Are you looking to start a career in cybersecurity and don’t know which certification to take first? Are you wondering if you should take the CISSP exam and if it is worth your time and money? Or perhaps you’ve already decided to take the CISSP exam and you are wondering what it takes to pass it?
I was exactly where you stand right now a couple of years back. After careful consideration and a lot of research, I decided to take the CISSP exam, and the experience I went through led to my CISSP certification on the first attempt. In this blog post series, I am sharing all my experience on how I prepared for the exam and, most importantly, what my study strategy was, what study material I used and of course what to expect on exam day. So let’s start.
To verify I actually passed the exam, you can find my CISSP badge here. This blog post is part of a blog series:
- How To Prepare for The CISSP Exam Day and Pass
- How I Passed CISSP Exam – My Personal Experience
- How I Passed CISSP – My Three Months CISSP Exam Study Plan
Why I Took the CISSP Exam
I want to start this writing by sharing with you a personal story that eventually led me to take the CISSP exam and then to blog about my experience. I like good stories as they inspire us the most. They have that personal touch that you can quickly relate to and say, “This is exactly what’s happening with me”.
Once upon a time, I was in an interview and I was asked to talk about my experience and areas of expertise. I talked and talked about how awesome I am when it comes to infrastructure, data centers, Office 365, cloud computing and so many other things. After 15 minutes of non-stop talking, the interviewer politely stopped me and asked, “I can see that you know a lot of things in different areas, but if I asked you right now to pick one area of specialty, the closest thing to your heart, the one thing you feel most comfortable doing, what would that be?”
I was shocked by the question, like a 10-year-old boy being asked by his teacher to solve a hard mathematical problem. I just didn’t anticipate such a question, and frankly speaking, I didn’t know the answer back then.
This interview changed my perspective on many things. I realized I am good at many things, but it was time to specialize and be great at one thing in order to stand out from the crowd. I had always felt more comfortable and excited when working in cybersecurity, so I decided to spend the rest of my career developing my cybersecurity skills and being as good as I can be in this field.
This was three years back, and I remember looking at my certifications and realizing none of them were related to security specifically. Of course, I have most of the Microsoft certifications (MCP, MCSE, MCSA, MCITP) and a couple of other certifications (CCNA, ITIL, PMP…).
I thought it would be great to start taking a couple of security certifications as I dove into the cybersecurity world. Not only would it give me more credibility, but it would be a good chance to sharpen my skills and learn new security topics. The question, though, was “Which security certification should I take first?”.
To answer this question, I had to do extensive research on the most common security certifications and which of them are in high demand. It was a real shock for me to learn how many security certifications are available for security professionals to take!
I realized that I didn’t want to take a Microsoft security certification or any other vendor-specific security certification. I wanted a foundational security certification that tells the world I’ve proven my skills in security practices and that I know enough to be considered a security professional regardless of the underlying technology. It’s like studying to become a doctor: you spend the first four or five years doing nothing but studying general topics that qualify you later on to specialize in a specific area of expertise. That’s what I was looking for.
CISSP as a Foundation Security Certification
I found out that CISSP is that foundational security certification, the one that gives you the credibility to go out there and say that you know general security practices and methodologies. As a CISSP holder, you develop a security sense that lets you understand the general concepts, so if you sit in a room with other security teams, you don’t feel like an outsider.
The beautiful thing about CISSP is that it covers a lot of security areas, unlike any other certification that I know about. It does not cover technologies, but rather it introduces you to security concepts and makes you think differently from a security perspective.
Personally speaking, I enjoyed learning about the physical security section of the CISSP exam. I had always worked with firewalls and servers, but physical security was something I never had to take care of. I mean, did you know that there is a well-established school of thought on “secure architecture”, often called Crime Prevention Through Environmental Design (CPTED), that describes how the physical environment and surroundings influence the decisions attackers make before committing any criminal act?! I really enjoyed learning about physical security, and it’s now one of my favorite topics.
Another thing you don’t hear about that often, especially if you are not an American or European citizen, is criminal law. There is a whole section in the CISSP exam on civil law, administrative law, and criminal law. I had never considered reading about such a topic, but now I had to in order to pass the exam. At first, I thought this was going to be boring and hard. But after digging into the subject and thinking from a security professional’s perspective, I realized it is something every security expert should learn about. I mean, what if someone in your company commits a digital crime: do you know how to preserve the evidence so that it will be accepted in court?
Frankly speaking, I never thought I would enjoy such a topic, but it’s actually a fun one. I bet you have watched Hollywood movies where someone talks about trade secrets, the Privacy Act, or even the Fourth Amendment, which is huge by the way. In the CISSP exam, you learn about all of that, and it really makes you feel like “Oh, now I get it”.
Of course, the CISSP exam covers a lot more topics, but I just wanted to give you a feeling for why I consider it the foundational security certification. After CISSP, you can specialize in any security topic, such as penetration testing and ethical hacking (for example by getting the CEH certification), cloud security (for example by getting the CCSP certification), or any other security certification.
You will even notice, if you take any other security certification after CISSP, that some topics are already covered by the CISSP exam, which gives you a quick start on other security exams. This is what happened to me when I took the ISACA CISM exam after CISSP: the knowledge I gained from studying for the CISSP exam really paid off when studying for the CISM exam. Topics like risk management, disaster recovery and continuity management are common to both CISM and CISSP.
Therefore, I believe you should consider taking the CISSP exam if you are starting a career path in security or if you are trying to elevate your existing security skills. It opens the door to many opportunities, and recruiters look for people with the CISSP certification for most security jobs. In fact, many security-related jobs out there require that you have at least a CISSP certification; take it from someone who experienced this firsthand.
CISSP Certification and CISSP Domains
The CISSP (Certified Information Systems Security Professional) certification is maintained by a non-profit organization called (ISC)², the International Information System Security Certification Consortium. They have specialized in training and certifications for cybersecurity professionals since 1989 and currently have over 140,000 members. In fact, (ISC)² maintains many other security certifications, like SSCP, CAP, CCSP and CSSLP.
Therefore, if you are wondering what is covered in the CISSP exam, your best source of information is (ISC)², which publishes the CISSP Exam Outline here. You can think of the CISSP exam outline as the exam objectives: it helps you understand what the exam covers so that you can prepare for it. I highly recommend you read that document carefully as part of your CISSP exam preparation.
People like to call these exam objectives domains, so you will hear the term CISSP domains, and there are eight of them. These eight CISSP domains are nothing but the different areas that the exam covers. Here is the updated list of the CISSP domains as of 2019:
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management (IAM)
- Security Assessment and Testing
- Security Operations
- Software Development Security
What this means is that you will be asked about identity and access management, for example, because it is one of the CISSP exam objectives or domains. Now the question is “how many questions will come from each of these exam domains?”
To answer this question, the (ISC)² assigned a weight to each CISSP domain:
- Security and Risk Management [Weight: 15%]
- Asset Security [Weight: 10%]
- Security Architecture and Engineering [Weight: 13%]
- Communication and Network Security [Weight: 14%]
- Identity and Access Management (IAM) [Weight: 13%]
- Security Assessment and Testing [Weight: 12%]
- Security Operations [Weight: 15%]
- Software Development Security [Weight: 10%]
This means 15% of the exam questions are going to be about “Security and Risk Management”, while only 10% of the exam questions are about “Software Development Security”.
The Updated CISSP Exam [Effective April 2018]
In April 2018, (ISC)² decided to make a lot of changes to its most famous security certification, CISSP. This change created a lot of noise back then, and many people were wondering what was going on. I did extensive research into what these changes were, because I took the CISSP exam right after they happened and I wanted to know what to expect. I was wondering why (ISC)² decided to change the CISSP exam, and here is the answer I found in their official portal:
“(ISC)² has an obligation to its membership to maintain the relevancy of its credentials. These enhancements are the result of a rigorous, methodical process that (ISC)² follows to routinely update its credential exams. This process ensures that the examinations and subsequent continuing professional education requirements encompass the topic areas relevant to the roles and responsibilities of today’s practicing information security professionals.” Source: Official (ISC)² Statement Here
They also mentioned this:
“The content of the CISSP has been refreshed to reflect the most pertinent issues that information security professionals currently face, along with the best practices for mitigating those issues. Some topics have been updated while others have been realigned. The result is an exam that most accurately reflects the technical and managerial competence required from an experienced information security professional to effectively design, engineer, implement and manage an organization’s information security program within an ever-changing security landscape.” Source: Official (ISC)² Statement Here
In other words, the exam is updated regularly to keep up with this ever-changing field and to ensure professionals are tested on the latest topics and can demonstrate skills that are relevant to the current Information Assurance landscape. Many organizations, in fact, rely on this exam to ensure the readiness of their IT security teams; for example, the CISSP certification is approved by the DoD for the workforce conducting Information Assurance (IA) functions.
The changes happening to the CISSP exam can be categorized as:
- Changes to the exam itself [as of Dec 2017]: this includes a new exam format called the CAT exam, reducing the number of questions from 250 to a maximum of 150, and reducing the exam time from 6 hours to 3 hours.
- CISSP domains refresh [as of April 2018]: the exam outline is changing.
- Study materials: study materials are changing to reflect the new, updated exam outline.
I will talk about the exam format and the new CAT exam experience in an upcoming blog post. Here, I want to give you a quick insight into what (ISC)² changed in the CISSP domains (they call it the CISSP domains refresh). First, they introduced new content like:
- Threat modeling
- Data states
- Contractual, legal, industry standards, and regulatory requirements
- Understanding and conducting Internal, External, Third-party audit strategies
- Personnel travel and duress
- Secure coding practices
They also made a slight change to the CISSP domain names, as you can see in the figure below, which I believe is hardly a change. Here is the reference document about that change.
They’ve also changed the CISSP domain weights:
- Domain 1: Security and Risk Management 1% Decrease
- Domain 2: Asset Security No Change
- Domain 3: Security Architecture and Engineering 1% Increase
- Domain 4: Communication and Network Security 2% Increase
- Domain 5: Identity and Access Management (IAM) No Change
- Domain 6: Security Assessment and Testing 1% Increase
- Domain 7: Security Operations 3% Decrease
- Domain 8: Software Development Security No Change
Is it going to be a harder exam with all these changes? No and yes. Overall, the passing rate of the exam is unlikely to change. However, it is important that you use study resources that are up to date and reflect the most recent CISSP exam objectives.
In addition, any work experience in the newly added knowledge areas will be helpful on test day. For example, if you are a test taker with first-hand experience in security audits or source-code-level security (or any of the aforementioned new content), you will be at an advantage.
CISSP Study Guides, Study Strategy and Exam Day Experience
In an upcoming blog post, I will be talking about what resources I used to study for the exam, what my study strategy was for preparing for the exam in 3 months, and the full details about CISSP exam day and the new CAT exam format. In fact, here is my new blog post about CISSP Exam Day.
- Official CISSP Certification Outline (Effective April 2019) from ISC2
- CISSP Official Domain Refresh
- CISSP Computerized Adaptive Testing CAT
If you are considering taking other security exams, then I have blogged about how I passed a couple of other security certifications. Here is how I passed CISM (Certified Information Security Manager) on the first attempt, how I passed the AZ-500 Azure Security Engineer exam, and how I passed the MS-500 Microsoft 365 Security Administration exam.