How to Prepare for the Exam
Read this book and understand it: all of it. If we cover a subject in this book, we are doing so because it is testable (unless noted otherwise). The exam is designed to test your understanding of the Common Body of Knowledge, which may be thought of as the universal language of information security professionals. It is said to be "a mile wide and two inches deep." Formal terminology is critical: pay attention to it.
The Common Body of Knowledge is updated occasionally, most recently in April 2015. This book has been updated to fully reflect the 2021 CISSP® Certification Exam Outline. Downloading and reading the exam outline is a great preparation step. You may download it here: https://www.isc2.org/CISSP-Exam-Outline.
Learn the acronyms in this book and the words they represent, backwards and forwards. Though you can generally expect acronyms on the exam to include their expanded form, students comfortable with the acronyms will be able to progress through the exam more quickly.
Much of the exam question language can appear unclear at times: formal terms from the Common Body of Knowledge can act as a beacon to lead you through the more difficult questions, highlighting the words in the question that really matter.
The CISSP® Exam Is a Management Exam
Never forget that the CISSP® exam is a management exam: answer all questions as an information security manager would. Many questions are fuzzy and provide limited background: when asked for the best answer, you may think: "it depends."
Think and answer like a manager. For example: the exam states you are concerned with network exploitation. If you are a professional penetration tester, you may wonder: am I trying to launch an exploit, or mitigate one? What does "concerned" mean?
Your CSO is probably trying to mitigate network exploitation, and that is how you should answer on the exam.
The 2021 Update
The 2015 update represented a large change that moved to 8 domains of knowledge (down from 10). Lots of content was moved. The domain content can seem jumbled at times: the concepts do not always flow logically from one to the next. Some domains are large, while others are smaller. In the end this is a non-issue: you will be faced with questions from the 8 domains, and the questions will not overtly state the domain they are based on.
The updates since then (2018 and 2021) kept the same design of 8 domains. The 2021 update focused on adding more up-to-date technical content, including an emphasis on supply chain security, Zero Trust, microservices, containers, serverless, quantum cryptography, as well as other modern technical topics.
The Notes Card Approach
As you are studying, keep a "notes card" file for highly specific information that does not lend itself to immediate retention. A notes card is simply a text file (you can create it with a simple editor like WordPad) that contains a condensed list of detailed information.
Populate your notes card with any detailed information (which you do not already know from previous experience) which is important for the exam, like the five levels of the Software Capability Maturity Model Integration (CMMI; covered in Chapter 9, Domain 8: Software Development Security), or the Common Criteria Levels (covered in Chapter 4, Domain 3: Security Architecture and Engineering), for example.
The goal of the notes card is to avoid getting lost in the "weeds": drowning in specific information that is difficult to retain at first sight. Keep your studies focused on core concepts and copy specific details to the notes card. When you are done, print the file. As your exam date nears, study your notes card more closely. In the days before your exam, really focus on those details.