Security Basics mailing list archives

RE: CISSP Examination Practices ?


From: "David Harley" <david.a.harley () gmail com>
Date: Mon, 4 Feb 2008 19:18:06 -0000

It was a generalization.

Exactly my point. And that's why it's misleading.

The CISSP is a management exam.

I disagree. It's a broad-rather-than-deep security certification for
information security professionals, which is often particularly suitable for
managers in the security field, but it's also perfectly suitable for someone
with specialist expertise who wants/needs to prove they have a reasonable
amount of knowledge in the other domains. It's certainly not a management
exam in the same way that an ITIL qualification is, for instance. 

Focusing on learning all the technical matters of each of 
the domains (though commendable and useful) would not 
necessarily mean you'll ace the exam.

There, I agree. In fact, I wouldn't regard every CISSP question I've ever
seen as technically correct, though (ISC)2 do go to some lengths to make
their questions as good as possible.

When answering many of 
the questions, you need to put a manager's "hat" on and that 
means you have to weigh things up on a budgetary basis, or 
policy basis, or HR/Legal/compliance basis, or Employee 
safety basis; as well as weighing up the more technical 
security pros and cons.

You can't go very deep technically on a multi-choice question. I think you
seriously overestimate the degree to which these are "different" to security
knowledge as it's measured by (ISC)2. 

If you're saying that security professionals who qualify for CISSP may see
things differently to freelance vulnerability researchers, for example, I
won't disagree, but I don't think the exam particularly reflects that. It's
not what I'd call a management exam, and I've taken a few of those.

I hope that helps clarify the matter.

Likewise. 

--
David Harley CISSP :)