Your CISSP Certification Blueprint is Ready


The Certified Information Systems Security Professional (CISSP) is more than a mouthful to say, and it's currently the leading certification among security professionals. But what does it take to achieve this coveted cert? Well, I liken it to Neo becoming the "One" in sci-fi adventure movie The Matrix. You won't actually be the "One" — more like one of 740,000 — but achieving the credential will feel like nothing you have experienced before.


What you are up against — General


Much like Neo, who needed to learn about the threats posed by "agents," you need to know what you are facing with this exam. The basics are something you can easily look up: Per (ISC)2, the organization that operates the CISSP program, you will have six hours to complete 250 questions.


A passing score is 700 out of a possible 1,000 points. The price tag for the exam is $599, a cost of $2.40 a question, so you had better come prepared. Unlike with some credentials, even after successfully passing the exam, you will still need a current CISSP to vouch for you in order to complete the certification process.


What you are up against — Advanced


The CISSP exam will test candidates' knowledge in eight specific domains, weighted as follows:


• Security and Risk Management — 16 percent
• Asset Security — 10 percent
• Security Engineering — 12 percent
• Communications and Network Security — 12 percent
• Identity and Access Management — 13 percent
• Security Assessment and Testing — 11 percent
• Security Operations — 16 percent
• Software Development Security — 10 percent


Just as with Neo — in the movie, no one can be told what the Matrix is, they must be shown — it's impossible to grasp the extent of the knowledge needed to pass the exam simply by looking at the domains covered. And you shouldn't plan to just blow through your studies and then make your appointment at the testing center.


You will need at least five years of paid full-time experience in two or more of the above domains. Even then, (ISC)2 wants to see your resume and have a current CISSP holder vouch for your experience. So as soon as you've committed to the credential, start making contacts — network! Knowing one or more current CISSPs will give you easy access to the "vouching" requirement when it's time.


Discipline and Training: Neo


In The Matrix, Neo is required to undergo extensive training in the martial arts to prepare him to fight back against his foes. You won't need fists of fury for the CISSP, but you will need a very detailed and disciplined study routine.


It is impossible to absorb all of the required information within a couple of weeks. That being the case, unless your employer wants to drop $2,500 on a boot camp to train you up, I suggest you opt for the self-study route. If you sincerely apply yourself, you will retain a broader and deeper level of knowledge for a longer period of time.


I recommend at least two solid weeks of self-study per domain. That is 16 weeks, or around four months. Is it possible to do it faster? Yes. Is it possible to take the exam after a boot camp? Sure, but I would argue that the retention factor is far below what you can achieve through a well-planned and -executed self-study course.


Once you understand and appreciate exactly what you have to do, you will need a place to do it. A nice, quiet place that enables you to study nightly for 2-to-4 hours is essential. If you have children, like I do, then you may only cram in an hour or two of studying each night. In that case, you will have to make it up on the weekends, or by getting out of bed before everyone else does.


I have found flashcard sites to be very helpful. If you like practice quizzes, and I recommend that you try some because they are invaluable, then check out the CISSP quiz set right here. I also devour books, found inexpensively on Amazon, as quickly as I can get them.



The preferred form of study material will vary with the individual candidate, but I recommend that you only use study materials that are peer-recommended. Check out the blogs and other social media presence of current CISSPs and find out what they used. Go with whatever you find recommended most frequently. Unlike Neo, you should be a conformist. Following the crowd in this case will bring you success.


You should also make it a point to Google at least one or two CISSP "cheat sheets." These sites boil the main points down into areas of focus. "Sunflower" is a little outdated, but is a very nice resource in this regard.




It's easy to pick the exam date. Scheduling the exam in advance gives you a hard date to prepare for. Because rescheduling will cost extra money, you will be less likely to move your exam back. You already have the time frame for study: just pick the end of that period and book your exam. Don't hide the date; talk about it with others. This will help you stick to your schedule.




Too many people doubt themselves, often saying they aren't "good test takers." This is garbage. Good test taking is all about having the knowledge, not about being able to guess well. If you have prepared, and stuck to your disciplined study routine, then you will have no issues passing the test.


While I don't condone dressing in skin-tight leather like Neo, you want to be as comfortable as possible when it's time to head to the testing center. Remember, they will have you turn out your pockets and roll up your pant legs, pass through a mantrap, and be watched for the entire six hours.


Make sure to perform the basics of prepping for test day. Get a good night's sleep, eat your normal healthy breakfast — this isn't the day to try something new or exotic. While you do want to be well-hydrated, watch the caffeine and energy drinks. You will have to go through the check-in procedures after every bathroom break.


Although the exam is six hours, if you are not all the way through at four hours and checking your answers, then you have probably failed. The exam is designed to allow you to recheck EVERYTHING. Devoting the whole six hours to simply getting through the test is not advisable. Pace yourself, take a mid-set break, and mark answers you don't know.


CISSP isn't a competition or a race. You won't ever find out how well you did, just whether you passed or failed. In that sense, a passing score means that you are on par with the greatest security minds that ever took the test.


The BIGGEST tip to answering the questions is to answer them like a CIO would answer, and not like a CISO would jabber to a board of directors. It isn't a technical test, but a test of how well you know the domains. If it comes down to two answers, one about fixing some DNS issue and one about getting stakeholder buy-off — choose the latter, every time.


In summary, if you understand your adversary, map out a disciplined approach to beating that adversary, have a network of individuals who have beaten the adversary and perform on the day of reckoning, you too will become the One. As always, best of luck and happy certifying.


About the Author

Nathan Kimpel is a seasoned information technology and operations executive with a diverse background in all areas of company functionality, and a keen focus on all aspects of IT operations and security. Over his 20 years in the industry, he has held every job in IT and currently serves as a Project Manager in the St. Louis (Missouri) area, overseeing 50-plus projects. He has years of success driving multi-million-dollar improvements in technology, products and teams. His wide range of skills includes finance, ERP and CRM systems. Certifications include PMP, CISSP, CEH, ITIL and Microsoft.