CISSP Exam - Introduction and FAQs
If you are an information security professional or work in IT, you have probably heard of the CISSP exam. I am a CISSP professional and through this brief article, I will try to answer some of the commonly asked questions about the CISSP exam.
(ISC)² regularly updates policies and procedures regarding the certification. Therefore, for the latest and up to date information visit their website.
CISSP Introduction
CISSP (Certified Information Systems Security Professional) is a certification conducted by a non-profit security organization called (ISC)². This exam tests the individual’s theoretical knowledge from a wide variety of information security topics.
Think about taking a road trip across Canada in less than 3 weeks. You get a sense of different provinces and some large cities, but you don’t fully explore the sights, culture, landmarks etc. You develop a broad perspective and get familiar with Canada as a country. CISSP is something similar. You develop a broad perspective of the security landscape, get familiar with what’s out there in the security industry and learn about different security technologies without deep diving.
As of July 1, 2021, there are 149,174 (ISC)² members holding the CISSP certification worldwide.
Following are the FAQs in no particular order.
What is CISSP exam format?
Exam format consists of multiple choice, drag drop or hotspot questions. The 3-hour exam has from 100 to 150 questions, out of which 25 questions are not scored, and you don’t know what those questions are, meaning you must try to answer each question correctly.
2. What is CISSP CAT?
CAT (Computerized Adaptive Testing) is a non-linear exam, in which the scoring algorithm re-evaluates the candidate’s ability with every question answered. CAT exam is offered only in English. Find out more here.
3. How many questions I must answer correctly to pass the CISSP exam?
It depends. If the CAT algorithm at 100th question (minimum number of questions required to answer) can determine with more than 95% of accuracy that candidate knows the subject, you will pass the exam.
If at question 100, algorithm determines that the candidate’s knowledge is insufficient, exam will finish with failure.
If algorithm is not able to determine, it will continue to ask questions until it is able to determine candidate’s ability or you reach question 150, whichever comes first.
4. Do I need professional experience to become a fully certified CISSP?
Yes, you will need 5 years of experience in 2 of the 8 security domains CISSP exam tests your knowledge in. A 4-year college degree or some industry recognized certifications may satisfy 1 year of required experience. More details can be found here.
5. What if I don’t have the required experience for CISSP?
In this case you can still sit on the exam, pass it and then work towards gaining the required experience. In this scenario, you will get the associate level certification.
6. In what security domains CISSP exam tests candidate’s knowledge?
7. What resources can help me prepare for the CISSP exam?
I was able to pass the exam using the two resources shown below. However, I have seen professionals using other resources as well, such as books written by other authors, bootcamps, cybrary course, boson practice questions etc.
Make sure you understand the key concepts in the official study guide and use the App for practice test questions and flashcards.
8. Do practice test questions in the official CISSP study app help?
They certainly help clear your concepts. App has a feature called Proficiency Level. The more practice test questions you answer correctly, the higher your proficiency level goes.
Make sure that your proficiency level is above 90% before you sit for the exam. Even then there is no guarantee that you will pass the exam, as the questions in the exam can throw entirely different scenarios from what you encountered in the practice exams.
9. How long do I need to prepare for the CISSP exam?
It depends. Assuming you have 5 years of quality work experience in 2 or more of the 8 domains mentioned above, you will need to read the official study guide (1200 pages approx.) at least once and then it also depends how quickly you ramp up your proficiency level in the official app.
For me it took between 6-7 weeks. I started off with only 2 hours of study, ramping up to 3 and then last couple of weeks I might have studied 4-5 hours or more. I think depending on your knowledge and work experience, you can pass it in less than a month if you dedicate more time.
10. I don’t want to be in the leadership role. Is the CISSP exam still a good fit for me?
It depends. If you are in the information security role, exposure to CISSP would help broaden your perspective. Chances are your employer will reimburse the costs if security is their top priority. Professionals in the following roles might want to consider taking the CISSP exam.
11. Does CISSP expire?
Yes after 3 years. However, the good thing is that if you continue to earn professional credits every year, which I think are 90 and pay AMF (Annual Maintenance Fee), your CISSP status will remain active.
12. How much does CISSP cost?
The exam costs around 800 USD. Once you pass the exam and have your experience endorsed, you must pay $125 AMF (Annual Maintenance Fee).
13. What steps are involved in getting fully CISSP certified?
After you pass the exam, you will have to get your experience endorsed by a CISSP member. After (ISC)² review of the endorsement, you pay AMF and then become official CISSP member. Membership is maintained by earning professional credits each year and paying the AMF.
14. What is CISSP exam experience like?
I felt throughout the CAT exam, that I wasn’t doing well. I guess this is what is expected of the CAT exam, since the algorithm changes the difficulty level as you progress. Although my proficiency level in the official CISSP app was above 90%, I felt like I might not be able to pass the exam.
I think knowing what I know now about the exam, I would have read the book at least twice.
15. Do I really have to think like CIO or Manager, while answering the CISSP exam questions?
I hear that a lot that wear manager’s hat when answering the questions. This might work for some questions but for other questions you might have to think technically. For example, when choosing which key to use to decrypt the message.
16. After the CISSP exam, I got the letter saying that I provisionally passed the exam. What does that mean?
Don’t fret. Basically, that means that (ISC)² will need maybe a couple of more days to do their forensic and psychometric analysis. I am guessing that they just want to make sure that exam’s integrity was maintained and how the experience can be further enhanced based on the data gathered.
Expect an email in a couple of days with instructions on how to get your experience endorsed.
17. Is the official CISSP study guide going to be enough for understanding the technical concepts?
No. You may have to consult other resources to understand some of the concepts. For example, I used external resources such as internet to fully grasp the concept of Kerberos.
18. Is CISSP well recognized and respected certification?
Yes. Following are some of the organizations which recognize CISSP certification.
19. What advice would you give to someone who’s thinking of taking the CISSP exam?
If you work in the security domain, do it. I think the CISSP exam is more beneficial for security professionals, who have practical, hands-on experience working with the security technologies, as compared to professionals who don’t have practical experience at all. For example, a security professional who has designed, implemented and/or provided operational support for authentication mechanisms such as Kerberos/OIDC or someone who has designed and implemented security policies, stands to benefit more from the CISSP exam.
Read the official study guide at least twice and make sure you understand the concepts.
Ensure your proficiency level in the official CISSP app is more than 90% before you take the exam.
Nothing is difficult if you are prepared, and everything is difficult if you are unprepared.
Finally, what matters is that you have gained knowledge irrespective of the outcome.
Good Luck in your endeavour!