Book Review: CISSP Cert Guide (Pearson IT Certification, 1st Edition)

As an instructor I’m faced with the choice, over and over, of a thick, detailed textbook versus a more concise one. Thinner would be the easier choice, except that some authors manage to make their thicker books easy, even breezy reading. Other thick books are just … thick. Many of the A+ texts, for instance, go much, much deeper into details than the test they cover does.

This book, which is for the 10-domain test, strikes a very good balance. At 470-odd pages of actual reading material (less Glossary, Index and front matter), it’s a reasonable size for the cert courses I teach. I found it easy to cover 50 pages an hour, though I’ve got over 20 years’ experience with this area so not much slows me down. But I’ve dealt with many (many) books filled with page after page of thick, hard-to-read and hard-to-comprehend text, so many that the slimmer, more terse books tend to make me cautious. This one’s slim and terse and absolutely readable.

Tight texts like this work by using short, declarative sentences. They state facts, explain simply, and provide solid nuggets of useful information, but they also don’t supply many examples, don’t try to explain things using scenarios, and don’t provide much if any historical context. If you’re already the kind of network professional you’re supposed to be to test for this certification, this won’t be a problem. A couple of paragraphs of discussion can cover Kerberos just fine – for the initiated. If you’re trying to “leverage” your way to a higher certification (and it pays to know that if you can’t document five years’ experience, you get an “associate” certification), though, this may not be the book for you. Actually, if you haven’t done the real groundwork, this isn’t the certification for you, either.

One very strong point about the Pearson IT cert texts is the sample questions and tests. I’ve seen too many questions in sample tests from several sources that are mangled, ungrammatical, ambiguous or just plain incorrect, but not here. As a long-time technical editor, I appreciate the good, clear, concise questions and the use of multiple plausible answers that made me slow down and think before choosing. The chapter-end questions and sample tests also seem very much in what I’d label “(ISC)2 style” – there is little or no sneakiness about them, unlike the questions common on some certifications I could name but won’t. They’re short and clear: What’s the second step in a Business Impact Analysis? On which layer is the Internet destination address added? And you either know the answer or you don’t, simple as that.

It was a little sad that the CD that came with my book had some kind of manufacturing defect that looked a little like a tire had run over the edge of the disk, rendering it useless. Ironically, it really was useless: since I already have the Pearson test engine installed, the enclosed license code did the trick all by itself, downloading the latest version of the test and activating it. From there it was all joy for me. With any luck this was a sheer fluke no one else will run into.

Where I did see some weakness in the text was in the tables and diagrams. Personally, I never like matrix tables: a crosswalk of administrative controls against access control categories means almost nothing to me unless something entices me to look carefully at the rows of Xs. This type of table is often necessary for compliance documentation, but it makes for pretty dull reading in a textbook. And diagrams are best if they show relationships and flow. Eight gray bubbles in a row do NOT illustrate the complexity of the ticket-granting process, for instance. From my own experience writing textbooks, I know this is a tough area. Personally, I cheat: I hire a graphic designer and build the simplest, clearest flow diagrams we can make. And fortunately, in this case, not all the graphics are tables and rows-of-bubbles diagrams. Some, for instance the software development models, are pretty good. In fact seeing the waterfall model as an inverted view of the agile model gave me an interesting moment.

A really good glossary and index are gold for most of my students. You know how this field is: the acronyms are like a bowl of Alpha-Bits, and the nomenclature is thicker than the nearest competitor (psychology). In this book the glossary and index cover over 120 pages, which is to say a quarter the size of the reading proper. For a lower-level text it would be too much. For this cert it’s enough, but not too much. These things are not easy to build, and you’ll appreciate them when you’re scratching your head: where the heck did they define this?

I’d be confident to teach from this text immediately, and I’d be confident taking the test after reading this. At this point I’m still evaluating books for teaching the CISSP going forward, but the certification is looking like a winner because of the demand I’m seeing for it in the sectors I serve: labs, bases, government and education. For this class of student, this book is just about ideal.

Full disclosure: I get textbooks for review from several sources, in this case from Pearson IT Certifications ( I also work for a certifying organization (ISECOM), participate in building certifications (the OPST and SAI), write textbooks and teach at two universities (UNM and NMSU), so while I’m not the usual test subject, I am frequently the instructor.

* * *