New ISC2 Cert, and Five Free CPEs

ISC2 is developing a new cert, something to “certify entry-level professionals.” Now, I thought the SSCP already existed for that purpose… and I’m also curious how someone “entry-level” can also be considered a “professional”… but if you are an ISC2 member, and you help fill out a survey that will be used to construct the exam for this new cert, you can get five free CPEs.

So…go get your CPEs: ISC2 Link to Survey

Recent CCSP Exam Feedback

One of my former students, Mark Landes, shared this with me today. Mark reminds us of the purpose and use of practice questions: not to learn the material, but to prepare for how to deal with questions about the topics. Thanks, Mark, and congratulations!

“Hi Ben. I was in the CCSP boot camp with ISC2 conference last November. Just wanted to let you know I passed the certification exam in December and got the confirmation of award in late January. Your class and books (study guide and practice exams) were a great help. There were not a lot of direct ‘book questions’ from either, but rather a lot of questions applying the cloud models and technologies the books taught. The practice of answering all those sample questions really helped prepare from a psychological perspective. Thanks again!”

Encouraging Words About CISSP

A former student wrote in yesterday to tell me:

“I passed the exam last Wednesday.  A few observations on my experience:


1.  Like others posting their results to LinkedIn recently, my exam cut off at the 100 question mark.  My elapsed time at that point was somewhere between 90 and 100 minutes.

2.  Candidly, the first thought that passed through my mind when the exam cut off was that I failed, because...

3.  A lot (I would estimate 60-70%) of the questions required a good deal of domain knowledge synthesis to answer.  By that, I mean the question wasn't just asking for a fact or straightforward application of domain knowledge.  I got about 50 questions into the exam and considered walking away from the test, I thought I was doing that poorly.  I really thought "OK, those first 25 or so were the 'evaluation' questions for future exams, now the real exam is starting" but the questions didn't change in style after that. 

4.  I really had to slow myself down to make sure I read the questions and answers correctly and thoroughly.  This is probably what saved me from failing; of course, since the result is only pass/fail, there's no way to know if the answers I changed after re-reading the question and answer while thinking about every word were the correct choice.

5.  Notwithstanding the "synthesis" comment above, most questions did have 2 fairly obvious wrong or distractor answers.  It was deciding between the remaining two that created the most frustration.

6.  I did use current editions of both the Shon Harris and Mike Chapple texts and practice exams for preparation.  I guess that's why I was a bit surprised at the nature of the questions.  Practice exam questions from both books were for the most part more oriented toward straightforward domain knowledge demonstration.”

Great advice— SLOW DOWN, everybody. And remember that you can’t fail until you’re done. Good luck to you all!

One of the best pieces of advice I have found in a long, long time:

Saw this on reddit recently:

“So, to your primary question, during those best 90 minutes of my exam - I passed at 100Q at 90 minutes - this was what I'd written on my dry-erase board and what I focused on:

  • YOU ARE A RISK ADVISOR/CEO – think like one.

  • Do NOT fix things (unless asked to do so, or unless those are the only answer options)

  • Think END GAME

  • Read EACH question 3x and then THINK before responding

This said, during my last two weeks, I did a high-level but comprehensive review of notes from ALL domains, and I particularly focused on making sure I knew and understood processes like RMF, SDLC, IR, BCP/DRP, etc. I took several 100-125 question practice exams during the last 10 days and used feedback from those exams to further hone the things I needed to focus on prior to my exam. Good luck and all the best as you make final preps for your exam!”

https://www.reddit.com/r/cissp/comments/i1eshf/exam_tips/fzx8qth/

Another bit of feedback about CISSP....

From another former student, just received yesterday:

“I passed the CISSP earlier this evening, with much thanks owed to you! At 150 questions.

I didn’t interact much in class but paid a ton of attention and also rewatched the recordings over again. And also bought and read your book, along with Boson and the Mike Chapple practice tests. I felt that the class paired with the student guide prepared me the best, and the Boson was a decent approximation for the questions but also not so much... I read your book in the two days before the exam and it helped solidify my mindset as well.

As for the test, there were some bizarrely worded questions there for sure. I assume the test is slightly different for everyone, but for me there were MAYBE 10 questions that I would deem ‘technical’, and I may very well have got them all wrong, yet here I am on the other side! I am more of a big picture person in my role at work and I think that helped.”

Awesome news! Thanks so much for the feedback— great stuff, and congrats.

Some feedback from a recent CISSP test-taker (who passed)

One of my recent students shared this with me, and gave me permission to post it:

“I’m not sure if you remember but I am the student that just graduated college with a Cyber Security degree and won the CISSP class in a raffle. I was lucky enough to be trained by you on scholarship and capitalized on it and now I am an Associate of ISC2.

In terms of the exam, the main thing I studied was the notes from your class. I memorized each and every foot stomper. You covered everything I saw on the exam but some of the questions were extremely detailed in things we barely brushed over. I also read the entire study guide by doing 30 pages a day. I didn’t use the Sunflower guide because I felt as if it went into too much unnecessary detail in some parts. I also bought the Boson practice tests but I didn’t use them at all.

The main thing that helped me besides your class was this video: https://www.youtube.com/watch?v=-99b1YUFx0A. It just helped to enforce the idea that the CISSP exam is managerial and about half of the questions I saw I referred back to this video. Instead of solving the problem instantly I thought of what a manager would do. To put your future students at ease, you can tell them I have no working experience and all I did was read the study guide, took your class and watched that one youtube video and I passed. Once again, thank you for all the help with everything. Your class has left a lasting impact on me and I will always be grateful.”

I am impressed by the accomplishments of this young person; very well done, and thanks for sharing insight into your experience! I expect big things from you in our industry. I hope you will hire me to work for you someday!


More CISSP Exam Feedback

One of my recent students, Buddy Lott, shared some of his feedback about his recent exam experience. Thanks, Buddy!

I got to question 99 in about 1.5 to 2 hours. Was settling in for another 20 or 30 questions with plenty of time. I don’t think I had more than 5 more questions when I got the “Test over” screen. It scared the crap out of me. I was sure I had failed. I don’t know exactly how many questions I had to answer. Then I had to wait for the check out procedures to get the results and discovered I had passed. It felt like forever.

I felt like the test was pretty challenging. I have no idea which questions I got right or wrong but lots of the questions I felt had answers that were very similar or the correct answer depended on how much you read into the question. I had to make a focused effort to not read too much into the question while making sure I was paying attention to the details that were there.

Plus … I had to make sure I answered some of the questions based on the book/class and not what my experience is/was.

Thanks again.


Leslie Lott

buddy_lott@outlook.com

www.linkedin.com/in/leslielott/

Excellent CAP Review

Brad Lee is a driving force in the reddit community for ISC2-related material; he’s created entire subreddits and Discord families to engage in cooperation and advice for candidates for all certifications. He’s also just a generally cool and nice person.

He recently took, and passed, the CAP exam. He said it was all right to share this digest here at the blog. Thanks, Brad, and congrats!

“I am happy to say that I have now passed the (ISC)² Certified Authorization Professional exam!!! This was a long day coming, and I'm so glad that the pressure is FINALLY OVER!! WOOOOOOOOOOOOOOOHHHHHHHHHHHHHHHHHHHHOOOOOOOOOOOOOOOOOOOO!!!!!!!!!!!!!!!!!!!!


Now I would like to thank all of those out there that have contributed as much as they could to help with studying for this exam. So many people have helped me in my journey, and I would like for those people to get the praises they deserve. After I created this (ISC²) CAP Reddit channel on May 29, 2019, I decided to reach out to those in the Reddit community as well as the ISC2 forums for advice, materials, etc. I, just like many others, had realized that there was a HUUUUUGGGGEEEE lack of official resources for this certification!!!! Why is that?? I have no idea! This is a very obscure and less-talked-about certification out of all (ISC)² certs. And I don't see too many people taking the exam, either. I have been working as a Security Control Assessor in Risk Management for over a year, so I do have a comprehensive understanding of the RMF. On my team, I was usually the one who sent out Security Control Assessment Plans, conducted Risk Assessments, generated Security Assessment Reports, and created a Plan of Action and Milestones for weakness remediation.


Over the summer, I decided that I would start a study group for (ISC)² CAP. This was a long time coming, but highly needed!!! I spoke to people on Reddit and (ISC)² Forums that were interested in taking the exam, and asked if they could join my group. Those that obliged came aboard and we started. Now it was rocky at first, as many of us were afraid that the exam was based on NIST SP 800-37 Revision 2 and not NIST SP 800-37 Revision 1. Plus, with the lack of official resources for this exam compared to other (ISC)² exams, some were even reluctant to take it. Some postponed their exams ’til next year. We all had very busy schedules to begin with. Also, some people like to study for certs by themselves, which is fine. And they don't want to share their experiences about certs, either.... which is also fine. But NOT ME! I want it all, baby!!!! I want the smoke, even if that means me getting burned.


Starting in August, my study group gathered many materials from boot camps, NIST's website, etc. We studied very, very HARD. We reviewed FIPS documents, Special Publications, many practice questions, cheat sheets, etc. In September, I started to watch (ISC)² CAP course videos on the FedVTE website because I could NOT find any instructive videos to watch for this certification. Some people have recommended this site for those interested in taking IT certifications. As I was watching the videos, I noticed that one of the professors teaching the course would always give candy to any of his students that answered his questions correctly. It wasn't until later on that I realized that professor was none other than Ben Malisow!!! I couldn't believe it was the same person, and after talking to him about it recently, I'm sure he wouldn't believe it, either lol. All of the professors did very good jobs in breaking down the CIARMF, as well as the SDLC. The CAP course was excellent. I will say that this is the BEST site to watch videos pertaining to the CAP certification. I learned the MOST from this online course and took down so many notes from it. It's not recent, but many of the concepts and guides are still EXTREMELY helpful. And even though the site requires a government email to sign up for access, it is VERY worth it.


As time went on, members of my group were taking the exam, one by one. From September to October, people from my study group were passing the CAP!!! This was interesting, and I was so happy!!! So far at the time, only four people had passed!! Now for me, I will say this. Everybody has their way of studying for exams, but me, I love to review practice questions to get myself in "test mode". Although I did purchase the material, I did NOT read the Official Guide to the ISC2 CAP CBK book. I glossed over the first couple of pages of the first chapter, but then ultimately decided to review other material. I felt that the book was outdated and focused on older standards and acts. And I did NOT take a boot camp, either. I did not see the need in me spending $2,700+ when I already had at least one year of Risk Management experience. Even if I did not, I STILL would not do it, but others are different. I did something similar like that once before. I took a self-study online course for another exam from a different vendor, and I paid an UNBELIEVABLE amount. My company was not paying for me, and I was not getting reimbursed, either.


In October, I still asked people online on what to expect from the CAP exam. Some (ISC)² professionals told me that the exam is pretty much all of NIST SP 800-37, no DIACAP, DITSCAP, etc. I continued to go over the steps of the RMF and connect them to the SDLC. Later that month, one member of my study group panicked (as most of us would before we took our exams). He just wanted to get the exam over with, and I don't blame him!! He even hit the gym continuously just to relieve anxiety. He decided to schedule his exam on a Monday morning at 8:00 AM. After he finished his exam, he came out and told us that he passed! Now, five people have passed so far. This was getting very interesting, as no one had failed yet.


It was November, and I STILL had not booked my exam, yet. I guess one factor of why I had not all this time was that I feared that the exam would be updated with newer topics. Also, I have had TERRIBLE experiences before with booking (ISC)² exams in the past (cough cough SSCP cough cough). I will save that for a later story, but basically I did not want to go to a testing center with NO PARKING, and ARGUMENTATIVE PROCTORS that will embarrass you in front of everyone and prevent you from taking your exam!!! The CAP costs $599, so that's really not money you wanna be playing around with. Shortly after the start of the month, another person from my study group decided to attempt the exam.... and she passed!!! Now it was time... for ME!! As the days went on, I was looking for the PERFECT date and time for my exam on Pearson. Sometimes, you just have to wait and see... a REALLY GOOD date will appear for you (probably you will see what you like late at night).. and it did!!! Friday, November 22 at 5:30 PM was SET!!!


Until my exam date, the only documents that I read for this exam were FIPS 199, 800-18, 800-30, 800-64, and 800-137. I glossed over the 800-37r1 at the beginning of my studies, but it was pretty much me understanding the RMF steps and tasks as well as the associated roles and responsibilities. Also, MAKE SURE you understand the connection between RMF and SDLC! I CANNOT STRESS THIS ENOUGH!!!!! It helped me tremendously.


11/22/2019 I went to a BEAUTIFUL testing center that had an AMPLE amount of parking and had the best staff of people!!!!! I couldn't believe my eyes. The proctors were very cool and were funny too haha. They knew all about (ISC)² madness lol. They asked me if I ever took CISSP before. I told them I did, which was even a CRAZIER exam!!! I went through the regular procedures, and it was no pressure at all!! I went in and sat at my seat. I quickly wrote down all the stuff I needed for memorization on my scratch sheet. After the 5 minute window, I started my exam. The exam mostly focused on roles (System Owners, Authorizing Officials, Security Control Assessors), responsibilities/tasks (RMF steps, SDLC), and the type of controls (common, system-specific, hybrid, compensating). There were a couple of DIFFICULT questions that could have any answer as correct. Now, 125 questions in 180 minutes is okay, but it comes to a point where you just say "Can it be over already??". Overall, my best method to handle all of the exam questions was to use the process of elimination. Once I finished, I did the closing procedures and then went to the front desk. I received my score report from the nice proctor, who had folded it in half. Once I saw the message, I fell to the floor..... I PASSED!!!!!! I was so HAPPY and it was a beautiful experience all the way around HAHAHAHAHAHAAH!!!!!!!!!!!!!!! It was waaaaaayyyy better than that wicked experience I had with SSCP at a specific testing center two months prior; a place with NO parking and a CURRAHHHHZZZYYY proctor trying to act tough and smart in front of everyone. I drove home relieved, and my study partners were extremely pleased afterwards.


I would like to shout-out some people who have helped me along in my journey: u/reed17purdue, u/sanileo, u/Telemundo, u/super_user_anonymous, Pinaykutie, Moro, Kofi, Ben, Alfred, Kadir, Valentine, and Ben Malisow!!! I cannot thank you guys enough for the help and the long ride!! A job very well done!! I am willing to help anyone who plans on taking this certification in the near future. See you guys around!! On to the next one!!!”


Recent CISSP Feedback

Mary Pat Esposito, a former student, recently passed the CISSP, and had this to say:

“I took the test yesterday and passed! 😉


Here’s the advice that helped me the most…

  • [Ben’s] “footstomps” helped filter the minutiae out of the study guide. No RAID questions. Phew!

  • Kelly [Handerhan]’s video. The link was provided in the chat. She recommended selecting responses from a management perspective not a practitioner perspective.

  • Read the responses backward, forward, read the question over and over. You can’t go back so be sure you’ve taken the time to understand the question and the options.”

Great info, Mary Pat— thanks! Congrats to you, and good luck to everyone taking the exam soon.

The Flatline Cohesion Principle

This week’s CCSP class pointed out that one of the multiple-choice answers in my book of practice tests included the term “flatline cohesion principle.” They asked me what it meant, and I had to admit that I had no clue…maybe it meant that I was drinking too much scotch when I wrote the book?

Turns out, it was a nonsense term I invented as a distractor from the correct answer to that specific question. So we discussed the idea, and decided we had to come up with a definition for the completely blank term.

The consensus was that it should mean: “When you write a book of practice tests that may or may not have complicated, misleading questions in it, then use your class to crowdsource how worthy the material is for study purposes.”

I do like this. But I am very open to alternative uses for the term. If someone comes up with something better, put it in the Comments section, and I’ll send you a free copy of the book. I will be the sole judge of what constitutes “better.”

In the meantime: everyone should follow the flatline cohesion principle.

And many, many thanks to this week’s CCSP class participants: y’all were awesome, and I think you’re all gonna conquer the exam.

CCSP Test Feedback

From a recent student:

“I found it to be quite challenging, mostly because more than a few of the questions and / or answers were so tersely worded that it was very hard to determine what was being asked. I also ran into some test questions on concepts that weren’t covered in the course material, or if they were, it was in passing and didn’t really justify the attention it got on the exam. However, I passed, so it’s all behind me now. :^)”

New Year, New CISSP Exam

Just in time for 2018, the CISSP exam from ISC2 has converted from standard multiple-choice format to a Computerized Adaptive Testing model for exams delivered in English (foreign-language versions of the test currently remain in the traditional format). This means that instead of the grueling 6-hour, 250-question test, CISSP candidates now face only 100 to 150 questions, in a maximum of three hours.

Depending on your success with multiple-choice tests, and your personal technique, the new experience could be either a massive boon or a ridiculous hurdle to get the certification.

I got my CISSP back when the test was in the traditional format...and done with pencil and paper. I have no clue how I'd do on the current version.

I have, however, received feedback from the first of my students to take the new version of the test: they passed! Their exam was also only 100 questions long (meaning the student demonstrated sufficient command of the material so that the testing engine didn't have to throw more questions at the student), and it took the student an hour to complete. Perhaps most interesting, this particular student is not an IT practitioner, but is familiar with the industry in other roles. Main impression? The student repeated what I always try to stress to anyone taking one of the certification tests: READ. THE. FULL. QUESTION. Make sure you read it completely, and understand what's being asked, and that you read all of the possible responses.

The exam is still being administered by PearsonVUE, and you can download the outline from ISC2's website.

Have you taken the exam in the new format? Please add some feedback about your experience in the Comments!