Chapter 1. The CISSP Certification Exam


Terms you’ll need to understand:

• Common body of knowledge (CBK)

• Exam strategy

Techniques you’ll need to master:

• Assessing exam requirements

• Determining whether you’re ready for the exam

• Using practice questions

• Using your time wisely


Introduction

Welcome to CISSP Exam Cram! The aim of this chapter is to help you become prepared for the CISSP exam and understand what to expect when you enter the testing area. For most people, exam taking is not something that they eagerly anticipate. The best way to reduce that anxiety is to be fully prepared before you attempt to pass the exam. Taking those extra steps will help you feel more relaxed and confident when you enter the testing area.

Before beginning your studies, take a few minutes to make sure you fully understand the CISSP exam process. This is something that you don’t want to wait until the day of the exam to figure out. Reviewing these details now will help you concentrate on the exam so that you aren’t worried about how much time you have to answer each question. Finally, mastering a few basic exam-taking skills should help you recognize—and perhaps even overcome—some of the tricks or unusual verbiage you’re bound to find on the exam.

In addition to reviewing the exam environment, this chapter describes some proven exam-taking strategies that you can use to your advantage.

Assessing Exam Readiness

Before you rush out and sign up for the CISSP exam, check out the www.ISC2.org website and review the CISSP certification requirements. To be eligible to become a CISSP, you must qualify for and meet two separate requirements:

• Examination—This portion of the process requires that you submit the examination fee and assert that you possess a minimum of five years of professional experience in the information security field, or four years plus a college degree (this is subject to audit and verification). You must also review and sign the Candidate Agreement stating that you will legally commit to adhere to the CISSP Code of Ethics, and answer several questions regarding criminal history and background.

• Certification—The second step of the process requires that the candidate pass the exam with a score of 700 points or greater, submit a completed and executed Endorsement Form, and, in some cases, pass a verification audit regarding professional experience.

When you are confident that you meet these requirements, you can continue with your studies. To be fully prepared for the exam, I recommend that you read the entire text, review the practice questions, and review the additional resources identified in each chapter. After you read the book and test yourself with the questions and practice exams, you will have a good idea of whether you are ready to take the real exam.

Be aware that the CISSP exam is difficult and challenging; therefore, this book shouldn’t be your only vehicle for CISSP study. Many companies, such as my own (Superior Solutions, Inc., www.thesolutionfirm.com), offer training classes to help you review the material and prepare for the exam. Because of the breadth and depth of knowledge needed to pass the CISSP exam, be sure to use plenty of study materials and use this book to help you gauge your strengths and weaknesses. The ISC2 website is a good place to find additional study material, and so are the “Need to Know More?” sections at the end of the chapters in this book.

Taking the Exam

When you arrive at the testing center, you need to sign in. You will be asked to show your exam confirmation and photo identification. You cannot take the exam without a photo ID and your exam confirmation number. After you’ve signed in, find a seat, get comfortable, and wait for the exam to begin.

The exam is completely closed book. In fact, you will not be permitted to take any study materials into the testing area; you will be given scratch paper to use that must be returned at the completion of the exam. The exam is electronic and is very similar to CompTIA exams or those given by Microsoft. ISC2 allows you to make comments regarding the training environment at the completion of the exam.

During the six-hour time limit, you will need to complete 250 questions. This provides plenty of time to complete the exam and even provides some time to go back and review your answers. The test screen will show a timer to keep you informed of how much time you have left to complete the exam.

All questions on the exam are multiple choice, and the exam contains 250 questions. Twenty-five of the questions are for research purposes, so only 225 questions are actually scored for certification. The research questions do not count against you regardless of your answer. You should attempt all the questions, even if you need to guess the answer. Don’t leave any answers blank. The exam questions are developed by an ISC2 committee and are always being updated and changed. I encourage you to make multiple passes on the test. On the first pass, answer all the questions where you are confident that you know the correct answer and mark the questions you are unsure of. On the second pass, work through the more difficult questions and make sure to underline key words such as “not”, “least”, and “most”. Missing one word on the exam can make a big difference. On the final pass, answer any remaining questions. Remember that it is better to guess at an answer than to leave a question blank.

In the next section, you learn more about how CISSP test questions look and how they must be answered.

Examples of CISSP Test Questions

Here are examples of the different CISSP test question formats. Following each example is a brief summary of each potential answer and why it is either right or wrong.

Multiple-Choice Question Format

These are exam questions that require you to select a single answer from the given choices. To answer this type of question, click the letter or text of one answer. In some cases, more than one answer might appear correct; you must determine which one is most correct.

1. What is the most widely used device to control physical access?

A. Chains

B. Locks

C. Alarms

D. Firewalls

Drag and Drop Question Format

These are exam questions that require you to move one or more correct answers from a pool of possible answers into the correct answers area. To answer this type of question, simply click, drag, and drop the correct answers from the “Possible Answers” section to the “Correct Answers” box.

1. Which of the following are examples of asymmetric encryption?


FIGURE 1.1 Drag and Drop Question.

Hotspot Question Format

These are exam questions that require you to click on the correct area of a diagram—a hotspot—to answer a question.

1. When designing network controls, which would be the proper location for a firewall to protect the DMZ?


FIGURE 1.2 Location Placement Question.

Answer to Multiple-Choice Question

1. Answer: B. Locks are the most commonly used device to control physical access. Locks have been used since the time of the Egyptians. Answer A is incorrect because chains are not the most commonly used devices for physical access control. Answer C is incorrect because alarms don’t prevent access; they only inform you that possible unauthorized access has occurred. Answer D is incorrect because a firewall is used to control logical access.

Answer to Drag and Drop Question

1. Answer: RSA. RSA is the only example of asymmetric encryption. DES, AES, and SAFER are all examples of symmetric encryption. In this case, you should drag and drop only “RSA” into the “Correct Answers” box.

Answer to Hotspot Question

1. Answer: C. To answer the question, hold the mouse cursor over the area on the diagram that you want to choose as your answer. While all available areas will light up (A, B, or C in this example), you must click on the one you believe is correct. In this case, we’d want to deploy a firewall where item C is located between the internal network and the Internet.

Exam Strategy

A well-known principle when taking fixed-length exams is to first read each question and answer only those questions that you feel absolutely sure of. As you progress through the exam, you might find subsequent questions that clue you into the correct answer on a previous one. You can return to any questions you passed over, and at that point you will know exactly how many questions you have left.

As you read each question, if you answer only those you’re sure of and mark for review those that you’re not sure of, you can keep working through a decreasing list of questions as you answer the trickier ones in order.


ExamAlert

There’s at least one potential benefit to reading the exam completely before answering the trickier questions: Sometimes information supplied in later questions sheds more light on earlier questions. At other times, information you read in later questions might jog your memory about earlier questions. Either way, you’ll come out ahead if you defer answering those questions about which you’re not absolutely sure.


Here are some question-handling strategies that apply to fixed-length and short-form tests. Use these tips whenever you can:

• When returning to a question after your initial read-through, read every word again, as if for the first time. Sometimes revisiting a question after turning your attention elsewhere lets you see something you missed, but the strong tendency is to see what you saw before.

• If you return to a question more than twice, try to articulate to yourself what you don’t understand about the question, why answers don’t appear to make sense, or what appears to be missing. If you chew on the subject a while, your subconscious might provide the details you lack or you might notice a “trick” that points to the right answer. If there is more than one good answer, the more general answer that encompasses others will usually take precedence and be the correct answer.

• As you work your way through the exam, it’s wise to budget your time.

• If you’re not finished when only five minutes remain, use that time to guess your way through any remaining questions. Remember, guessing is potentially more valuable than not answering because blank answers are always wrong, but a guess might turn out to be right, and there is no penalty for wrong answers. If you don’t have a clue about any of the remaining questions, pick answers at random or choose all As, Bs, and so on. The important thing is to submit an exam for scoring that has an answer for every question.

Question-Handling Strategies

Because of the way that multiple choice CISSP exam questions are structured, many times one or two of the answers will be obviously incorrect and two of the answers will be plausible. Take the time to reread the question. Words such as “sometimes”, “not”, “always”, and “best” can make a big difference when choosing the correct answer. Unless the answer leaps out at you, begin the process of answering by eliminating those answers that are most obviously wrong.

Almost always, at least one answer out of the possible choices for a question can be eliminated immediately because it matches one of these conditions:

• The answer does not apply to the situation.

• The answer describes a nonexistent issue, an invalid option, or an imaginary state.

After you eliminate all answers that are obviously wrong, you can apply your retained knowledge to eliminate further answers. Look for items that sound correct but refer to actions, commands, or features that are not present or not available in the situation that the question describes.

If you’re still faced with a blind guess among two or more potentially correct answers, reread the question. Try to picture how each of the possible remaining answers would alter the situation.

Only when you’ve exhausted your ability to eliminate answers, but remain unclear about which of the remaining possibilities is correct, should you guess at an answer. An unanswered question offers you no points, but guessing gives you at least some chance of getting a question right—just don’t be too hasty when making a blind guess!

Mastering the Inner Game

In the final analysis, knowledge breeds confidence and confidence breeds success. If you study the materials in this book carefully and review all the practice questions at the end of each chapter, you should become aware of those areas where additional learning and study are required.


ExamAlert

You will be expected to understand CISSP terminology before attempting the exam. A big part of the exam is not only understanding the terms that might be used, but also applying them in the context provided in the test questions. As an example, the exam might talk about intrusion detection, but a specific question might address physical intrusion detection or logical intrusion detection.


After you’ve worked your way through this book, take the practice exams at the end of the book. Taking these practice exams will provide a reality check and help you identify areas to study further. Make sure you follow up and review materials related to the questions you missed on the practice exams before taking the real exam. Only when you’ve covered that ground and feel comfortable with the whole scope of the practice exams should you set an exam appointment. It’s advisable to score 90% or better before you attempt the real exam. Otherwise, obtain some additional practice tests and keep trying until you hit that magic number.


ExamAlert

Armed with the information in this book and with the determination to augment your knowledge, you should be able to pass the certification exam. However, you need to work at it or you’ll spend the exam fee more than once before you finally pass. If you prepare seriously, you should do well. We are confident that you can do it!


(ISC)2 CISSP Certification Outline: www.isc2.org/cissp/default.aspx
