of your flashcards
correct?
3. Are you clear on the exam costs if you dont pass first time?
4. Have you taken your own personal time sensitive factors into
account when setting a date for your exam?

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

If the answer to all these questions is yes then you should

consider yourself ready!

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

9. 24hrs to go
Crunch time, you have put a lot of work into this most likely
youve spent months studying hard and searching online how to pass
CISSP exam in its various guises. No doubt you soon found that
there arent any shortcuts. You have to study hard and smart to be in
with a fighting chance. Hopefully you have read the preceding
articles (particularly those on revision and my post on how to know
when youre ready). Ive been (un)fortunate enough to have to take a
few exams in the last few years however I understand that for some
people it could have been many years since you had to go through this
ordeal if so my sympathies are with you! Ive also been the
position in the past of performing solo classical piano recitals at
university so believe me, I know what it feels like to feel under
pressure to perform! Remember that this is my advice, if you disagree
with it and want to prepare in a different way thats fine its
your exam, not mine.

the day before

The day before any exam I do no study at all. None. Why? Well
actually there are a few reasons. Firstly, you already know that the
amount of material that you have to study for this exam is vast. Most
likely it has taken you months rather than weeks to get through, so
if you really think that studying for a few extra hours the day
before the exam is going to make a significant difference to your
knowledge youre kidding yourself. At this point preparation is more
about preparing yourself rather than preparing the knowledge.

Secondly, you are likely to keep going over topics that you struggle
with. For example if youve spent the last few weeks struggling to
remember the numerous key lengths of the various cryptographic
functions, this is likely to be what you will continue to do for the
last few hours. If you havent got it by now its better to accept
that you wont get it. Accept it rather than punishing yourself and
making yourself even more anxious than you are already.

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

Finally, its important to rest before taking the exam its

challenging, its long and there are a lot of questions to get
through which require your concentration. Dont put yourself in a
poor starting position by staying up late studying the night before.
The day before and exam I make sure that my books, flashcards, apps
and Facebook groups are out of sight and out of mind. The final
stages in how to pass your CISSP exam are: rest, relax and plan.

Plan?
What do you mean plan? Youve
already said not to study and
its not as if you know what
the questions will be, so how
can you plan? So this planning
is all about putting you in a
strong position so that you
can give yourself the best
chances of passing your CISSP
exam. The aim is to reduce
your worries and manage the
practical aspects of the day
to avoid unnecessary stresses. This includes:
planning your journey (Google maps is our friend) make sure
you know exactly how youre getting to your CISSP exam
be generous with time give yourself a safety margin
decide what youre going to wear comfort is the key
decide what youre going to eat before you leave running out
of energy isnt going to help
put your ID in a place you cant forget it imagine how
disappointed you would be to get turned away without even
starting
consider taking earplugs noise irritates some people (like
me), you dont have to use them but wouldnt it be nice to have
the option?
take food and drink you wont be allowed to take it in but can
leave it just outside the door and take a break to eat if you
want to

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

It goes without saying that getting a good nights sleep is important

but then we also know that this isnt always the easiest thing to
control. After all, the more you worry about the importance of
sleeping the more unattainable it seems to be. Suffice to say that
the better you have planned and prepared the less you will have to
worry about when you go to bed. Make sure you give yourself at least
the opportunity to get plenty of sleep and whatever you do, dont
stay up all night revising!

day 0
Test day! You thought it would never come, wished it would and now,
perhaps wish it hadnt! The most important thing about test day is
not to concern yourself about whether you pass or not by this stage
its largely out of your control anyway. Youve done whatever study
youve done and the rest is down to what questions you get and your
test technique. Make sure you have a decent meal before you take your
exam as the CISSP is long. Make sure you take your ID with you as
well as your snacks, drink and earplugs.

Stick to your plan in terms of travel to make sure you arrive in

plenty of time. One trick that Ive adopted is to get to the building
with plenty of time to spare so that I know EXACTLY where it is and
then go and have a coffee somewhere nearby. That gives me the option
of having a nice big safety margin (if I get delayed I just go
straight in) and avoids last minute panic of not being able to find
the right building. At the same time it avoids sitting around for
ages in the exam building waiting with a load of other worried
looking people!

Youll have to lock up your possessions (including phones) in a

locker, then will be provided with writing materials in case you need
to make any notes as you go along. Youll be allocated a computer
terminal at which youll take your test and then it will be time to
start. You have to accept the (ISC) 2 terms/conditions before starting
your test this times out and if you dont accept it in time you
cannot sit your exam! From then on its just you and 250 exam
questions.

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

10. my top 5 CISSP exam tips

This chapter gives you 5 simple CISSP exam tips that you can put to
use while answering those 250 multiple choice questions. This is how
I approach multiple choice exams and these tips have served me well
I hope they do the same for you.

1 RTBQ!
A favorite of my old math teacher Read The Bloody Question! Exams
are stressful and the CISSP exam is no different, but before you race
onto the options in a rush to get to the next question, take the time
to properly read what youre being asked. It might seem obvious but
out of all the CISSP exam tips you get, if you get this right youll
massively improve your performance. I read exam questions at the
speed that I would if I were reading them aloud. Usually twice.

2 spot the key words

In my experience the CISSP exam isnt as bad as some others Ive
taken for this, but there are certain words that you should be
training yourself to watch out for because of the effect that they
can have on the meaning of the question (and hence the answer that
you choose). Words such as can mean literally is it possible
that not is it usually true that if you say no then youre
answering that the statement you are being asked about is impossible.
Another one is always remember that this means without
exception if you can think of a situation, however unlikely that
goes against the statement in the question then always doesnt
apply. The another little word which it is imperative that you dont
miss is of course: not!

3 elimination
This is a good technique both for when youre unsure of the correct
answer and to double check even when you are sure. If you arent sure
of the correct answer, go through each option and see if you can
eliminate it. Rather than asking yourself: is this answer right?
Ask yourself: is this answer wrong? Remember that to begin with if

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

you dont know the right answer your odds of guessing it correctly
are 25% (1 in 4 in questions where youre required to choose one
option from A/B/C/D) if you can eliminate two answers that you know
are wrong, even if you still arent sure which of the two remaining
options are correct at least youve improved your chances of guessing
it to 50%. This may not sound like much, but if you get a few like
this it could make the difference between pass and fail.

Even if youre confident that youve got the right answer, sometimes
it pays to go over the remaining choices to satisfy yourself that
they are all incorrect before you continue you might catch a couple
of mistakes that you would have otherwise missed by doing so!

4 flagging
As you may be aware, while taking the CISSP
exam you have the option of flagging a
question to come back to later. I recommend
making good use of this option with one small
extra exam tip select your best guess at
the time you flag. Although many people find
that they barely need half of the allotted
time you dont want to be going back to reread
and answer questions with only seconds to go.
So if you have a question that youre not
comfortable about, select your best guess, flag and move on. You may
even find that a question further into the exam might give you a tip
in answering the one you flagged. Flagging is there to help you, so
use it!

5 rely on the Official study material

Although there is a certain amount of using your mind to apply the
knowledge, dont make the mistake of trying to do the job. This is
an exam which is based on official study material. Answer
accordingly. The questions you are being asked arent a real-life
situation where youre being consulted for advice, its an exam to
test your knowledge. Every question you read first ask yourself:
what have I read that covers this? Answering a question whilst

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

thinking well this is what we normally do at work may well not be

correct according to the study material.

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

11. passed? - now get certified and

stay certified
Finally! After all that study, revision and the trauma of actually
taking the CISSP exam you've passed! You'd like to think it's all
over now but unfortunately you now have the task of checking the
CISSP certification requirements again and putting together your
application to get fully certified which is a task unto itself.
Fortunately however, it's not as hard as people make out.

CISSP or CISSP Associate?

The first thing you need to do is decide whether you're going to go
straight for full CISSP certified status or whether you want to spend
some time as an Associate first. This decision may have already have
been made for you if you don't yet have enough relevant experience
(either 5 years or 4 with a qualifying degree or certification). The
only other reason you may wish to defer your full CISSP status could
be because you don't feel you have the time to keep up with the CPE
requirements or simply because you don't want to shell out as much
money (although this is unlikely as it's not that much considering
what it costs you in time and money to pass the exam in the first
place). I would recommend that as soon as you think you're eligible
go for full CISSP status!

putting together your application

Assuming that you are going for full CISSP certification there are
two routes available to you. The first is to find someone who you
know who is already a full CISSP who is willing to endorse your
application this effectively means that they have to check over
your application and vouch for you. The second option is to have
(ISC)2 do the endorsing. If you can find someone willing to endorse
your application I recommend taking that option although I havent
had (ISC)2 endorse my application I can only imagine that it would be
a slower more onerous process.

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

Either way, the first step is to look over the CISSP Exam Outline
from (ISC)2 to get an idea of what fits into each domain. You need to
demonstrate experience in at least two domains from the Common Body
of Knowledge. The process I used was to work through the Exam Outline
(which breaks down each domain) ticking off every point that I had
experience of. Once you know which areas you will be evidencing you
simply write your sentence explaining what you did, then to make
(ISC)2s job extra easy, reference the domain in parenthesis after.
For example:
Reviewing/amending privacy policies to ensure that customer and
employees privacy is protected and that all statutory requirements
are adhered to (1 Security and Risk Management)
Of course where your example hits several points you can include them
all in your parenthesis. By the way, your resume is written into the
online form within your (ISC)2 account so dont waste time typing up
and formatting a Word document. If you are waiving a year of the
experience requirement there is an option to upload a copy of the
relevant certificate within the same process.

submitting your application

Actually submitting your application is straightforward. You need to
enter the ID number of whoever is going to endorse you, then you
simply submit the application. From that point on, all you can do is
wait. Your endorser will then review your application, (hopefully)
approve it and then you have to play the waiting game again for
(ISC)2 to review it. You will be given an estimate of how long it
will take for (ISC)2 to review your application but it isnt
especially quick (I think it was about 6 weeks for me).

finally getting certified (phew)!

Assuming all goes well you will
get an email confirming your
status and you can then add
CISSP to your resume (and
wherever else you want to
display it including as a
digital badge on LinkedIn if

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

youre so inclined). In due course you will also get a neat parcel in
the post containing your ID card, pin badge and certificate but again
it takes a while. In fairness it is well put together and is a nice
touch considering the amount of work you put into getting it.

keep it and never let it go

Remember those dark days struggling through text books? Getting
frustrated when your brain refused to store the speeds of the
different types of WiFi? The stress and anxiety brought on by
the exam? Want to do it all again? No, didnt think so! So
whatever you do make sure you never ever let your certification
lapse otherwise thats what youll be doing.
At the time of writing, the requirements for keeping your
certification valid were:
Pay your annual fee ($85)
Submit at least 40 CPE credits per year (and 120 over a
three year period)
(you also have to abide by the code of ethics)
By far the easiest way to get your CPEs is to watch the
webinars that are provided free as part of your membership via
the (ISC)2 account. You simply select them and watch them. Most
of them get automatically added as CPE credits to your account.
So keeping it is as easy as paying your fees on time, make sure
you get your CPEs registered in time and dont do anything
stupid (unethical)!
N.B. As with all these things, the requirements are subject to
change as time goes on so do double check with (ISC)2.

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

12. thanks for reading

(and where you can get more)
Thanks for taking the time to read this study guide. I hope that you
have found it helpful and that you have been able to put some of the
advice to good use. You will read plenty online where people say that
getting CISSP certified isnt really worth anything any more, I hope
that you know better. Its true that it isnt a golden key but having
it will certainly open some doors which were closed to you previously
and is still the gold standard in information security.
If you didnt get this guide from my website I recommend that you
check out cyberonthewire.com (where you can check out my list of
study resources) and get on the email list so that youre the first
to hear about updates. If youre a Facebook user you may prefer to
follow the Facebook page and you may want to join our group where we
share CISSP practice questions. If you prefer to get in contact via
plain old email you can reach me at: [email protected]
I wish you all the best with your exam and your learning!
Laurie BS CISSP

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

Appendix A: Didnt quite make it first

time? Dont give up!
OK, so you didnt pass first time? Dont panic! Its common for
people to have more than one go at the CISSP exam before passing
dont be too hard on yourself, its a tough exam! Once youve got
over not passing, its time to establish how close you were, whether
you can identify any specific reasons that you werent able to pass
and see what you can do about addressing those reasons before you
retake it.
Remember that once youve taken the exam, the next time you take it
at least you will have a better idea of what to expect there will
be less of a feeling of being thrust into the unknown. You should
have been provided with feedback which breaks down your performance
by domain. If any stand out as being drastically weaker than the rest
then this is a good indication of where you should be concentrating
your efforts. Be realistic though with how much weaker they are. If
the difference isnt significant then avoid the trap of only
concentrating on them at the expense of forgetting the material for
the remainder of the syllabus.
Re-read this guide particularly the chapters on revision,
flashcards and how to know when youre ready and hit plenty more
practice questions before retaking the test. In terms of timing, you
have to wait 30 days before a retake. But unless you did especially
poorly (to the point where youre effectively starting again from
scratch), I would recommend retaking sooner rather than later. It
takes a lot of work to get your knowledge up to scratch, the longer
you have away from studying the more work youll have to do to re-
revise the material and get up to speed.

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

Appendix B: List of study resources

For the most up to date list of study resources please visit:
cyberonthewire.com/resources
However, a short list of what you may wish to consider includes:
Official Study Guide from Sybex
Sybex practice questions (access comes with the Official Study
Guide)
Decent set of flashcards (you can get mine via the above link)
Shon Harriss All In One Exam Guide
Copy of (ISC)2s current exam outline
For the full updated list please visit link above.

Get more study resources at: cyberonthewire.com/resources

CISSP Study Guide from cyberonthewire.com

Disclaimer
The information contained in this guide is for informational purposes
only. The contents is not affiliated with or endorsed by (ISC)2 or
any other organization. The advice given is provided in good faith
and is the personal views and opinions of the author. The author
accepts no liability for any information being inaccurate or
misleading. Readers should ensure that they conduct their own due
diligence when it comes to acting upon any advice given. Please
understand that there are some links contained in this guide that I
may benefit from financially either as they relate to products that I
own or due to affiliate fees that the product seller pays for the
referral. All trademarks and registered trademarks appearing in this
guide are the property of their respective owners. No liability is
accepted by the author where readers are unsuccessful in their CISSP
exam.
This guide may be distributed only where a hyperlink to
http://cyberonthewire.com is included. No part may be reproduced
without the accompanying hyperlink reference.
2017, Laurie cyberonthewire.com. All rights reserved.

Get more study resources at: cyberonthewire.com/resources