CertCities.com -- The Ultimate Site for Certified IT Professionals

My Top 10 Tips For Preparing and Passing the CISSP Exam
Insights, tips and tricks from a CISSP for putting your best foot forward when you sit this grueling, six-hour security theory exam.

by Tony Bradley

7/20/2005 -- The Certified Information Systems Security Professional (CISSP) certification from The International Information Systems Security Certification Consortium [(ISC)2] is arguably the most sought-after and widely accepted certification in the information security industry. It’s become established as the standard baseline for demonstrating knowledge and proving expertise in this sphere.

Compared with most other technical certification exams, the CISSP exam is quite long. Passing the test requires not only the prerequisite knowledge to answer the questions correctly, but the stamina and mental fortitude to get through the six-hour, 250-question paper-based exam. For an information security professional, preparing for the CISSP exam is a little bit like a runner preparing to race in a marathon.

Don’t fret, though. It can be done. There are plenty of CISSPs out there in the world as proof that you can pass the exam. Here are 10 tips I recommend to prepare for this challenge and give yourself the best possible chance of success.

Tip #1: Hands-On Experience
One of the requirements for being awarded the CISSP certification is a certain amount of time in the industry and hands-on experience: three to four years of full-time work, depending on your educational background. Even if it wasn’t a requirement, hands-on experience is a valuable means of learning about computer security.

Note: If you don’t have three to four years of experience, that doesn’t mean you can’t sit the CISSP exam. (ISC)2 will allow those who pass the exam without meeting the experience requirements to become Associates of (ISC)2, and then award them the CISSP title after the experience requirement has been met.

Many people simply learn and retain information better when they actually do it instead of just reading about it. You can listen to seminars and read books about various aspects of information security, but until you do it yourself and experience it firsthand, it’s just theory. In most cases, nothing teaches faster than actually doing it and learning from your own mistakes.

Another way to get hands-on experience, especially in areas you’re not currently focused on at work, is to set up your own mini lab. Use old or virtual computers to experiment with different operating systems and security configurations.

Tip #2: Begin Studying in Advance
The CISSP certification demonstrates that you know a little bit about a lot of different information security topics. Even if you work in the information security industry, odds are that you don’t focus on all 10 core bodies of knowledge (CBKs), or subject matter areas covered by the CISSP, on a day-to-day basis. You may be an expert in one or two areas, and very familiar with a handful more, but there are probably at least one or two CBKs that you’ll almost have to teach yourself from scratch to pass the examination.

Don’t expect to start studying the week before your exam and think you can pick up enough about subjects you’re not familiar with to pass. The scope of the information covered is huge, and you’ll need to study and learn it over a long period of time, so don't expect to just cram the night before. I suggest you start studying at least three months before your exam date and draw up a schedule for yourself to ensure you dedicate at least an hour or two a day to studying. It’s not unheard of for CISSP candidates to begin preparing six to nine months out.

Tip #3: Use a Study Guide, if Not More Than One
There are a number of excellent books you can use to help you prepare for and pass the CISSP exam. Study guides and exam preparation books can help boil down the mass amounts of information and assist you in keying in on the critical components you need to remember to pass the exam.

The sheer volume of information covered in the exam makes it difficult, if not impossible, to learn about everything in depth. Rather than trying to learn in a vacuum, so to speak, and not knowing which components of a given subject area are truly important, checking out some CISSP exam guides can help you key in on the specific information within the CBKs that matters most for passing the exam.

CISSP preparation books will certainly not make you an expert in subjects you’re not already an expert in. But, for the subject areas you know little or nothing about, a CISSP book, such as the “CISSP All-In-One Exam Guide” by Shon Harris, provides you clues and guidance about what the important information from those subjects is when it comes to passing the exam.

Tip #4: Make Use of Free Resources
When the economy dips and budgets get tightened, one of the first things to go from corporate spending is training. There are plenty of courses, boot camps and cram sessions that promise to prepare you for the CISSP exam, but they are exceptionally expensive. As much as possible, for your own benefit, you should look for resources that are free.

Experience is an excellent teacher, but it doesn’t always have to be your own personal experience. By joining online forums, mailing lists or local user groups, you can associate with others working in information security and learn from their mistakes and examples. Exchanging stories, issues and solutions among your peers will provide you with invaluable real-world scenarios to learn from rather than just theoretical book knowledge. Check out the many CISSP study groups on the Web, or look to join a local one with other candidates in your area.

Search online and you can find various study guides and practice exams or articles (such as this one) available for free. Here are some links to get you started:

  • SearchSecurity.com’s “Security School: Training for CISSP Certification” Webcast training series by Shon Harris
  • Free study guides straight from the source -- (ISC)2.
  • CCCure.org
  • About.com’s Web page on the (ISC)2 CISSP certification.

Tip #5: Practice Makes Perfect
Even if you’re confident that you have sufficient knowledge across all 10 areas of subject matter to pass the exam, you should take some sample or practice exams before you go take the real test. Practice exams will enable you to assess your knowledge and also prepare you for the types of questions you might see so you aren't caught off-guard on test day.

Many of the study guides and CISSP preparation books come with a CD containing a practice exam or some sort of practice test. You can also get practice questions from each of the ten CBKs in the Webcast training sessions mentioned above. Longer practice exams that mimic the CISSP in terms of length and scope are available from some providers, like Boson and Transcender. Also stop by CCCure.org and check out its online quiz engine.

Tip #6: Read Carefully
When you first start the exam, you might be excited just to find out you actually understand the questions. The terms used and information covered may seem to be exactly what you’ve prepared for, and you could become a tad cocky or be lulled into a false sense of security.

No matter how familiar the information may seem or how easy the questions sound at first glance, it’s imperative you take a deep breath, slow down just a bit and make sure you read every word of every question to make sure you’re answering the question being asked.

Test writers like to use double-negatives or slide words in to change the meaning of the question. Missing the word "not" in a sentence can be catastrophic.

Tip #7: Watch the Clock
Time management is essential for the CISSP. You have six hours to complete the CISSP exam, which might seem like an eternity to take one test. It’s not.

Do the math: With 250 questions, you have less than 90 seconds per question in that six-hour time span. If you spend five minutes pondering one question, you need to answer three other questions in under 20 seconds to stay on track to finish within the allotted time. And you still have to read each question carefully, as pointed out in the previous tip; keep your eye on the clock as well to make sure you’re making sufficient progress to finish on time.

You should be able to answer many questions in the blink of an eye, so you’ll have some time to spare to dedicate to questions that stump you. However, you aren’t going to suddenly learn information you don’t know if you stare at the question long enough. Give yourself enough time to think about the question and try to remember the answer, but after a couple minutes just pick your favorite answer and move on. Better to take your chances on getting one question wrong than to devote so much time to that one question that you run out of time and never get a chance to answer a handful of easier questions.

Tip #8: Stretch and Relax
It’s difficult enough to think under pressure without adding discomfort. Six hours is a long time to sit in one place. If your mind is too stressed or tense, or you’re physically uncomfortable, it’s difficult to focus and think straight.

Yes, I just got done writing about how little time you have to devote to each question in the first place. For many people though, a short break to stand up, stretch and relax will prove invaluable. Stretching your muscles and giving your brain a few seconds of serenity will help you to concentrate on the questions in front of you and think clearly about the answers, rather than focusing on how uncomfortable the chairs are or getting so stressed out that you can’t think straight.

Tip #9: Get Some Sleep!
No, there won't be any entertainment during the test and the questions are not that engaging. To make sure you don't fall asleep or disrupt your neighbor's concentration with your growling stomach, make sure you get a solid night of sleep and eat a good, healthy breakfast before testing. Being well rested and getting the proper nutrition the day of the exam will serve you much better than pulling an all-night cram-session.

Aside from these two imperatives, though, how you prepare the night before or the morning of the exam is a personal choice. Some people may want to read their notes, take another exam simulation test or cram down to the very last second. Personally, I woke up and played Tetris all morning. I find it gets my brain in gear while also taking my mind off of the stress of the exam.

Tip #10: Don't Be Intimidated
Some people can take almost any test cold and still pass. Others may have dedicated themselves to studying and learning everything they possibly can for months, and freeze up on test day. If you have followed the above tips, you should be prepared and have no problem passing the exam. Don't let the 250 questions or the six hours intimidate you.

It’s a long exam to earn a valuable certification which may have an impact on your career and your future. But when exam day comes, you either know the information or you don’t. Have faith in yourself that you’ve done all you can to prepare for and pass the CISSP exam and don't pop a blood vessel trying to second-guess yourself.

Best of luck to all of you on your path to the CISSP!


Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the editor of About.com's Guide for Internet/Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions, visit Essential Computer Security.

There are 30 CertCities.com user Comments for “My Top 10 Tips For Preparing and Passing the CISSP Exam”
Page 3 of 3
8/15/06: Ini from Tampa, FL says: This is an excellent article period!!! I took the CISSP twice. The first time I scored 630 but did not prep as much as I did for the second time. Two resources that I used were S.Harris and CCCure.org. The Harris book covers all the details and the Cure.org site preps you for the kind of questions to expect on the test. Another material I used was the prepLogic CDs, they give you a different view of the exam. The second time I took the exam I was the last to leave the room as this time I was determined - took the whole 6 hours. Strange I found the second exam to be harder than the first time I took it. Good Luck.
12/12/06: ishaq ahmadu from Nigeria says: I want to know the cost of certification and designation centres, please furnish me with those. I am a Nigerian who is interested in furthering my career.
12/18/06: Menon S K from India says: I just wrote the December 16th 2006 CISSP exam. Every word said in this article is important. I thought that I was pretty fast with objective test. I used to take less than 15 seconds to answer a question and finish off 250 questions in practice tests in under 2 hours. All this was until last Saturday where nothing prepared me for the real thing. I just managed to finish with about 5 minutes to spare after a grueling six hours and I am still not sure if I answered correctly. However the questions were so challenging that either way, pass or fail, I still enjoyed the experience. If I don't make it, I intend to write again. Coming out of the hall the only relief was that I found all others with the same expression of disbelief, mainly at the ingenuity of the questions. And by the way, all expressed their doubt about making the grade.
1/18/07: aduola johnson from Ibadan, Nigeria says: Thanks for your cute advice. Kindly let me know the exams centre and cost in Nigeria. God bless
1/19/07: Anonymous says: It is a good article but I expected more free study material
3/25/07: Anonymous says: To the posters asking how much exams and trainings cost in various countries: Check out the ISC2 website for more details and email their testing staff. They'd most likely be able to answer your questions best. www.isc2.org
9/6/07: Anonymous says: I think these are excellent tips! CISSP is an endurance test and physical well being during the exam is EXTREMELY important. I passed it the first time because the CISSP who later sponsored me told me about the physical requirements of the exam. And I studied like I did for no other exam. Most IT certification tests I can pass in my sleep - I earned this one!
9/27/07: Anonymous says: OK Article
10/9/07: juni from Quebec says: Hi, can anyone tell me if CISSP training is avail in Montreal...!!!!
Copyright 1996-2007 1105 Media, Inc.