Order of CBK domain importance on the CISSP exam

JDMurray

From what I've been reading over at cccure.org and on the CISSP mailing lists, it looks like the order of importance of the CBK domains on the current CISSP exam is:

1. Risk Management
2. Access Control
3. Security Architecture
4. Telecom
5. BCP/DRP
6. AppSec
7. Crypto
8. Legal
9. Physical
10. OpSec

There have been debates that Access Control is actually the most important and physical and crypto the least. Of course, people are speaking from their experience of having seen only one or two CISSP exams. The randomization of the questions probably makes the distribution of the domain questions uneven. One person might get an exam that's heavy on risk management and BCP, while another might get a lot more questions access controls and telecom.

There's also the theory that people most easily remember the questions that they did the worst on. For example, if you had a hard time on the crypto questions then you'll perceive that there were a lot of crypto questions on the exam.

Opinions from people who have taken the CISSP exam?

LarryDaMan

I haven't taken the exam yet, but from all that I have read, your list looks right on the money. I think Cryptography is the wild card, I have seen it ranked everywhere from 6th to 9th in terms of importance.

Those top 5 are very important to know inside and out, Access Control especially because so many access control themes are found in the other domains.

I would also be interested to hear from those who have taken the exam.

RTmarc

I really don't think you can rank the importance. I had questions all over the board. If memory serves me correctly, I had very few Security Architecture / Framework questions and quite a few crypto questions. I know for a fact that I didn't have a single Application security question and had very few physical.

In my opinion, you can't really weight the domains and it apply exam-wide. The only suggestion I have is know them all; but you already knew that.

mog27

Is there a certain order you would recommend when studying for the domains?

JDMurray

Start with the domains you know the least because those are the ones you will need to learn the most.

Paul Boz

I'm learning them in the order that the Shon Harris book is laid out. It seems to jive with most of the list that was posted in this thread.

JDMurray

I can't believe what a difficult time I'm having mapping-out the BGP/DRP domain concepts in my brain. It looks a lot like the same framework as AppSec, but not really. Oy.

mog27

JDMurray wrote:

I can't believe what a difficult time I'm having mapping-out the BGP/DRP domain concepts in my brain. It looks a lot like the same framework as AppSec, but not really. Oy.

There's a Border Gateway Protocol domain?!?

I assume you mean BCP?

LarryDaMan

My lowest practice scores have been in Security Architecture (65-75% on average). There are differing opinions on how much TSEC stuff is still in there, but I guess I will have to spend some more time on the ol Orange Book.

JDMurray

LarryDaMan wrote:

My lowest practice scores have been in Security Architecture (65-75% on average). There are differing opinions on how much TSEC stuff is still in there, but I guess I will have to spend some more time on the ol Orange Book.

I wouldn't put too much stock in the scores you get on practice exams. Instead, use the exams to show you the subjects/concepts that you still need to understand more.

And who knows how much Orange Book stuff is still in the exam, and how much Common Criteria stuff they've put in by now. Gotta learn it all.

LarryDaMan

This may have been posted before, but these CISSP Mind Maps are a different way to look at the information. I like them. They were posted on a publicly available blog.

http://www.mindcert.com/category/mind-maps/cissp/

JDMurray

I noticed those mind maps mentioned on this CISSP study blog, but I haven't read anything from anybody that's used them. They are big and really need to be printed out as C-sized drawings to be easily legible.

Look in http://www.mindcert.com/resources/ for mind maps on Cisco, CEH, and NMap too.

LarryDaMan

JDMurray wrote:

I noticed those mind maps mentioned on this CISSP study blog, but I haven't read anything from anybody that's used them. They are big and really need to be printed out as C-sized drawings to be easily legible.

Look in http://www.mindcert.com/resources/ for mind maps on Cisco, CEH, and NMap too.

The comments on the blog entries seemed to indicate that they were well received, but they are just a different way to digest an outline, not an in depth tool.

Global Knowledge has a good White Paper on the different types of CISSP questions that you may run into. Good info.

http://www.globalknowledge.com/training/whitepaperdetail.asp?pageid=502&wpid=144&country=United+States

The week before the test, I am going to work on a test taking strategy. How many breaks? How to mark the test booklet? Time management. Review strategy. I'll probably do a full timed practice test with a scantron sheet as a dress rehearsal. I have heard many people comment that preparing for the physical and mental drain of a 6 hour test can make the difference.

JDMurray

LarryDaMan wrote:

The week before the test, I am going to work on a test taking strategy. How many breaks? How to mark the test booklet? Time management. Review strategy. I'll probably do a full timed practice test with a scantron sheet as a dress rehearsal. I have heard many people comment that preparing for the physical and mental drain of a 6 hour test can make the difference.

A lot of people have written their thoughts on taking the test itself here and at cccure.org. A good post on that subject just came across cccure.org's CISSP-Discuss mailing list. And if you haven't already, start with reading my blog post on the SSCP exam. It's the identical experience to the CISSP, but in half the time and with a different exam booklet.

LarryDaMan

I am a member of the cccure mailing list. Good stuff.

My co-worker was telling me about how much easier we have it nowadays with the many CISSP resources at our disposal.

He said the 1st edition of Shon Harris (much thinner, I think 700+ pages back then) was one of the only good resources available at the time of his studying. He took a bootcamp with Shon herself, and even she commented on how tough it was to find quality preparation materials.

Now, I have more materials than I have time to read and watch. Time to go read some more...

JDMurray

LarryDaMan wrote:

My co-worker was telling me about how much easier we have it nowadays with the many CISSP resources at our disposal.

Oh, I believe it. My endorser for my SSCP got his CISSP in 1999 when there were only six domains in the CBK. I have no idea how he studied for it at all.

chager00

JDMurray wrote: »

From what I've been reading over at cccure.org and on the CISSP mailing lists, it looks like the order of importance of the CBK domains on the current CISSP exam is:

1. Risk Management
2. Access Control
3. Security Architecture
4. Telecom
5. BCP/DRP
6. AppSec
7. Crypto
8. Legal
9. Physical
10. OpSec

I know this is a really old thread, but I'm just getting serious, finally, about preparing for and taking the CISSP exam, and I'm writing down a "strategic road map" to guide me through the preparation process. Do you know if this ordering is still accurate? I am thinking I would like to study them in order from least to most important. TIA!

bobbaphatt

chager00 wrote: »

I know this is a really old thread, but I'm just getting serious, finally, about preparing for and taking the CISSP exam, and I'm writing down a "strategic road map" to guide me through the preparation process. Do you know if this ordering is still accurate? I am thinking I would like to study them in order from least to most important. TIA!

Having just taken the exam last month, the only thing that really surprised me was the amount of BCP/DRP questions. I would rank it as #2 on my list.

Earlonics

Hi Hope you are well, I'm just about to embark on the CISSP Exam once again, I took it in 2006 after sitting a Bootcamp in the UK unfortunatly I managed only 695 mark which meant I failed, since then I have had security roles where there was no need for CISSP credentilas, I was so close in my eyes I felt I knew enough about IT security. I now have about 6 weeks to get back up to speed. I found the exam quite tough to be honest and took the full 6 hours.

I would like to know what training material you are using, I have purchased quite a few books but they seem to give me information over load on topic.

and observations are right n this post there seems to be too much information now and its trying to come up with a stratergy which will give you an edge on exam day.

cheers

PaulE

Lob

c/o Clement Depuis, the current feeling is this:

1. Information Security Governance and Risk Management
2. Access Control
3. Security Architecture and Design
4. Telecommunications and Network Security
5. BCP and DRP
6. Application Security
7. Cryptography
8. Legal, Regulations, Compliance and Investigations
9. Operations Security
10. Phsyical and Environmental Security

Hope that helps, it helped me!

!nf0s3cure

It is good list, I refered to it as well. How correct is it ...humm say top 5 will cover 70%? That was my feeling.

Darril

Thanks for posting the list. I recently analyzed the topics in the CIB looking at the major topics and the line items devoted to each domain trying to see if there is any relationship between the number of major topics or line items in the CIB and the weighting of the topics.

If you count the major topics (lettered as A, B, C, and so on) in the CIB the order is this way:

1. Cryptography 12 major topics 19.05%
2. Information Security Governance and Risk Management 10 major topics 15.87%
3. Operations Security 7 major topics 11.11%
4. Security Architecture and Design 6 major topics 9.52%
5. Legal, Regulations, Compliance and Investigations 6 major topics 9.52%
6. Physical and Environmental Security 6 major topics 9.52%
7. BCP and DRP 5 major topics 7.94%
8. Access Control 4 major topics 6.35%
9. Telecommunications and Network Security 4 major topics 6.35%
10. Application Security 3 major topics 4.76%

If you count the line items (major topics plus numbered subtopics) in the CIB the order is this way:

1. Information Security Governance and Risk Management 36 line items 18.00%
2. Cryptography 32 line items 16.00%
3. Legal, Regulations, Compliance and Investigations 24 line items 12.00%
4. Operations Security 20 line items 10.00%
5. BCP and DRP 18 line items 9.00%
6. Access Control 17 line items 8.50%
7. Telecommunications and Network Security 15 line items 7.50%
8. Security Architecture and Design 15 line items 7.50%
9. Physical nd Environmental Security 12 line items 6.00%
10. Application Security 11 line items 5.50%

This had me curious about how much space the Official (ISC)2 Guide To The CISSP CBK devoted to each topic. Here's the order based on the number of pages devoted to each domain:

1. Access Control 155 pages 18.41%
2. Telecommunications and Network Security 121 pages 14.37%
3. Application Security 103 pages 12.23%
4. Information Security Governance and Risk Management 101 pages 12.00%
5. Cryptography 91 pages 10.81%
6. Physical and Environmental Security 87 pages 10.33%
7. Security Architecture and Design 63 pages 7.48%
8. BCP and DRP 47 pages 5.58%
9. Operations Security 39 pages 4.63%
10. Legal, Regulations, Compliance and Investigations 35 pages 4.16%

This page count might be meaningful because the publisher could have dictated a specific page count for each domain/chapter. It might also be meaningless because the authors might have been free to simply write a topic to cover the material without regard to page counts.

There aren't many matches when you compare these lists to the order of importance lists by JD Murray and the more recent one posted by Lob (c/o Clement Dupuis). The conclusion I'm coming to is that while you might see fewer questions within a given domain, you might need a wider breadth of knowledge to get those questions correct. For example, Cryptography comes in at 1 or 2 based on the volume of information specified in the CIB but is viewed as number 7 in the order of importance for the exam. Similarly, the CBK devotes twice as many pages to cryptography as they do to BCP and DRP.

It would be outstanding if (ISC)2 would actually identify what they consider most important by providing actual weighting. I'm left wondering if it is a moving target and not consistent from exams taken in January with exams taken in July.

!nf0s3cure

That is a great effort. BCP coverage in the ISC2 guide is surprising. It should be a lot more.

JDMurray

I believe the references listed in the CISSP CIB are the significant publications used by the CISSP exam authors to create the CISSP exam items. I don't think it's useful to try and gather any meaningful statistical correlation between the size and topics of the references and the presence of the CISSP CBK domains in the CISSP exam. What items are added to the exam pool are not determined by the metrics of the materials used to create the questions, other than the domain the item applies to.

My assumption is that each CISSP exam is randomly generated with 25 items selected from each of the ten CISSP CBK domains, plus an additional 25 research questions added that may be from any domain. I also assume that any exam item may actually contain information from two or more domains, yet is classified as beloning to only one domain. Now add in that people tend to best remember the exam items they had problems with, and not the ones they just easily "zoomed by," makes it very difficult for anyone to determine the actual statistical spread of domains when they are taking the CISSP exam (I know because I tried ).

Darril

Sorry if I wasn't clear, but I wasn't speaking to the references, but instead what I'm viewing as the objectives within each domain.

For example, Software Development Securitying includes three major topics:
A. Understand and apply security in the software development life cycle
B. Understand the environment and security controls
C. Assess the effectiveness of software security

With these, there are sub topics in some major topics such as A.1, A.2, and so on and by counting all of the major topics and sub topics, I came up with line items.

And I certainly understand your point about what people remember. I've had many conversations with people coming out of the Security+ exam and the same concept applies. A topic they didn't know stuck with them, and they indicated they got hammered with several of those questions.