My Journey in Attaining Two Professional Certifications, CIPP and CISSP


Much has been written about professional certifications and the arduous preparation involved for exam day. For many people, like myself, studying and test taking are activities we may last have done 10 or more years ago. In fact, I had taken and passed the state and patent bar exams over a decade ago, so it had been a while.

Before joining HIMSS, I was a healthcare and intellectual property attorney in private practice for 10 years. I specialized in transactional matters that involved information technology, health information technology, and intellectual property (i.e., patents, trademarks, copyrights, trade secrets, and confidential know-how). And, before my legal career, I did systems, network, database and web administration for several years.

I decided to pursue two professional certifications: the Certified Information Privacy Professional (CIPP) and the Certified Information Systems Security Professional (CISSP). I was motivated to take these exams for two reasons:

  1. expanding my knowledge base, and

  2. being able to demonstrably show that I have a solid understanding of information privacy and cybersecurity.

After all, there are many attorneys who practice in the fields of information privacy and cybersecurity. But, relatively few attorneys have the technical knowledge (and experience) needed to attain credentials, such as the CISSP.

The CISSP generally requires at least five years of direct, full-time experience in at least two of the eight knowledge domains. Given my experience at HIMSS and my background, I decided that these credentials are ones that I needed to attain.

The following account is my first-hand experience in preparing and passing these exams on the first try.

The CIPP and CISSP exams are nowhere near as rigorous as the state bar or patent bar exam.

  • The CIPP for the US Private Sector (CIPP/US) exam is only a 90-question, 2.5-hour multiple choice exam.

  • The official textbook for the CIPP exam is U.S. Private-Sector Privacy: Law and Practice for Information Privacy Professionals, published by the International Association of Privacy Professionals (the same organization which provides the CIPP certification). The book is pretty slim and is just under 200 pages.

  • The CISSP exam is only a 250-question, 6-hour exam made up of multiple choice and innovative questions (i.e., drag-and-drop and hotspot questions).

  • The official textbook for the CISSP exam is the (ISC)² Certified Information Systems Security Professional Official Study Guide, 7th Edition. The official CISSP textbook is just under 1,000 pages.

No Magic Formula to Prepare for Exams, such as CIPP and CISSP: Some people may say not to read the official books at all to prepare for the exams and that one’s professional experience is all that is needed to pass the CIPP and CISSP exams. Still others may say that all you need to pass these exams is a “boot camp” type of course.

There is no “silver bullet” for exam preparation. Additionally, the time it takes to prepare for these exams can significantly vary from individual to individual. I studied for 7 weeks each for the CIPP and CISSP exams and figured my own way of working through the material and mastering it.

Mastering the Material for the CIPP Exam: I studied the official CIPP/US textbook and a supplemental CIPP/US textbook. The official CIPP/US textbook had a lot of cases, laws, and regulations from the US and around the world (such as Europe and Asia).

Much of the information was interesting, and some of it was easy to understand (such as the Federal Trade Commission’s enforcement authority under the FTC Act Section 5 for unfair or deceptive trade practices and HIPAA).

By studying the material for the CIPP exam, I gained a lot more depth and dimensions to my knowledge about information privacy. Put another way, I felt as if I were working on a jigsaw puzzle and that the puzzle was finally coming together. The supplemental CIPP/US textbook was useful for two reasons:

  • Some concepts were simply but clearly explained, and

  • Multiple choice questions were useful in testing my knowledge of what I had studied. I also took some simulated multiple choice questions from a popular test engine.

Mastering the Material for the CISSP Exam: Without a doubt, the material for the CISSP exam is much more voluminous than that for the CIPP, and it is much more technical. Interestingly, the official CISSP textbook does cover intellectual property law and HIPAA, although this is a relatively small portion of the textbook.

A lot of cybersecurity professionals do not cover all 8 knowledge domains, and so, the breadth and depth of the material may be challenging for some. I found studying from the official textbook helpful.

Much like my experience in studying for the CIPP, I found that the material in the textbook helped me put information I already had in context. But, I learned some new things too (such as multipartite viruses).

I supplemented my review with test questions from the CISSP Study Guide, Third Edition textbook by Eric Conrad. I also tested my knowledge with a popular test engine. Finally, I took a CISSP boot camp class and sat for the CISSP exam on the last day of the class.

Value of the CIPP and CISSP Credentials: I find value in the CIPP and CISSP credentials every day. Throughout my various professional roles in law, information technology, and now in health IT, I have always had to use multiple domains of knowledge.

In fact, even with an exam as broad as the CISSP with its 8 domains of knowledge, I found, and still find, that I use knowledge that spans across all of those domains in my day-to-day work in the field. As a result, I have no regrets in my journey to become a holder of the CIPP and CISSP credentials.

I hope that this blog post inspires others to take the plunge and reap the rewards of becoming a certified professional.
