ISC2 CISSP Certified Information Systems Security Professional Official Study Guide

The CISSP objectives covered by this book were issued in 2018. For coverage of the most recent CISSP objectives, effective April 2021, look for the latest edition: (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition (ISBN 9781119786238).
CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 8th Edition has been completely updated for the latest 2018 CISSP Body of Knowledge. This bestselling Sybex study guide covers 100% of all exam objectives. You'll prepare for the exam smarter and faster with Sybex thanks to expert content, real-world examples, advice on passing each section of the exam, access to the Sybex online interactive learning environment, and much more. Reinforce what you've learned with key topic exam essentials and chapter review questions.

Along with the book, you also get access to Sybex's superior online interactive learning environment, which includes:

- Six unique 150-question practice exams to help you identify where you need to study more. Get more than 90 percent of the answers correct, and you're ready to take the certification exam.
- More than 700 electronic flashcards to reinforce your learning and give you last-minute test prep before the exam.
- A searchable glossary in PDF to give you instant access to the key terms you need to know for the exam.

Coverage of all of the exam topics in the book means you'll be ready for:

- Security and Risk Management
- Asset Security
- Security Engineering
- Communication and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security

1826 pages, Kindle Edition

Published April 11, 2018

About the author

Mike Chapple

105 books, 35 followers
Mike Chapple, Ph.D. is teaching professor of information technology, analytics, and operations at the University of Notre Dame's Mendoza College of Business. Mike's past experience includes serving as Executive Vice President and CIO of the Brand Institute and as a cybersecurity researcher at the U.S. National Security Agency and U.S. Air Force.

Mike is a cybersecurity certification expert. His books and video courses have helped millions of students successfully pass their certification exams. He is the author of over 30 books, including the Official CISSP Study Guide and other books covering the Security+, CySA+, PenTest+, and CISM certifications.

Mike runs the CertMike.com website as a portal to his certification preparation resources, including books and video courses on LinkedIn Learning.

Ratings & Reviews

Community Reviews

5 stars
153 (48%)
4 stars
120 (37%)
3 stars
32 (10%)
2 stars
6 (1%)
1 star
5 (1%)
Displaying 1 - 29 of 29 reviews
John (494 reviews, 413 followers), November 30, 2019
I don't put much stock in certifications, but . . . In the last couple of years I've had to correspond with the CISOs of numerous companies, asking them to fill out our security questionnaires, assessing their worthiness to be business partners on security grounds, and so forth. And one thing I see is that a lot of these people have the CISSP credential. I have a related cert, Security+, but this one -- the Certified Information Systems Security Professional -- is what people seem to recognize as the one that has some meaning and value. So I decided to pursue it. The quantity of information reminds me of what is required for a master's degree. The exam used to be 6 hours and you had to get 70% or 75% of the questions right. Now it is adaptive and takes about 3 hours, but that's still a big chunk of time. It's also not cheap: at $700, it's not one that I want to take twice. And people apparently fail. The Facebook group devoted to the CISSP exam is littered with posts from people who have significant experience in technology and yet have failed once, twice, etc.

This book seems to be the standard guide for getting it done. It's about 1,000 pages. I actually started with the 7th edition, and then, when trying a practice exam for the newest version of the exam, noticed a startling number of concepts not in that edition; so I bought this one, and indeed it is more current and up-to-date, even containing a citation of the great DevOps novel, The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win.

I read the whole thing except for the last two chapters (on programming and software security) where I took a gamble and went straight to the chapter-ending quizzes, where I did OK. (More at the end on skipping chapters regarding what you think you know.) And yet this book is not enough: Based on what I read online, everyone does practice exams, online question drills, watches YouTube videos. (Tip: The primary author, Mike Chapple, has a decent video series regarding the CISSP on LinkedIn Learning [formerly Lynda.com] on this material -- though thinner.) This all suggests to me that there isn't a lot of intellectual coherence to the certification. But what can you do? ¯\_(ツ)_/¯ As a former professor, I'd suggest breaking the whole thing up and requiring, say, 5 out of 7 tight subjects for the cert.

So what about this book? It is maddening. It is loaded with useful information. For example, in a 40-page chapter, its compressed account of how to understand and manage risk seems to be about as good as anything out there (I've read a few) in such a brief compass. Elsewhere in the book, you will learn about business continuity planning and disaster recovery, security governance, cryptography, ethics, secure software development, and on and on. The book can most certainly serve as a reference and is worth keeping on your desk after your period of close study. The vast range of this book and certification suggests to me that our organizations are so profoundly insecure that there is a fantasy that it can all be understood and managed in one role. Under the hood, I think you could almost get by with a reading of the documentation for NIST 800-53 and a few other federal guidelines. Oh, that's something else I should mention: some 25% of the book, I'd wager, comes out of Fed World: you learn a lot about military security classifications, hardened servers, etc.

Each chapter is followed by some 20 review questions, and they are pretty shallow. This is too bad, because supposedly the cert exam itself has questions that go somewhat deeper and ask for judgement and differentiation. (This is why people use supplements such as the questions from Boson.) The book is incredibly passive-aggressive. On the one hand, the tome expects you to memorize the steps in both the SW-CMM and IDEAL software development models (and use the rather peculiar mnemonic "I ... I, Dr. Ed, am low(w)" [don't ask], p. 887). Would you ever not look this kind of thing up were it ever relevant to your job? Me, neither. Elsewhere the book pointedly describes some detail and then says: the exam won't ask you for this level of information. On the other hand, there is detail you are going to have to know. For instance, the DES cryptography algorithm has 5 modes, and one of them is tolerant of a block being transmitted incorrectly, so that such errors are not propagated, which would break decryption of the remainder. That's OFB mode. Remember that. You're welcome. You pretty much have no option but to try to memorize everything. And some of it is, at this point in 2019, genuinely "who cares?" The book seems to want you to know about WEP, but the real message should simply be to destroy any wifi devices that still use WEP. The book would be some 20% shorter were truly obsolete technologies left out. (They could replace all that stuff with an advisory that if you are evaluating something defined through acronyms you don't know . . . look 'em up!)

This kind of unevenness in approach to detail is maddening, and eventually you just go "f it" and try to keep as much in your head and hope for the best.

Another crazy thing about the book is that there are long lists of things you should do for various things, that seem to be in some order, but the order is not apparent. So, for example, on p. 67 there is a bullet list of some 30 "threats and vulnerabilities": Viruses . . . disgruntled employees . . . natural disasters . . . buffer overflows . . . This is ridiculous. How about grouping these things? This pattern is ubiquitous in the book. I pity the reader who doesn't already have a leg up on this material.

Now, as to skipping chapters if you think you know the topic. Don't do it. The bad news is that even for a topic you know, the security world has a somewhat different vocabulary, and you are going to have to know their way of understanding things. For instance, they will use inkhorn/academic terms for concepts that of course you once knew through that vocabulary: while you know that a table's size in rows is a sometimes interesting metric, you're going to have to remember that the term of art is the "degree" of the table. After many years of programming, you probably have seen timing errors, where a timestamp on a file is checked, but then the file is changed before you use it and the timestamp is stale. Well, this is called a TOCTTOU or TOC/TOU vulnerability. Oh, you didn't know that? Well, it's in the practice quizzes. You will have to know the difference between a Gantt and a PERT chart. Etc.

I suppose I'll update this review if/when I pass the test. For now all I can say is that reading this doorstop has probably kept me from reading 6-8 books that would be more important and valuable for my life and career.
152 reviews, August 23, 2018
This was helpful toward passing the exam. This and the Boson practice exams were my two best resources.
1 review, January 6, 2021
This was the reference I used to pass my CISSP. More info than needed for the exam; however, very well put together.
Justin (233 reviews, 6 followers), February 23, 2023
It has the advantages of being comprehensive and the official study guide. I really liked how chapters overlapped and referred back to each other, which helped remind me of material I’d read previously. The summary, exam essentials, and review questions were also brilliant at reinforcing what was covered in a chapter. These elements seem to have been cleverly designed to achieve that revision throughout.

However, it was pretty turgid at times - and I read it cover to cover - without much in the way of illustrations and the relatively sparse real-world examples were generally sanitised to the point that they weren’t particularly memorable or enlightening. It’s good, but there’s room for a bit of improvement.
Patrick (141 reviews), December 22, 2024
This book truly lives up to its reputation—it contains what feels like millions of facts. When a colleague warned me, “Don’t read this book; your head will explode,” I didn’t fully understand what he meant. Now, having read it, I do. The book covers an astonishingly wide array of cybersecurity topics, providing an excellent overview of the field.

Each topic is described in just enough detail to grasp the essentials without going too deep. Instead, the book includes plenty of references for those who want to dive deeper, which is a great feature. The sheer breadth of material is both its strength and its challenge—it’s comprehensive, but it can feel overwhelming.

To make it manageable, I approached it at a slow pace, reading about two chapters per week and giving myself time to process the massive volume of information. This method worked well for me, as it allowed me to absorb the content without feeling burned out.

While the book is fantastic for preparing for the CISSP exam, I think it’s also valuable for anyone looking to gain a broad understanding of cybersecurity. It’s not just a study guide—it’s a comprehensive resource for the field. For the exam, I’ll definitely need to re-read certain chapters and focus on specific areas, but this book provides a solid foundation.

In summary, this is an excellent book for both CISSP aspirants and anyone interested in a wide-ranging overview of cybersecurity topics. Just be ready for a lot of information and give yourself the time to let it all sink in.
1 review, July 29, 2025
Mike Chapple’s CISSP Official Study Guide was the cornerstone of my certification journey. Dense, precise, and remarkably well structured, it served as my single source of truth throughout the 74 days I dedicated to preparing for the exam.

The clarity in how complex topics were broken down made all the difference, especially when navigating areas where other resources often fall short. This book gave me the confidence and foundation I needed to pass the CISSP on my first attempt.

Highly recommended for anyone looking to not only pass the exam, but deeply understand the material.

Thank you, Mike, for creating a resource that truly delivers.
Chen Mike Aloni (31 reviews, 2 followers), September 30, 2020
Lengthy book. Covers a breadth of topics in the 8 information security domains. This book is a must read for anyone looking to tackle CISSP certification. I recommend also getting the practice exams to test your knowledge. This book will prime you for the topics covered on the exam, but don't take the usual technical exam route of trying to memorize the material. You really have to know the content and the domains to be successful on the exam.
Max Pietsch (83 reviews, 1 follower), August 4, 2023
Listening to this on audiobook made me realize how verbose it is. It's hard to listen to just because there are so many words. Were the authors just trying to make a longer book so it sells better for people who expect to have to read a lot to pass the exam? Eleventh Hour CISSP did not have this problem, and is much more listenable.
56 reviews, 1 follower, November 5, 2018
A terrific bible of Information Security. A must-read for anyone in the field.
40 reviews, April 4, 2021
This is the only CISSP book worth reading. It is very thorough albeit a bit on the dry side (really, what did you expect?) ... I think it's a must-read for anyone studying for the CISSP exam.
Eric (693 reviews, 10 followers), September 5, 2021
Good read. Would even go back and read again as a refresher on the cloud technologies section.
24 reviews, February 4, 2022
Essential reading for anyone looking to attempt their CISSP exam.
Patrick (6 reviews), July 13, 2023
I give it 5 stars now... Might change it after the test. Haha.
Saira✨ (32 reviews, 1 follower), March 14, 2025
At some points I was ready to quit my job, move to Peru, and become a goat herder, but I'm super happy I made it to the end!
22 reviews, April 7, 2025
Toooo much content, 1000 pages reviewing all aspects of Cybersecurity. Contents are well presented and written, but I'm sure you don't need that much detail for passing CISSP!
Joshua Rex (166 reviews, 2 followers), December 15, 2025
If you need to get this certification, great book. If you don’t, go read something worthwhile like Plato instead. I had to read this book.
Tyler (23 reviews), January 1, 2024
(Actually read the 9th but didn't want to be the only review)

Best resource to prepare yourself for the exam imo.
Mara G. (6 reviews), November 9, 2025
The longevity of this read is something to be scoffed at, as the next generations of this book are already in the works. The mismatched domains make this read a jittery nightmare at best. Repetition was meant for pianists, whom I am not, and be it repetition, at least try my brain at a difficult concept. I will not be recommending this for my students.
2 reviews, April 1, 2021
This book is an excellent reference for infosec practitioners. It was central to my test plan, and I still reference it on occasion to brush up on concepts.
11 reviews, July 14, 2022
This was a great book and primer to getting my CISSP certification. It gave me a firm understanding of all the major domains needed to pass the test.