
(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

The only Official CISSP Study Guide - fully updated for the 2021 CISSP Body of Knowledge

(ISC)2 Certified Information Systems Security Professional (CISSP) Official Study Guide, 9th Edition has been completely updated based on the latest 2021 CISSP Exam Outline. This bestselling Sybex Study Guide covers 100% of the exam objectives. You'll prepare for the exam smarter and faster with Sybex thanks to expert content, knowledge from our real-world experience, advice on mastering this adaptive exam, access to the Sybex online interactive learning environment, and much more. Reinforce what you've learned with key topic exam essentials and chapter review questions.

The three co-authors of this book bring decades of experience as cybersecurity practitioners and educators, integrating real-world expertise with the practical knowledge you'll need to successfully pass the CISSP exam. Combined, they've taught cybersecurity concepts to millions of students through their books, video courses, and live training programs.

Along with the book, you also get access to Sybex's superior online interactive learning environment that includes:

• Over 900 new and improved practice test questions with complete answer explanations. This includes all of the questions from the book plus four additional online-only practice exams, each with 125 unique questions. You can use the online-only practice exams as full exam simulations. Our questions will help you identify where you need to study more. Get more than 90 percent of the answers correct, and you're ready to take the certification exam.
• More than 700 Electronic Flashcards to reinforce your learning and give you last-minute test prep before the exam
• A searchable glossary in PDF to give you instant access to the key terms you need to know for the exam
• New for the 9th edition: Audio Review. Author Mike Chapple reads the Exam Essentials for each chapter, providing you with 2 hours and 50 minutes of new audio review for yet another way to reinforce your knowledge as you prepare.

All of the online features are supported by Wiley's support agents who are available 24x7 via email or live chat to assist with access and login questions. Coverage of all of the exam topics in the book means you'll be ready for:

• Security and Risk Management
• Asset Security
• Security Architecture and Engineering
• Communication and Network Security
• Identity and Access Management (IAM)
• Security Assessment and Testing
• Security Operations
• Software Development Security

1205 pages, Kindle Edition

Published June 16, 2021


About the author

Mike Chapple

Mike Chapple, Ph.D. is teaching professor of information technology, analytics, and operations at the University of Notre Dame's Mendoza College of Business. Mike's past experience includes serving as Executive Vice President and CIO of the Brand Institute and as a cybersecurity researcher at the U.S. National Security Agency and U.S. Air Force.

Mike is a cybersecurity certification expert. His books and video courses have helped millions of students successfully pass their certification exams. He is the author of over 30 books, including the Official CISSP Study Guide and other books covering the Security+, CySA+, PenTest+, and CISM certifications.

Mike runs the CertMike.com website as a portal to his certification preparation resources, including books and video courses on LinkedIn Learning.

Ratings & Reviews

Community Reviews

5 stars: 72 (61%)
4 stars: 38 (32%)
3 stars: 6 (5%)
2 stars: 0 (0%)
1 star: 1 (<1%)
Displaying 1 - 17 of 17 reviews
David, January 29, 2025
I started on version 7 of this book and ended on version 10. It took a while to get through the whole thing but I learned a lot.
Ben Rothke, July 7, 2021
When I was at E&Y, Mike Ressler, one of the most intelligent people I’ve had the pleasure to work with, would answer clients when asked if we were CISSP certified with the quip “no, but focus on our experience.” After we all took the CISSP exam and passed, his answer was updated to “of course we’re certified - but focus on our experience.”

For those that have yet to obtain the gold standard of information security certifications, the 9th edition of the (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide by Mike Chapple, James Michael Stewart, and Darril Gibson (Sybex) will certainly fit their bill.

The CISSP examination has been called a mile wide and an inch deep. At over 1,200 pages, the guide covers the width of the myriad CISSP 8 domains of security. The book also comes with online access to test prep questions, flashcards, and more.

For those looking for a single reference that can take them from their study to the exam center to passing the CISSP exam, this Official Study Guide is their go-to guide.
Chad, December 1, 2023
Useful study guide for (ISC)2 CISSP. Good overview of a wide range of InfoSec concepts.

Notes
Security Governance Through Principles and Policies
CISO reports directly to senior management (CIO, CEO, board of directors). CSO is sometimes used as alternative to CISO, but CSO is often position under CISO, focused on physical security. Information Security Officer (IS) is sometimes used as alternative to CISO, but can be used for position under CISO.

CIO ensures info is used for biz objectives. CTO ensures hardware and software supports biz functions.

Security control frameworks
• COBIT: InfoSec goals and requirements from ISACA
• NIST 800-53: recommendations on security & privacy controls
• NIST Risk Management Framework (RMF): mandatory requirements for federal agencies
• NIST Cybersecurity Framework (CSF): operational activities for critical infrastructure and commercial organizations
• ISO/IEC 27000: international standard for organizational security
• ITIL: recommendations for optimizing IT to support biz

Personnel Security and Risk Management Concepts
Risk frameworks: NIST Risk Management Framework (RMF), ISO/IEC 31000, ISO/IEC 31004, COSO, Risk IT, OCTAVE, FAIR, TARA

Cryptography and Symmetric Key Algorithms
Key space: range between key with all 0s and all 1s

Kerckhoffs's principle (Kerckhoffs's assumption): cryptographic system should be secure even if everything about system (except key), is public knowledge.

Definitions
• Cryptography: art of creating and implementing codes/ciphers
• Cryptanalysis: study of methods to defeat codes/ciphers
• Cryptology: cryptography and cryptanalysis together
• Cryptosystems: specific implementations of codes/ciphers in hardware or software

Codes: cryptographic systems of symbols that represent words or phrases; sometimes secret, but not necessarily meant to provide confidentiality; work on words and phrases.

Ciphers: cryptographic systems meant to provide confidentiality by altering and/or rearranging characters or bits; work on individual characters, bits, blocks.

Symmetric key encryption is often 1,000 - 10,000x faster than asymmetric.

Digital signature technology: sender creates message digest by using a hashing algorithm, then encrypts digest using private key. To verify signature, recipient decrypts message digest using sender's public key, then verifies decrypted message digest is accurate.

PKI and Cryptographic Applications
• To encrypt message, use recipient's public key.
• To decrypt message sent to you, use your private key.
• To digitally sign message, use your private key.
• To verify signature on message sent to you, use sender's public key.

Link encryption encrypts all traffic by creating secure tunnel between 2 points. Encrypts all data, including header, trailer, address, routing data. Usually at lower layers of OSI model.

End-to-end encryption protects communications between 2 parties, and is performed independently of link encryption. Doesn't encrypt header, trailer, address, routing data. Faster but more susceptible to eavesdroppers than link encryption. Usually at higher layers of OSI model. TLS and SSH use it.

With homomorphic encryption, when you perform computation on encrypted data, you get a result that, when decrypted, matches result you would have received if you had performed computation on plaintext data.

Security Vulnerabilities, Threats, and Countermeasures
Observable: identified fact of occurrence (e.g., presence of malicious file, usually accompanied by hash).

Indicator: observable along with hypothesis about threat.

Microservice: One element, feature, capability, business logic, or function of web app that can be used by other web apps.

Elasticity: expansion or contraction of resources to meet processing needs; usually refers to hardware.

Scalability: ability to take on more work or tasks; usually refers to software. A scalable system must be elastic, but an elastic system doesn't need to be scalable.

Vuln DBs: exploit-db.com, cve.mitre.org, nvd.nist.gov

Secure Network Architecture and Components
Non-IP protocols (e.g., IPX, AppleTalk, NetBEUI) should be blocked because most firewalls can't perform content filtering on them, and they can be encapsulated in IP.

Oblivious DoH (ODoH) adds DNS proxy between client and DNS resolver so that identity of client is isolated from DNS resolver, providing anonymity and privacy.

Cellular service is generally only encrypted between mobile device and transmission tower; they're plaintext when transmitted over wires.

Most modern devices labeled as modems (cable, DSL, wireless, etc.) are routers, not modems, because they don't modulate between analog and digital.

Internal segmentation firewall (ISFW): firewall between internal network segments or company divisions, to prevent malware spread.

MDR: Focuses on threat detection and remediation, but isn't limited to endpoints. Service that monitors IT environment in real-time to detect and resolve threats. Often a combination of technologies, including SIEM, network traffic analysis (NTA), EDR, IDS.

EPP: Variation of EDR that is more active than passive, and focused on prediction, prevention, detection, response.

XDR: collection of technologies into single solution, often including EDR, MDR, EPP. Not limited to endpoints. Often includes NTA, NIDS, NIPS functions.

Prefix "S" in name of protocol usually indicates use of SSH (which has "S" as 1st letter). Suffix "S" in name of protocol usually indicates use of TLS (which has "S" as last letter).

Controlling and Monitoring Access
Permissions, rights, privileges
• Permissions refer to access granted for an object and determine what user can do with it. In this context, permissions and access rights are synonymous.
• Rights refer to ability to take action on an object.
• Privileges are combination of rights and permissions.

Password-salting algorithms: Argon2, bcrypt, PBKDF2

Security Assessment and Testing
SOC audits
• SOC 1: assesses org's controls that might impact accuracy of financial reporting
• SOC 2: assesses org's controls that affect security and privacy of info in a system; results are confidential
• SOC 3: assesses org's controls that affect security and privacy of info in a system; results are intended for public
• Type I reports: auditor checks org's paperwork to ensure controls are reasonable and appropriate
• Type II reports: auditor checks org's paperwork to ensure controls are reasonable and appropriate, and checks functionality of controls

COBIT describes common requirements that orgs should have regarding info systems.

ISO 27001 describes standard approach for setting up InfoSec management system. ISO 27002 goes into more detail on specifics of InfoSec controls.

NIST Security Content Automation Protocol (SCAP)
• Common Vulnerabilities and Exposures (CVE): naming system for vulnerabilities
• Common Vulnerability Scoring System (CVSS): scoring system for severity of vulnerabilities
• Common Configuration Enumeration (CCE): naming system for system configuration issues
• Common Platform Enumeration (CPE): naming system for OSs, applications, devices
• Extensible Configuration Checklist Description Format (XCCDF): language for specifying security checklists
• Open Vulnerability and Assessment Language (OVAL): language for describing security testing procedures

Preventing and Responding to Incidents
Smurf attack: amplification attack that floods victim with ICMP echo packets; old and now rare attack

Fraggle attack: amplification attack that floods victim with UDP packets

TLS decryptor: Often a standalone hardware appliance, but can be within IDPS, NGFW, or other appliance. Intercepts TLS handshake between internal client and Internet server and inserts itself in middle. APTs often encrypt traffic on client before exfiltrating it, so TLS decryptor (or IDPS) cannot decrypt it.

Playbook: document/checklist that defines IR actions

Runbook: automatically implements actions in playbook

Machine learning: Part of AI. Refers to a system that can improve automatically (learn) through experience. Starts with rules/guidelines (whereas AI starts with nothing and learns rules).

Investigations and Ethics
Cybercrime types
• Military and intel
• Business
• Financial
• Terrorist
• Grudge
• Thrill
• Hacktivist

APTs can act on behalf of nation-state, organized crime, terrorist group, or other sponsor.

"Suicide hackers" attack without attempting to avoid getting caught.

Software Development Security
Expert system (type of AI) components
• Knowledge base: if/then statements containing human knowledge
• Inference engine: uses logic and fuzzy logic to analyze info in knowledge base to draw conclusion based on experience

ML
• Supervised learning: machine is given dataset and "correct answers" (labeled data), and algorithm develops model
• Unsupervised learning: machine is given dataset without "correct answers" (unlabeled data), and algorithm develops model independently

Neural network: Chains of computational decisions attempt to imitate human reasoning. AKA deep learning or cognitive systems. Extension of ML.
December 9, 2022
Miles wide..

After finishing the book I indeed feel confident that I know something of possibly everything in the wide arena of information security.
I hold back one star while rating the book as I feel its readability can be improved. Firstly, there are too many repetitions, which, if culled, could probably make it shorter by at least 100 pages. Secondly, the authors should review their target readers.. it is mostly people having some relevant background, who would generally comprehend an idea/term having read it once, esp. a commonly used idea/term. There is no need to frequently give forward/back references in 20 words or so.. I often found my flow getting off-roaded due to this. This distraction can be removed by letting readers refer to the Index, at least for common/well-known ideas.
September 4, 2023
Read cover to cover in preparation for the exam. Skimmed probably 30%. It's not perfect: some subjects required auxiliary research outside of the book because there either wasn't enough information in the text or the information wasn't clear. I also don't understand why the book outline doesn't match the exam's seven domains. This creates unnecessary confusion and I think exam prep would be more efficient if the official study guide were laid out in parallel. Overall, however, I do think this resource is required reading for the exam and I did take away a lot from its use. I anticipate using it as a reference source in the future as well.
Haley R., June 7, 2024
Save your money and buy the Destination Certification book instead. Much shorter, much easier to read, and a better value. I like reading to the point that I've been on GoodReads for most of my life, and even that made this book a slog. DestCert's book is ~1/3 of the length and at least 3x as engaging. Provisionally passed on 6/7/2024 at question 100.
Wade Lambert, April 15, 2022
Couldn't have passed my CISSP exam without it. Best material available, I recommend it highly for anyone studying for the CISSP.
Pablo Gallardo, January 9, 2022
Very useful tool to understand the content of (ISC)2's CISSP certification. It is very well explained, it rushes to resolve the doubts that just arise in your head (I guess they have done a good job in getting feedback from students), and unlike other official study guides it is very student-oriented. It also offers references to official sources, like the ones from NIST. Highly recommended.

As an improvement, I missed more diagrams. It is true that the texts were mostly clear enough, but sometimes I thought it would be quicker to understand with a visual diagram. It is weird because some of the figures that appear through the book are too evident and pointless, and some others I would consider critical are not there. It also lacks an acronym annex, and this is a recommendable feature because acronyms are extensively used throughout the study guide and tests. I had to use a search engine instead.

Considering it covers global IT Security domains I find it very US-centric, but this is to blame on the CISSP certification itself and not the authors of this wonderful study guide.
Gregory, December 3, 2021
This is essential reading if you want to earn your CISSP. I read the All-in-One 8th edition and when the objectives came out, I purchased this to hit the highlights of the new content. A lot of this exam is based on management experience and experience in the security field, but this is a great overview for an exam that is a mile wide and an inch deep. I also watched Mike Chapple’s series on LinkedIn learning. Between the book, the videos, and experience, I am proud to say I passed the exam on my first attempt.
Gary, December 4, 2023
Professional reading that I am *SO* very glad to have finally got out of my "Currently Reading" category. Pretty much "does what it says on the box," however it does contain significant errors, some explanations are unclear, it is unnecessarily verbose and belabors subjects. I now have to reread some sections, do some practice tests and sit the exam so after that we'll see how effective it actually is. It's been a necessary but not fun read and I'm glad to be done with the initial read through.
David Steyer, July 24, 2021
Since this book is for the CISSP exam, the real test will be whether one passes or not. I take the test in a few days and I hope to be one of those who pass. That being said...

I did find this book simple to understand and easy to read. Much better than, say, the actual official Book of Knowledge, which explains things in as complicated a way as possible.
August 30, 2022
Pretty much a must-read for any hope of passing the exam. At minimum, read the chapter summaries, take the practice questions, and review problem areas.

FYI for what it’s worth some other great resources IMO (passed first try at 175 ? in 90 min)
Official app
Luke Ahmed Think Like a Manager
11th hour CISSP
YouTube you will pass the CISSP
YouTube mind maps
YouTube inside cloud and security
Felix, November 20, 2021
The most updated study guide to prep for the CISSP exam. Finished the book!! It's quite thick but chock full of great material on IT security. I hope I've read enough to pass the CISSP exam.

Michelle Maldonado, January 14, 2023
Basically read this from cover to cover and took all the review tests at the end of the chapter. I took the exam and passed in Jan 2023. Definitely great to pair with an app with test questions.