Monday, 23 May 2016

Passing the CISSP exam and how to do multiple-choice

If any of you have looked at taking the CISSP exam, you might already know that it consists of 250 mostly multiple-choice questions and that you have 6 hours to complete it. You might also know that test takers sign an NDA not to reveal the questions, so, having passed today, I can't tell you what they are!

What I can tell you is that in order to pass the CISSP, you need a combination of good general knowledge of the domains and good multiple-choice skills; the icing on the cake is understanding the way that the CISSP asks its questions.

If you have the CISSP Common Body of Knowledge (CBK), you will see a range of example questions, and these are probably a reasonably fair indication of the types of questions you will see. Too many in the book, in my opinion, are poorly worded, and they helped feed my sense of fear that I would not be able to answer the questions even when I knew the topic of the question.

So here is a list of hints and techniques to reduce the fear that you will pay $700 and fail the exam.


  1. The CISSP is a practitioner's exam and is designed for experienced Information Security Professionals. If you are fresh out of college or have just changed career, you will find it VERY hard to learn enough to pass the exam (and you will need five years' experience to get the title anyway). This is for two reasons. Firstly, you will be helped a lot on the exam if you already have good knowledge of 2 or 3 domains, or perhaps in-depth knowledge of one and a good general knowledge of the others. I work in software, so the whole areas of network security and software development are reasonably familiar to me; all I have to do is look out for the specific words or phrases used in the book.
  2. The CBK is not a novel; it is more like a (poor quality) dictionary. The CBK, sadly, feels quite thrown together. It contains a vast amount of information, some of it out of date, some of it seemingly overly deep for a high-level accreditation, but it is what it is. You are better off skimming the section headings, reading up on concepts you are unfamiliar with (but not too deeply to begin with) and then doing some test questions to get a feel for how deep to go. Not many of the exam questions required reading the fine detail of each topic.
  3. When you are doing these or other approved test questions, there are two things you can do to help the experience. Firstly, time the test to get a ballpark figure for how long you are taking per question. In the exam, you have roughly a minute and a half per question (6 hours for 250 questions), which is fine if you are a fast recaller but otherwise it could go quickly. Secondly, after marking your answers, look at all of them again and decide: a) you knew the answer (good); b) you got it right but it was a guess (read up some more on it); c) you got it wrong because you didn't know the topic (read up some more); or d) it is a poorly worded question, which is why you got it wrong. In the case of d), it is really important to try and see where you got the question wrong (more on that later), since it might be something really subtle in the wording that you could have picked up on.
  4. Avoid any unofficial questions you might find on the internet. Are they correct? Possibly. Are they useful? Hard to say. You can know the entire CBK and still struggle on the real questions because of their style, so it is better to find something official. There are a few official CISSP books and apps around (check they are for the latest edition of the CBK), and I found the Sybex Android app really helpful; the questions weren't exactly the same style, but it covered good ground and increased my confidence in taking the exam.
  5. Try to study little and often. Most knowledge takes a while to file in our brains, and a few all-nighters will probably not help, especially in a subject with lots of fluffy words and concepts (risk assessment, BIA, threat analysis, vulnerability assessment etc.).
  6. Keep taking the test questions until you can get them mostly correct.
So here is some advice on the style of questions in the exam. I am not authorised or approved by ISC2, so take my advice for what it's worth!

  1. As you've probably noticed, there are various questions based on lists of answers, such as the steps in Disaster Recovery or in a Risk Assessment, or perhaps the ISC2 canons. In many of these questions, you will find that each of the 3 wrong answers contains a specific phrase that is either obviously wrong (e.g. "will increase costs" for something that would obviously decrease costs) or wrong in a more subtle way (is risk assessment a step in the Business Continuity process?). Looking for the wrong answers is often easier than picking the correct one!
  2. The core principles of CIA are really important. Sometimes, if you don't know the correct answer, you can work out which one(s) make or break the principles. The answer to a problem on a "critical" system probably relates to not interfering with availability. An answer that looks good but does not relate to a core principle is likely to be wrong compared to a CIA answer. Various questions on reacting to incidents fall into this camp.
  3. Lots of questions understandably relate to risk, threat and vulnerability. You should understand these concepts in order to tell the correct answer from what are sometimes 4 very similar answers.
  4. A trick question I have seen relates to "which of the core principles of CIA..." and then lists the 3 principles and also a 4th answer. Although the 4th answer looks like the obvious fit and is the closest to the real answer, because it is NOT a core principle, it cannot be the correct answer! You have to be careful: these are not primary school questions about 10 + 4 but are looking to see that you understand the subtleties of Information Security and the concepts that don't necessarily match up to traditional "good engineering".
  5. Some questions to do with authorisation or reporting mention Line Managers. Again, in the real world, Line Managers are heavily involved in day-to-day operations, but in Information Security they do not automatically have a role in any IS process or procedure.
  6. There are various questions (fortunately many more in the test questions than in my real exam) that have confusing case statements, e.g. "Which of the following statements is NOT true", followed by statements that begin with something like "such and such is NOT something". Talk about confusing, but, again, carefulness wins the day here. I had to read one question about 5 times to get it!
  7. If you are confused by the question (there was one in the exam that was very vague), skip it and carry on. You might find some clue in a later question. In this instance, it was a scenario question with 2 or 3 sub-questions, and reading all 3 sub-questions eventually made me understand what the original question was asking!
  8. Be careful with questions about "which of these is NOT..." because in some cases the answer is one that looks like a real one but isn't quite. One test question listed "principle of least permission", which is NOT actually correct. Another listed "Disclosure" where it should have been "Information Disclosure". Tricky but not impossible to spot.
  9. It's useful to know the various access control systems like MAC, DAC etc. and what their strengths and weaknesses are.
  10. There are lots of questions about what is the first, or the best, or the primary. This immediately implies that more than one answer is defensible, so be careful not just to grab the one that jumps out at you. Again, the primary one is probably related to CIA.
  11. Some questions relate to Business Continuity and Disaster Recovery. I got quite confused while training about the distinctions, so it would be useful to spend some time and get these linked up correctly in your head.
  12. Some questions will have 2 answers that are obviously wrong. Sometimes the two answers that are left are 50/50 in your head; other times, because you recognise one, you think that it must be correct. For example, you recognise Bell-LaPadula but not Clark-Wilson. Don't just choose it without considering the ones you don't recognise, but at the end of the day it is better to choose one that might be right: if it is a question about models, pick the one you know is a model rather than one that you don't know is a model and therefore might well be wrong.
  13. Use acronyms or acrostics to remember lists (you could invent one for symmetric algorithms or the OSI 7-layer model). I thought of a way to remember the classes of fire extinguisher as simply Solid, Liquid, Gas (for electrical fires), Metal.
  14. Use the hints in the answers to the CBK questions to try and get into the head of why certain answers are right or wrong. It will often explain that, e.g., B and C are correct but are not the first thing, or that B is a stronger answer but is only sometimes correct whereas C is always correct.
The main thing with this accreditation is to realise it is based in practice. In reality, you should not presume that you can obtain it without good quality work experience. You will need five years of experience to qualify for it, so try and make those hours add up before taking the exam. By applying as many principles as you can, and even asking for placements in areas outside of your normal expertise, you can hopefully approach the exam and the CISSP in general with confidence.