What is the CISSP?

It is the Certified Information Systems Security Professional certification. It's generally the most widely-recognized, broad certification within information security. Essentially it's an inch deep and a mile wide - a HUGE amount of information grouped into 8 domains:

  • Domain 1. Security and Risk Management (15%)

  • Domain 2. Asset Security (10%)

  • Domain 3. Security Architecture and Engineering (13%)

  • Domain 4. Communication and Network Security (14%)

  • Domain 5. Identity and Access Management (IAM) (13%)

  • Domain 6. Security Assessment and Testing (12%)

  • Domain 7. Security Operations (13%)

  • Domain 8. Software Development Security (10%)


If you're only going to get one information security certification, this is the one. It's by far the most widely accepted and recognized.

Should you get it?

....maybe. It depends on what you want. In general, certifications are useful for entry level folks who are looking to get a foot in the door, or to understand the lexicon and framework with which people talk about security.

They can also be helpful for getting your resume past an initial screening, looking impressive to future employers, and potentially adding credence to your experience (even better if you don't have much experience!).


It does not mean that you are a 'cybersecurity' expert, and most folks won't see it as that. This particular certification is aimed more at managers than hands-on keyboard folks. This test won't teach you how to operate as a hands-on keyboard SOC (security operations center) analyst. But it will give you some exposure to a broad list of basic concepts.

Interested in reading more about certifications? Check out .

Let's talk details.

In order to get the certification, you need at least 5 years of work experience in two or more of the domains. You can substitute a four year college degree or certain certifications from ISC2 for one year of work experience (details ).

If you don't have the required years of work experience, you can still take the test and become an associate of ISC2. You then have 6 years to gain the required 5 years of work experience.

The English version of the test is a 'computer adaptive testing' (CAT) exam, which means you receive between 100 and 150 questions depending on your performance: the test automatically adjusts the questions it gives you based on how you have answered so far.

So, for example, if you get a question wrong, the computer will then give you a slightly easier question. If you get a question right, the next question will probably be more difficult. The computer will continue giving you questions until it is able to confidently assess your level of knowledge and terminate the test. This type of testing thus takes fewer questions to confidently assess your level of knowledge.

The non-English version is fixed and has 250 questions. You get a maximum of 3 hours for the English test (and 6 hours for the non-English version).

The test is available in English, French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese, and Korean, and in a version for the visually impaired. The test is offered by Pearson VUE and is administered by their proctors.

The cost is $699 and you need 700/1000 to pass the exam. You can register for the exam on the Pearson VUE website .

After you pass the exam, you have 9 months to complete the '' (unless you're applying as an 'associate of ISC2'), which involves getting an ISC2 certified professional (someone who holds an ISC2 credential in good standing and can attest to your professional experience) to certify that your professional experience claims are true.

If you don't know someone who fits this category, you can ask ISC2 to serve as your 'endorser'. Then, your certification is good for life, as long as you pay an annual maintenance fee (currently set at $125 for certificate holders, and $50 for associates) and complete your required continuing professional education credits (CPE).

CISSP certification holders are required to submit 120 credits, while associates are required to submit 15 each year.


You can get CPE credits for a variety of activities, such as taking an academic course (1 hour of instruction in a domain = 1 CPE, up to 40), reading a book (5 CPEs per book, with a 250 word description), a magazine (5 CPEs per magazine issue, with a 250 word description), or a whitepaper (1 CPE, with a 250 word description), or attending ISC2 events and webinars.

You can find more details on the CPE process .


What was my experience?

The test took me about 80 minutes and I went through 100 questions before I passed.  


In order to prepare, I did the following over a period of roughly 2+ years. I would study for a week or so, then forget about it for a few months, then come back to it as I had time.

I probably only intensely studied for about a month (meaning I was spending a couple hours on weekdays studying and closer to 6 hours on the weekends). I also knew almost nothing (and had no degree or experience) when I started studying. I initially started studying in the hope it would help give me a framework to understand corporate security - which it did (though I'm not sure it was the best option for that).

If you have several years' experience working in information security, you could probably just read the 11th Hour book a couple of weeks before the exam, brush up on unfamiliar topics, try some practice questions, and take the test. I've rated the resources I used out of 10 based on how useful they were in preparing.

  1. Read the (yeah, the entire thing. Probably don't do that. It's definitely more information than you actually have to know.) 6/10

  2. (I watched the old ones, then when she released updated content, I watched the new ones. These are solid, though they're not as in-depth as the exam can be.) 7/10

  3. guide (like three times).  8/10

  4. Daily CISSP Question Videos (I watched all of them. Some of them more than once. The guy who runs the series has a really great way of explaining complicated concepts, but I don't think the questions were reflective of the exam questions.) 6/10

  5. Made a million (probably around 1000) flashcards whenever I got a question wrong or ran into difficult concepts. Studied them. Made more (every time I ran into something I didn't know). Studied them again. 10/10

  6. Used the to research specific topics I didn't understand. And asked other people, googled the topics, read blogs, watched YouTube videos, etc. 9/10

  7. Watched , , and on testing mindset. Several times. 10/10

  8. Took all the practice questions in the ISC2 Practice Test book (twice - same link as the study guide). The questions were good, but not necessarily reflective of what the exam questions look like. 7/10

  9. Took all the practice Qs. Took them again and read all of the explanations. These were the single most useful resource. The explanations were great, though the questions were more technical than the exam was. 10/10

None of the practice questions were perfect representations of the test, but Boson seemed the closest.


The best piece of advice I received before taking it was to look at the answers, and if any of the answers told me to do something (take a system off a network, change a password, perform an account lockout, etc.), to skip it in favor of an answer which involved documenting, instructing someone else, etc.


Getting in the 'CISSP' mindset is key to passing the test. Imagine, for each question, that you're running the security team while it's handling the situation described in the question.

What would you do (or what would you tell your team to do)? Turns out I was way, way, way over prepared for the technical concepts (though I was still (mostly) glad I learned the information!).

Eventually, you just need to book the test - I don't think anyone feels ready when they're preparing (and definitely not when they're taking the test!), but at some point you have to accept that you've done as much as you can. Happy studying!
