Rabei Hassan, CISSP-ISSAP, CCSP, shares his tips that can help you prepare for the (ISC)² exams, particularly the CISSP. Hassan is a senior cybersecurity consultant at EY, based in Sydney, Australia. With more than 18 years of experience in various IT fields, he has managed end-to-end implementations for ISMS based on ISO 27001. Hassan has developed information security risk management frameworks for various entities, and has extensive experience with project and program management.

1. Don’t jump to conclusions.

Read each question carefully. Think about it, analyse it, and only then answer it. Even if a question seems simple or easy, I would advise you to read it at least three times and give yourself at least a few seconds to think about it.

The questions are written in a way that requires you to read them carefully and analyse them before answering.

For example, if I put the word “attack” in a question about the cloud, what would be the first thing that comes to your mind? You will likely think I’m asking about the attacks that could happen to your service(s) hosted in the cloud, while the question might be about attacks generated from the cloud.

2. Expect the unexpected.

Some questions might ask you to link two different terms or topics that you had not thought were related. You may get a question introducing you to a scenario that is not directly related to IT or information security, asking you to link it to a term related to information security.

For example, you could be given a scenario-based question about a blood test, with answer options framed around false positives and false negatives. Usually you understand these terms in the context of IDS/IPS, but if you were presented with a scenario unrelated to IT or information security, would you still be able to differentiate between them correctly?

3. Manage your time carefully.

The CISSP exam contains 250 questions. Suppose you hit 5, 10 or even 20 difficult questions in a row at the beginning: what typically happens? You might panic and lose your self-confidence. Manage the situation as you would in the field and remain calm. The ability to remain calm under pressure and make the best choices is key for an information security professional.

4. Know the order of processes and activities.

Let us assume we are talking about risk assessment. What is the first step? Is it identifying risks, or is it identifying the resources that are within the scope of the assessment and then identifying the threats and risks relevant to those resources?

Many questions are not just checking your knowledge and skillset; they are also checking your mindset and your understanding of the scenarios.