I know that people studying for the CISSP exam are by nature very busy people and I recognize that navigating websites trying to find all the advice you need is often a frustrating experience (even where the navigation is good). To give you a leg up I’ve carefully compiled a new 49 page CISSP study guide pdf which you can download for FREE!
CISSP study guide pdf – what’s in it
This study guide covers practical advice for people who are looking to study for and pass the CISSP exam with a view to becoming CISSP certified. This CISSP Study Guide offers guidance on what the CISSP is and reasons why you may decide to pursue it, strategies and tactics on effective study and advice on last minute preparation before taking the exam. Further to that, it also includes guidance on what happens after you pass the CISSP exam with a view to getting your CISSP certification application completed (and what to do if you don’t pass first time).
This guide isn’t just another technical guide – there are other people who have produced comprehensive guides (such as the Official Study Guide from Sybex and Shon Harris’ guide). This CISSP Study Guide covers advice about how to prepare yourself to give yourself the best chances of success in passing your CISSP exam first time. Here’s a sneak preview of the table of contents to give you a flavor of the content:
What is CISSP?
Planning for certification
Planning your CISSP study
How to revise
How to know when you’re ready
24hrs to go…
My top 5 CISSP exam tips
Passed? – now get certified
Thanks for reading (and where you can get more)
Appendix A – Didn’t quite make it first time? Don’t give up!
Appendix B – List of study resources
The CISSP Study Guide PDF is structured to read in the order that you progress through the CISSP certification process: from the initial decision to get certified and the requirements to get certified, through planning and structuring your studies, revision techniques, last minute exam preparation and how to get certified after passing.
I know someone else who would benefit from this CISSP study guide, can I share it?
Yes! Absolutely! The guide is free and I actively encourage you to share the guide with anyone you feel could benefit. The only request that I have is that you include a reference and hyperlink to cyberonthewire.com when you do so.
OK, I want it – how do I get it?
Simply scroll down and fill in your email address in the box below and press the blue ‘Submit’ button – I’ll email you the link where you can download your CISSP Study Guide PDF straight away. Hate being on mailing lists? No problem, every email (including the initial one you’re sent) has an unsubscribe link built in. If you decide to stick around I’ll be pleased to have you on board – subscribers get stuff before everyone else and it gives you a way to email me directly if you have any questions.
Following a poll I ran asking you, the readers which topics you wanted covered, the majority of you said that you wanted to see more about the actual revision process of CISSP study. My intention is to try and keep this post brief, breaking the subject into 5 topics, as if you are actually revising now, you probably feel under pressure and I understand that time is precious! If you’re looking for study resources to support your learning be sure to check out the resources page!
1. Know your enemy (and make friends with it)
The first thing that we need to recognize is that in order to revise (read: prepare) effectively for anything, we need to know what we are revising for. By this, I don’t mean simply ‘an exam’ or ‘the CISSP exam’ but rather what style of exam is it? What type of questions could we reasonably expect? And what knowledge are we going to need for it? Do your best to research question styles so that you at least have a rough idea of what to expect. The bottom line is that the CISSP exam is multiple choice. This points to two particular skills that will really help you out: recognition and tactical elimination:
recognition – by going over notes or using flashcards, some answers should jump out at you as familiar (and likely correct, provided you check the question carefully)
tactical elimination – for questions where you are uncertain which answer is right, you can narrow the choices by eliminating those that you know are incorrect
I will go into the actual taking of the exam at a later date, but for now it’s important to know in advance what you’re revising for.
2. Refresh your overview
Before you start freaking out that you can’t remember how many bits there are in a MAC address (48), you need to review your high level overview of the CISSP material. The temptation is to dive headlong into the detail (especially if your exam date is looming), but it really helps to start by taking a step back to look at the broad topic structure. The main benefit of this is that by having a broad structure in place in your mind it’s easier to:
structure the topics so that you can add/link the detail that you revise in the next section (as the information ‘goes in’)
provide a map which can help signpost your recall to the detail that you require when answering questions (as the information ‘comes out’)
This doesn’t need to take long; if you’ve taken good notes you can probably list the main topics and sub-topics within a couple of hours.
3. Revisit the CISSP study topics in reverse order
This is the last time that you’ll review the material without a pointer (see below). This isn’t simply about reading the book again; it’s a chance to review the material to check that you haven’t missed anything in your notes – a ‘skim read’ if you like, paying extra attention to things like lists of contents, bullet points and end of chapter review sections. If any topics stand out as weak areas, now is the time to pause and revisit the material before completing this phase. The reason for going through the chapters in reverse order is that when you finished the book the first time, chapter 1 was a long time ago. I feel that by switching it up you’re giving yourself a better chance of keeping an equivalent ‘freshness’ across the topics (this may seem illogical, as I realise that you now have the reverse problem, but try it and see how you feel)!
4. Keep your knowledge fresh (using flashcards)
As I’ve mentioned in another post, for me, flashcards were a real lifesaver. They force you to actually use your mind to recall information and help prevent you from getting lazy. There are several ways you can use them, but as well as reinforcing your learning, they will quickly highlight weak knowledge areas, acting as a ‘pointer’. Concentrate on these weak areas (by going back to your CISSP study guide if necessary) until you are confident. I would keep them with me and do short bursts (say 5 or 10 at a time). You may decide to go through them at random, or by topic, or you may separate those you manage to answer from those you struggle with so that you can continue to concentrate on the ones you’re finding difficult.
5. Have a schedule but be flexible
This is perhaps the most crucial point. How long it will take you to revise is personal and not an exact science. The fact that you can cancel the exam close to the date without penalty is both a blessing and a curse. If you couldn’t cancel it, you would just have to do your best up until the day, then cross your fingers. Now it’s up to you to decide whether you’re ready for the CISSP exam, which isn’t always easy. The approach I took was that once I had finished my initial CISSP study, I estimated roughly how long it would take to revise and booked the exam accordingly. That way I had something to work towards: after you’ve put so much work into your CISSP study it would be a shame to lose momentum during revision, have second thoughts and back out. Map out your revision schedule, allocating yourself time for each section (which you mapped out in phase 2) plus a safety margin prior to your exam date. Based on your levels of success using your flashcards and online practice questions, you will be able to decide whether you feel confident enough to take your CISSP exam. Having a schedule for your revision should help you avoid the need to cram at the last minute, which is both stressful and, according to an article in the Guardian, less effective than spacing your revision out.
Revision is crucial to all exams but is perhaps particularly important in studying for the CISSP – it’s an exam which relies largely on being able to recall/recognize information and, unlike some exams, there is no real practical element which you can ‘work out’ as you go. The amount of material to cover is vast and the length of the exam is similarly gargantuan (although you’re unlikely to need the full 6 hours).
If you have any other tips that you think will help people in their CISSP revision please feel free to leave a comment below and check out the resources section for CISSP study materials to further support your learning. I wish you the best of luck in your CISSP study!
In this post I want to talk about how you actually plan your studies, including the techniques I used to study for and pass the CISSP exam, on my own, in my spare time. We will cover:
study techniques and styles
timescales and setting goals
Study techniques and styles
The first thing to realize is that not everyone learns most efficiently in the same way. Although there are plenty of resources which go into great depth on this topic, I will use the three broad categories that feature on the wikiHow page on learning:
Visual is fairly self explanatory – you learn well through the use of images, diagrams, colors and perhaps through (reading) text. Aural is learning through listening; this would include listening to podcasts or other recordings, or perhaps to someone speaking on a video or in person. Kinesthetic or tactile learners learn primarily through ‘doing’ or touch.
It’s not important to get too tied up with the details of exactly which category you fall into, but what is important is to be willing to try more than one technique in your learning – especially if you haven’t studied for a long time. For example, I know that I learn better not only by reading material, but by writing notes as well (even if I didn’t use them to revise later). To me this suggests that there is an element of the kinesthetic learner in me – the action of writing helps me to remember. However, I’m also highly visual in that diagrams or pictures are something that I can easily remember – I can then remember the facts that are associated with them. If those images weren’t there then I would struggle to remember the words on their own. Another technique that I find very helpful is using and visualizing examples, particularly where there are abstract theories involved. Again, for me this suggests that I learn best through visualizing the example (visual type learning) and through ‘acting out’ the example in my mind (kinesthetic type learning).
The reason this is important is that generally everyone’s initial study starts off with buying the Official Study Guide – a text book. I would recommend that you at least experiment with study techniques other than simply reading, to work out how you learn best.
Timescales and setting goals
One of the hardest things when studying on your own is pacing yourself and setting goals. This is what you should be doing in your planning phase before you even start your study. That way, even when you’re up to your armpits in governance or malware, the end is always in sight! I recommend that you base your planning on the Official Study Guide. My study technique is simple, structured and is made up of 2 phases:
studying – initial learning of material and making your own revision materials as you go
revising – revisiting key material, refreshing your memory and testing yourself
In terms of studying, this is how I recommend that you structure it, working from the Official Study Guide:
work through the book chapter by chapter
as you read make your own notes or flashcards
use the end of chapter activities and revision questions to refresh your knowledge
The book (7th edition) is broken down into the following 21 chapters:
Security Governance Through Principles and Policies
Personnel Security and Risk Management Concepts
Business Continuity Planning
Laws, Regulations, and Compliance
Protecting Security of Assets
Cryptography and Symmetric Key Algorithms
PKI and Cryptographic Applications
Principles of Security Models, Design, and Capabilities
Security Vulnerabilities, Threats, and Countermeasures
Physical Security Requirements
Secure Network Architecture and Securing Network Components
Secure Communications and Network Attacks
Managing Identity and Authentication
Controlling and Monitoring Access
Security Assessment and Testing
Managing Security Operations
Preventing and Responding to Incidents
Disaster Recovery Planning
Incidents and Ethics
Software Development Security
Malicious Code and Application Attacks
(Source: CISSP Official Study Guide, Seventh Edition; Stewart, Chapple, Gibson)
The chapters do vary in length; however, I strongly recommend setting a goal for your study depending on how much free time you are willing to dedicate. For example, you might decide to aim to do one chapter every 2 days, which would give you a total time of 6 weeks to complete the book. You will have a better idea of how long you need once you’ve done the first couple of chapters, but by having a goal like this at least the end is in sight! You can look at your diary and say: “well, at least I’ll have finished the book by such-and-such a date.” This really helps with motivation, and I also found that when I didn’t study, I felt a bit guilty because I wasn’t keeping up with the schedule I had set. If I hadn’t set one, then I wouldn’t have minded so much because I wouldn’t have been off schedule – there wouldn’t have been one!
While we’re on the topic of pacing, it’s worth being wary of the dangers of either rushing through the material too quickly or being overly slow. If you rush through the material at breakneck speed you might find that you struggle to retain the knowledge because you’re simply cramming information into your mind at a speed that you can’t keep up with – your mind does need some time to process what you’re learning. Conversely, if you only read a page a day it would take you so long to finish the book that by the time you finished you probably wouldn’t remember much of what was at the beginning of the chapter, let alone the beginning of the book. This makes revision even harder because you don’t have much of a foundation to build on.
To set your own schedule for completing the book, I would suggest that you time yourself to see how long you need to complete the first chapter, then establish how much time you’re likely to have day-to-day over the coming weeks, so that you can set your own goals in terms of how long you will give yourself to complete a chapter. My overall study time was around 3 months.
The revision phase is where you’ve completed your initial study/learning of the material and you’re now trying to refresh that knowledge to a point where you can use it in the exam. If you’ve been through the chapters in order, by the time you’ve finished chapter 21 on Malicious Code you will probably have forgotten much of the material in chapter 1 – Security Governance. This is where your revision notes/flashcards become particularly valuable. Because you’ve distilled the essential keywords and facts and cut out all the explanation, you can quickly refresh your knowledge without getting bogged down. I wrote flashcards rather than notes, which meant that I had questions I had written myself on one side with the answers on the other. One of the benefits of this was that it exercised the recall part of memory, forcing me to access the knowledge rather than just repeatedly reading facts.
Once you’re comfortable with the knowledge on your flash cards it’s time to try some of the Sybex online practice tests that come free with your Official Study Guide. When you get questions wrong, it’s important to consider whether they are pointing to a specific weakness in your knowledge and if so, revisit the relevant section of the book. For example, I found that I was getting quite a few questions wrong which were about the Governance topic so I decided to go back and re-read the relevant sections of the book. Once you’re consistently hitting over 80% in your practice exam you should consider yourself ready to take the exam for real.
The resources that you will need to prepare for the CISSP exam are, in my view, separated into the ‘must have’ and ‘could have’ categories. The Official Study Guide is a must-have, along with the online resources that come with it. Either making your own notes/flashcards as you go along or having someone else’s (you can get mine from the resources page) is another must-have. Other resources depend a bit on your learning style. If you find them helpful, then look into what audio/video resources there are, as well as other companion books. But remember that a companion book is just another book to read and you might find that you’re adding to your workload without a great deal of benefit. I would also suggest that you don’t solely use videos or audio guides for your study, but rather use them to supplement your study of the book. You can also sign up for either online or in-person training, which I discuss here. In short:
Official Study Guide (with accompanying online resources)
Either your own notes/flashcards or someone else’s (that you trust)
This post has covered looking forward to and planning your studies, including considering what type of learning suits you best (visual/aural/kinesthetic), the importance of setting goals for your study to help with motivation and some of the basic resources that you will need. By establishing what styles of learning work for you, you can maximize your learning efficiency and capacity and ensure that you obtain resources that properly support you in your studies. Without goals you might find that you struggle to motivate yourself to pick up the book and may simply procrastinate with your studies. If you have any suggestions of further information that you’d like to see here please feel free to leave a comment below and be sure to check out the resources page for study materials.
The purpose of this article is to discuss the various options for getting CISSP certified and to answer some of the common questions that arise. If you have any further questions then by all means leave a comment at the foot of the article. The bottom line in terms of getting certified is that there are two primary hurdles:
you must pass the CISSP exam
you must have 5 (or in some circumstances 4) years of relevant experience
Although you may have your sights set on the exam and are concentrating on that being the challenge, it’s important that you consider the experience requirement carefully. From the point that you pass the exam, you start a timer which gives you 6 years to certify. If you don’t manage this, you have to take the exam again (which no one wants to have to do, believe me, once is enough). This 6 year window gives you time to build up your experience in order to get certified but what sort of experience do you require?
The first thing to know is how much experience is needed. You may have noticed that in the bullet points above I referred to either 5 or 4 years being required. This depends on whether you can waive a year by having a relevant qualification or certification. The (ISC)2 guidelines state that:
“A candidate shall be permitted a waiver of one year experience if:
Based on a candidate’s education Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree or regional equivalent or an advanced degree in information security from the U.S. National Center of Academic Excellence in Information Assurance Education (CAE/IAE).
For holding an additional credential on the (ISC)² approved list below Valid experience includes information systems security-related work performed as a practitioner, auditor, consultant, investigator, or instructor that requires information security knowledge and involves the direct application of that knowledge. The five years of experience must be the equivalent of actual full-time information security work (not just information security responsibilities for a five-year period); this requirement is cumulative, however, and may have been accrued over a much longer period of time.”
So, if you want to use 4 rather than 5 years, you either need an undergraduate degree (or the alternative listed above) or you need a credential from the approved list. In addition, the work must be paid and cover at least two of the 8 domains from the Common Body of Knowledge. The best source that I’ve found to decide whether your experience is sufficient is the exam outline provided by (ISC)2, because it breaks down each domain into sub topics, which makes it much easier to gauge your level of relevant experience. You can download a free copy of the exam outline here.
Planning when to take the exam
By now you should have noticed that this decision is dictated largely by how you intend to fulfill the experience requirement. If you already have the 4/5 years of experience then it doesn’t matter when you pass. If you’re looking to change careers and feel being certified would be of benefit, or if you have a significant period of free time in which to study, then of course these factors will affect your decision of when to take the exam; but having the experience already makes the tactical decision of when to study for/take the exam moot.
You can pass the exam without the experience and become an Associate of (ISC)2. This effectively means that you get to bank your exam for 6 years, at the end of which you must have your 4/5 years of experience in order to certify as a full CISSP. You can call yourself an Associate of (ISC)2 but cannot call yourself CISSP, or imply that you are certified in any way while you are an associate. This 6 year timer can give you a good idea of how to plan your certification if you don’t yet have the required amount of experience. There are a number of situations you may find yourself in which I have laid out below:
you have no relevant experience and are not in a job that will give you that experience
you have no relevant experience but have started a permanent full time job that will give you the relevant experience (in 2+ domains)
you have some years of relevant experience but are short of the required 4-5 years
If you fall into scenario 1 you may wish to think twice about whether you really want to study for the exam just yet. If you pass, you then have the pressure of finding the relevant 4-5 years of experience when you don’t yet even have a job that will give you that experience. My recommendation in this case is to wait until you are in a relevant role. For those of you who are in scenario 2, there’s nothing stopping you from taking the exam and becoming an Associate of (ISC)2 until you have accrued the relevant experience. Your timing in this case will probably depend on when you have the time to study (e.g. if you’re planning on having children in the next couple of years then now might be a better time to hit the books!). The 3rd scenario is similar but gives you a little more of a cushion, in that you can already knock some time off the 4/5 year requirement.
The decision of when to study for and take the CISSP exam depends on a combination of:
how you will fulfill the experience requirement
when you will have sufficient time to study
when you are planning a career change that would benefit from being certified
The long and short of it is that you must either have the required 4/5 years of experience when you pass the exam, or be confident that you will have within 6 years of passing the exam. If you have found this article useful or have any feedback please comment below and share with anyone you think might benefit from it! You can also get hold of study materials to help you pass your exam from the resources page!
The purpose of this post is to discuss the various study options available to you when you prepare for the CISSP exam. If you’re looking for study materials be sure to check out the resources page. As with most exams there are a variety of study options available to you; which you choose will likely depend on a number of factors including:
how you absorb and assimilate information
The options available to you broadly fit into three categories:
self study with the Official (ISC)2 Study Guide, other books and free online resources
take a paid online course
take physical, location-based training
Of course, you can mix and match and do a combination of these options.
This is the cheapest option, as you can technically buy only the Official Study Guide and use this to study for the exam; however, it’s also the hardest. It will be down to you to work out how to plan your study and incorporate effective revision. The material that the CISSP exam covers is very broad, which means that it’s hard to keep your knowledge fresh for every area, and if you aren’t used to studying you might find the whole thing too daunting and never get started in the first place. Self study is, however, how I passed my exam, and I hope that the material and guidance that I share on this site will help you in your studies. The important thing about studying using this method is to have a plan; the old adage of ‘fail to prepare – prepare to fail’ fits well, and if you simply read the book without studying then you are unlikely to fare well.
The good thing about the Official Guide, other than the fact that it’s ‘official’, is that it comes with some (limited) online resources as well. These consist predominantly of practice tests and flash cards, which are very helpful when it comes to revising prior to your test. The other benefit of self study is that you can fit it around your life. If you have downtime or commute time you can fit some study in. This isn’t something that you can do with physically delivered courses.
Other resources you may wish to make use of are YouTube videos, other study guides and online searches. I would recommend that you structure your study plan with the Official Guide at the center; it is, after all, the official guide, which should ensure that you have covered everything that turns up in your test. I used YouTube videos and online searches mostly to try and clarify things that I read in the guide but didn’t properly understand. Any additional study materials that you might use will depend on how you learn best. For example, you may not learn particularly well through reading but find that you do learn well from videos or audio. Even if you do learn well through reading, you may find that supplementing this with video or audio helps to cement the information in your mind.
Paid online courses
This option is of course more expensive than just studying on your own with books and free resources, but it is a way to get yourself onto a program of study that doesn’t require you to do the planning – that’s done for you. If you are considering taking a paid online course there are a few things that you will want to know before you fork over your hard earned cash. Firstly, is it a course which you can do whenever you want, or is it live webinars that require you to be available at a specific time? The former is clearly more convenient and you can go at your own pace whenever you want, but the live option may be easier from the point of view of being able to ask questions to clarify what’s being taught at the time. You will want to know what options you have to ask questions about the material, as this could range from real time (phone/chat) to none. You’ll also want to know what materials are included in terms of video, online written material, material that you can download or, in some cases, hard copies of materials that can be posted to you. You should also have the opportunity to see samples of the materials before you buy a course, as well as being clear on what the money-back guarantee is. Most vendors will offer strong guarantees if they are confident in their product.
Physical location based training
This is the most expensive option (typically over 1000 USD) and the most traditional in the sense that it is effectively classroom teaching. The benefits are that, as with any other classroom training, you can ask questions of your teacher and get an immediate response. Similarly, if something isn’t clear you can ask for clarification. The drawbacks are that you cannot set your own pace, so if you already work as a network engineer, for example, but have knowledge gaps in other areas, you still have to sit through the section on what IP and MAC addresses are – time which you could have better spent on another topic. The courses tend to be intensive – typically a week, which may not be the best way to absorb so much information. If you do decide to take a course I would recommend doing so only after you’ve read the book. At least that way you will be familiar with the material and can treat the course as a revision tool prior to the exam.
To summarize, my initial recommendation is to make sure you buy the Official Study Guide as your first step and base any other study off that. Use the online resources that come with it and make sure that you formulate a plan, paying special attention to how you’re going to revise once you’ve been through the book. Make sure you’re aware of what free options you have and work out whether you learn best through reading, writing, audio, video or a combination of these.
Get the Official Study Guide
Plan your study and revision around the study guide
Use paid online or offline training to supplement your own studies and research offerings carefully before handing over money
The next post will concentrate on study planning. If you have any feedback or suggestions please feel free to comment below and be sure to check out the resources page for materials to help you pass first time!