Passed the ISC(2) Certified Information Systems Security Professional (CISSP) today

cissp-logo1

UPDATE! CISSP granted to me on Sep 22, 2011!

Security is one of the many things I do.  I chose to go after the Certified Information Systems Security Professional (CISSP) for a variety of reasons.  One and perhaps the most important is that it is required for many, if not most, upper level IT jobs in the Federal Government, whether you are an actual Federal Employee or a contractor (DoDD 8570).  So having CISSP is one of “those certifications” that are commonly listed on many job announcements.  I got serious about studying for the CISSP at the beginning of 2011, and I took the ISC(2) CISSP examination for on July 23, 2011 in San Francisco.

It takes ISC(2) a while to score the paper and pencil tests, but I received notification today that I passed!  Whew!  I didn’t want to have to take that one again.  (I guess the score reporting times vary, but it took me 17 days, a couple of weeks, to get email notification.  That’s in line with what ISC(2) says…)

I’m not officially a CISSP until ISC(2) processes my endorsement paperwork, I’m working on that. UPDATE! CISSP granted to me on Sep 22, 2011!

Read on for my thoughts about getting ready for the CISSP and what I did to prepare.

To recap ISC(2)’s turnaround times:

Exam date: Jul 23, 2011
ISC(2) notification of pass by email: Aug 09, 2011 (17 days)
Endorsement faxed to ISC(2): Aug 15, 2011
ISC(2) acknowledged endorsement rcvd: Aug 15, 2011 (Same Day!)
ISC(2) awarded CISSP, notified by email: Sep 22, 2011 (38 days)
Cert received via snail mail: Oct 07, 2011 (15 days)

Get the Proper Study Materials

This test, unlike most, covers a little bit of a *LOT* of subject areas.  I doubt that any mortal human could pass it cold without some review.  Get a couple big fat books and maybe some practice tests.  These are the ones I used:

  • Official (ISC)2 Guide to the CISSP CBK, Second Edition, Harold Tipton.  Although this is sometimes cold and humorless, I like that it is straight to the point.  I wound up using it and preferring it to the more popular Shon Harris materials.
  • CISSP All-in-One Exam Guide, Fifth Edition, Shon Harris.  Shon Harris has a lot of CISSP prep materials, videos, seminars, etc.  A lot of people have used them and like them.  Although I studied this book, I preferred the official ISC(2) guide above.
  • CISSP Video Course, Shon Harris.  A colleague let me borrow his copy of this.  It’s long, and I didn’t watch the whole thing.  I picked topics areas I was weak in and just watched those areas.  Shon Harris very helpfully at times during the videos makes statements like “you *REALLY* need to know this, you’ll see it again” while she’s stomping her foot.  If she says that, pay attention!  That’s a guaranteed test question.
  • Kaplan SelfTest CISSP practice exam.  I have used this vendor’s practice tests for many exams, I’m happy with them.  Their questions are at least somewhat like what you’ll see on the real examination.

How I studied

Even if you have a good background, there’s a lot to cover.  You need time.  I started out about six months in advance and got my materials together.  I have the luxury of having about 90 minutes a day on the bus, riding back and forth to work.  I used that time to study.  I’d take a “big fat book” and a small laptop with the practice test loaded on it.  I tried to take the practice test and read some out of the big fat book morning and night, five days a week, for six months.  I literally took the practice test hundreds of times.  Towards the end I was missing maybe one question, getting 95% on average or better, every time.

Registering for the exam

Unlike most certifications, ISC(2) manages all aspects of the CISSP.  They don’t out source it to Prometric or some other test vendor.  You register for the exam at the ISC(2) web site.  It’s one of the more expensive exams to register for, I paid $549.  Be careful to pick the right test date.  It costs $100 to reschedule the exam.  I registered long in advance, and then it turned out I had a family wedding on the date I paid for, so I had to pay the $100 fee to move it.

A Bit More About The Exam

This exam is “paper and pencil” – you actually fill out the little bubbles on a Scantron form and turn the paper in.  No other test I have ever taken from any vendor was done like this.

My test was on a Saturday morning.  I think this is the usual time for tests to be scheduled.  Since the tests are paper based, and require elaborate logistics, proctors, etc., they are not given too frequently, and they are only given at limited urban test sites.  I live in California, and my choices were basically San Francisco or Los Angeles, about once per quarter.  My test was given at the Embassy Suites hotel near San Franscico Airport (SFO).  What I did is book a room for the night before, drive up the day before, spend the night, get up all bright-eyed-and-bushy-tailed, eat a good breakfast, and report at the test site at 0800.  Don’t be late!  They lock the doors.  (I waited until about a month out to make hotel reservations, and the hotel was full!  Boo.  I got a room at a nearby hotel.  Don’t wait to get a room if you plan on doing this.)

The test experience is what I imagine a bar exam, or a medical examination to be like.  It’s formal.  People have their work clothes on.  No flipflops.  Most of the guys had jackets, some had ties.  There was a large room, that holds maybe 50 test takers.  When you come in the first time, they check your name on the roster, check your ID, make you sign in, and issue you a test taking location.  There was an army of proctors, maybe 6, constantly circulating in the room.  You have to leave all personal effects in a pile at the rear of the room.  The only thing you can have at the table is a bottle of water.  No cell phones.

At 0800, they asked you to sit at your designated spot at the empty tables.   The head proctor, in a very Army style voice, goes over the rules.  No talking.  Raise your hand for assistance.  Don’t move unless you ask.  Use only our pencils, etc.

The test booklet is maybe 40? pages.  The questions are printed on it.  You are allowed to write in the book, so feel free to scribble notes, cross out obvious distractor questions, etc.  You do have to turn this in later, but the only answers that count are the ones you put on the Scantron bubble form.

For the CISSP, you have a couple hundred questions and six hours, so there’s not a lot of time to linger.  My test started at 0900, so I had until 1500.  No lunch break.  If you thought to bring food, you can ask to stand up, go to the back of the room, and eat a snack.  I ate a big breakfast, but I didn’t bring any food or drink.  They did provide water.

The room was cold.  I’d bring a light jacket in case you get cold.  They will allow one test taker at a time to use the bathroom, and you are escorted by a proctor who waits outside the door.  I used the bathroom once.

When I started, I ignored the Scantron answer form, and did all my work in the test booklet.  I went through all the questions in one pass.  I didn’t come across more than one or two I had no idea about.  I skipped those.  The others, I usually could cross out at least a couple of obviously wrong answers.  I did the first pass in about two and a half hours.  I then took a bathroom break and got a drink of water.

The next pass, I finalized all answers.  I went from front to back in the book and answered every question in the book.  Ones I didn’t know, I made my best guess on.  You are not penalized for wrong answers, so answer every question.  This took another hour.  I got another drink.

Third pass through was to transfer all the questions to the Scantron answer form and fill in the bubbles.  This took about an hour.

Final pass through was to basically make sure I did the Scantron correctly.  This took longer than I thought, about half an hour.

That was it!  Turned it in at about five hours elapsed.  I had planned to stay until the bitter end, but after five hours I was sick of looking at it.

The Hard Part, Waiting for the Scores

Since the Scantron paper forms have to be gathered up and sent in by the proctors to be scored, it takes a while.  If you think about it, it’ll be something like 3 weeks – a few days to be mailed, a few days to sit around, a few days to be scored, a few days to be reported…  You get the picture.  It’ll take a while.  I took the test on July 23, I was notified by email from ISC(2) on Aug 9.  If you Google around, you will find people reporting up to 6 weeks before the scores are reported.

The email I got looked like (personal stuff redacted):

From: (ISC)2 Customer Support <customersupport@isc2.org>
Date: Tue, Aug 9, 2011 at 1:37 PM
Subject: (ISC)2 Examination Results ISC2:99999999999
To: greg@greg.porter.name

Gregory
Porter
<address redacted>
United States

ID/Examination number: 99999999

Dear Gregory Porter:
Congratulations! We are pleased to inform you that you have passed
the Certified Information Systems Security Professional (CISSP®)
examination - the first step in becoming certified as a CISSP.

The second step in the certification process requires submission
of two additional items:

1. A COMPLETED ENDORSEMENT FORM. The endorsement form and instructions
are available for download at www.isc2.org/endorsement.aspx. Please
make sure you sign and date the APPLICANT AGREEMENT section on page 2.

2. YOUR RESUME/CV. Please provide a copy of your resume/CV along with
your Endorsement in one email (Note: your resume/CV should be the same
as the copy you give to your endorser).

Please include the following information:

Company name and address for each employer.
Contact name/supervisor and phone number for each position held. If
the position was located outside of the United States, please include
an email address.
Position held - title with dates (including month and year).
Detailed description of your duties, as they pertain to the domains of
the CISSP CBK.

For detailed information about the experience requirements, please
visit www.isc2.org/cissp-professional-experience.aspx.

PLEASE BE AWARE THAT YOUR CERTIFICATION APPLICATION CANNOT PROCEED
WITHOUT THESE TWO DOCUMENTS.

Please have your endorser mail, fax or email these items to:

**If you need endorsement assistance you may mail, fax, or email these
items to:**

(ISC)2 Programs
Attn: Endorsements
33920 US Hwy. 19 N., Suite 205
Palm Harbor, FL 34684
USA

Fax: +1.727.683.0785 or +1.727.786.2989
Email: programs@isc2.org

Please allow 6 weeks for processing. It is not necessary to call or
email us to determine if your documents have arrived prior to that
time, as it will slow down the process. Please do not send multiple
faxes or emails of your documents unless requested by (ISC)2.

All examination applications are subject to random audit of experience
assertions prior to (ISC)2 issuing a certificate. If we do not select
your application for audit, your certification shall be issued upon
receipt of both your properly executed Endorsement Form and Resume/CV.
If we select your application for audit, we will send you a separate
email communication describing fully the process and requirements.

Shortly after we complete the audit of your Endorsement Form and
Resume/CV, if applicable, your certificate will be printed and your
membership package will be shipped to the ADDRESS LISTED ABOVE. This
package will contain your certificate, ID card, welcome letter, and
CISSP lapel pin gift certificate, which you can redeem at the online
(ISC)2 Company Store.

Congratulations again on your successful performance on the CISSP
examination! We look forward to receiving your completed Endorsement
Form and Resume/CV in order to move forward with the certification
process.

In the meantime, please visit our Website (www.isc2.org) for detailed
information about the endorsement and certification process. Should
you have any questions regarding the process, feel free to contact us
at programs@isc2.org.

Sincerely,

(ISC)2
  1. Greg, Thanks for this detailed post. I will be taking test soon and nice to get some idea what to expect.

    BTW, my son is first year at Cal poly. Applied Math with CS minor. The school and area are terrific.
    Best regards, Claudia

    • Mike_
    • October 2nd, 2015

    Awesome description of the process. I purchased the Shone book a year ago and never really opened it. I had other certifications to obtain, and topics to learn… e.g. Prog languages, applications, operating systems, etc. that I kinda let it slip by, but after reading your blog I think I will pick it up again.

    Thank you very much,

    Mike

  1. No trackbacks yet.