I am watching the CISSP series and preparing to take the CISSP test soon. I am having difficulty understanding what depth in each area I am expected to master. How deep, for the test, am I required to go with knowledge of each area?
As an example, in the Risk section, Adam mentioned OCTAVE for risk assessment, but did not go into any detail on OCTAVE. For the CISSP exam, what level of questioning should I expect?
For this example, would the questioning ask something like "Which is a risk assessment methodology?" and have OCTAVE as an answer? Or could it ask a deeper question like "How many phases are in the OCTAVE method?" Or could the test expect an even deeper understanding of OCTAVE?
Understanding the correlation between the video's level of explanation and the Test's expectation would help me understand other areas as well.
Thank you.
CISSP depth question
Brian,
Thank you for asking what is probably one of the most important questions regarding the CISSP exam:
"Depth vs. Breadth"
The traditional answer is that the CISSP exam is "a mile wide and an inch deep", meaning that the successful candidate needs to be prepared to answer questions across a broad knowledge area, but only to a certain depth. Your OCTAVE example is a great one, so let's use that by way of illustration:
I mentioned OCTAVE in the Risk section as an example of one of several methodologies commonly used for Risk Assessment. There are also FRAP, Failure Modes and Effects Analysis, CRAMM, and the NIST SP 800-30 guidance. All of these represent possible Risk Assessment methodologies or solutions that one could use to achieve the end goal of performing a Risk Assessment when asked to do so.
The trick for the exam is two-fold, as noted below:
First, you would need to be able to identify that these are possibilities for Risk Assessment if asked.
Second, you would need to understand what a Risk Assessment vs. a Risk Analysis is, being comfortable with the differences between the two, which is done before which, and what tools or techniques one would use to carry each out.
What you DO NOT need to do is become an expert in any/all of the methodologies or guidance around Risk Assessment, but rather have a comfort level with the concepts and the tools to be chosen if needed. (This is the inch deep part).
The mile wide part is the fact that there are a total of 10 domains of knowledge making up the CISSP exam, and that you are expected to become knowledgeable about all of them to some degree in order to pass your exam.
I hope that this helps to sort it out for you enough so that you feel comfortable preparing to be successful on your exam. If in doubt, it is always better to know a little bit more about something, but the trick is not to go too far overboard, as you cannot remember everything about everything.
Adam
Following up on this question, I wanted to add that I took the test today and passed. I appreciate the videos. This was not my only training material; however, it gave a great overview and solidified my book knowledge.
Cheers.
Water,
Great news to hear! You're the reason we do what we do! Do you mind if we send you an email about your experience with ITProTV?
Cordially,
Ronnie Wong
Host, ITProTV