CISSP Study Guide [Paperback]

Obviously I am biased since I am a fellow SANS instructor, but will try to support my thoughts with data. I agree with another poster that the one star ratings are unfair, especially the guy that had not read the book; too funny. Well I have read the book, cover to cover on airplanes and some sections I have read twice. Why four stars? I am concerned that if this is the only CISSP prep you have, you will not be fully prepared for the exam. On the other hand, if you have taken a CISSP review course or read another book, this will be a great supplemental tool. I am a big fan of the Shawn Harris CISSP prep book as well, but you really can't take that monster with you on a trip, this book fit right in my carry on outside pocket.

OK, let's drill down into the book:
Ch 1: How to pass the exam, 5*s, clear and practical
Ch 2: Information Security Governance, 5*s, complete, concise, nothing missing that I can see
Ch 3: Access Control: 4*s, this chapter gets a bit muddy, the authors chose to cover some of the data flow access models in Ch 6 which is fine. First half of the chapter is true to the spirit of the book, the types of attackers section seems to be a touch superficial, thought the Metasploit "Point, click and root" was a chuckle.
Ch 4:Cryptography, 5*s, in my view this is the strongest chapter in the book, clearest explanations I have ever seen with one exception, in 2nd edition I would rework the Vienere Cipher section.
Ch 5: Physical Security, 5*s, complete, concise, let's you review the material in the shortest amount of time
Ch 6:Security Architecture, 4*s, I think there is a risk that the exam could cover more virtualization than the book prepares the candidate for. Not that I have knowledge of what is on the exam, but it is one of the most important topics in security right now and it only gets three paragraphs. I would also rework polyinstantiation, most of the sections are crystal clear, but this is a bit muddy.
Ch 7: Business Continuity, 4*s, I think this chapter could have been a touch shorter to be true to the spirit and approach of the book, all the information is there, but I had to force myself to read it, in second edition, suggest a do over.
Ch 8: Telecommunications, 5*s, authors are true domain experts, so they are able to concisely explain the material
Ch 9: Application Development Security, 5*s, same comment as above, since the authors know this stuff cold, they can make it very clear
Ch 10: Operations Security, 5*s, I do wish ISC2 would get on board with the better incident response model, but that is not the author's fault, this chapter is also true to the spirit of the book.
Ch 11: Legal regulations, 5*s, authors did a better job overall than I do with my course ( I will start the rewrite this week). I would suggest adding the concept of attestation to Chain of Custody.
The remainder of the book is a self test and the authors have additional practice testing on their web site. The Glossary is complete and also concise.

First things first. The two, 1-star reviews posted here are completely unfair. The first, gives the book 1-star just because he couldn't access the online content (which has been rectified). One star certainly for a book that failed to help him pass - but because he couldn't access an URL? Geez. And this guy wants to be a CISSP!!

The second review? - well, i don't even know what this guy is banging on about. Odd. Seems like no-one has actually read the book.

Anyway - on to the book itself.

If people really think they need a 200 pound monster-book, full of fluff and nonsense (though granted with good technical content)to pass the CISSP, they are wrong. Sure, if they need a reference post-certification, then by all means, get the 'other' book. However, if you want something practical, concise and most importantly, to the point, then this book is the way to go. I am not saying you only need one book, but this book could easily be your main book, which you would then supplement.

Don't listen to these two 1-star reviews. They totally miss the mark of being a fair and objective appraisal of this work.

The goal of every certification preparation book is to help the reader pass the exam, which is a noble goal. Evaluating the actually efficacy of a specific certification book is a challenge, if not an impossibility.

As to the CISSP exam; a statistical approach would be to take two sample groups using two different CISSP prep guides, using the same study methods, and then judge the outcome. The group with the higher pass rate could in part be attributed to the better study guide. Practically, such an approach is unachievable given the myriad difference in people, their study habits, and many other factors.

The best article about the exam is Andy Briney's Certifiable - A newly minted CISSP gives you the inside scoop on infosecurity's most coveted--and controversial--certification. Briney sums it up best when he notes that "the exam is best characterized as an inch deep and a mile wide. Whether this makes it easy or difficult is a matter of perspective". Part of the challenge that Briney (who passed the exam) and every other CISSP candidate have is the anxiety over just how much material to study.

With that, the CISSP Study Guide does a good job of helping the reader prepare for the CISSP exam. The authors write in the introduction that they wanted to find a happy medium between mega-CISSP prep guides at over 1,000 pages; with endless minutiae, and those that are far too concise and don't provide enough background. At 440 pages, the book does achieve the goal of depth of subject, without killing too many trees. The authors attempt to include content that is only relevant to passing the CISSP exam, and don't want to write an infosec encyclopedia.

One of the challenges any CISSP has in writing an exam prep guide is that they are bound by a non-disclosure agreement with ISC2. Prior to starting the CISSP exam, all candidates are presented with a non-disclosure agreement and are required to accept the agreement or they can't take the exam. Any CISSP author must straddle a fine line in ensuring they don't break the NDA.

The book does a good job of providing the reader with a thorough overview of the many elements of the Common Body of Knowledge (CBK). The book, like every CISSP prep guide is written around the CBK. Each chapter of the book has the same style, where it opens with the unique terms and definitions of each CBK module, and then goes into the various component parts. Each chapter closes with a 15 question self-test.

For most people, the most challenging CBK domain is that of cryptography. At 37 pages, chapter 4 on cryptography provides the reader with enough details to alleviate their fears of concepts such as symmetric encryption, cryptographic algorithms, and much more.

The appendix contains the same self-tests of each CBK domain, with the addition of an explanation of why each answer was correct, and the other answers incorrect.

The book also provides access to a web-site with two practice exams that one can take online. It is debatable whether such tests are of value, given the creators often lack the skill required to create effective tests. Most of these tests are created by those without any experience in psychometrics, while most of the exams themselves have been thoroughly vetted by psychometricians.

Also included on the web site is ten podcasts (one for each domain) to aid the reader in studying for the CISSP exam.

In conclusion, for those who have a decent background in information security, and don't need a five-pound tome to lug around, the CISSP Study Guide is a quality reference guide that can assist them in studying for the exam.

The common wisdom is to choose two study guides when preparing for the CISSP exam. For those that are serious about passing, the CISSP Study Guide should be one of them.

› Go to Amazon.com to see all 61 reviews  4.3 out of 5 stars