Updated: 8.7.2003; 20:32:08 GMT

blogattic
weblog mostly about security


Monday, June 16, 2003

CISSP revisited

I really don't like learning for exams. Don't get me wrong: I do like learning new things, it is just the exam bit that makes it unpleasant. And this was certainly the case with my CISSP effort. Some comments follow.

Study
As mentioned earlier, I used two books. Although it was probably excessive for the purpose of the exam, I used Security Engineering for basic crypto (which I always wanted to know more about). For everything else I used CISSP Certification, which is a book I can highly recommend. It is fair to say that it covers pretty much all the topics of the exam; there were few questions that were not covered in one of the sections of the book. What's also important, the book is quite well written. It gives lots of good examples when explaining concepts and hits the right level of detail.

The way I studied was to go through each section of the book once, making notes and NOT doing the tests at the end of each chapter. I flipped through some topics and spent more time on others, like physical security, computer architecture and operating system security, that I didn't know well enough. After reading through the book I went through the test on the CD that came with the book and then took tests at the CISSP OSG site. This turned out to be quite important because I realised I had forgotten most of the details required by the exam.

My feeling is that for candidates who have the required 3 or 4 years of experience, the book should be enough to pass the test. I think it would be difficult to pass without studying anything, but bootcamps are probably overkill.

Test
The test was not hard but it was long and tedious. Halfway through I had real problems concentrating on the questions. As far as the content goes, Andrew Briney's recent article at ISM gives a fair account of it:

"Out of the 250 questions, the slight majority are fact-oriented questions....These questions are straightforward, well-written questions with clearly delineated answers. If you do your homework, you'll answer most of these questions without any problem.

Another large chunk of questions are straightforward interpretive questions. They set up a scenario in which you have to determine the best course of action. ...

The remaining questions are difficult, but for different reasons. Half of these are legitimate questions about obscure facts, or legitimate interpretative questions where the answer just isn't clear. These are good, tough questions. You just have to know the answer or be able to dope it out.

However, there's a chunk of questions that are difficult for all the wrong reasons. They're poorly worded, misleading or simply evasive"

Overall I didn't find the exam too hard. The reason is that the requirement of 65% correct answers is quite low and leaves a good margin for one's mistakes and knowledge gaps. So I hope (though I can't be sure before I get the results) that I passed.

Certification
Only after I finished the exam did it strike me how pointless the certification is. There is the advantage that it forces one to go through many things one would not force oneself to go through otherwise. It can help with a payrise, new jobs and similar things. But that's about it. I doubt I will ever use most of the knowledge I learnt for the exam. On the contrary, I am quite sure I will forget most of the details I learnt within a month. And the thing is that I won't mind. In the areas I work in, I either need knowledge that is much, much deeper or I don't need any knowledge at all.

So my final view is that if CISSP certifies something, it is the fact that you know a bit about security and that you went through pains to study for the exam. Nothing more and nothing less.

11:58:29 PM




Copyright 2003 © Jiri Ludvik.