Monthly Archives: December 2006

CISSP Certification

As of Thursday I’ve fulfilled all the requirements for CISSP certification, my papers should be in the mail by Monday. I haven’t wanted to talk about it online until I had some firm results, but folks who know me in meatspace know I’ve been studying on and off since August. I’m a little more amped about this credential because they’re not handed out like party-favors and people who have them seem to be doing interesting things.

Although my study schedule was 4 months, my intensity level for the second and third month varied a lot. I also spent a lot of time doing cover-to-cover reading, which in retrospect isn’t a terribly efficient way to approach an exam with this much breadth. I kind of wish I had done more practice tests early in my study process so I could have spent more time on weak areas and less time agonizing over the subtleties of topics that I already fundamentally understood.

Most folks use a number of study resources, and I was no exception:

  • I started with Shon Harris’ CISSP All in One Exam Guide. Like most Osbourne books, it’s a little bit chatty, has some laughably bad diagrams, and more than it’s share of ambiguities, errors, and bad practice questions. Even still it’s a pretty good book, especially if you need to bootstrap yourself a bit before you feel prepared for the more no-nonsense books.
  • Once I felt comfortable with Harris, I started working through the Hansche/Berti/Hare Official (ISC)2 Guide to the CISSP Exam, published by Auerbach. Although dry, I think it’s important to work with this book. Because of the strict confidentiality requirements surrounding the test it’s hard to get reliable information about which topics are emphasized, what the editorial style of the questions is like, and how to disambiguate words that may have a number of meanings depending on what part of the industry you work in but which are used in a specific and consistent way by (ISC)2. I found that I simply absorbed a lot of useful information about the (ISC)2 writing style when reading this book that gave me a tangible edge in the exam room. Plus it’s generally well done and has the best practice questions I was able to find. The worst thing I can say about it is that the CBK sections at the end of each chapter are fantastically vague, needlessly scary, and completely useless. They’re easy to ignore, though, and that’s what I recommend doing with them.
  • is an excellent resource for free practice questions. Quality does vary, but at the high end is very good and on average is pretty ok.
  • I also bought a set of Boson practice questions and was extremely disappointed, to the point of not even using most of them. Some of the highlights of my Boson experience were:
    1. A fill in the blank question with a nine word answer that needed to be typed exactly to be graded correctly. The answer was obviously not a standard phrase worth memorizing, and the CISSP exam is entirely multiple choice.
    2. A multiple-choice question that offered only one answer option… er… I mean… a single-choice question… or… um… would that just be a statement?
    3. An email conversation with a Boson support rep that took three rounds of explanation before understanding why a multiple-choice question with no alternate options is defective, and who offered to take no corrective action other than passing the complaint up the chain.
  • I did a lot of Googling to fill in gaps on topics I wasn’t familiar with.

If you’re thinking of becoming a CISSP, have a look at the flash video introduction on