Top tips for passing your (ISC)² CISSP or CCSP exam

Graham Thompson   ·   Wednesday, April 21st, 2021

Are you preparing for your CISSP or CCSP exam?

Stop studying right now and understand the following preparation tips before reading another sentence of any exam prep book.

Although the focus of this blog is these ISC2 exams, these concepts are generally true for any exam.

Know your role

Why are you taking the CISSP or CCSP exam? Probably to advance your career, right?

The CISSP and CCSP certifications are for Chief Information Security Officers, risk directors, security leads, and managers.

It is NOT for tactical positions.

Does your CISO adjust firewall rulesets? Likely not if you work for an enterprise. If you want to work on firewalls, get certified by your preferred vendor.

Want to position yourself for security management? Become an (ISC)² certified professional. Know your target role, choose your desired certification and always keep this focus top of mind. This will stop you from going down rabbit holes that may satisfy your curiosity, but ultimately distracts from your goal and increases your preparation time with little benefit.

Understand how the exam is created and maintained

To talk about this, you need to understand how the (ISC)2 makes their exams to understand what you are up against.

First, they periodically send out a Job Task Analysis (JTA) survey to existing certification holders. In a blog post on the (ISC)2 site that discusses the JTA, the importance of the JTA is pretty clear:

“The (ISC)² Job Task Analysis surveys provide the essential foundation for all of our certifications. They are the single most important activity that shapes our certifications. They map the actual current job tasks performed by our certified members to the content of our credentialing exams. This ensures that the content of our exams remains relevant to professionals immersed in this dynamic, demanding and fast-moving industry and that our certifications continue to be the “gold standard””.

Having done a recent JTA survey, I can tell you they basically go over each major area of focus that currently exists in the certification’s Common Body of Knowledge (CBK).

You then rank the importance on a scale of 1 to 5. It makes sense then that if in real-life a subject isn’t important, they’ll either minimize the amount of questions on that subject, or remove the subject completely in the next revision of the exam.

From there, the blog entry describes the next action that takes place:

“The data collected from these surveys contribute to updating the existing Detailed Content Outline (DCO) of our exams. Psychometricians, who are experts in measuring the knowledge, skills, and abilities of professionals, analyze the data and use the survey results for developing DCOs for the certification exams.”

The Detailed Content Outline (DCO) is available as part of the Certification Exam Outline. As of the time of writing, they are available at the following links:

• CISSP Certification Exam Outline
• CCSP Certification Exam Outline

The table below lists the domains, their exam weightings and number of topics per domain for the CISSP exam (select to enlarge):

And here’s the CCSP exam breakdown from that exam DCO (select to enlarge):

Putting it all together

The process for researching and delivering exams can be summarized in the following infographic (select to enlarge):

See the forest for the trees

The ISC2 describes the CISSP as follows:

“CISSP validates an information security professional’s deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization.”

And here’s their description of the CCSP:

“The Certified Cloud Security Professional (CCSP) applies information security expertise to a cloud computing environment and demonstrates competence in cloud architecture, design, operations, data security, governance, risk, and compliance. This professional competence is measured against a globally recognized body of knowledge.”

I’m going to make this as clear as possible. If your answer is the most technical one listed, you’re probably wrong.

Always stick to the big picture. A phrase I like to use is “know the What, Where, When and Why; not necessarily the How. The “How” comes with vendor-specific training and certification.

You’re never going to be asked how to configure a security control. It’s not the focus of the certification.

Experience is paramount

There are experience requirements for each certification.

ISC2 states that CISSP candidates “must have a minimum of five years cumulative paid work experience in two or more of the eight domains of the CISSP CBK.”

For the CCSP, ISC2 states “candidates must have a minimum of five years cumulative paid work experience in information technology, of which three years must be in information security and one year in one or more of the six domains of the CCSP CBK.”

The ISC2 will, without a doubt, hit you with questions that are not explicitly stated in their books (or training courses).

They will gear their questions so that someone with 5 years experience would be able to answer, whereas someone with no experience wouldn’t understand where the question is actually heading.

There is no amount of cramming for an exam that can replace the experience requirement.

Know your strengths and weaknesses

This is straight-forward, but it’s human nature to focus on strengths because it’s easier and frankly feels like you’re accomplishing more.

We already covered the breadth of information of each exam. There is simply no way that anyone can claim themselves to have expert-level knowledge of 280 CISSP topics.

Your strengths are already your strengths.

Address your weaknesses by understanding the broad strokes of a topic and how they fit in the big picture.

This might sound off at first blush, but have at least a Wikipedia level of knowledge on all subject matter and consider how it fits into the Big Picture.

Security is much more than technology

This comes back to a previous statement that if your answer is the most technical solution, it is probably not the best answer.

I am going to give an example using a made-up CCSP question:

Your company is interested in procuring storage as a service from a cloud provider. What is the first thing you should address prior to using the cloud service?

1. Understand the encryption level used by the provider.
2. Understand the geographical area where the cloud provider is located.
3. Understand the Service Level Agreement with attention to availability.
4. Understand the shared responsibility model stated in the contract.

All of these are important and any of them could be a right answer…but which one is the best answer from an ISC2 perspective?

The best answer is #4.

If you don’t understand what the provider is responsible for and what you are responsible for, how are you going to secure your usage of the providers service?

Also, all the other answers will be laid out in the contract.

This is what I’m talking about.

Big Picture. Always.

People are your number one asset

This is kind of my inside CISSP joke (along with protect the Commonwealth), but it’s equally true for any ISC2 exam.

People’s lives are the single most important focus.

This mostly applies to physical security topics such as fire suppression systems, exit doors and the likes. It is suboptimal if people’s computing experience is negatively impacted by security, but security should never kill someone.

If your answer is the most technical one, it is likely wrong

Just worth repeating. Next…

Everything in cybersecurity is defense in depth and there is more than one control type

Controls will fail, it is a fact of life.

You always want to have multiple layers of defense in place.

Oh, another important thing, security controls are not just things that prevent bad things from happening.

Yes, preventative controls are particularly important, but so are detective, corrective, recovery, deterrent and compensating controls.

If you just rely on preventative controls, you are building a one-legged stool as far as security is concerned.

Security serves the business

Just a reminder of the mindset needed.

Your role is to maximize protection of corporate assets and work with others to address Governance, Risk, and Compliance across all aspects of the business.

That’s the goal. That’s the building block.

Everything in the CBK for both the CISSP and CCSP certifications supports this core concept. Never forget this.

Bonus Tip: Never change your answer

Trust your gut. I mean never is a very strong word, but in reality, the only time you should ever change an answer is if a later question proves your initial thought wrong.

Parting thought

A final note about training options…

I would not even consider an unauthorized training supplier.

Just remember, you always get what you pay for, and cheap is cheap for a reason. You will not get authorized courseware and your instructor will not be a certified instructor either.

A bad course will just leave you confused and less likely to take, let alone succeed on the exam.

Given the choice between a cheap course and self-study, I’d probably just self-study. The downside of self-study is that you need a lot of discipline to spend a couple of hours preparing every evening.

Here at Intrinsec Security, we only offer authorized ISC2 training with authorized trainers and material and we support you after your course is done.

If you are considering taking official ISC2 training for your exam, or getting your team trained, contact us to discuss the options best for your needs.