Become (and stay) a CISSP on a Budget

Become (and stay) a CISSP on a Budget

Richard R, CISSP, FITSP-M, PMP, MBA, Security+, Network+, Project+

Last Revised: August 2015

Purpose

As I prepared for my CISSP certification I came to a serious realization; This can be a very expensive certification to earn and maintain! While many hopefuls have corporate backing and training budgets, there are many candidates seeking to obtain CISSP certification without external financial support. Between the costs of training materials, the annual maintenance fee, and the costs associated with obtaining continuing professional education (CPE) credits the dollars (or your chosen local currency) can really add up! While I don't consider myself to be "cheap", I would certainly consider myself to be thrifty. My CISSP journey started with successfully passing the exam in December 2010 and I have put together this resource, dedicated to helping others who are seeking to gain knowledge and competency in the domains of the CISSP common body of knowledge (CBK) without significant financial expense. To make myself clear, I do not consider any of this a "cram", "braindump" or "shortcut" technique, and I firmly believe that candidates for certification are expected to know the concepts of the CBK and apply them to successfully pass the exam. The only way to do this is to study, apply, review, apply, understand and apply the concepts on the day of the exam, hopefully leveraging some real-world experience to put it all together. Passing the exam will only be the start of your CISSP experience. It is my hope that all CISSPs will continually improve their skills and improve themselves (and hopefully their work environment) as they pursue opportunities to expand their knowledge of information security.

I welcome feedback and questions which will help me improve this resource for those who are working towards the CISSP certification. To ask a question or provide feedback, please contact me by email at cissp at avitria dot com - I'm always happy to answer questions from others working toward their CISSP certification. If you enjoy this memoir, you might also appreciate my CISSP Study Plan Memoir or how to go from CISSP to PMP certification.

Show Me the Money!

I was very fortunate in my quest to become a CISSP in that I had a supportive supervisor who was willing to invest in my certification by sending me to a Training Camp CBK review seminar. However, since I did not want to arrive for this seminar unprepared, I set off on a nine-month quest to ensure that I was indeed prepared. I was on my own when it came to paying for study materials, so I set out to find top-quality materials on a thrifty budget. What follows is a sampling of the lessons that I learned in preparing for the exam, and resources I've uncovered to help me earn CPEs at no cost to me. The sites I have listed below are materials that I have personally reviewed and find to be of value in the pursuit or maintenance of the CISSP certification. There are countless ways to obtain worthless CPEs (which hopefully are rejected through the ISC CPE audit process) but that is not what this resource is about.

From the Cheap Seats to the Exam Seat

Here are some suggestions for how to reduce your costs when preparing for the exam:

Buy Used Materials - You can save a ton of money on top-quality books by using Amazon, eBay, or Chegg - save yourself some time and do a Froogle search for the ISBN of the book you're looking for. For example, as of this writing you can get a copy of "The CISSP prep guide: mastering the ten domains of computer security" for under $5 shipped in the CONUS by searching with Froogle. A lot of people swear that having the most current materials makes all the difference, but as slowly as the CBK and question pool evolves, I feel that the right materials are better than the latest materials. For example, reading books listed on Robert Slade's Computer and Technical Book Reviews will give you an deep education in the CBK domains, the books are also (generally) older and therefore, easy to find inexpensively in used form online. His discussion of Reference books for the CISSP CBK domains is pure gold, a must-read for anyone developing a study plan.
Use Free Materials - There are numerous pre-recorded videos and webinars that can be found online. Many of them are referenced in my CISSP memoir.
Visit The Library - Many library systems will have the standard CISSP study materials. Borrowing them for a few weeks will help you decide which resources you find most useful.
Check With Your Employer - Maybe your employer is too cheap or unwilling to pay for a review seminar, but many employers offer access to CBT or eBook resources. Examples of this are the Safari Books Online, CERT VTE and more. Check with a CISSP in your organization to find out if any other resources are available.
Learn From Those Who Have Gone Before You - Thorough study-plan reviews are a treasure trove of sugestions and advice for those working on their CISSP certification, take a look at these study plan reviews:

http://avitria.com/cisspstudyplan.html - My memoir (shameless plug) which details in great depth my nine-month journey to become a CISSP.
http://www.techexams.net/blogs/jdmurray/the-cissp-certification-experience-my-study-plan/ - A good study plan review written by James Murray which discusses some resources I did not use.
http://ipositivesecurity.blogspot.com/2009/06/cissp-my-study-plan.html - A brief study plan review which follows a pretty "traditional" structure in terms of resources used.
http://www.tabpi.org/2004/fg.pdf - An incredibly detailed and generally incisive discussion of a number of CISSP topics including the CBK, the value of the certification, and the question types.
http://itauditsecurity.wordpress.com/2010/06/07/pass-exams/ - A brief "how to pass exams" review covering several certifications.
http://inchdeepmilewide.wordpress.com/personal-cissp-experiences/ - A valuable resource, because the guy failed the first time... learn his lessons and pass the first time!
http://www.ethicalhacker.net/content/view/176/24/ - Another seminar-based study plan article written by Donald C. Donzal, Editor for The Certified Security Professional Online Magazine
http://securecyber.blogspot.com/2007/04/i-passed-such-relief.html - Another study plan blog written by Roman Zeltser, CISSP

I'm a CISSP, What Do I Do Now?

You learn! And you learn some more! Here is the latest news regarding maintaining your credentials in good standing with (ISC)2:

https://www.isc2.org/uploadedFiles/Credentials_and_Certifcation/About_Our_Credentials_and_Process/CPE.pdf - This document lists a number of ways to earn CPEs, and since I don't want to rehash the ways to earn CPEs, I'll list a number of activities that might help CISSPs earn CPEs with minimal financial investment.

Podcasts - Listen to a podcast, take notes and submit them for CPEs. This is a great option for folks who travel a lot or have a long commute - earn CPEs on the go!

http://www.getmon.com/ - I particularly recommend "CERTs Podcast Series: Security for Business Leaders"
http://booksite.syngress.com/companion/conrad - Podcasts and more by Eric Conrad, SANS instructor and author of CISSP prep materials.

Web-Based Training - Here is a listing of free online training resources that could be used to obtain CPEs - be sure to take a screenshot or save a copy of any certificate of completion in case the CPEs are audited!

https://www.coursera.org/ - "Take the world's best courses, online for free!" This site was recommended to me by my friend James Beatty who recomended them as quality undergrad-quality courses, perfect for earning CPEs.
https://www.vte.cert.org/vteWeb/ - Requires a .mil/.gov email account for registration. This is an incredibly valuable resource. Note - the URL is now: http://www.fedvte-fsi.gov/ and the format has changed slightly, but all the content is still there.
http://www.teex.org/teex.cfm?pageid=OGTprog&area=OGT&templateid=1810 - DHS/FEMA State Cybersecurity Training (open access)
http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training - A free demo course of security training offerings from Offensive Security.
http://iase.disa.mil/eta/index.html#onlinetraining - An excellent training resource for DoD and commercial industry professionals, provided by Defense Information Systems Agency (DISA). Each course has a printable completion certificate for proof of completion.
http://adventuresinsecurity.com/SCourses - A collection of free flash-based courses covering topics ranging from web application security to DNS cache poisoning.
http://www.learnsecurityonline.com/ - A free collection of more deeply technical training videos focused on vulnerabilities and exploits.

Pre-Recorded Webinars - Webinars are an acceptable way to earn CPEs as long as they are vendor-neutral and of a non-sales nature.

http://gocsi.com/Webinars - Computer Security Institute, producer of the "Computer Crime & Security Survey"
http://www.sans.org/webcasts/ - Good webinars, but watch out for the vendor Kool-Aid in some of them!

Written Resources - You can even pick up a book and read it! Here are several lists of excellent books that cover the domains of the CBK.

http://www.sans.org/reading_room/ - Papers and articles focusing on several dozen various categories of technology and security.
http://victoria.tc.ca/int-grps/books/techrev/mnbk.htm - Robert Slade's Computer and Technical Book Reviews - just pick a book, any book. I've read several excellent books from this list.
http://www.cccure.org/modules.php?name=News&file=article&sid=900 - An article by Clement Dupuis discussing how to earn CPE credits for certification renewal.