Mike Chapple - (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

You can use only one of the experience reduction measures, either a college degree or a certification, not both.

If you are just getting started on your journey to CISSP certification and do not yet have the work experience, then our book can still be a useful tool in your preparation for the exam. However, you may find that some of the topics covered assume knowledge that you don't have. For those topics, you may need to do some additional research using other materials, and then return to this book to continue learning about the CISSP topics.

The CISSP exam is governed by the International Information Systems Security Certification Consortium (ISC)². (ISC) 2is a global nonprofit organization. It has four primary mission goals:

Maintain the Common Body of Knowledge (CBK) for the field of information systems security.

Provide certification for information systems security professionals and practitioners.

Conduct certification training and administer the certification exams.

Oversee the ongoing accreditation of qualified certification candidates through continued education.

(ISC) 2is operated by a board of directors elected from the ranks of its certified practitioners.

(ISC) 2supports and provides a wide variety of certifications, including CISSP, CISSP-ISSAP, CISSP-ISSMP, CISSP-ISSEP, SSCP, CAP, CSSLP, HCISPP, and CCSP. These certifications are designed to verify the knowledge and skills of IT security professionals across all industries. You can obtain more information about (ISC) 2and its other certifications from its website at isc2.org.

The CISSP credential is for security professionals responsible for designing and maintaining security infrastructure within an organization.

The CISSP certification covers material from the eight topical domains. These eight domains are as follows:

Domain 1: Security and Risk Management

Domain 2: Asset Security

Domain 3: Security Architecture and Engineering

Domain 4: Communication and Network Security

Domain 5: Identity and Access Management (IAM)

Domain 6: Security Assessment and Testing

Domain 7: Security Operations

Domain 8: Software Development Security

These eight domains provide a vendor-independent overview of a common security framework. This framework is the basis for a discussion on security practices that can be supported in all types of organizations worldwide.

(ISC) 2has defined the qualification requirements you must meet to become a CISSP. First, you must be a practicing security professional with at least five years’ full-time paid work experience or with four years’ experience and a recent IT or IS degree or an approved security certification (see isc2.orgfor details). Professional experience is defined as security work performed for salary or commission within two or more of the eight CBK domains.

Second, you must agree to adhere to a formal code of ethics. The CISSP Code of Ethics is a set of guidelines (ISC) 2wants all CISSP candidates to follow to maintain professionalism in the field of information systems security. You can find it in the Information section on the (ISC) 2website at isc2.org.

(ISC) 2also offers an entry program known as an Associate of (ISC)². This program allows someone without any or enough experience to qualify as a CISSP to take the CISSP exam anyway and then obtain experience afterward. Associates are granted six years to obtain five years of security experience. Only after providing proof of such experience, usually by means of endorsement and a résumé, can the individual be awarded CISSP certification.

The CISSP exam focuses on security from a 30,000-foot view; it deals more with theory and concept than implementation and procedure. It is very broad but not very deep. To successfully complete this exam, you'll need to be familiar with every domain but not necessarily be a master of each domain.

The CISSP exam is in an adaptive format that (ISC) 2calls CISSP-CAT (Computerized Adaptive Testing). For complete details of this new version of exam presentation, please see www.isc2.org/certifications/CISSP/CISSP-CAT.

The CISSP-CAT exam will have a minimum of 100 questions and a maximum of 150. Not all items you are presented with count toward your score or passing status. These unscored items are called pretest questions by (ISC)², whereas the scored items are called operational items . The questions are not labeled on the exam as to whether they are scored (i.e., operational items) or unscored (i.e., pretest questions). Test candidates will receive 25 unscored items on their exam, regardless of whether they achieve a passing rank at question 100 or see all of the 150 questions.

The CISSP-CAT grants a maximum of three hours to take the exam. If you run out of time before achieving a passing rank, you will automatically fail.

The CISSP-CAT does not allow you to return to a previous question to change your answer. Your answer selection is final once you leave a question by submitting your answer selection.

The CISSP-CAT does not have a published or set score to achieve. Instead, you must demonstrate the ability to answer above the (ISC) 2bar for passing, called the passing standard (which is not disclosed), within the last 75 operational items (i.e., questions).

If the computer determines that you have a less than 5 percent chance of achieving a passing standard and you have seen 75 operational items (which will be at question 100), your test will automatically end with a failure. If the computer determines that you have a higher than 95 percent chance of achieving or maintaining a passing standard once you have seen 75 operational items (which will be at question 100), your test will automatically end with a pass. If neither of these extremes is met, then you will see another question, and your status will be evaluated again after it is answered. You are not guaranteed to see any more questions than are necessary for the computer grading system to determine with 95 percent confidence your ability to achieve a passing standard or to fail to meet the passing standard. If you do not achieve the passing standard after submitting your answer to question 150, then you fail. If you run out of time, then you fail.

If you do not pass the CISSP exam on your first attempt, you are allowed to retake the CISSP exam under the following conditions:

You can take the CISSP exam a maximum of four times per 12-month period.

You must wait 30 days after your first attempt before trying a second time.

You must wait an additional 60 days after your second attempt before trying a third time.

You must wait an additional 90 days after your third or subsequent attempts before trying again.

The exam retake policy was updated in October 2020; you can read the official policy here: www.isc2.org/Exams/After-Your-Exam.

You will need to pay full price for each additional exam attempt.

It is not possible to take the previous English paper-based or CBT (computer-based testing) flat 250-question version of the exam. CISSP is now available only in the CBT CISSP-CAT format in English through (ISC) 2-authorized Pearson VUE test centers in authorized markets.

In early 2021, (ISC) 2via Pearson Vue performed an online exam proctoring pilot for CISSP. The results of this pilot will be evaluated by Q3 2021 and a decision on how to proceed will be made by (ISC) 2based on those results at that time. Keep an eye on the (ISC) 2blog for updated information about online proctored remote CISSP exam offerings.