Chapter 1

The CISSP Certification Exam

Terms you’ll need to understand:

  • Common body of knowledge (CBK)

  • Exam strategy

Techniques you’ll need to master:

  • Assessing exam requirements

  • Determining whether you’re ready for the exam

  • Using practice questions

  • Using your time wisely

Introduction

Welcome to CISSP Exam Cram! The aim of this chapter is to help you become prepared for the CISSP exam and understand what to expect when you enter the testing area. Most people do not eagerly anticipate exam taking. The best way to reduce your test-related anxiety is to be fully prepared before you attempt to pass the exam. Taking a few extra steps will help you feel more relaxed and confident when you enter the testing area.

The exam format is different depending on where you take the exam. However, before beginning your studies, you should take a few minutes to make sure you fully understand the CISSP exam process. You don’t want to wait until the day of the exam to figure out what you will face. Reviewing these details now will help you concentrate on the exam so that you aren’t worried about how much time you have to answer each question. Finally, mastering a few basic exam-taking skills should help you recognize—and perhaps even overcome—some of the tricks or unusual verbiage you’re bound to find on the exam.

In addition to reviewing the exam environment, this chapter describes some proven exam-taking strategies that you can use to your advantage.

Assessing Exam Readiness

Before you rush out and sign up for the CISSP exam, check out the (ISC)2 website (www.ISC2.org) and review the CISSP certification requirements. To be eligible for CISSP certification, you must qualify for and meet two separate requirements:

  • Examination: You must submit the examination fee and assert that you possess a minimum of five years of professional experience in the information security field or four years plus a college degree. (The information you provide is subject to audit and verification.) You must also review and sign the Candidate Agreement, stating that you will legally commit to adhere to the CISSP Code of Ethics, and answer several questions regarding your criminal history and background.

  • Certification: You must pass the exam with a score of 70% (or 700 points out of 1000), submit a completed and executed Endorsement Form, and, in some cases, pass a verification audit regarding your professional experience.

When you are confident that you meet these requirements, you can continue with your studies. To be fully prepared for the exam, I recommend that you read this entire book, review the practice questions, and review the additional resources identified in each chapter. After you read the book and test yourself with the questions and practice exams, you will have a good idea of whether you are ready to take the real exam.

Be aware that the CISSP exam is difficult and challenging; therefore, this book shouldn’t be your only vehicle for CISSP study. The CISSP exam is based on the Common Body of Knowledge (CBK). The CBK is a collection of the subjects and items that all the topics on the exam are pulled from. You can read more at https://www.isc2.org/Certifications/CBK.

Many companies offer training classes to help you review the material and prepare for the exam. Because of the breadth and depth of knowledge needed to pass the CISSP exam, be sure to use plenty of study materials and use this book to help gauge your strengths and weaknesses. The (ISC)2 website is a good place to find additional study material, and so are the “Need to Know More?” sections in the chapters of this book.

Exam Topics

Every three years, (ISC)2 updates the CISSP exam topics. The 2021 version of the exam includes the following domains:

Domain 1: Security and Risk Management

Domain 2: Asset Security

Domain 3: Security Architecture and Engineering

Domain 4: Communication and Network Security

Domain 5: Identity and Access Management (IAM)

Domain 6: Security Assessment and Testing

Domain 7: Security Operations

Domain 8: Software Development Security

With each update to the exam, (ISC)2 rewords topics, reorganizes topics, and adds new topics. The reorganization of topics between or within domains does not have a significant impact on prep or study. However, you do need to be familiar with the new and reworded topics. The “Domain Refresh” guide is the best place to learn about the changes in the exam from one version to another; see https://www.isc2.org/-/media/ISC2/Certifications/Domain-Refresh/CISSP-Domain-Refresh.ashx?la=en&hash=73FF18379098B1480D22A174BF7BB544E83237E9.

Taking the Exam

When you arrive at the testing center, you need to sign in. You will be asked to show your exam confirmation and photo identification. You cannot take the exam without a photo ID and your exam confirmation number. After you’ve signed in, you can find a seat, get comfortable, and wait for the exam to begin.

The exam is completely closed book. In fact, you will not be permitted to take any study materials into the testing area; you may be given a scratch pad to use that must be returned at the completion of the exam.

The biggest change from previous versions of the test is that the original CISSP exam was a paper-based, bubble-sheet test consisting of 250 questions to be completed in a six-hour time window. Today the exam is electronic and is very similar to CompTIA exams and those given by ISACA. (ISC)2 now offers an adaptive test, called CISSP Computer Adaptive Test (CISSP-CAT). The CISSP-CAT is used only for the English version of the exam. For non-English versions, a 250-question, non-adaptive six-hour version is used.

If you are taking the English (CISSP-CAT) version of the exam, your exam strategy will be different from the strategy for the fixed-length exam. For example, the CISSP-CAT will not allow you to revisit a question: once you answer a question, you cannot go back.

You will view a minimum of 100 questions and a maximum of 150. Of the first 100 questions, 75 are graded and count toward your score, and the other 25—which are scattered randomly throughout the first 100 questions—are ungraded questions that are used for evaluation.

When you reach the 100th question, the system evaluates the probability that you will achieve a passing score. If the system estimates that your pass potential is 95% or higher, the test ends with a passing grade. If the system estimates that your failure potential is 95% or higher, the test ends with a failing grade. If the system cannot make this pass/fail determination at question 100, it reevaluates the potential again after each question until you reach the 150th question. You are then assessed only on the last 75 graded questions. This means that as you answer question 101, the first graded question is discarded and replaced with question 101. Then as you answer question 102, the second originally graded question is discarded and replaced with question 102, and so forth.

One big change is that with the CISSP-CAT you cannot revisit previous questions. You get only one chance to view a question and select an answer. If you skip a question, it is marked as incorrect. Therefore, guessing is a better strategy than skipping. You should always attempt to eliminate question options from consideration and then select your answer from the remaining options.

Non-English versions of the test contain 250 questions. Of these, 25 questions are for research purposes, and only the other 225 questions are actually scored for certification.

The exam questions are developed by an (ISC)2 committee and are frequently updated and changed. Make sure to look for keywords such as not, least, and most. For example, a question may ask about configuration management but show some incorrect answers that discuss change management. Missing one word or confusing one word for another on the exam can make a big difference.

Examples of CISSP Test Questions

This section describes what CISSP test questions look like and how they must be answered. The following are some examples of the various CISSP test question formats. Following each example is a brief summary of each potential answer and why it is either right or wrong.

Multiple-Choice Question Format

Each multiple-choice exam question requires you to select a single answer from the given choices. To answer this type of question, click the letter or text of one answer. In some cases, more than one answer might appear correct; you must determine which one is most correct.

1. What is the most widely used device to control physical access?

A. Chain

B. Lock

C. Alarm

D. Firewall

Drag and Drop Question Format

For a drag and drop question, you must move one or more correct answers from a pool of possible answers into the correct answers area. To answer this type of question, simply click, drag, and drop the correct answers from the “Possible Answers” section to the “Correct Answers” box.

1. Which of the following are examples of asymmetric encryption?

FIGURE 1.1 Drag and Drop Question

Hotspot Question Format

For a hotspot exam question, you must click on the correct area of a diagram—a hotspot—to answer a question.

1. When designing network controls, which would be the proper location for a firewall to protect the DMZ?

FIGURE 1.2 Hotspot Question

Answer to Multiple-Choice Question

1. B. Locks are the devices most commonly used to control physical access. Locks have been used since the time of the Egyptians. Answer A is incorrect because chains are not the devices most commonly used for physical access control. Answer C is incorrect because alarms don’t prevent access; they only inform you that possible unauthorized access has occurred. Answer D is incorrect because a firewall is used to control logical access.

Answer to Drag and Drop Question

1. RSA. RSA is the only example of asymmetric encryption. DES, AES, and SAFER are all examples of symmetric encryption. In this case, you should drag and drop only “RSA” into the “Correct Answers” box.

Answer to Hotspot Question

1. C. To answer the question, hold the mouse cursor over the area on the diagram that you want to choose as your answer. All available areas will light up (A, B, or C in this example), and you must click on the one you believe is correct. In this case, you’d want to deploy a firewall where item C is located between the internal network and the Internet.

Question-Handling Strategies

Because of the way that multiple-choice CISSP exam questions are structured, many times one or two of the answers will be obviously incorrect and two of the answers will be plausible. Take the time to reread the question. Words such as sometimes, not, always, and best can make a big difference when choosing the correct answer. Unless the answer leaps out at you, begin the process of answering by eliminating the answers that are most obviously wrong.

Almost always, at least one answer out of the possible choices for a question can be eliminated immediately because it matches one of these conditions:

  • The answer does not apply to the situation.

  • The answer describes a nonexistent issue, an invalid option, or an imaginary state.

After you eliminate all answers that are obviously wrong, you can apply your retained knowledge to eliminate further answers. Look for items that sound correct but refer to actions, commands, or features that are not present or not available in the situation that the question describes.

If you’re still faced with a blind guess among two or more potentially correct answers, reread the question. Try to picture how each of the possible remaining answers would alter the situation.

Only when you’ve exhausted your ability to eliminate answers but remain unclear about which of the remaining possibilities is correct should you guess at an answer. An unanswered question offers you no points, but guessing gives you at least some chance of getting a question right. Just don’t be too hasty when making a blind guess!

Mastering the Inner Game

Knowledge breeds confidence, and confidence breeds success. If you study the materials in this book carefully and review all the practice questions at the end of each chapter, you should become aware of those areas where additional learning and study are required.

ExamAlert

You will be expected to understand CISSP terminology on the exam. You need to understand the terms that might be used, and you also need to be able to apply them in the context provided in the test questions. As an example, the exam might talk about intrusion detection, but a specific question might address physical intrusion detection or logical intrusion detection.

After you’ve worked your way through this book, take the practice exams at the end of the book. Taking these practice exams will provide a reality check and help you identify areas to study further. Make sure you follow up and review materials related to the questions you missed on the practice exams before taking the real exam. Only when you’ve covered that ground and feel comfortable with the whole scope of the practice exams should you set an exam appointment. It’s advisable to score 90% or better before you attempt the real exam. Until you hit that magic number, you should obtain additional practice tests and keep trying.

ExamAlert

Armed with the information in this book and with the determination to augment your knowledge, you should be able to pass the certification exam. However, you need to work at it, or you’ll spend the exam fee more than once before you finally pass. If you prepare seriously, you should do well. I am confident that you can do it!

Need to Know More?

Passing the CISSP exam: cybersecurityventures.com/how-to-pass-the-cissp-exam-top-10-tips-from-a-chief-risk-officer/

(ISC)2 CISSP certification: www.isc2.org/cissp/default.aspx
