abhattac5
Newcomer III

Passing the CISSP - My Experience (Oct 2021)

 

PASSING THE CISSP IN EIGHT MONTHS – MY EXPERIENCE

 

(Please give a kudo if you found this helpful - thank you!)

 

With the grace of God and a lot of support from close family and friends, I finally passed the CISSP examination and got certified this year.  Like many of you who are still studying for it, I found this experience time-consuming, difficult, and humbling.  Also like many of you who have passed the test and gotten the credential, I found it gratifying and self-affirming.  Needless to say, I am very grateful to have made it through.

 

The following is a rundown of what worked for me, which may hopefully inform those of you studying for this very difficult challenge.  Before I say anything else, please reassure yourself – passing this test *absolutely can* be done, and *YOU CAN PASS* too!  You just need determination, discipline, an organized plan, and the confidence – believe in yourself!

 

 

**Background Notes**

 

Professional Certifications Background

  • CPA (2010) – bought self-paced course along with study materials (very hard, took ~2yrs).
  • CISA (2015) – bought study guide and quiz bank, all self study (not easy, but possible with a plan).
  • CFE (2018) – bought full live course with testing at the end of each day (wonderful experience).

 

Related Work Experience

  • Started career as a financial auditor (3yrs).
  • Worked as a credit analyst at a bank (1yr).
  • Mostly worked as a bank examiner specializing in reviewing IT (~14yrs total).

 

Motivation for attaining CISSP

  • Interest in deeper knowledge base in CBK, which can be applied every day as an IT auditor.
  • Instant credibility with bankers, colleagues, infosec industry counterparts, and superiors.
  • Differentiator between myself and most others in my organization (most don't have CISSPs).
  • Informal requirement for many employers – many related jobs more or less require it.
  • ISC2 resources and professional network that would open up with certification.

 

Materials That I Used (most found here - https://www.isc2.org/Training/Self-Study-Resources)

  • CISSP Official Study Guide (softcover)
  • Sybex Online Test Bank (online, goes with official study guide) - https://testbanks.wiley.com/
  • CISSP CBK (hardcover)
  • CISSP Practice Tests (softcover)
  • CISSP for Dummies (softcover)
  • CISSP phone app for practice tests (through app store)
  • CISSP phone app for flashcards (through app store)
  • Quizlet phone app (through app store) – searched for / found many good sets for CISSP flashcards

 

 

**Test Notes**

(both short and long version)

 

Study Protocol (the short story)

  • Mindset:  While I studied on and off for three years, it wasn’t really in an organized way until earlier this year.  The Covid-19 Pandemic forced me to work from home, which gave extra motivation for me to finally get serious.  So by March, I came up with a plan and buckled down.
  • Period:  Serious study from March 2021 to October 2021 (about 8 months).
  • Normal Weekday Time:  one block reviewing new material for 2 to 3 hours every day (Mon-Thu), break on Friday (for chores, errands, other needs).
  • Normal Weekend Time:  two blocks of 4 hours reviewing new material on Saturday (am/pm), followed by one 4 hour review block on Sunday covering all that I read the previous week (am), with rest of Sunday to prep for workweek.
  • Flashcards:  Would go through those in the CISSP phone app during lunch and on any off time where I was unproductive – I also found quite a few good sets on the Quizlet phone app.
  • Final Months Before Exam:  Within about 5 months from starting, I went through the Dummies book and Official Study Guide.  Then I started doing all the Sybex questions and practice tests (online) as well as the CISSP phone app practice tests / questions.  By about 5 weeks before my test date, I had gone through all of those and was scoring in the 70s-80s.  The last few weeks before the test was spent identifying weak areas, reviewing the study guide / my notes / the flashcards for those, and then trying to retake those questions until I was able to answer most correctly.
  • Test Day / Results:  It took me about 2hrs 15min to complete the test (they give you 3 hours if you need it), and I was given all 150 questions allotted.  The result was printed and ready right after I left the room.  A lot of hard work, but truly a great feeling seeing the printout!
  • Total Time:  best guess is about 700 hours (20-30 hours a week for ~8 months).

 

Study Journey (the long story)

The first thing I did was read through the CISSP for Dummies book, which was easy to read and had some practice questions too.  I didn’t consider it to be very hard, but I also didn’t think it alone would be enough to pass the test.  Nevertheless, it’s something I didn’t regret, because the introduction to getting in the habit of reading, getting a routine going, and slowly familiarizing myself with the material was helpful to do.  Having additional questions to practice with certainly didn’t hurt either!

 

The next step was to dig right in to the Official Study Guide.  Very dense reading that wasn’t the most enjoyable thing I’ve ever read, but the book was very comprehensive.  In my first runthrough, I probably would spend a week getting through about two chapters at most.  Some chapters (eg, encryption / certificates) were tough because I didn’t have much of a professional background in them, so they took a whole week.  In other cases (eg, management-related, ethics, BCP), I had more professional experience with those topics, so I went through them much faster.  By the end, I had read through everything and gone through all of the end-of-chapter questions several times.  At that point, I was beginning to forget some of the things I had reviewed early on, so it took about two more review weeks to reinforce some of the earlier chapters before moving on.

 

The next step for me was to take as many practice tests as I could.  There are a few available through the Dummies book, a few through the Sybex portal that you get through the Official Study Guide, and the ones you can buy separately through the book and the app.  I had to be careful about the app purchases in particular because they are subscription based – if you know how much time you have ahead of time, you can buy the subscription for just the time period needed to save some money (for me, that was about 5 months by the time I got around to the app, so I got the 6 month plan for US$35).  Every week, I did at least two practice tests and then reviewed the topic areas that I got the worst scores on.  For questions that I had trouble with, I made sure to “flag” them to revisit.  Once I was through all of the practice tests available, I went back over the chapters of the Study Guide in which I scored the worst (predictably, encryption was probably the hardest) or had the most flags.  I kept doing this until about a month before.

 

The final month was also, as you can imagine, the most hectic one.  Most of my time here was spent on review – of flashcards mostly, and practice questions from the app by topic areas.  I went through all of my flashcards and the practice questions.  Then I took a few more of the practice tests as I had time to.  By the last week of the test, I still wasn’t where I needed to be – the online posts and stories all seemed to say that scoring in the 90s on practice tests was essential, but the best I could do was the mid to high 80s for most of mine.  I kept going right until I hit the second to last day – taking a quiz or test, flagging hard questions, and following up review on areas where I got things wrong.

 

The two days before the test were definitely nerve-wracking, but I tried to tread as lightly as possible.  It just wasn’t productive to ruminate or regret too much, and it wasn’t going to help by cramming either.  So I just did a lot of light reviewing – key tables from the Official Study Guide, flashcards, and self made summary notes, followed by rounds of targeted questions on the app.

 

Test Day – Getting There

The date I got was on a weekday (Wednesday), so I made sure that I took the two days before that off from work – that way, I also got a weekend off to finish my studying too.  My test was mid-morning, so I made sure that the night before, I got plenty of rest.  I had gone to bed by 9.00pm the night before and woke up at around 7.00am, giving me 9-10 hours of sleep and a very refreshed feeling.  I had planned my route to the test center (about 40 minutes away from home by car) the previous weekend, so I was able to easily deal with traffic and other potential problems by starting 90 minutes in advance and getting to the testing center about 45 minutes ahead of time.  I spent 15 minutes in the car relaxing and running through some of the hardest things I had trouble on that I had written down on a few flashcards.  Then I entered the Pearson VUE test center.  They verified my two forms of ID first, then checked me in.  I was asked to take a picture, then take a hand / vein scan, and then put all my things in a locker (phone, wallet, etc).  I was glad I wore a fleece under my jacket, as they asked me to take that off too.  (The temperature was comfortable, but not warm.)  Your ID is the way you identify yourself, so that’s all they let me take into the testing room.  Then I went down the hallway to the door to the testing room.  A second person then inspected my glasses.  Then she made me pat myself down to prove that nothing contraband or not allowed was in my pockets.  She also took another vein scan to verify my identity.  Once she was okay with me, I was given a laminated page / tissue / dry erase marker, escorted to a computer, and sat down to the test.  A few clicks later (disclaimers, information, etc), I was testing!

 

Test Day – The Test Itself

The questions were an even mix of things I had studied throughout the Official Study Guide, with many questions being easier and many being harder than what I had initially expected.  There were questions that I could answer that seemed to come right from my experiences at work, in which the fact pattern would be about hypothetical scenarios that seemed very realistic.  There were also questions that were very technical – when the Official Study Guide mentions “memorization charts” or literally says “this is a common test topic”, they aren’t kidding, so memorize those!  All that drilling with practice tests and practice questions really seemed helpful, as I can’t say anything was all that surprising even if hard.   And difficult many of the questions were!  Most were not as technical or in the weeds as I had expected, but many really forced you to think through the situation and whittle down your answer logically.  Strangely, I was going through rather quickly at about a question a minute for most of them, with a few taking a little longer.  At least 15 or 20 questions, though, were really hard stumpers where I either took a good 3 or even 4 minutes (if I thought I remembered even a little) or I just guessed and moved on.  Then I got past question 100; online, I had read somewhere that because it was computer-adaptive, sometimes the test ends at 100 questions or 150 questions or somewhere in between – so as I got closer and closer to 150, I was getting nervous.  By the time I had reached about 2 hours and 10 minutes, I was at #149, and just about done.  “Maybe I hadn’t given enough time to the questions, given that I had 3 whole hours?  There’s just no way I could have passed that!  Oh well, too late now”, I thought.  Finally, I answered #150 and moved on to the final screens.  I then finished, raised my hand, and was escorted out.  
After doing another hand scan and giving back my laminated paper / dry erase pen to the person at that second door, I walked to the main reception desk, where the result was waiting upside down.  The Pearson person who had checked me in gave me the paper as I got to the desk.  Fully expecting to not pass, I overturned the paper and had one of the biggest surprises in recent memory – “Congratulations!” being the operative first word on the page.  Truly one of the most awesome things you can feel as an infosec professional.

 

 

**Reactions / Test Post Mortem**

 

Things That Helped / I Liked

  • Practice Tests and Questions – probably the number one thing that made all the difference.
  • End of Chapter Practice Questions – after each section, very very helpful to reinforce; for all review periods, very helpful to keep reinforcing.
  • Flashcards – whenever I was bored or distracted, these were a useful way to use otherwise dead time to go over material.
  • The Official Study Guide – even though it’s long, at least one good read through it is well worth it if you are serious about passing.

 

Things I Should Have Done Differently

  • More App Questions – I didn’t really use the app to do more section-based practice questions until I got through everything.  What would have been better is if I had done these *and* the end-of-chapter questions after finishing each chapter.
  • CISSP CBK (no practical need) – Even though I bought it, I never once used this book.  (After the test, I found that it was actually a very thorough resource.)  It may be helpful to have around as a reference for some people, but I honestly didn’t need it during my study period.
  • More Study Materials – After taking the exam, I found out about materials like the Eleventh Hour CISSP Study Guide and the All-in-One CISSP.  I really hadn’t given these any thought during studying.  Eleventh Hour may have been a good resource to have around to cram more efficiently towards the end.  All-in-One could have provided even more practice questions and tests to further reinforce things.  Those are definitely worth considering in any study plan.

 

Is a Live Class / Online Class Worth It?

These are options that are very expensive compared to just a few books / apps / test banks.  However, some of my friends and colleagues who passed the exam swear by them.  My thought was that I needed a flexible option that I could do at my own pace, and most of these classes or bootcamps are live classes (not to mention some cost US$3,000-$4,000 for a week of training).  I also tend to study better on my own with no distractions or pressure to get through things just because of something like a class schedule.  For some, such instruction may be more effective, and may have saved me some time had I tried them.  A happy medium may be the ISC2 Self Study class (US$850), which is more self paced and fully online.  However, in my opinion, my own experience shows that these live classes aren’t absolutely necessary – if you have a plan and are willing to put in the time / effort, you can do this on your own (and for a lot less money). 

 

 

**Final Thoughts**

 

The main theme that I hope to impart here is preparation.  This was one of the hardest tests I’ve ever taken.  The questions were in my opinion more or less fair, but they certainly challenged you to really know and apply the information from the study materials.  Understand the scope of the testing materials.  Plan out a start and end goal.  Make sure you give yourself enough time to study the material, quiz yourself on it constantly, and reinforce areas that you may be weaker in.  Use flashcards to fill downtime or offtime that is otherwise not productive.  Do practice questions after every section and any opportunity.  Take as many practice tests as possible.  And keep your mind and spirit positive, healthy, and focused.

 

Hopefully all that was helpful for you.  I wish you all the best in your study journey to passing the CISSP and attaining certification.  Never give up and you will make it - GOOD LUCK!

 

 

 

2 Replies
Reymu
Viewer

I had a similar experience with Sec+ 501, on its final day before the 601 version replaced it. I had failed the A+ three times already in person, and with the fearmongers pressuring for masks and all, I decided to study for Sec+ at home where I wouldn't be bothered.

 

Anyway, I purchased ITU videos for this exam as well as Mike Myers' Sec+ vids on Udemy and as many free practice exams, quizlets, and so on as I could find.

 

Basically, I planned a week-by-week schedule. Sit through the videos concerning the exam objectives, read the material, see if it makes sense. Not a bad idea, but that was treating it as a college exam--it took me around 4 months of this before the light bulb moment. "Of course! I know I can't pass Sec+, but couldn't put it in words. Every time I did a practice exam, I didn't even reach 70%. Why? Cause I'm just plodding, not going for the logic in the question. Duh!"

 

After that eureka moment, I noted a few details:

  • The videos are bare bones. Concept and term, yeah, but no logic. Big clue!
  • Practice exams you can easily repeat and end up memorizing the answers. Uh, the folks who built these exams take care to update with new questions and keep it very random.
  • IT exams have a reputation (or per my experience, the A+ does) for being very difficult. What makes it tough? Question logic.
  • And the classic know-how with any question: If you don't fit together the information given, you will never answer it correctly.

Once I realized that, my final 2 months turned into not just reading the information, but also coming up with my own questions. Invent a scenario where, given 3-4 details, ok, now what logic train do I have? Applying this took some patience, but it paid off.

 

Passed Sec+ on the first try. I believe I got 12 more correct answers because I focused on the question logic.

 

It also makes sense: cybersecurity folks must be self-driven. They can hardly get a certification and think that's that, no more studying needed. Exams teach this, but it's something you must figure out.

 

Hope this helps! My approach was about 6 months of part-time study. I ignored a former parent who was impatient for me to get it done, because it eradicates self-confidence to take and fail an exam when you know you're not ready.

cisspsach
Viewer

Thank you for taking the time to share your CISSP journey and valuable pointers. Very useful!