ISSEP Pass - Review

I passed the ISSEP exam and must say that what I have heard about it being an extremely difficult exam holds true to me. This was the only (ISC)2 exam I've taken where I wasn't sure if I passed or not when I ended the exam. Thankfully, my folded-up paper said congratulations.

Below is a review of the ISSEP exam and my studies used to get there along with my assessment of things you really need to know to even stand a fair chance. It is a long one. Even though there are only four domains, there is an incredible amount of information you are expected to know. I apologize in advance if I leave anything out.

Resources used:
Official Guide to the ISSEP CBK (2005)
The actual documents themselves (covered in the ISSEP exam objectives and CBK)

The Official Guide to the ISSEP CBK (2005)
I found that the Official Guide to the ISSEP CBK (2005) was a very outdated, but, valuable asset. I read through the entire book, and revisited the Systems Engineering (SE) section many times for clarity. It is well-written and flows nicely. I don't think anyone should attempt this exam without it. There is supposedly a newer edition coming out in the near future. Note that once it comes out that it will likely mean the exam objectives have changed, since they are anticipating big changes and don't want to publish a new ISSEP book with a short shelf life. Always pay attention to the most recent exam CIB for the exam you are going to attempt.

The Actual Documentation
It is important to note that preparing using the documentation itself is extremely valuable. There really isn't a substitute to reading and preparing using the actual documents. I wouldn't recommend attempting this exam without reading through the documents themselves and having a thorough understanding of each applicable one. However, if you are able to get through this daunting task, you will be well off and stand a good chance on this exam.

Review:
The objective of this review is to assist others who desire to prepare for and attempt this exam. For me, one of the most difficult parts of the preparation for the ISSEP was the fact that there is so little information out there about it and not many sources to pull from. Hopefully, this review will help change that. Enjoy!

C&A
One of the four domains of the ISSEP is C&A. My initial thought was to prepare for the CAP and pass that exam and that this would serve as preparation for this domain of the ISSEP. This assertion was correct and served extremely well for this domain. My review of the CAP itself can be found here. One important thing to note, after taking both the CAP and ISSEP, is that the CAP did not seem to focus on NIACAP or DIACAP at all (only the RMF), while the ISSEP still includes all of the above. This caught me off guard on my exam, though I was able to at least power through the DIACAP questions and make good attempts on the NIACA questions thanks to my direct experience with DIACAP. If anyone is interested in taking the ISSEP, I highly recommend that you consider the CAP exam first and add studies of NIACAP and DIACAP as well. You should know the entire RMF inside and out and be able to identify any given activity or task as well as understand where it stands in relationship to other activities and tasks. You also need to know how it relates to the SDLC phases. These are all musts for both exams. If you do this, you will be prepared for the CAP and the C&A domain of the ISSEP.

Systems Engineering
Next, I will address the SE domain. This is, as you probably guessed, the bulk of it. As others before me have said, you must know the IATF inside and out or you simply will not pass. Similarly to the RMF, you must know it so well that you understand every single activity and task, how they relate to each other, how they support each other, what happens in each and every activity and task, as well as how to assess the effectiveness at each step and how that step supports C&A. I know it probably sounds difficult to master and dedicate to memory. That's because it is. It is possible though. You really do need to know it completely inside and out. However, if you do manage to know it on that level, you will be able to answer the questions effectively and confidently. It is also important to spend a good deal of time mastering the DoD Architectural Framework (AF) and the Defense Acquisition System (DAS).

USG IA Related Policies and Issuances
You also have to know the policies, laws, and regulations that apply. To keep this short, I will say that there are many on the list that I used to study and I did read through them all. Most of them I read through in their entirety, but, not all of them, and I still missed some documents that appeared on my exam. Here is a list you should study and know before your exam. Please note that this list is not all-inclusive and that you should extend your studies beyond this list to cover any additional documentation you feel is important to the ISSEP exam. I think this is everything, but, I apologize if I left anything out:

- CJCSI 6510
- DoD 5000.1
- DoD 5000.2
- DoD 5100.0
- DoD 5220.22
- DoD 8100.1
- DoD 8100.2
- DoD 8500.1
- DoD 8500.2
- DoD 8570.1
- CNSSP 14
- CNSSP 15
- CNSSP 22
- CNSSI 1253
- CNSSI 4009
- CNSSI 4011
- CNSSI 4012
- CNSSI 4013
- CNSSI 4014
- CNSSI 4015
- CNSSI 4016
- NIST SP 800-12
- NIST SP 800-14
- NIST SP 800-18
- NIST SP 800-25
- NIST SP 800-27
- NIST SP 800-30
- NIST SP 800-34
- NIST SP 800-35
- NIST SP 800-36
- NIST SP 800-37
- NIST SP 800-39
- NIST SP 800-47
- NIST SP 800-53
- NIST SP 800-53A
- NIST SP 800-59
- NIST SP 800-60
- NIST SP 800-64
- FIPS 140-2
- FIPS 197
- FIPS 199
- FIPS 200
- OMB A-130
- OMB M-99-18
- OMB M-00-13
- OMB M-01-08
- OMB M-02-01
- OMB M-03-19
- EO 13231

Technical Management
I only spent five hours reading through the technical management domain and skimmed through the DOD PMBOK. I recommend that you spend more time than this on this section if you are not familiar with it. This section is the shortest and least challenging of the domains, in my opinion.

Summary
To make a long story short, you need to spend a significant amount of time preparing for this exam and really know your stuff. There were many questions where I was only able to answer them due to my related work experience. I highly recommend you only take this exam if you truly have the experience to match the required knowledge. If you have the experience and spend ample time studying and preparing, you can be successful. The exam may have a really low pass rate, but, it is not impossible.

I believe that covers everything, but, I will add topics and items if I remember anything additional. Please feel free to comment or ask questions. I look forward to seeing and helping others who attempt this challenging exam. It is a very rewarding experience to conquer this one. On to the endorsement process, yet again!

At the time of this writing, only 915 people are ISSEP certified. I am hopeful that this number will grow as it gains more attention and recognition from the industry.

Find more posts tagged with

Comments

broli720

Great review and thanks for the feedback.

moyondizvo

Congrats Jonnyg, nice work and great review ...

Jegga

Great work, and congratulations on the pass! By the way, long time reader of the forums, just never posted. As one of the 915, I know how difficult this exam was and, for me, it's been the most difficult I've ever taken. Certainly not impossible, but one has to know not only the domains but how they intertwine.

Good thinking on taking (passing) the CAP before going after the ISSEP. It's a perfect tool to help you get prepared for the C&A domain. Not the only tool, mind you, but definitely one to take advantage of. It always helps to add more letters behind your name as well.

Best wishes on your next challenge.

5ekurity

Congrats on the pass, that is quite an accomplishment!

Jonnyg

Thank you, all, for the congratulations! Preparing for the ISSEP is quite the undertaking.

I forgot to mention that the total prep time I used for this exam was three months, including the studies for the CAP (approximately one month). Also, I felt that they do give you ample time to take this exam. There are 150 questions and they give you three hours to finish the exam. I was able to finish the exam in two. I felt the questions were pretty straightforward and fair. They are styled a lot like the CISSP and CAP exam questions. Some people may feel that is a bad thing, but, I feel that they all fairly assess your knowledge of the material outlined in their respective CIB.

As far as the next challenge, I am not sure. I am considering the ISSMP or ISSAP. I figure that would be a good transition. Any suggestions?

cyberguypr

Congrats! Superb write up. Thanks for sharing.

sigsoldier

Congrats man! Thanks for the great review.

I hope to be there one day. I am following your strategy and am studying for the CAP right now. I will probably wait for the next Official Guide to the ISSEP CBK to be released before I begin studying though.

kzc

Good job, Jon. I was pleased to hear you passed. The ISSMP is a quick kill, costs less than the CISM (both initial and AMF), fulfills the same 8570 requirements, and is more convenient to schedule. I did a write-up on it a while back, and can help guide you further if you want (except my contract expires in about 2 weeks, so I'll be in unemployed freak-out mode for a while, and my availability is likely to be limited).

Jonnyg

cyberguypr wrote: »

Congrats! Superb write up. Thanks for sharing.

Thank you! I appreciate that.

sigsoldier wrote: »

Congrats man! Thanks for the great review.

I hope to be there one day. I am following your strategy and am studying for the CAP right now. I will probably wait for the next Official Guide to the ISSEP CBK to be released before I begin studying though.

Thank you! That isn't a bad idea, though, most of the changes are coming to the C&A domain from what I have gathered. If you are doing the CAP now, you will know the C&A domain for the ISSEP. If time isn't an issue, you may want to consider knocking out the ISSEP after that while the C&A knowledge is fresh and before the CIB changes. Either way, I'm sure you will be fine. Feel free to send me a message if you have any questions on either cert.

kzc wrote: »

Good job, Jon. I was pleased to hear you passed. The ISSMP is a quick kill, costs less than the CISM (both initial and AMF), fulfills the same 8570 requirements, and is more convenient to schedule. I did a write-up on it a while back, and can help guide you further if you want (except my contract expires in about 2 weeks, so I'll be in unemployed freak-out mode for a while, and my availability is likely to be limited).

Thanks, kzc! I should have put a note in the initial post, but, kzc has passed the ISSEP as well and was a substantial help in determining a good study path. Very, very helpful. I agree with your assessment regarding the ISSMP compared to the CISM. It seems like that would be a wise choice. I just need to get my hands on the book, now. Also, that would complete the entire 8570 chart for me.

Thanks again!

kzc

Jonnyg wrote: »

I just need to get my hands on the book, now.

Rent it for $18. It'll give you a month or two to study. It's more time than you'll need.

Official (ISC)2® Guide to the ISSMP® CBK® ((ISC)2 Press): ISC)² Corporate, Harold F. Tipton: 9781420094435: Amazon.com: Books

Jegga

Taking the ISSMP next week myself. I agree with kzc, that a month or two is really all you need to study. Rent or buy the book (I bought mine, just to keep as a reference) and you should be in good shape. I feel pretty confident about passing the exam.

Jonnyg

Jegga wrote: »

Taking the ISSMP next week myself. I agree with kzc, that a month or two is really all you need to study. Rent or buy the book (I bought mine, just to keep as a reference) and you should be in good shape. I feel pretty confident about passing the exam.

Good luck! I am interested to hear how you do and what you recommend as a study path for this exam. Is the book the only reference you used?

rosadod

Jonnyg I'm a little confused... you say you used the ISSEP CBK and actual documents themselves. Do you mean the documents from the reference section of the CIB? For the SSE section, what was your main study materials? Was it the CBK and the IATF v3.1 or that and a combination of that and other references from the CIB? I would assume you used a combination of the CBK, DoD 8500 series and SP-800-37 as your main resources for the C&A portion. I've done C&A the last 4 years (DIACAP and RMF) so I should be fine there... I'm really trying to narrow my focus on the SSE section study materials. I'm starting my studies this weekend and want to test by Sep 1. Any additional tips would be appreciated.

Jonnyg

The ISSEP CBK is a great tool to help prepare for the SSE section to supplement the IATF. These should be your two primary resources for the SSE portion. You also need to know and understand the other documents I have listed in the original post. Having the C&A experience will help with that domain. You still need to study and prepare for it, though. The main advice I can give you is to spend quality time with the documents listed above. They should be your primary tools. It also helps to spend time with the glossary sections to familiarize yourself with the terms these documents use. A lot of it should be redundant, but, it will help reinforce ideas and terms you already know as well as allow you to pick up ones you may not currently know.

What is your current study plan?

rosadod

Ok. Thanks... good stuff. I've actually decided to start studying for the ISSAP instead.

asadzz

Congrts on passing such esteemed exam. Good work!.

I like to appear in the exam as well, I'm non-us citizen living in Pakistan and currently preparing for the exam. Looking at your review, there was one thing in particular I want to get second opinion or review whcih is regarding your mention of official CBK-ISSEP book. As according to ISC2 when recently checked , I was told not to use this book for preparation because it doesn't reflect the true definition or full-fill the requirements of passing this exam.

As for me going through the CIB material which in terms of pages goes upto 6000+ seems impossible task, as between these documents there is no guidance-line which you can follow; like the relationship or the connection between each document with another document from a different domain is non-existent. I'm sure in real-exam you are suppose to know and answer the questions as you entire thing summarized in your head in just one-line. The arrangement of the material e.g PKI infrastructure, use of AES for federal systems etc.

I'm not sure which CIB should get more emphasis, and its nearly impossible to go back and revise these 6000 pages. I was thus wanted to know from you if i follow the CBK book only would i be able to make it through.

Also, i was thinking of buying /registering for live webex which is of 2000 dollars, plus the promise a free course in case you failed.

Kindly, help me /advise me the best course of action for passing the exam, considering the above constraints.
Thanks

Jonnyg

Are you saying that (ISC)2 told you not to use the Official Guide to the ISSEP CBK (2005)? My recommendation on the book is above in the original post. Some of it is outdated, however, a lot of it remains relevant, despite its age. I recommend using it as a source. Perhaps whoever told you to not use it for study meant not to use it as the only source. If that were the statement, I would agree. It should be used alongside the actual documentation and experience in the field.

I'm not sure what you are referring to in regards to the CIB 6,000+ pages. The documentation I feel is relevant to know for this exam is listed in the original post as well.

bobloblaw

Well done. That's an intimidating concentration.

zxbane

Is there any word on when the updated CBK for this is coming out? I want to pursue this route but would rather wait for the updated materials/exam.

Cyberscum

YAY!!! GJ and great write up.

Kinda late to the party I see...

sigsoldier

zxbane wrote: »

Is there any word on when the updated CBK for this is coming out? I want to pursue this route but would rather wait for the updated materials/exam.

According to this link the new book will be out April 2015.
Official (ISC)2 Guide to the CISSP-ISSEP CBK, Second Edition by Susan Hansche | 9781439823279 | Hardcover | Barnes & Noble

zxbane

Thanks for the link sigsoldier. I guess I will hold off on studying until then, unless I do as the OP did and pursue the CAP first to cover the C&A domain which seems wise anyways.

I wonder if the exam itself will be overhauled around the same time as the release of the v2 CBK.

Jonnyg

Thank you for the congratulations! In regards to the book release date, I wouldn't bank on it being accurate. It seems to keep being pushed back according to this post. With my experience, the old ISSEP book (2005) was still useful on the domains outside of the C&A domain. If the ISSEP is something you want to pursue, then I would recommend not relying on the new book unless you have time to wait on more official concrete release date details.

cgrimaldo

Thanks for the write-up. San Antonio is a hot-bed for DoD jobs and this looks like something I might pursue.

Jonnyg

Good luck if you decide to pursue it!

dou2ble

Congrats on passing this! I got 687 after studying for 3 months and attending the ISC2 class. What hurt me the most was not memorizing all the IA Regs you have listed. Some questions I'm positive I would've passed had I known all IA Regs by number and title. I'm taking it again in a couple weeks.

asadzz

dou2ble wrote: »

Congrats on passing this! I got 687 after studying for 3 months and attending the ISC2 class. What hurt me the most was not memorizing all the IA Regs you have listed. Some questions I'm positive I would've passed had I known all IA Regs by number and title. I'm taking it again in a couple weeks.

im going to give exam in two weeks. I have read worth 8000 pages of CIB ref and CBK. I'm not sure I understand what you meant by IA regs pls elaborate.

good luck for retake.

lamont29

I am so happy to have read your analysis of this test. I will take a 'chill pill' and allow myself some time before I jump on this one then. Even though I have experience in this domain, it's not like I was taking notes along the way. I did not know exactly how far along in IA / IS career path that I was going to eventually traverse. I am learning and gaining a lot through my networking and collaboration via this site.

userav

Congrats!