I’ve just returned from an enjoyable week in the City (Moorgate, to be precise) attending the CISSP ADC run by IT Governance Ltd.
CISSP is a certification that I first thought about back in 2008, so returning to this is long-overdue. As an academic I’ve developed course elements that align closely to CISSP, so have always had some familiarity with the certification content.
It was good to see a familiar face as the instructor on this course, the same as for my CEH course in 2018. I booked the exam with ISC2 (at a Pearson Vue test centre) at the same time as the development course, leaving a gap of at least a month.
I’ll cover two aspects in this blog post: a bit about the course and the logistics of getting there, and the CISSP certification itself, in particular some tips that I can see being useful for getting this certification if you are working in the industry.
Course and logistics
The course was at the ETC Venues Tenter House facility in Moorgate. This is the third course I’ve attended at Tenter House. The ETC facility in Moorgate is a very cost-effective venue to choose for a training course. It’s right next to Moorgate underground station on the Northern line, lunch is provided, and a great coffee machine makes this a good deal.
This CISSP AD course at ETC Venues did not include accommodation, which has to be arranged separately, but with these costs factored in the total is far less than competitor “all inclusive” training packages for CISSP (or other certifications for that matter). The view over the City is also interesting.
The course delivery was excellent and the motivation in the group was maintained throughout the five-day course. We covered all eight domains and learned a lot about how to approach the exam.
The eight domains in the current version of CISSP are:
- Security and Risk Management
- Asset Security
- Security Engineering
- Communications & Network Security
- Identity & Access Management
- Security Assessment & Testing
- Security Operations
- Software Development Security
Now turning to CISSP, and certifications in general, my experience can be sifted down to the following key observations:
- Booking the exam after the course is the right approach to take. This was confirmed by comments and advice in the training course. The consensus seemed to be about a month or more between the end of the course and the exam.
- You’re going to have to buy the books—there is no way of escaping it. Spending £100 or so on the popular textbooks is inevitable. You’ll want to identify the recommended text books for CISSP (I’ve provided a list at the end of this blog post).
- Week-long training courses are intensive, and you’ll be battling your stamina to stay focused, keeping your eye on the ball. Only you can decide how to approach this, based on your learning style. Coffee is a compensating control I recommend!
- The CISSP exam is heavily US-focused, and the question-bank has US-based questions that are confusing, based on our course quiz. These could be based on US legislation and the US government classifications scheme, for instance. This is not a great place to be (for UK candidates working in the British legal system), but you’ll have to devote revision time to make the best of it.
- CISSP is reading-intensive. The full stack of preparation material is well over 1000 pages. If you’re not a natural reader, or comfortable with 1000+ pages of text book material, you’ll have to compensate using other revision methods or perhaps using a longer revision period. It’s not insurmountable, but worth bearing in mind and factoring into your plan.
That’s about it on this for now. I’ll try and put some further updates on this as I plough through the course material for CISSP, and hopefully a book review or two.
CISSP reading list
Here is my list of recommended text books for CISSP in decreasing priority order:
- (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 8th Edition, by Mike Chapple, 2018. I bought this book in advance of my course and it was also recommended as the course text book. All the indicators I have seen suggest this is the core text book for CISSP preparation, hence my “number 1” on this list.
- CISSP Official (ISC)2 Practice Tests, 2nd Edition, by Mike Chapple, 2018. This is the companion book to #1, and can be bought as a combi-deal through Amazon. Again this has been recommended to me several times, and appears to be a key focus area for CISSP candidates.
- Official (ISC)2 Guide to the CISSP CBK (ISC2 Press) by Adam Gordon, 2015. This is the “canon text” for the CISSP certification. I had an earlier copy of the Third Edition, which I found to be an average book insofar as security text books go. This newer version is a lot bulkier. The consensus is that fewer CISSP candidates end up buying this book. On the course I took, this was recommended as the “desk book” in your workplace.
- CISSP Cert Guide by Troy McMillan, Sari Greene, and Robin Abernathy, 2018. I reviewed an earlier edition of this book (then by McMillan and Abernathy) for the publisher a few years back, and found it to be one of the better books out there. This is the newer version, which I have not read, but I have no reason to doubt its suitability.
- CISSP For Dummies, by Lawrence C. Miller, 2018. A few people have recommended this book to me. It’s easy to read and my intention is to use this as a casual reader book in the run up to the exam.
If you’re on a shoe-string budget, get 1 & 2. If the budget extends a bit further, get 1, 2 & 3, and if cost is no obstacle get 1-5.
Communications and networking
The biggest difficulty in CISSP for many will be the networking-focused domain. Even if you’ve had some experience in networks, you’ll want to get the heavy artillery out to ensure you have the best preparation. Here are my recommended text books for networking, based on my final-year lecturing in my academic roles (and in no particular order):
- TCP/IP Protocol Suite (Mcgraw-hill Forouzan Networking) by Behrouz A Forouzan, 2009. A classic, and now somewhat dated, but it provides the most accessible presentation of networking material I’ve encountered.
- Computer Networks, 5th Edition, by Andrew S. Tanenbaum and David J. Wetherall, 2010. Another of the canon texts for networking, this is a good all-rounder.
- Computer Networks: A Systems Approach, 4th Edition, by Larry L. Peterson and Bruce S. Davie, Morgan Kaufmann, 2007.
- Computer Networking: A Top-Down Approach (International Edition) by James F. Kurose and Keith W. Ross, 2012. On the more theoretical end, this is again a classic text in networking and one I’d recommend.
You can’t go wrong by looking up more detail on topics from these books on the Cisco site, which contains a significant amount of good quality information.