
How we got CISSPs

Barri Jansen and I went back to school last year. Mid-2016 we decided to affirm our security-related knowledge by getting the CISSP title. CISSP stands for Certified Information Systems Security Professional (Lord, how I hate those unpronounceable titles) and is the leading international title in information security. When someone is a CISSP, you know two things for sure: (1) he or she has gone through a lot of pain studying the Common Body of Knowledge (CBK), which CISSP prescribes, and (2) he or she has been challenged for hours in a tough exam that tests the gained knowledge. Ok, I'm exaggerating, though there's some truth in it.


Choosing a preparation course

To get the best preparation and increase our odds on the exam, we chose to follow a 'CISSP preparation course'. There are loads of training camps out there, which differ in approach. One approach is to cut yourself off from the outside world for a few days. You eat, sleep and breathe the CBK all day long, which costs you a total of five consecutive days. Another approach is to go to training one day a week for ten weeks. That's 20% of one year, excluding the time you need to study between the training and the exam. Still, we chose the latter, since we are convinced that knowledge has to sink in before it moves from short-term into long-term memory. We started in September and passed the exam in December, so it took us a quarter of a year. Quite a while, so keep this in mind when planning other activities.


We travelled to the Security Academy week after week and this turned out to be a good choice. We received the official (ISC)2 Guide to the CISSP CBK, which contains eight domains spread over more than 1200 pages of (interesting!) information. Along with the book, we received slides per day or domain. We discussed the slides in the classroom with the other participants. After every training day, we were supposed to do some homework. As in: study the massive load of theory and read through the notes we made during that day. Doing this really pays off and greatly improved my retention.


Content of the course

The first weeks went by and suddenly I noticed that it's quite hard to miss one day of my regular job every week for ten weeks. More than I thought it would be in advance. My schedule slipped a bit... Don't panic, I was already (or only?) half way! The last five weeks went by fairly quickly and I had spent quite some time studying at home. I reserved two study blocks of two to three hours (while my daughter was asleep) in the week to study at home. A moan from the baby monitor made me 'come back to my senses' and stop studying. Sometimes I went on studying with my daughter seated on the couch, watching the telly (I hope there are no pedagogues amongst us) with a bottle of orangeade and a bowl of fruit, because I enjoyed what I was reading and sometimes didn't want to stop yet.


A tip: you have to like theory about information security, because otherwise you'll fail. You also need a certain amount of basic knowledge to comprehend the security concepts that come up.


On November 21, the last day of the course, the Security Academy held a practice exam. We spent the morning answering 150 multiple choice questions and discussed them in the afternoon. I did surprisingly well and it gave me the courage to go for the 6 hour exam of 250 multiple choice questions, which Barri and I planned exactly one month later, on December 21. In the weeks before the exam I re-studied all domains, some more than others, depending on the degree of difficulty. After that, I spent time doing some more practice exams.


Another tip: buy the (ISC)2 CISSP Official App in the App Store. It is of great help and trains you with questions and answers. Another helpful (free) tool is aiotestking. This one contains many questions, some of which also appear in the official exam.


Judgement Day has come

The day has come. We were expected to start at 9 o'clock in Utrecht (we come from Arnhem), so after a ride of an hour I arrived at the location. More than an hour too early; better safe than sorry. Barri was there already, what a coincidence. We drank some coffee, we waited, and drank some more coffee again. The first staff appeared, so we moved to the registration desks, where we had to sign a couple of documents and were photographed, to prevent falsification, I assume. The photo appears afterwards on the paper which says you've passed the exam.


Slightly tense, I was guided by a staff member to a computer where the exam would take place. I settled in and started on the first question.


Tip: the exam really covers the theory of the CBK. However, (ISC)2 has chosen to test your knowledge not merely with fact-based questions; a big part is based on insight and understanding, tested through scenario-based questions. So it's important to not merely 'know the rules of information security'; you also have to have a feel for it, both to pass the exam and to become a good Security Practitioner.


After answering the last question (four hours later), I forced myself to review all questions once again before I left the room. I had marked a couple of questions which I was not sure about and used my exam strategy for answering them. Barri finished ten minutes before me, which made me slightly nervous because I was almost finished as well and was dying to receive my result. I reviewed the last question and finished the exam. "Are you sure?" it prompted. Hell yes. I was finished!


I walked out of the room and turned to the registration desk. "Congratulations!" the guy behind the desk said. I was overwhelmed, I did it! I had to sign another document and now - at this very moment - I am in the endorsement process. Barri passed the exam as well and we are very proud that our hard work has been rewarded. In the last phase, the endorsement process, we have to prove our working experience, and once we have done so, we have to maintain our CISSP title yearly. This is done by gathering study points through attending security-related events and seminars, reading articles, and so on. By becoming CISSPs, we make sure we keep up in the ever-moving world of information security and aim at making a difference in securing our society.