At SanitySecurity we strive towards a high degree of knowledge of information security, in both theory and application. This includes becoming (ISC)2 CISSP certified.
In this article we describe three books that we have recently used to prepare for the (ISC)2 CISSP exam. The books are reviewed in order of thickness. All three books are recommended, but for very different readerships.
Here are some general comments on all three books:
- We found that all three books fail to describe recent changes in the law, such as the EU-US Privacy Shield, the EU General Data Protection Regulation (GDPR), or the Australian Notifiable Data Breaches (NDB) scheme. The Australian law will become more significant as other countries implement similar breach-notification laws. Of these three changes, we noticed that even the newer edition of the ‘For Dummies’ book covers only the EU GDPR.
- The syllabus for the (ISC)2 CISSP exam was changed in April 2018. Updated versions of these books that reflect the syllabus changes will be published before the end of 2018. All three books we reviewed were published before the April 2018 syllabus changes were announced.
- We found that all three books focus heavily on the first three domains but are light on detail for the remaining five. This is fine if you are already familiar with those five domains; otherwise you might need to do more reading on your own.
Full disclosure: SanitySecurity has no commercial relationship with any publisher at the time this article was published. If a publisher would like to deliver a truck full of scotch and cash then please contact us for the delivery address.
Eleventh Hour CISSP: Study Guide
‘Eleventh Hour CISSP: Study Guide’ by Joshua Feldman, Seth Misenar, Eric Conrad
Recommended for: Last minute revision before the exam.
Publication date January 2017, the ‘middle-child’ of the three books.
This book is short and sweet, and makes good points quickly. The authors cut to the core of points not addressed in the other two, much thicker, books. This makes it a great book for last-minute revision before the exam.
A few points seem to be incorrect. For example, page 28 describes NIST SP 800-30 as a nine-step risk analysis process. The current NIST SP 800-30 Revision 1 (2012) describes four steps for a risk assessment (prepare, conduct, communicate, maintain); the nine-step methodology comes from the original 2002 edition, which Revision 1 superseded.
Test material: The only test questions are the ‘top five toughest questions’ at the end of each chapter. There is no test material explicitly associated with the book. After a little digging we found some online test material directly from the Elsevier / Syngress publisher. We have been unable to use the test material as we faced difficulties with the required version of Adobe Flash.
Elsevier online practice tests
Conclusion: We found this book to be accessible and can be read from cover to cover.
CISSP For Dummies
‘CISSP For Dummies’ by Lawrence C. Miller and Peter H. Gregory
Recommended for: Information security professionals who have experience in some domains but would like a book that covers all eight domains.
Publication date May 2016, the oldest of the three books.
This book is also to the point, but provides additional explanation where needed without going into too much detail.
There are lots of useful references to other web sites and to other ‘For Dummies’ books. The book contains mixed messaging about whether it covers the entire syllabus: sometimes “yes”, sometimes “no, read more”.
The book makes interesting points about the application of information security, for example regarding safety for security professionals living in an IoT world.
Test material: The book includes access to an extensive online test suite available from the Wiley Test Bank website. Simply create an account and register your books using details contained in the print or ebook.
Conclusion: We found this book to be accessible and can be read from cover to cover. It provides a useful level of depth and is our favourite of the three books.
CISSP All-in-One Exam Guide
‘CISSP All-in-One Exam Guide’ by Shon Harris and Fernando Maymi
Recommended for: Professionals who are new to information security, such as those who do not yet have the four to five years of experience (ISC)2 requires and who aim to become Associates of (ISC)2.
Publication date January 2018, the most recent edition of the three books.
Despite having been published relatively recently, the book fails to mention the EU-US Privacy Shield or the GDPR. Instead, the book only states that Safe Harbor is no longer in place. The book contains other out-of-date points, such as referring to OS X rather than macOS High Sierra.
The book contains great detail about the theory and application of information security in the business world, as well as hard-won lessons from difficult experiences. For example: how information security is driven by, and integrates with, business decisions and business risk.
This book paints a much bigger picture, but some of the language is unclear, making for opaque patches. We also disagree with some points. For example, page 339 states that Polish cryptographers broke the Enigma code and gave Britain insight into Germany’s attack plans and military movements. Polish cryptographers certainly played a key role, but we think that this statement leaves out the work performed by the team at Bletchley Park.
Test material: The book includes a CD-ROM with extensive test software. We successfully installed the software on MS Windows, but not on Apple macOS or Linux. This means that your access to the test software depends on your access to the computer on which it is installed. In other words, if you mostly use a tablet and smartphone then you might have very limited access.
Conclusion: We found this book too thick to read from cover to cover, but the level of detail makes it a great resource to dive into for specific subjects. It will almost certainly provide more comprehensive information than what you are likely to find on Wikipedia or from a Google search.
We hope this information is useful to information security professionals who are currently considering taking the (ISC)2 CISSP exam.