Passed CISSP!

Just got an email from ISC2 telling me that I have passed my CISSP (Certified Information Systems Security Professional) exam. I took the exam on 19th May 2007 in London and got the email confirming my result on 5th June, around 16 days after the exam.

It was quite a different experience passing a non-product-related exam. As usual, I did not start preparing early as I forget things too quickly. I started reading from the official CISSP book, which is around 1,000 pages thick, and skipped lots of boring material in the first week. Then I started the second week by practicing on the cccure.org site and referred to the official book on questions that I did not understand.

I did not concentrate on the Business Continuity Planning / Disaster Recovery Management domain along with Orange Book standards from one domain. I read and understood the core concepts of cryptography but could not memorize the encryption key lengths.

The night before the exam, I went to bed early but could not sleep due to unknown feelings, despite eating multiple bowls of corn flakes.

On the big day, I reached the exam center an hour before start time and was surprised to see a room full of people for the CISSP/SSCP exam.

It took me almost 5 hours to answer all the 250 questions in the question booklet and almost one hour to transfer them to the answer sheet. Although it was simple “filling the circles” with a pencil to mark the correct choices, the slow speed got me worried near the end of the examination time.

Most of the questions were quite simple and took me less than 30 seconds to read and answer. But there were a couple of questions that took me more than 15 minutes to answer due to the amount of maths or simulation involved.

There were lots of questions that had multiple valid answers and it was very difficult to guess the most valid answer. There were around 70 questions left that I narrowed down to 2 choices out of 4 and later marked the answers by making educated guesses between the two.

Finally, this was the only professional exam that did not tell me the results at the end of the exam. It was quite hard for me to wait for more than 2 weeks for the result, but all's well that ends well.

The best topics that I learned from the CISSP exam were the Information Classification, Risk Assessment and Risk Mitigation concepts. The software development life cycle models will be extremely useful in my own projects. Most of the Telecom Security stuff was pretty much the same as what I have been implementing for years. Some really interesting stuff was the types of fires and the different classes of chemicals used in fire extinguishers to handle these fires. Some physical access controls were interesting, like the difference between the retina and iris eye scanners, and other biometric scanners.

I have now been asked to submit my CV along with the endorsement form from an active CISSP in good standing who can attest to my experience.

Looking forward to my CISA (Certified Information Security Auditor) exam in the December session.

Talha Ghafoor
CISSP, JNCIA, JNCIS, JNCSA, JNCSS, NNCSA, NNCSE, ACSS, ACSE, CSCA, CSCE, CCNA


One response so far, want to say something?

  1. Talha says:

    Hello Talha!
    A friend of mine was browsing the net and surprisingly got this one, and I'm happy to know that you are a CISSP, as nowadays I'm enjoying ISC2 associate status… I have passed my exam this March from Islamabad… and passed CISA too this June from Islamabad.

    thanks for sharing your exam experience…

    take care,
    bye bye
