CISSP - ISSAP Prepration

I am working in Corporate Security Arch and Engineering team for last two years and before that I have 8 years of experience in Operations Security, Network Security, Access Control along with ISO 27001 and PCI-DSS Certification in Financial Services. I choose to pursue ISSAP over CISM or ISSMP to advance my career at this point of time. I lurked alot in the forum to find whatever possible regarding CISSP-ISSAP but ISC2 Official Guide Version-2 is best I managed to find.

Any feedback will be appreciated on :

Which Books to study for CISSP-ISSAP ? ( Apart from ISC2 Version 2 )
Any book from Non-Certification perspective which can give me alot of insight to Security Arch. & Engineering irrespective of exam targets and help me play role in real life scenarios like Federated Identity Management, Security Arch in Cloud Based Applications, Security in Service Oriented Arch. All theese topics are so important but are lost somewhere in CISSP Exam.
Any particular methodology to Study for CISSP ISSAP?

Find more posts tagged with

Comments

beads

Rawhide;

I used and only used the (ISC)2 "Green Book" for preperation. Still a tough exam but everything on the test was readily available in the bibliography. The articles are really just a starting point to the bibliographies where the real information is held. Read all the website information and .PDF stuff. The worst of the exam is crypto (length and chains). Deciding how long the bits are going to be and all that level of stuff. Really alot of mental math involved.

As far as outside study material. Expect difficult questions to the likes of Rao's Green book if you need a quiz book. Rao writes overly obtuse questions of very similar nature. BCP/DRM was moderately more difficult. Physical is easy to figure out. Let's see. Telecom is a pain as well as Networking. Expect these to be a cut above the normal CISSP exam level questions. Be prepared. Took me almost as long to do these 125 questions as it did to do the full CISSP, about 2 and a half hours.

Crypto, crypto, crypto. Other than crypto it was a fairly fun test to do.

Last bit. After I came out of the exam, put it this way. I had to ask a security guard how to exit the building.

- B Eads

rawhide

Thank you B Eads,

I think I got your point, will use biblio extensively along with the book articles. I have done some applied cryptography in graduate and masters coursework so assuming it will help.

When you say "Read all the website information and .PDF stuff " do you mean ISC2 website and CD inside greenbook ? ( I am still waiting for greenbook to arrive.)

beads wrote: »

Rawhide;

I used and only used the (ISC)2 "Green Book" for preperation. Still a tough exam but everything on the test was readily available in the bibliography. The articles are really just a starting point to the bibliographies where the real information is held. Read all the website information and .PDF stuff. The worst of the exam is crypto (length and chains). Deciding how long the bits are going to be and all that level of stuff. Really alot of mental math involved.

As far as outside study material. Expect difficult questions to the likes of Rao's Green book if you need a quiz book. Rao writes overly obtuse questions of very similar nature. BCP/DRM was moderately more difficult. Physical is easy to figure out. Let's see. Telecom is a pain as well as Networking. Expect these to be a cut above the normal CISSP exam level questions. Be prepared. Took me almost as long to do these 125 questions as it did to do the full CISSP, about 2 and a half hours.

Crypto, crypto, crypto. Other than crypto it was a fairly fun test to do.

Last bit. After I came out of the exam, put it this way. I had to ask a security guard how to exit the building.

- B Eads

atx1975

rawhide wrote: »

Thank you B Eads,

I think I got your point, will use biblio extensively along with the book articles. I have done some applied cryptography in graduate and masters coursework so assuming it will help.

When you say "Read all the website information and .PDF stuff " do you mean ISC2 website and CD inside greenbook ? ( I am still waiting for greenbook to arrive.)

I heard the book " Security Engineering: A Guide to Building Dependable Distributed Systems - Ross J. Anderson" was a good book to study for the ISSAP I might purchase it soon as I am looking to get my ISSAP within the next 3-4 months.

Notorious BIG-IP

Pardon my naivety, but what do you guys mean by "Green book"? ...Are you just referring to the "Official (ISC)2 Guide to the ISSAP CBK" book?

Thanks!

rawhide

Yes it is ISC2 CISSP-ISSAP Version 2 Guide.

rawhide

Thank You ATX, This book has some very good feedback on Amazon. I will try to get my hands on this one...

Edit....here is the link you can read this book free online http://www.cl.cam.ac.uk/~rja14/book.html

Security Engineering — By Ross Anderson

beads

Frankly if there is a CD that came with the book - its still with the book. Now, I have to check. Ummmm... where's that book again?

Seriously, I read every reference in biblio and tested out just fine. The grad work (same here) was very helpful with Cryptography. If you had a good class your far and ahead of the pack. As I have probably mentioned before: Crypto is hard because you really don't work with it. More to the side using applications that do crypto algorythms for you. Installing an SSL cert is not really working "with" crypto. Its para-working in my opinion. Off to the side.

Yes, I am harping on crypto on the test. Less we forget the objectives of the ISSAP itself. Hmmmmm...

Cannot speak specifically to the other book but have heard good things about it. Perhaps I should look it up on Amazon and read it myself. Thanks for the tip.

- B Eads

rawhide

Kicking off my ISSAP preprations today, here is the study material I am going to refer so far :

ISC2 CISSP-ISSAP Official Green Book
Security Engineering - Ross Anderson
Shon Harris - 6th Edition, Reference

Will keep this thread active with progress.

GoodBishop

Nice! I ordered the Blue CISSP 6th edition book as well as the 2nd edition ISSAP book, and am waiting to get them. I'll let you all know how it goes as well.

atx1975

Nice I just ordered:

ISC2 CISSP-ISSAP Official Green Book
Security Engineering v2 - Ross Anderson

5ekurity

I've seen in a couple of places that people have picked up the John Sherwood book "Enterprise Security Architecture: A Business-Driven Approach" which explains the SABSA framework for security. I don't know a lot about it truthfully, but it might be worth looking into also.

prateek.vyas

I too am planning for ISSAP and I am preparing with the same biblo you shared. Still waiting for my Green Book though

Will follow this blog

rawhide

It seems we have got a whole gang going for ISSAP here.
My initial experience is not really going well, having difficult time focussing on studies after two week break after CISSP Exam..

rawhide

This book is more focussed on SABSA framework, I am not sure how much SABSA we have in ISSAP exam ? I think the author is John Sherwood is of SABSA (Sherwood Applied Business Security Architecture) fame.

I am still struggling with first domain in green book

5ekurity wrote: »

I've seen in a couple of places that people have picked up the John Sherwood book "Enterprise Security Architecture: A Business-Driven Approach" which explains the SABSA framework for security. I don't know a lot about it truthfully, but it might be worth looking into also.

Humbe

Hi rawhide,

First of all, in order to take the ISSAP you must be CISSP certified. I'm not sure if you already hold that certification (not showing on your profile). Just wanted to clear that up in case it's been overlooked.

I took the ISSAP exam back in March of 2013 and I was short by about 40 points. The exam could be quite stressful to be honest (a lot more than the CISSP one). Make sure you don't walk in sick (like happened to me) or you will be digging your own grave.

I studied by using the green book which had all the content you need to pass the exam.

Good luck in your studies.

rawhide

Humbe,

Thanks for your wishes and stressing on the point that ISSAP was more stressful than CISSP. This should get me back to basics and not feeling over confident after clearing CISSP Exam.

I cleared my CISSP exam three weeks back and still waiting to be "certified" after submitting resume and endorsement. That's also the reason for not adding CISSP to my credentials in this forum. With my 9-10 years of experience in Security operations, designing , ISO 27001 & PCI-DSS implementation I am confident yet keeping my fingers crossed

In the mean time I have started preparing for ISSAP ( will book exam once I recieve certification ). I am considering my experience in last 2-3 years with Security Architecture and engineering will come handy in this certification.

How was your experience of ISSAP in terms of :

Is there any different thought process to attempt ISSAP ? ( For eg, thought process while CISSP was " think like manager"
Did you practise questions ?

Thank you !

Humbe wrote: »

Hi rawhide,

First of all, in order to take the ISSAP you must be CISSP certified. I'm not sure if you already hold that certification (not showing on your profile). Just wanted to clear that up in case it's been overlooked.

I took the ISSAP exam back in March of 2013 and I was short by about 40 points. The exam could be quite stressful to be honest (a lot more than the CISSP one). Make sure you don't walk in sick (like happened to me) or you will be digging your own grave.

I studied by using the green book which had all the content you need to pass the exam.

Good luck in your studies.

Humbe

rawhide wrote: »

How was your experience of ISSAP in terms of :

Is there any different thought process to attempt ISSAP ? ( For eg, thought process while CISSP was " think like manager"
Did you practise questions ?

Thank you !

Rawhide,

I wish I could get more in detail about my exam experience but I can tell you that I saw about 80% crypto questions on the exam. Quite disturbing to be honest.

We had a group of about 5 of us current CISSPs trying to go for the ISSAP, we had a forum thread explaining what we were doing (Google Hangout meetings) but due recent family/personal issues most of us have stopped meeting. Hopefully we can kick it off soon as I see more people interested on the ISSAP.

5ekurity

Humbe wrote: »

Rawhide,

I wish I could get more in detail about my exam experience but I can tell you that I saw about 80% crypto questions on the exam. Quite disturbing to be honest.

We had a group of about 5 of us current CISSPs trying to go for the ISSAP, we had a forum thread explaining what we were doing (Google Hangout meetings) but due recent family/personal issues most of us have stopped meeting. Hopefully we can kick it off soon as I see more people interested on the ISSAP.

Let me know when you get this started up. If the time is right for me, I'd like to participate and get the ISSAP done. Been kicking around the idea, and depending on the school schedule, I might be able to and participate in discussions and knock this thing out.

5ekurity

rawhide wrote: »

This book is more focussed on SABSA framework, I am not sure how much SABSA we have in ISSAP exam ? I think the author is John Sherwood is of SABSA (Sherwood Applied Business Security Architecture) fame.

I am still struggling with first domain in green book

I'm not quite sure either, there was a thorough Amazon review for the green book that referenced SABSA and the knowledge of the book/course as being very helpful.

dijital1

Between the Official ISC2 Study guide and the Ross Anderson book, you should be ok. I found the ISSAP exam more enjoyable than the CISSP exam because of its focus more on the technology side of the house. All of the domains are important to know well. I didn't find that the exam focused more on one particular area than the other.

It was pretty well rounded. Of all the specializations, I found the ISSAP exam to be the most straightforward.

jasonaroberts

beads wrote: »

Expect difficult questions to the likes of Rao's Green book if you need a quiz book. Rao writes overly obtuse questions of very similar nature.

B eads - I have the (ISC)2 Green Book, but no mention of 'Rao' or a quiz book. Am I missing your meaning?

rawhide

Jason, Here is the link for Rao's book discussed in this forum: http://www.techexams.net/forums/isc-sscp-cissp/93001-s-rao-vallabhaneni-cissp-practice.html. I am not using it so far for my prepration.

rawhide

Not much progress made on ISSAP prepration so far, I have been taking things easy in last two months out of sheer lazinees and now summer is approaching. Dont want to miss Summer fun after brutual winters of Michigan.

I think I will appear for ISSAP somewhere in December

GarudaMin

Any of you taking it in a month or two or anytime soon? I am thinking of taking it in a month or two and don't mind knowledge sharing

superg

I'm also interested in the CISSP-ISSAP. A SANS/GIAC instructor recommended:

Expanding Security ISSAP Mind Maps Study Tool
ISSAP Mind Maps Study Tool | Expanding Security – Certification & NICCS training

In addition to the Official (ISC)²® Guide to the ISSAP® CBK, Second Edition (green book)

lionel25

Beads.

I just read the Crypto Section in Version 2 of the ISSAP Study Guide. Nothing really in there about length and chains and how long the bits are going to be. In fact, I did the questions at the end of the chapter and encountered very little mental math. I am curious as to where you got this info from.

Regards

Lionel

beads wrote: »

Rawhide;

I used and only used the (ISC)2 "Green Book" for preperation. Still a tough exam but everything on the test was readily available in the bibliography. The articles are really just a starting point to the bibliographies where the real information is held. Read all the website information and .PDF stuff. The worst of the exam is crypto (length and chains). Deciding how long the bits are going to be and all that level of stuff. Really alot of mental math involved.

As far as outside study material. Expect difficult questions to the likes of Rao's Green book if you need a quiz book. Rao writes overly obtuse questions of very similar nature. BCP/DRM was moderately more difficult. Physical is easy to figure out. Let's see. Telecom is a pain as well as Networking. Expect these to be a cut above the normal CISSP exam level questions. Be prepared. Took me almost as long to do these 125 questions as it did to do the full CISSP, about 2 and a half hours.

Crypto, crypto, crypto. Other than crypto it was a fairly fun test to do.

Last bit. After I came out of the exam, put it this way. I had to ask a security guard how to exit the building.

- B Eads

beads

lionel25 wrote: »

Beads.

I just read the Crypto Section in Version 2 of the ISSAP Study Guide. Nothing really in there about length and chains and how long the bits are going to be. In fact, I did the questions at the end of the chapter and encountered very little mental math. I am curious as to where you got this info from.

Regards

Lionel

Probably having taken the exam vs what might or might not be in the book. It comes down to HOW you solve the question not necessarily the techniques involved.

- B Eads

CloseShave

Hi,

My 1st post here, what a great web site. I've learned allot just cursing through the various threads.

I'm starting to prepare for the ISSAP and this is the 1st resource I've come across that discusses these topics.

I have a couple of questions maybe I could get some guidance on:

1. I have the CBK and Security Engineering books, what about the Bibliography referenced in the CIB. Are there books in there that have been useful in test preparation?

2. I've wondered if there are any good practice exams and whether these practice exams are worthwhile. I saw something from a company called uCertify, I think and wondered if its helpful.

Many thanks for the help!
Steve

rawhide

1. I have the CBK and Security Engineering books, what about the Bibliography referenced in the CIB. Are there books in there that have been useful in test preparation?

Yes, I used bibliography relegiously

2. I've wondered if there are any good practice exams and whether these practice exams are worthwhile. I saw something from a company called uCertify, I think and wondered if its helpful.

I used only CISSP Questions from CCURE for ISSAP, nothing specific to ISSAP. Never heard of uCertify

CloseShave wrote: »

Hi,

My 1st post here, what a great web site. I've learned allot just cursing through the various threads.

I'm starting to prepare for the ISSAP and this is the 1st resource I've come across that discusses these topics.

I have a couple of questions maybe I could get some guidance on:

1. I have the CBK and Security Engineering books, what about the Bibliography referenced in the CIB. Are there books in there that have been useful in test preparation?

Yes, I used bibliography relegiously

2. I've wondered if there are any good practice exams and whether these practice exams are worthwhile. I saw something from a company called uCertify, I think and wondered if its helpful.

I used only CISSP Questions from CCURE for ISSAP, nothing specific to ISSAP. Never heard of uCertify

Many thanks for the help!
Steve

lionel25

Read the official guide. A better job could be done on the editing but it is still a good source. I didn't really bother reading reference material. Also went over everything I'd done for the CISSP, including the Shon Harris book and CCCure.

Okay now this is the trick for passing the first time:

1. IMHO, a seventh topic should be added to the CISSP-ISSAP curriculum - Operations Security. So go over that topic from your CISSP. Operations Security is the common sense that ties everything together.

2. Use common sense on the exam. There is enough time for critical thinking

3. Do not panic over difficult or ridiculous questions. Maintain your composure for the easier ones. I believe the most difficult questions may be experimental and do not count.