Talking Shop: CISSP exam prep options

Looks at the pros and cons of instructor-led CISSP training vs. self-study methods

The orchestra of an integrated enterprise security program requires a conductor who understands such disparate topics as fire suppression methods, biometric access controls, cryptography, and security architecture models, as well as legislative and ethical compliance, organization security policy management, system and applications design security, and logical access control. Although documented experience is the strongest indicator of an individual's qualifications, the Certified Information Systems Security Professional (CISSP) certification has become the bellwether credential for broad information security expertise.

The challenge of preparing for this particular exam lies in its exhaustive coverage of infosec topics. You're not likely to be familiar with all its topic areas even if you know firewalls inside and out and have been administrating network security for a decade. This article compares and contrasts some of the methods available for preparing for such a diverse and far-reaching exam.

More about CISSP certification
To learn more about the CISSP certification and exams, read "Security certs may be mandatory for IT pros in financial and healthcare fields" and "Just how tough is it to become a CISSP?"

CISSP exam preparation options
How you prepare for the CISSP exam often comes down to a compromise between good, fast, and cheap. You can have any two of the three.

To help you determine the best compromise for you, we'll take a look at the pros and cons of instructor-led CISSP training versus self-study methods. We'll also explore critical elements of each so you can make a better purchasing decision when you're ready to invest in your personal development and exam preparation. Your basic choices for exam preparation are:
  • Instructor-led training
  • Practice exams
  • Comprehensive self-study
  • Computer- or Web-based training

The option you choose depends on your prior knowledge and experience, your access to funds, and the timeframe in which you hope to become certified.

Option one: CISSP instructor-led training
If money is not a problem, you'll want to take a look at the CISSP instructor-led training options. This method of study is good and fast, but not cheap. CISSP instructor-led training costs between $2,000 and $3,000, plus travel expenses, if necessary. It takes about a week.

If done properly, instructor-led training can really fast-track your CISSP preparation. The training is usually provided by professionals who have successfully run the CISSP gauntlet and can transfer that knowledge and ability to you in a rapid fashion. By attending an intensive five- to seven-day class, it is actually possible to gain the enormous amount of knowledge you need.

Some classes even teach you the special test-taking skills you need to pass an exam as tricky as the CISSP. The value of instructor-led training really boils down to its ability to compress the time required for preparation and to ensure that you not only come to know a tremendous amount about information security, but that your new knowledge base maps to CISSP exam expectations. If your time is worth money, the time saved with an instructor-led CISSP class often more than compensates for the extra money spent on the class itself.

The disadvantages of instructor-led versus self study include the higher up-front cost, the necessity to travel, and the requirement of taking at least five consecutive days off from work.

Option two: Practice exams
For fast and cheap preparation, you could try pounding practice exams for one to three weeks. This can actually work if you already have an unusually high level of expertise in at least eight of the security domains and a finely tuned ability to take tests, and if you just want to polish up. Practice exams alone will not work for most people, and the cost for practice exams can vary greatly, from as little as $50 up to $400.

If you want to pursue this method, you can start your search for practice exams at fairly reputable vendors such as Boson and Transcender. Many of the most popular CISSP books on the market also include electronic practice questions.

Beware of exam-pass guarantees here, though. Many practice exam vendors have followed Transcender's lead in giving you your money back for a practice exam purchase if you can prove you failed your CISSP exam twice within 90 days of purchasing your practice exams. Chances of a CISSP exam being offered near you twice within a 90-day period are practically nonexistent. If you use the practice exams for one month before making your first exam attempt, it will still be another two weeks until you get your exam results back, leaving only six weeks to your guarantee. You'll have to hurry to fail again quickly to get the results back soon enough to get your practice exam refund!

Option three: Comprehensive self-study
If you have lots of time and very little money, there is finally enough material on the market in the form of books and whitepapers to prepare you for the CISSP exam. The comprehensive self-study method will cost between $100 and $600 and take about three to nine months.

Despite much of the advertising hype to the contrary, I have yet to find a book that really is "all you need to get your CISSP certification." If you are open to reading at least two books, I recommend the The CISSP Prep Guide, by Ronald L. Krutz and Russell Dean Vines, and the All-in-One CISSP Certification Exam Guide, by Shon Harris and Gareth Hancock. Combining the contents of both books will give you most of what you need. At 1,905 total pages, they will also overwhelm you with a lot of what you do not need. It will be up to you to figure out what you need to focus on for your exam.

Other books are available, and I encourage you to read independent reader reviews available through online bookstores on the alternatives. By studying from several sources and augmenting your studies with practice exams, you can prepare for your CISSP exam with reduced up-front investment. Just be careful to assess the risk of losing opportunities by extending your preparation time by several months.

Option four: Computer-based training
Earlier this year, my company, Certified Tech Trainers, released a computer-based-training (CBT) alternative for CISSP preparation. Another source of Web-based training is SmartCertify. These CBT options will cost between $1,500 and $2,500 and require between three and eight weeks study time.

CBT courses provide some key benefits: They eliminate the need for travel and provide the flexibility of studying at your own pace, whenever you have time. Further, this type of training allows repetitive review, which an instructor-led class doesn't.

Choose the preparation method that suits you
Because we all have different needs and constraints, there is no single best solution for preparing for the killer CISSP exam. If your time is at a premium, you can take a week off from work, and you can afford the higher up-front cost of instructor-led training, attending a CISSP class might be right for you. If you can't spend more than $1,000—which is the case for many of us in today's economy—you may opt for the longer and more laborious path of self-study with books and practice exams. If you find yourself caught in between, hoping to aggressively pursue CISSP certification without the luxury of the funds or time to travel, a CBT might be right for you.

However you choose to prepare, there is just no getting around the fact that the CISSP is a formidable exam and will require a lot of work and some investment. Of course, if it was all that easy, everyone would have it.


Editor's Picks

Free Newsletters, In your Inbox