- GICSP allows printed materials only - no electronic devices, no internet access during the 3-hour, 82-115 question exam.
- A hand-built index organized by GICSP domain name is more valuable than any single reference book you bring.
- You need a 71% minimum passing score; raw tab-flipping without deep domain familiarity will cost you too much time.
- CyberLive hands-on items cannot be answered by flipping pages - they require practiced, applied ICS knowledge.
Why the Open-Book Format Changes Everything
The moment candidates learn the GICSP is open-book, many assume the hard work is done. It is not. The Global Industrial Cyber Security Professional exam is open-book in the strictest, most disciplined sense of the phrase: printed materials only, no smartphones, no tablets, no laptops, and absolutely no internet access. Whether you sit through ProctorU remote proctoring or at a Pearson VUE testing center, the rules are identical and non-negotiable.
More importantly, the open-book policy is not a safety net. It is a time trap for unprepared candidates. With between 82 and 115 questions to answer in exactly 3 hours, you have an average of roughly 90 seconds to 2 minutes per question. Hunting through an unindexed stack of printouts to find where you wrote about Modbus function codes or ISA/IEC 62443 zone segmentation will devour that margin fast. The candidates who pass are the ones who use their printed materials as a confirmation tool, not a primary learning source.
This is why open-book strategy for the GICSP starts weeks before exam day - not the night before when you are assembling tabs in a panic. The format rewards candidates who understand how ICS environments work, how OT and IT security principles diverge, and how industrial protocols behave under attack. If you are still building that foundation, visit the GICSP practice test platform to benchmark your current knowledge across all seven domains before you decide what to print.
What GIAC Actually Permits in the Exam Room
GIAC's open-book policy for the GICSP is specific: you may bring any printed or handwritten materials you choose. Books, printed slide decks, handwritten notes, printed practice test explanations, and custom reference sheets are all fair game. What you cannot bring includes any device capable of connecting to a network, storing digital files, or displaying a screen.
Practically speaking, most high-scoring candidates bring a combination of the following:
- A primary reference binder containing printed course notes (typically from SANS ICS410 material, if they completed that training)
- A custom-built master index - typically 5 to 15 pages - listing key topics, protocols, and concepts with the exact binder page number where the content lives
- Printed cheat sheets for ICS-specific protocols: Modbus, DNP3, PROFIBUS, EtherNet/IP, OPC, and ICCP
- Printed reference diagrams for the Purdue Model / ISA-95 architecture levels
- A printed summary of NIST SP 800-82, IEC 62443 zone and conduit model, and NERC CIP requirements relevant to your weak domains
The SANS ICS410 course - which GIAC recommends as the primary training path and which typically costs around $8,780 when bundled with the exam attempt - provides comprehensive printed materials that form the backbone of most candidates' binders. That bundle also includes two GIAC practice tests, which you should print and annotate, because the explanations become part of your reference set.
Building a GICSP-Specific Index That Actually Works
Your index is the single most important artifact you bring to the exam. A generic index copied from someone else's blog will not map to your binder's page layout. Your index must be built by you, from your own materials, organized around the seven GICSP exam domains.
How to Structure the Index
Start with a column for the topic or concept, a second column for the domain it belongs to, and a third column for the exact page or tab in your binder. Sort the final index alphabetically within each domain section so that you can find "Demilitarized Zone (DMZ)" under ICS Network Security Monitoring or "Consequence-driven cyber-informed engineering" under Attack Surfaces without guessing which chapter it fell in.
Critical index entries for GICSP candidates include:
- Protocol function codes (Modbus read/write coil codes, DNP3 data object types)
- ISA/IEC 62443 security levels and zone definitions
- NIST SP 800-82 Rev 2 vs Rev 3 differences and scope
- Purdue Model layers and what lives at each level
- Common ICS vulnerabilities: default credentials, lack of authentication in legacy protocols, flat network architectures
- NERC CIP standard numbers and their scope (CIP-002 through CIP-014 at a high level)
- Incident response phases as applied to an OT environment, not a traditional IT SOC
- Physical security controls specific to substations, control rooms, and remote terminal units
Key Takeaway
Build your index yourself. A personalized, domain-organized index pointing to your exact binder pages is worth more than any pre-packaged study guide you can download, because it reflects your own material layout and the concepts you personally needed to look up during practice.
Domain-by-Domain: What to Prioritize in Your Binder
The GICSP covers seven official domains. Each demands different types of printed reference. Below is a breakdown of what to include per domain, based on the depth and question style each area typically demands.
Domain 1: ICS Components, Architecture, and Protocols
This domain is heavily technical and is one where your printed references earn their weight. You need quick-access diagrams and protocol summaries.
- Purdue/ISA-95 reference architecture diagram (printed, laminated if possible)
- Protocol comparison table: Modbus, DNP3, PROFIBUS, EtherNet/IP, OPC-UA vs. OPC-DA
- Definitions of PLC, RTU, HMI, DCS, SCADA - and how they interconnect
- Serial vs. Ethernet-based communication characteristics
Domain 2: ICS Security Governance and Risk Management
Framework-heavy domain. Bring printed summaries, not full documents - you cannot flip through a 300-page NIST publication in 90 seconds.
- NIST SP 800-82 summary: scope, key recommendations, differences from 800-53
- IEC 62443 structure: parts, security levels (SL 1-4), zone and conduit model
- NERC CIP applicability table (which standards apply to which asset types)
- Risk assessment methodologies: consequence-based vs. likelihood-based
Domain 3: ICS Network Security Monitoring and Incident Response
Questions in this domain often present scenarios. Your notes should cover OT-specific IR adaptations, not generic IT playbooks.
- OT incident response phases with ICS-specific considerations (availability over confidentiality)
- Passive vs. active network monitoring tradeoffs in ICS environments
- Log sources available in OT environments (historian logs, HMI event logs, network captures)
- Indicators of compromise specific to ICS (unexpected polling intervals, rogue Modbus masters)
Domain 4: IT/OT Convergence and Security
This is where traditional cybersecurity professionals sometimes over-rely on IT knowledge. The exam tests convergence friction points specifically.
- Differences in patching cycles, uptime requirements, and change management between IT and OT
- Common integration vectors: data historians, remote access solutions, enterprise resource planning (ERP) connections
- Security risks introduced by IT/OT convergence: lateral movement, protocol translation gateways
Domain 5: ICS Attack Surfaces and Methods
Attacker-perspective domain. Your printed reference should map attack techniques to specific ICS components - not generic MITRE ATT&CK Enterprise entries.
- MITRE ATT&CK for ICS matrix: key tactics and techniques (Impair Process Control, Inhibit Response Function)
- Notable ICS incidents: Stuxnet, INDUSTROYER/CRASHOVERRIDE, TRITON/TRISIS - attack method summaries
- Supply chain attack vectors for industrial hardware and firmware
- Engineering workstation attack paths as a pivot point into the control network
Domain 6: ICS Security Controls and Countermeasures
Defensive controls mapped to the ICS lifecycle. Bring a reference that matches control types to Purdue Model layers.
- Network segmentation techniques: data diodes, firewalls, DMZ design for OT
- Application whitelisting rationale and limitations in ICS environments
- Patch management strategies: compensating controls when patching is not feasible
- Vendor remote access controls: jump hosts, VPN policies, session recording
Domain 7: Physical Security for ICS Environments
Often underestimated, this domain covers cyber-physical security for substations, control rooms, and remote assets with specific environmental considerations.
- Physical access control layering: perimeter, building, control room, cabinet
- Tamper detection for field devices and RTUs
- Environmental controls: HVAC, power conditioning, physical surveillance in ICS contexts
- Personnel security and insider threat considerations for OT environments
Understanding how these domains interact also shapes what you study first. Before finalizing your preparation strategy, review GICSP Prerequisites and Experience Requirements 2026 to assess which domains align with your existing IT or OT background - that gap analysis should determine how much binder space each domain gets.
Understanding the Question Format Before You Tab Anything
The GICSP exam includes both standard multiple-choice questions and CyberLive hands-on practical items. This is a critical distinction that most open-book strategy guides ignore entirely.
CyberLive items present candidates with a simulated environment - a virtual machine, a network topology, or a command interface - and ask them to perform a task or analyze output to answer the question. These items cannot be solved by consulting your binder. There is no tab you can flip to that will execute a Wireshark filter, interpret an OPC server log, or identify an anomalous Modbus poll in a live packet capture. CyberLive questions test applied skill, not memorized content.
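As an added example (not from the original article or from any GIAC or SANS material), the Python below flags the two Domain 3 indicators named earlier, a rogue Modbus master and an unexpected polling interval, which is the kind of capture analysis the paragraph above says a binder cannot do for you. The IP addresses, the master allowlist, the 5-second poll period and the sample frames are constructed assumptions.

```python
import struct

# Standard Modbus public function codes; 5, 6, 15 and 16 change device state.
FUNCTION_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers",
                  5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers"}
WRITE_CODES = {5, 6, 15, 16}

def parse_adu(frame: bytes):
    """Parse a Modbus/TCP request: 7-byte MBAP header, then the function code."""
    if len(frame) < 8:
        raise ValueError("truncated ADU")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("not a well-formed Modbus/TCP frame")
    return {"tid": tid, "unit": unit, "fc": frame[7]}

def find_anomalies(records, masters, period, tolerance=0.5):
    """Flag requests from unlisted masters and polls that drift off schedule."""
    alerts, last_seen = [], {}
    for ts, src, frame in records:
        try:
            req = parse_adu(frame)
        except ValueError as err:
            alerts.append((ts, src, f"malformed: {err}"))
            continue
        name = FUNCTION_CODES.get(req["fc"], f"FC {req['fc']}")
        if src not in masters:
            kind = "write" if req["fc"] in WRITE_CODES else "request"
            alerts.append((ts, src, f"rogue master {kind}: {name}"))
            continue
        key = (src, req["unit"], req["fc"])  # one schedule per polled item
        delta = ts - last_seen.get(key, ts - period)
        if abs(delta - period) > tolerance:
            alerts.append((ts, src, f"poll interval {delta:.1f}s"))
        last_seen[key] = ts
    return alerts

def build_adu(tid, unit, pdu):  # helper for the constructed sample frames
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed capture: (seconds, source IP, request bytes). Not real traffic.
SAMPLE = [(0.0, "10.0.1.10", build_adu(1, 1, bytes([3, 0, 0, 0, 10]))),
          (5.0, "10.0.1.10", build_adu(2, 1, bytes([3, 0, 0, 0, 10]))),
          (5.8, "10.0.1.10", build_adu(3, 1, bytes([3, 0, 0, 0, 10]))),
          (7.2, "10.0.1.99", build_adu(4, 1, bytes([5, 0, 1, 0xFF, 0]))),
          (10.8, "10.0.1.10", build_adu(5, 1, bytes([3, 0, 0, 0, 10])))]
ALERTS = find_anomalies(SAMPLE, masters={"10.0.1.10"}, period=5.0)
```

On the sample, the known master's early poll at 5.8 s and the Write Single Coil from the unlisted address are the only two alerts; the regular 5-second polls pass silently.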
For standard multiple-choice items, questions are scenario-based - they describe an ICS environment, present a problem or decision point, and ask which response is most appropriate. These are not definition recall questions. Your binder helps when you need to confirm a protocol behavior or a framework requirement, but the answer selection still requires understanding the operational context of the scenario. This is why practitioners with 1 to 5 years of ICS or IT experience - the experience level GIAC recommends - consistently outperform candidates who studied purely from books.
What Not to Bring (and Why It Hurts You)
| Material Type | Allowed? | Why It Helps or Hurts |
|---|---|---|
| Printed course notes (e.g., ICS410 slides) | ✅ Yes | Core reference if well-indexed and tabbed by domain |
| Handwritten notes and summaries | ✅ Yes | Highly effective; the act of writing reinforces retention |
| Printed NIST/IEC/NERC documents in full | ✅ Yes (printed) | Wastes time to flip; print 2-3 page summaries instead |
| Laptop, tablet, or phone | ❌ No | Prohibited; will result in exam invalidation |
| Pre-built index from someone else's blog | ✅ Yes (it's printed) | Ineffective - page numbers won't match your binder |
| Unorganized stack of printed slides | ✅ Yes | Wastes time; no index = slow lookup = failed questions |
| Printed practice test answer explanations | ✅ Yes | Excellent; annotated explanations capture exact reasoning |
The most common mistake candidates make is bringing too much material that is too poorly organized. A 600-page binder with no index is worse than a 150-page binder with a precise, domain-mapped index. Aim for depth in your reference sheets, not volume.
A Compressed Prep Schedule Mapped to GICSP Domains
You have a 120-day activation window from purchase to complete your exam attempt. Most focused candidates use 6 to 10 weeks of active preparation. Here is how to map that time to the GICSP domains specifically, accounting for binder-building alongside content mastery.
Architecture, Components, and Protocols (Domain 1)
- Build protocol reference sheets: Modbus, DNP3, EtherNet/IP, OPC
- Draw and annotate the Purdue Model from memory; print final version for binder Tab 1
- Complete practice questions focused on ICS component identification and protocol behavior
Governance, Risk, and Frameworks (Domain 2)
- Produce 2-page summaries of NIST 800-82, IEC 62443, and NERC CIP for binder Tab 2
- Map each framework's scope: which applies to energy sector, which to general ICS, which to federal systems
Attack Surfaces and IT/OT Convergence (Domains 4 & 5)
- Study MITRE ATT&CK for ICS; print key tactics with ICS-specific examples for Tab 4
- Review Stuxnet, INDUSTROYER, TRITON attack chains and summarize attack method per incident
- Document IT/OT convergence risk scenarios: historian bridges, remote access, ERP integration points
Network Monitoring, IR, Controls, and Physical Security (Domains 3, 6 & 7)
- Build OT-specific IR checklist for binder (availability-first decision tree)
- Summarize DMZ design patterns and data diode use cases for OT network segmentation
- Add physical security layer diagram: perimeter to cabinet for Domain 7 tab
Index Finalization, Practice Tests, and CyberLive Readiness
- Compile and alphabetize your master index; cross-reference all seven domain tabs
- Complete full timed practice exams; annotate missed questions and add gaps to binder
- Spend dedicated hours in ICS lab environments to build CyberLive hands-on confidence
For deeper guidance on whether your background qualifies you to sit - and how to calibrate how much preparation each domain requires given your experience - read GICSP Prerequisites and Experience Requirements 2026 before committing your study calendar.
Frequently Asked Questions
Yes. GIAC permits any printed or handwritten materials. Physical books, printed slide decks, handwritten notes, and printed reference sheets are all allowed. Electronic devices of any kind are prohibited regardless of whether you test remotely via ProctorU or on-site at a Pearson VUE center.
The GICSP consists of 82 to 115 multiple-choice questions, including CyberLive hands-on practical items. The time limit is 3 hours. The minimum passing score is 71% for attempts activated on or after November 19, 2018.
CyberLive items place you in a simulated environment - such as a virtual machine or network interface - and ask you to perform a task or interpret live data. These questions test applied skill and cannot be answered by consulting printed materials. You must practice hands-on ICS scenarios during your preparation, not just study content from books.
A shared index is nearly useless because page numbers in your binder will not match the page numbers in someone else's. Your index must map to your exact materials. Building it yourself also forces active recall of every topic you include, which directly strengthens your exam performance beyond the reference value alone.
Use the GICSP practice test platform in two modes: first without your binder to identify genuine knowledge gaps, and then with your binder open to practice fast lookup under time pressure. Both modes build complementary skills - the first builds the depth that CyberLive questions demand, and the second trains you to use printed materials efficiently within the 3-hour window.