jefferywmoore/CISSP-Study-Resources
CISSP Study Resources
Material and Resources for pursuing CISSP Certification

This is my collection of resources, study materials, notes, and advice I have gathered, working towards certification. Because there is so much material available, when you are starting out it can be a bit daunting to even know where to begin, and what really merits your time and effort. No compilation is exhaustive, but my goal is to put together information that will be useful and encouraging to others undertaking this effort. At the least, it provides a list of resources, tests, and reference material to review.

My study notes/guides are based on the 2021 Official Study Guide, 9th edition ("OSG-9"). For an overview of what's been added and changed in 2024, take a look at Destination Certification's CISSP 2024 Exam Changes.

Feel free to share this repo or any of the resources if you find them useful. Tell me about mistakes or improvements you think should be made! Connect with me on LinkedIn
Table of contents
- Overview of CISSP exam and content.
- Reference Material including books, articles, courses, videos, and test banks.
- My Study Guides By Domain built as I'm progressing through the reference material.
Overview
There is a ton of information on the CISSP exam available, including from (ISC)², associated & third-party instructors and authors, as well as guides put together by those in preparation. If you're just starting out, I'd recommend the Sybex Study Guide and Practice Test bundle (note that I get a small commission for purchases made through Amazon links).
Many have noted that the most appropriate frame of reference is that of a manager, and not a technician. Try to understand the process, and why any technology would be used. As Lance puts it, try to answer these questions for basic topics:
- Why is the technology needed?
- What is the process for making a pro or con decision?
- When would it be needed, and under what circumstances?
- Who makes the decision?
- Who will be operating it, and what access controls need to be implemented? How are they defined? What are the steps involved?
- Who will be auditing usage? Internal vs external and why?
- Who will create relevant policies for it?
- Who implements it, and what are the steps in doing so?
- What are the risks, and who evaluates, quantifies, and accepts (or rejects) them?
- What are the implications for architecture, for structure, for costs?
- What are the privacy ramifications?
Focus on understanding the topics, and the analysis process. Your goal is to reduce risk.
- Read the question and answers twice: skim the question and answers, then go back and read through the question carefully. Argue with each of the answers. Does an answer meet all requirements in the question? Are any other answers more efficient for time and cost?
- If you have no idea what the answer is, you can generally eliminate at least two answers by thinking about the language used in the question. For instance, the question could be asking for a technology, and two of the answers are about process.
- The first priority for any incident is saving human life.
- Think before you act:
  - Understand business objectives
  - Review current security state
  - Interview stakeholders
  - Identify owners/assets/values
  - Assess current controls
  - Analyze impact/exposure/alternatives
  - Verify/confirm reports
Reference Material
- As mentioned above, the Certified Information Systems Security Professional, Official Study Guide (10th edition) and Practice Tests is a great study baseline, with 100 questions for each of the 8 domains & more than 1300 questions total.
- CISSP All-in-One Exam Guide (currently Ninth Edition is available, from May, 2023) - I've found the book valuable, as it reinforces core concepts, and provides additional clear explanations to supplement the OSG.
- This course has been highly recommended by several people: CISSP Overview by Kelly Handerhan
- Thor Teaches:
- Thor Teaches CISSP Study Bundles
- Daily CISSP Questions
- OSG and All-in-One Exam Guide practice tests: once you've traversed the OSG material, these tests are a good baseline.
- CISSP Exam Prep: users have commented on the "tricky questions" in this test bank; that might be a distraction or conversely force you to pay closer attention, depending on your POV; note that you'll need a subscription ($24.99 for 6 months).
- CertPreps: user comments range from "very realistic" to "will make you worry unnecessarily." Many questions focus on identifying the "most" significant/effective strategy/benefit, or "highest" priority.
- CCCure: freepracticetests.org redirects to CCCure, which requires a subscription (from single-user 1 month @ $59.99 to 12 months @ $149.99). I took a practice test and found it underwhelming, but your mileage may vary.
Note: these are the notes and resources I've found helpful in my study so far. You are advised to do your own analysis to determine what will be helpful to you in your study. There are no guarantees, implied or otherwise, that these notes are complete or will meet your needs to pass the CISSP certification.
Study Guides By Domain
- Domain 1 - Security and Risk Management
- Domain 2 - Asset Security
- Domain 3 - Security Architecture and Engineering
- Domain 4 - Communication and Network Security
- Domain 5 - Identity and Access Management (IAM)
- Domain 6 - Security Assessment and Testing
- Domain 7 - Security Operations
- Domain 8 - Software Development Security