CISSP Certification All-in-One Exam Guide

by Shon Harris

The Barnes & Noble Review
Statistics can be misleading, but last year, security professionals who earned (ISC)2 s CISSP certification reported earning an average $7,140 raise as a result. That s the second highest payback of 37 credentials studied by Certification magazine, and it reflects a first-year ROI of 7.9 to 1.

Over the past two years, CISSP has clearly emerged as the industry s No. 1 security certification. For instance, when the U.S. National Security Agency sought to establish its own elite infosecurity certification, it partnered with (ISC)2 to build that certification on top of CISSP. If that s not an endorsement, what is?

To earn your CISSP, you need to pass one brutally tough exam. It s six hours long, with 250 questions covering all ten domains of the CISSP Common Body of Knowledge. That means you ll need a deep understanding of everything from networking to operations, cryptography to law, access control to disaster recovery. Fortunately, there s an equally systematic study tool: CISSP All-in-One Certification Exam Guide, Second Edition by Shon Harris.

Harris is a member of the U.S. Air Force s Information Warfare unit, as well as contributing writer to Information Security magazine. (She contributed some of the toughest scenarios in the recent bestseller Hacker s Challenge.)

She s also starred as instructor in a series of weeklong CISSP bootcamps, earning raves from attendees who paid several thousand dollars apiece to participate. As one put it recently, Shon lives and breathes the 10 Domains. A more qualified and capable CISSP instructor you could not find.

She s just updated her study guide to fully reflect the just-released version of the CISSP exam, with new coverage of the latest topics -- from wireless LAN security to penetration testing, asynchronous attacks to transborder information flow.

The new coverage is woven into clear and careful discussions of every exam objective. To name just a few: authentication, passwords, monitoring, firewalls, security models, physical security, protecting software applications, network security up and down the ISO stack, PKI, attacks and countermeasures, and incident investigation.

Harris is especially strong when it comes to day-to-day, non-sexy security management practices that systematically reduce the risk of attack or compromise.

Here, she addresses everything from risk management to policies and procedures, security baselining to information classification, security organization to internal training and awareness programs. You ll especially appreciate her detailed walk-throughs of qualitative and quantitative risk analyses, and her list of 19 factors to take into account when evaluating safeguards.

CISSP All-in-One Certification Exam Guide, Second Edition is replete with practical examples and scenarios. Best of all, Shon Harris brings exceptional real-world insight to information security. Pros. Cons. Limitations. Trade-offs. And if you like sample questions, this book is a bonanza. You ll find more than 1,000, including hundreds on CD-ROM.

That disk also contains live video training from Shon Harris -- so you can see for yourself what top security professionals gladly paid thousands of dollars for. Bill Camarda

Bill Camarda is a consultant, writer, and web/multimedia content developer. His 15 books include Special Edition Using Word 2000 and Upgrading & Fixing Networks for Dummies, Second Edition.

Genres: Reference, Technology, Technical, Business, Nonfiction, Computers, School

1008 pages, Hardcover

First published December 26, 2001

Reviews

[Emily · Rating 4 out of 5]

I just passed the CISSP exam yesterday. This book was by far the better of the three that I purchased. I found its explanations more detailed and didn't assume a baseline of knowledge (I do not have a background in ISMS or anything technology related). I took off one star because the test prep questions were on a CD-ROM (my work computer doesn't have a drive and the CD is not compatible with Macs) and the questions on the CD seemed MUCH easier than the questions at the end of each chapter.

What I liked : The organization of the book is consistent with ISC2 8 topical areas, the Exam Tips were very useful, the end of chapter summaries were very comprehensive, and the book is hard cover which helps with keeping it open when you read it cover to cover.

If you were going to buy one book for the CISSP I would make it this one.

[Vellanorah · Rating 4 out of 5]

Shon Harris has some funny Techie wit in this very long guide. She does a great job of explaining all the material and I really appreciate that it is written from a woman's point of view. She uses females in all her examples which I have never encountered in technical novels before. I only gave it four stars because it is a technical novel and well they are not the most interesting things to read but she does a great job and covers it all. A must read for CISSP candidates. ;-)

[Richard · Rating 2 out of 5]

In a word "comprehensive". Full of interesting facts and theories. Let's see if it gets me though the exam.

[Vagabond of Letters, DLitt · Rating 4 out of 5]

This 1400-page monster assumes absolutely zero previous knowledge of information security, cyber security, information management, risk management, information assurance, identity management, practical cryptography (types of ciphers and modes of operation: no formal proofs of security, no math nor theory: just read the NIST Special Publication 800-series docs, like 800-90 on CSPRNG, and for the math Goldreich's Foundations of Cryptography in 2 vols.), or any sort of development or engineering and only a basic familiarity with technology.

This means that anyone who is in a position to pass the exam after reading this book could have done with 600 fewer pages of introductory exposition. The book is, like many technical works that aren't mathematical, both too long and too short. It's too long for someone with experience in engineering, but too short to descend into the weeds past generic applications of the abstract principles of the '8 domains of the CISSP Common Body of Knowledge'.

The 8-volume, outdated Information Security Management Handbook of 7,000 pages goes into great detail of every application of every domain. CyBoK, the European work, is more practical and engineering-oriented, but of no relevance to the credential. Thanks to the influence of the credential, the practice of security in real life is often divided along the same lines as the exam. The CISSP CBK [Common Body of Knowledge] Reference is more detailed and shorter, nondidactic but sufficient for anyone who can solve a leetcode easy to learn the jargon and style of (ISC)2's CISSP.

It's said the CISSP is a management credential and also useful for government work. I wouldn't know, but it's pretty universal on the security side of the house at tier-2 corps for engineers, architects, security officers, and so forth, and common at tier-1s among middle management and GRC people. It's certainly not an engineering credential because it will teach you little of secure development or secure architecture but much of security tradeoffs.

I got one of these back when the exam had 10 domains and was on paper, but here's the only advice you'll ever need: The exam is nothing like the book. It is less technical and much more ambiguous, with few right or wrong answers, and full of convoluted phrasing and 'gotchas' in the same class as double negatives.

Consider it practice for email threads with non-technical people when you become an engineering manager. The cert is worth it for middle engineers (not junior, not senior) with an interest in systems security, anyone who has a job that pays for it, and for people who want to become managers without getting an MBA.

Vagabond of Letters, CISSP-ISSAP/ISSMP

[Epsilon · Rating 4 out of 5]

Nice and detailed review of all CISSP domains.
If you have previous knowledge in a certain area and you're familiar with the concepts you can get easily bored with the elaborate examples and probably will skip them.
I liked the overall presentation style.
The only annoying thing were the 'funny' remarks at the beginning of each topic.

[Rohit Salecha · Rating 5 out of 5]

I just read this book for clearing my CISSP exam. Only thing you need to clear CISSP

[Ben Rothke · Rating 5 out of 5]

The Certified Information Systems Security Professional (CISSP) is the most popular information security certification today. Those in the security field often find that the CISSP certification is a prerequisite for hiring. Human resources departments often use it as a filter to determine qualified candidates, and information assurance personnel in the U.S. military are required to be certified. Because the certification is so important, a wide array of authors and publishers have written study guides.

The framework of the certification is the (ISC)2 Common Body of Knowledge, which underwent a major update a few years ago. The biggest change was that it went from 10 domains to eight. The eighth edition of CISSP All-in-One Exam Guide goes into significant detail for all preparatory areas and more. It is a solid, albeit potentially overwhelming, study guide for the serious CISSP candidate.

Previous editions of the book included a CD-ROM with the additional study material and test questions. For this edition, the study material and questions have moved online.

The CISSP test has been called an inch deep and a mile wide. That may be an exaggeration, but it is clear that the test requires knowledge of a lot of information. This reviewer believes that the recent update of the CISSP All-in-One Exam Guide will help candidates prepare for and pass the CISSP certification exam.

[Dolly · Rating 5 out of 5]

This book provides detailed explanation on topics of CISSP and doesn’t assume any background knowledge on reader. The basics and background knowledge explained in this book might not be directly tested in CISSP Exam but they help readers revise the foundations that form the basis of the testable areas. I read this book concurrently with the Sybex official guide and find myself coming back to this book when I need to reaffirm my understanding on certain topics. I also like the how the examples given are relatable and humorous at times.

[Shobhit M · Rating 4 out of 5]

Anyone who is not just preparing for the CISSP but in any way is related to the Information Security profession should read this book at least once. I remember my manager recommending me this book in Aug 2011, when I just started my first job, but I disregarded his recommendation. I wish I had read the book then.

[Dolf van der Haven · Rating 4 out of 5]

Exhaustive and exhausting, this book uses so many words to explain the concepts for the CISSP exam, that it is hard to find the essence of what you really need to know. Fortunately, I had another book so I could do overlap analysis, which made it easier to go quickly through sections on this one that were redundant.

[Patty Luxton · Rating 3 out of 5]

while I read this book, i ended up reading the Gibson CISSP official study guide as well and was so much much more relevant and consise. This book seems to be rather dated and while they keep revising it, they are not truly updating the overall content - it really needs an overhaul. I passed the test on the Gibson book, not on this book.

[Natalie S Harmon · Rating 5 out of 5]

Better preparation

This book provides a lot of detail which may not be necessary for the exam but is certainly helpful in fully understanding the domains . It’s easy to read and is a great preparation tool.

[Aladdin Ch · Rating 4 out of 5]

Very interesting book. It goes beyond (ISC)2’s training and gives more details and explanations. Though neither this book nor the training got me through the exam as it is more experience oriented (which I haven’t).

[John G Larrison · Rating 4 out of 5]

Used this book and a few others years ago to pass my CISSP exam. Never attended a class just previous experience and hours studying book like this. The sample questions are very helpful. Passing the CISSP is as much about getting familiar with how questions are asked as knowing the material

[Daniel Alexander Suarez Campos · Rating 5 out of 5]

Excelente material

excelente libro de estudio para los profesionales en seguridad de la información. Ganen el CISSP con este libro, yo ya lo estoy estudiando.

[Kathryn Mortimer · Rating 4 out of 5]

By far the most readable and useful of all the CISSP training material. Without it, I doubt I would have got as far as taking the exam - let alone passing it!

[Kevin]

Used this and passed...

[Omar El-Mohri · Rating 5 out of 5]

The One book you need to read for the CISSP

[Peter Gephardt · Rating 2 out of 5]

I prefer the official guide but this is a good reference.

[David · Rating 5 out of 5]

It has been well known for years now, if you want to pass the CISSP exam (properly) the book by Shon Harris is what you need to read. Know it from cover to cover and the exam is straight forward.

[Oleksandr Andrieiev · Rating 4 out of 5]

Definitely a tough read.
There are some mistakes here and there and a bunch of recommendations I would not agree with.
But overall - it's a good start, if you're interested in CISSP.

[Arlene · Rating 5 out of 5]

I uses this over the IC2 books. This is the better book.

[Khalid Beg · Rating 5 out of 5]

Very good book, thoroughly covered the subject. Is a great help if you are planning to give CISSP exam.

[John Behnken · Rating 3 out of 5]

Okay, not everyone's favorite subject. I'm reading this to help get a security certification - but it's surprising how the author makes this stuff interesting. 1200 pages....oy.

After finally finishing the book I have to say that I don't regret the read at all. It was very well done, but it did have some problems. I think the diagrams provided in the book really needed some help. At times I sat there staring at them for several minutes trying to understand how it related to the text that referenced it. I see diagrams like this every day at work, so I'm no slouch in this arena. I think the author could use some help in this area in her next release. I also found some chapters to be a bit off-topic in the way she covered them. If it's true that the CISSP exam asks questions on some of this material, then I really have to question whether their focus is 100% on security. It seems to me that much of it strayed into excrutiating technical detail about the way things worked rather than focusing specifically on security.
This is, of course, necessary to a degree because you need to understand the basics of a system in order to understand how it can be exploited, but firmly believe that she went way to far in some cases.
On the other hand, big kudos to her depth of knowledge.

[Phil (Theophilus) · Rating 5 out of 5]

With regard to content, Harris' CISSP Guide is, in a word, outstanding. CISSP material is on the dry side so the book breaks the monotony by interspersing the content with amusing anecdotes. Note: If you are one of those people who just cannot accept that a technical book can be anything other than *dry* & boring, then go buy Krutz & Vines CISSP Prep Guide. While I found that title informative it was *extremely* challenging to stay awake to read it.

In all matters of practicality, reading both Harris' & Krutz & Vine's CISSP books were largely informative exercises for me because I don't plan on dropping the $400 bucks to take the exam. The economy simply doesn't warrant the expense. There *are* no jobs in security because all the good paying highly skilled positions are being outsourced & offshored to 3rd world scab nations at the fastest rate Congre$$ enables them to be.

Furthermore, what's the point of putting your all into studying and securing professional certifications if the best you can do is flipping burgers at $6.00/hr. Don't kid yourself - that's what the United States is depreciating to. It's a race to the bottom where the multibillion dollar transnational corporations have carte blanche to shop the planet for the *cheapest* labor and couldn't care less about American jobs.

[Elwin Kline · Rating 4 out of 5]

I was waiting until I passed the CISSP before I wrote this review for this book.

One my main study sources for passing the exam. I know this book has a lot of infamy for being so long in length and in drawn out content on the topics within, but I for one actually enjoyed it. I "want to know" and I am not looking for an easy solution or a way to cut corners. While the book certainly does cover a lot, it warns the reader at various stages with a message along the lines of: "The following content goes beyond the CISSP exam, however, I felt it was so important I wanted to include it anyways." ... Absolutely giving the reader the opportunity to skip that portion and reduce their over read time.

I would say that this book is a must read for passing the CISSP exam. The last 72 hours before I took the live exam, I skimmed through the chapters and stopped and read paragraphs that caught my eye that I identified I needed a little refresher knowledge on.

Yes, it's a long book. But, actually take the time to read and absorb the material. It will pay off in the end when you see "Congratulations!" on your end of exam print off at the testing center.

[John · Rating 3 out of 5]

As this is a professional exam prepatory book, my experience is pretty much guaranteed to be unique and the following review is based on the utility of the guide rather than the information provided within.

This book is the end-all, be-all of professional security knowledge. In its exhaustive coverage of the CBK, you will find wonderful anecdotes, derails, and diversions written in by Shon and the other contributors over the past editions. The cover says that the book is to be used to prepare for the exam, but the true utility of this book comes after the passing grade.

To me, this book is designed to live on your desk and be referred to whenever an audit point or design issue arises. As a piece of living reference material, it is second to none and is immediately searchable and accessible in any situation.

Get it after you pass the CISSP, or if you're a student wanting to learn about InfoSec. Use Conrad's test prep to get the real edge

[Kath · Rating 5 out of 5]

What a great and comprehensive book for the CISSP. I also loved the accompanying test CD. If you are studying for the CISSP this is a must have. I must admit, it's a bit overwhelming at over 1000 pages, but the practice tests help identify what you need to focus on.

I would highly recommend this book.

[Kevin · Rating 3 out of 5]

1200 pages of pure joy. The author is good. Made it less tedious. The subject is IT security. Not the novel you curl up in front of fire with. Nor with a glass of wine. Alcohol and textbooks don't mix. Although if I don't pass the exam that this is for then there will definitely be a mix of textbook, alcohol and fire.

[Franjessca · Rating 5 out of 5]

A lot of information in this book for CISSP. Maybe became I'm a computer geek, is the reason why I read it ALL and found it all very informative (and exciting…yup proud computer geek here). Thanks to the Navy for already teaching me some of the stuff that was in this book.

Looking forward to taking this certification exam, hopefully soon. =)