Can I Still Study The Old Shon Harris Book for the New Exam?

The MOST common question I’ve noticed since the new 2015 CISSP exam was released is:

“Security Engineer, can I still study the old Shon Harris AIO 6th Edition book for the new exam?”

The answer is a resounding YES!  In fact, I must insist you read that first before picking up any other study material, including the new official book.

Here’s a link to the old and new CISSP exam domain mapping: Old vs New CISSP CBK Domains

I’ve been reading through the new Official CISSP Guide to the CBK, Fourth Edition and I’ll tell you what, it does not even come CLOSE to the amount of awesome information and explanations found in the Shon Harris book!  The Shon Harris book is THE DEFINITIVE book to study for the CISSP exam!

It is one of the two books I used while studying for the exam, you can read the post here: The Only 2 Books I Used for the CISSP Exam

The new official book is a little flawed in my opinion.  It kind of talks about a technology topic, but when it does, it talks about it as if you already know the concept.  Let me give you an example between the new official guide, and the old Shon Harris book.

Official CISSP Guide to the CBK 2015


CISSP Official Guide to the CBK 2015, page 402

I can’t stress the importance of knowing the role key length plays when you’re studying the Cryptography domain.  Key length is the basis of all cryptography, the ability to crack a key, renders secrets useless.  So you want a strong and complicated key length! The above excerpt from the official book goes into a single paragraph about key lengths, almost dismissing it’s importance in cryptography.  Sure, it mentions that “The resistance to successful attack against the key and the algorithm, aspects of their cryptographic security, is of concern when choosing key lengths“, but wow this is put so lightly that it really doesn’t hammer the concept into your brain like it should!  Let me give you a quick real life example below.

Real-Life Example of Key Length

When I’m implementing site-to-site VPNs at work, a customer may say that they want their pre-shared key to be “123password123“.  As a security company, we CANNOT encourage such a symmetric key! We make a strong case against using such a simple key and suggest something else like “LSKJDF)FBN@#Y_*DSJ)#FJ@_!SJF:KLMS)D(*_KS_@MV**“, this is a much harder key length to crack don’t you think?!  Customers can be transferring intimate business and financial information back forth through their encrypted VPN tunnel.  If this tunnel is compromised by way of a simple key, and as we’re their managed security company, we could be blamed and investigated by the FBI.  Serious stuff guys! If the customer insists on using a simple key however, we make sure it is written down in our logs that the customer wanted a smaller key, despite our security concern.

Shon Harris AIO CISSP Exam Guide, 6th Edition

Look how beautifully Shon explains the power of a key strength, starting from the very simple definition of a key.  Then goes on to explain keyspace, and then the different strengths of key sizes.  She spent a lot of time writing this book so anybody who is new to cryptography can read it.  Ask yourself which one would you rather read when studying this tough topic?  You just can’t get this kind of personalized writing in the new official CISSP book!


CISSP Exam Guide Shon Harris AIO 6th Edition, page 766

Frankly guys, I find the new CISSP book poorly and hurriedly written just to make some money.  Sorry ISC2, that’s just my opinion.

Hope this explanation helps everyone out about the new vs old CISSP study guides!