PASSING THE CCSP IN TWO MONTHS – MY EXPERIENCE
(Please give a kudo if you found this helpful - thank you!)
Earlier this week, I finally passed the CCSP examination provisionally, and am awaiting certification pending the application / endorsement process. While not nearly as difficult as the CISSP, the experience was not an easy one, and took me a solid two months to get through. It was nevertheless a wonderful thing to finally attain this certification, and I’m grateful and humbled to have reached it.
Here is a rundown of what worked for me, which hopefully will inform those of you just starting out or formulating your study plan. It goes without saying – you can pass this test, even if it’s not the easiest thing. You just have to believe in yourself! Follow a plan, be disciplined, and have confidence!
**Background Notes**
Professional Certifications Background
* CPA (2010) – bought self-paced course along with study materials (very hard, took ~2yrs)
* CISA (2015) – bought study guide and quiz bank, all self study (not easy, but manageable)
* CFE (2018) – bought full live course with testing at the end of each day (wonderful experience)
* CISSP (2021) – bought self study materials and question bank (difficult, but possible with planning)
Related Work Experience
* Started career as a financial auditor (3yrs)
* Worked as a credit analyst at a bank (1yr)
* Mostly worked as a bank examiner specializing in reviewing IT (~15yrs total)
Motivation for attaining CCSP
* Many banks and service organizations moving to cloud, opening up need for resources
* Vendor agnostic and industry-wide recognition applicable to any environment
* Further differentiation with colleagues (most in the IT ranks don’t have CISSPs or CCSPs)
* ISC2 resources and professional network opens up with certification.
Materials That I Used (most found here - https://www.isc2.org/Training/Self-Study-Resources)
* CCSP Official Study Guide (softcover)
* Sybex Test Bank (online, goes with official study guide)
* CCSP Official Practice Tests and Study Questions (softcover)
* CCSP for Dummies (softcover)
* CCSP phone app for practice tests (through App Store), along with flashcards in app
**Test Notes**
(both short and long version)
Study Protocol (the short story)
* Mindset: While I tried to study on/off for about six months starting at around Nov 2022, I really didn’t buckle down to study until about mid April 2023, with a test date in the final week of June 2023.
* Period: Serious study from about mid April 2023 to late June 2023 (about 8 weeks / 2 months).
* Normal Weekday Time: one block reviewing new material for 2 hours every day (Mon-Thu), break on Friday (for chores, errands, other needs).
* Normal Weekend Time: two blocks of 4 hours reviewing new material on Saturday (am/pm), followed by one 4 hour review block on Sunday morning covering all that I read the previous week (am), with rest of Sunday to prep for workweek.
* Flashcards: Would go through those in the CCSP phone app during lunch and on any off time.
* Overall Approach / Timeline: Within about 2 weeks from starting, I went through the Dummies book and related study questions about twice. Then it took about 2 more weeks to go through the Official Study Guide and its related end-of-chapter questions. Then I started doing all the Sybex questions and practice tests (online) as well as the CCSP phone app practice tests / questions. By about 2 weeks before my test date, I had gone through all of those and was scoring in the low to mid 80s. The last 2 weeks before the test was spent identifying weak areas, reviewing the study guide / my notes / the flashcards for those, and then trying to retake those questions until I was able to answer most correctly.
* Test Day / Results: Out of the 4 hours allotted, it took me about 2hrs 30min to complete the test, and I was given 150 questions to answer. The result was printed and ready right after I left the room. A lot of hard work, but truly a great feeling seeing the printout!
* Total Time: best guess is about 200-250 hours (20-25 hours a week for ~2 months).
Study Journey (the long story)
First, I read through the CCSP for Dummies book twice, cover to cover. It was a pleasant read and included 2 tests, flashcards, and some practice questions online. As such, while not that hard, it was definitely not enough by itself for the exam. However, as it turns out, it covered many concepts (eg, FIPS 140-2; EALs for the Common Criteria) much better than the Official Guide, so it was essential reading and very important for preparedness!
Next, I focused quite a bit on the Official Study Guide. Not as dense as the CISSP study guide, but not exactly an easy read either. During my first runthrough, I read maybe a chapter per weekday and up to three during full weekend study days – so I was able to get through it cover to cover in a week (but at the expense of any other activity). This time, because I had already gone through the CISSP, it wasn’t as technically challenging, even as some concepts in the application security and operations areas were tougher than, say, legal and compliance (given my background). I was able to get through the book cover to cover twice, which was probably good enough to establish a baseline for questions.
Thereafter, I took my final four weeks to do rounds and rounds of questions and practice tests. I used both the CCSP phone app and the Official Practice Tests and Questions softcover book – all in, I was able to complete maybe 850 questions from the book and ~1000 questions (both practice tests and review questions) in the app. The book has 6 chapters (100q each) and 2 practice tests (125q each), while the app has so many questions that it’s hard to get through all of it (8 practice tests with 100 questions each, plus several hundred questions for each of the 6 domains). I made sure I purchased the app with enough time for my review window (I bought 6mos for ~US$35; you can also do monthly for ~US$15). I flagged all the questions I missed, and repeated each until I was able to understand the reasoning behind each answer.
For the final 3-4 days before the test, I reviewed all the flashcards I had to start. Then I kept reviewing and re-reviewing any questions I missed several times in the app and in the Official Practice Tests book. The day before, I went over all the flashcards I had one last time, with emphasis on the topics I had a harder time with or related to the questions I had kept missing the most.
Test Day – Getting There
My test was on a Monday, so I made sure I took the prior Thursday and Friday off from work. That gave me four days of uninterrupted time to study beforehand. I made sure to schedule my test in the afternoon, which gave me the whole morning to sleep in a little, relax, do a final flashcard review, and get myself psyched up. I went to sleep at around 9.00pm and got up around 7.00am for every day that I had taken off before the test day, so I felt really rested and alert on test day. I planned my route to the test center (about 25mins away), and made sure to get there 30mins early just in case.
Then I entered the test center, after which the process was identical to when I taken the CISSP. I made sure to bring a snack (some trail mix) and a bottle of water with me. They verified two forms of IDs with photo and signature (this is key!), checked me in, took a hand/vein scan, and put all of my things (wallet, keys, phone, snacks, water bottle) in a locker. The test center was cool, so I wore a fleece with a half-sleeved shirt and cargo pants, which was enough to be comfortable. They checked me again once I got down the hallway, provided me a laminated sheet with a dry erase marker, and sat me down at my computer workstation. After clicking through all the disclaimers and agreeing to the ethics policy, there came the first question!
Test Day – The Test Itself
The questions were either easier or harder than what I had expected. Several were as straightforward as the phone app questions, which were generally more concept based and didn’t have as much verbosity; especially towards the beginning, there were quite a few on the exam in which you knew pretty quickly, answered in 30 seconds with great confidence, and moved on. However, several were long multi-part questions, as the Official Practice Test book leaned towards. There were many more questions than expected which were really difficult, with concepts and criteria that I had never seen before – something like 20 of them really threw me for a loop, for which I probably spent a good 3 minutes on some. There were also many questions from charts and lists that I had seen in the study guides, so I’m very glad that I had memorized those. With great confidence, I can say that all the drilling and practice questions / tests were worth it, and had prepared me well to anticipate the kinds of things asked about. The exam set gave me the full 150 questions to answer, with 240 minutes to do so. It was necessary to take bio-breaks and one snack break, so I was really glad I had thought to bring the snacks (which I ate within the test center in full view of the front desk staff). They also had extra water, so that was helpful. Once I got to Question 150, it was quite the relief that I had finished in 2hrs 30min, with time to spare. After I walked out of the testing room, the front desk staff handed me the results letter upside down. Much to my relief, it started with “Congratulations!” and described the next steps. Truly a great feeling!
**Reactions / Test Post Mortem**
Things That Helped / I Liked
* Practice Tests and Questions – the number one thing that made the difference.
* End of Chapter Practice Questions – very helpful to keep reinforcing.
* Flashcards – really useful way to use otherwise dead time to go over material; I also made a few of my own for particularly tough topics that I had to memorize (eg, ISO and NIST standards, IaaS vs Saas vs PaaS responsibilities by layer, EALs for Common Criteria, REST vs SOAP APIs, STRIDE / DREAD / PASTA / ATASM threat models, etc).
* Combining Resources - *Both* the Official Study Guide and CCSP for Dummies were essential, as some concepts were covered better by one vs the other. Especially for things like authentication standards, FIPS 140-2, the Common Criteria, and federated identity (among others), it felt like the Dummies guide went in to more detail. For most other concepts, the Official Guide was more detailed.
* Building in Buffer Time – there were many, many questions in the practice banks that were way more technical than in the Study Guides (eg, ITIL roles, common versioning format, OWASP Top 10 issues, OECD privacy standards, etc). It slowed me down to research these concepts, but I'm glad I had the time to go over these topics before the last few days that preceded the test itself.
Things I Should Have Done Differently
* More App Questions – I didn’t really have the time or energy to go through every question, so I focused on my problem domains. I really should have done every question I could (~1500 Qs for the domains).
* More Study Materials – After taking the exam, I found out about materials like the All-in-One CCSP. All-in-One in particular could have provided even more practice questions and tests to further reinforce things. Those are definitely worth considering in any study plan.
**Final Thoughts**
As with the CISSP (but in less time), the key was planning and preparation. Not the hardest test ever, but definitely not an easy one all the same. While many questions seemed to be a lot harder than in the practice materials, most were consistent with the study guides and practice questions. The key is to understand the domains covered, have a plan with study milestones, build in enough time to study and get through multiple sets of practice questions and practice tests, and use flashcards to fill time and reinforce concepts especially if hard. Cover all of the material, and do as many practice questions as is possible under your timeframe. Above all, stay positive, stay focused, and be confident!
Hopefully all that information will be helpful for you. I wish everyone all the best on your journey to passing the CCSP and getting certified. Keep moving forward – GOOD LUCK!
