My CISSP Journey..
I cleared CISSP after about 7 months of preparation. In the hindsight, 7 months is a very long time. You should finish in 3-4 months or else desperation creeps up as you will start getting bored of the topics and very soon, with life itself..:-) .
The Exam is 150 questions to be solved in 3 hours. Since this is a CAT exam, there is no going back on a question and reviewing it. Once answered/submitted, you have no choice of correcting it. The exam takes decisions on the basis of how well or bad you are performing. 100 questions is the first checkpoint. If you are performing really well or really bad you will be given a decision at 100 questions. If 101 question comes up, it could mean that you could be a borderline case and the computer from this point is just giving you more opportunities to pass, all the way upto 150 questions. So, if the exam has not ended at 100, then don't lose heart, it can end at 103 as well.
Out of 100 questions, 25 are unmarked questions i.e you will not be marked on the 25 questions, but you will have no knowledge which of them are unmarked. Hence, you got to keep answering every question as if your life depends on it.
Selected 3 books to prepare. Shon Harris (All in one exam guide), Mike Chappell (Sybex official), Official CBK (Adam Gordon). I had no idea which was good, so I went from one book to another week after week. I learnt that Shon Harris was the best book, because it fired the eagerness to learn more about the topic, not just for CISSP but like “Oh wow!! So, that’s the way this works” kind of interest.
Subsequently, through the time period, I read Shon 4 times, Sybex 2 times, Official CBK 1 time. All in all, I practiced with about 400 questions, here and there from all the 3 books. That’s it. I did not watch videos or audios etc., though I tried couple of them like Kelly, Sari Greene, some sections of Udemy courses etc. I just thought they were all very superficial and just not anywhere close to the Shon Harris book. However, some of them that are available in YouTube like Luke Ahmed, Thor are good for a one time watch. I watch about 3 videos each of Luke and Thor. Maybe I should have heard their videos more but they don’t have much for free (And I did not want to pay, the exam and the books having cost me already so much).
I have a problem. I start with Panic and then steady down in due course. This was not going to help in this exam (or in any exam for that matter). So I did not have a great strategy in preparing but I prepared an exam strategy that worked very well for me. The first thing is that you need to know yourself. As I mentioned that I was very prone to Panic, I decided to fight that.
I decided that I will not look at the clock for the first 20 questions and take as much time required to answer them. By that time I should have settled in the exam pattern and that should handle the panic part. From 21st question, I assumed that I will be able to work faster and aimed for 100 questions in 2 hours (I finished at 1 hr 53 mins). If the questions went beyond 100, I still had good time for the rest. This plan worked in handling my panic very well. Though I could not stick to the plan completely as such, but all in all, I balanced myself.
I did not listen to any of the “Consider this as a management exam and think like a risk manager only” part and just stuck to “Select what is best for the question”. Honestly, you don’t get the time to put yourself into the risk manager’s shoe, eliminate 2 wrong answers and then introspect. Sometimes, all answers look right. I also got a lot of technical questions, even CIDR and IP address type of questions.
Hence, I don’t think there is an expert out there who can authoritatively give you an exam cracking strategy. Honestly, you should just read well, understand the concepts, attempt practice questions and have a strategy to handle yourself in the exam as such. There are a lot of people misleading out there. This exam is not as tough as people make it out to be and that’s the first thing that came to my mind after 40 questions.
The next fact is that there are actually questions that are out of all the CISSP materials available in the market. Even the official CBK. I have no idea why that is the case but thinking positively, maybe ISC2 really wants you to know inside out of your stuff.
Another important thing that comes to my mind. DON’T WASTE YOUR MONEY in all the online tutorials and Udemy, Boson, Sagar Bansal’s video kind of junk. They are very substandard, have hardly any resemblance to the way the exam is and will give you knowledge nowhere close to what the books can give you. In fact, these will only tell you what you have read in the books in a much substandard manner. That many a times will only confuse you. You have to understand that this is a money churning industry now and all kinds of quacks spring up. They cannot help you, Period. Yes, you may come under the illusion that all this knowledge is helping you somehow to prepare, but if you just sit back and think, all of them mostly are only drawing from the books and then representing in the weirdest of manner possible to just make you feel that they are presenting something different. Believe only in the books, practice and experience.
I cleared CISSP in 100 questions at 1hr 53mins on the clock. Everyone can do it. Just follow the right knowledge sources.
My personal Opinion about the exam:-
Having studied and cleared this exam, I can authoritatively say that CISSP is really not worth for people with real passion for cyber security. It can get you onto the interviewing table and then onto the job as well, but that is the incompetence of the interviewers. This is primarily for GRC professionals who generally act like arm chair critics. If you are real passionate and want to get your hands dirty, do something like Cisco or Offensive security, SANS (very costly though) kind of certifications. Even playing around with Vulnhub or HacktheBox is a zillion times better than any of the ISC2 or ISACA courses. They are just using the opportunities created by clueless interviewers who don't know how to assess candidates and think its easy job to screen candidates with these certifications. I have at least a couple of senior people in my organisation with CISSP and spew dirt when they talk. Questions like what is CVE? and what is Patch and Vulnerability Management? is very common from these guys.
But having said this, I will again say, Read SHON HARRIS, multiple times if possible. Its a great book to obtain knowledge and then if you are passionate, go ahead and do real certs that I mentioned (That people made of steel do) and prove your worth.
Congrats on your passing the exam. Great Strategy! I did study Shon Harris once for an in-depth understanding. Read Sybex official study guide twice from exam perspective. Went through questions in Boson and official exam prep questions from ISC2. I may have gone through 700-800 questions. But the exam as everyone said is nowhere related to the questions. The exam had more SDLC related questions. I knew I am not good at this and my experience at my current job helped me answer most of SDLC. Dont panic by looking at the clock. I did not look at the clock for the first 50 questions as I wanted to gain confidence in answering them correctly rather than answering them on time. I followed reddit for similar success stories for strategy and materials I could use to prepare. All of the guidance helped!
I do feel the same, there are people asking for study material, source of material...etc. and I believe there is no a "single" source can cover all topic in CISSP but rest is actually real work experience which enables a professional to pass the exam, the official guide are only part of the reference material. And as well as every individual is unique, unique education, experience, strength and weaskness. So what work for one may not work well for the others.
And but all in all, I would say as a professional, one should know when one is ready or not. The more exams I take, the more I can feel this assurance myself.
I won't say CISSP is an easy exam but when you are ready, then you should be actually comfortable to take the exam.
I still recall the moment my exam end around 104 - 105 questions which means either I am really bad or pass, at the very moment, I cannot tell (as i was taking the CISSP right after the CAT rollout at a couple of months, I really don't know what this actually means at that moment)
The next couple of minutes in waiting time for the testing result printout, I was feeling it took a decade of waiting time for me, holding my breath and waiting for the moment of truth. I would say that's one of the most exciting and scary moments I ever have had.
For the CAT exam strategy, I would say spend more time in the beginning of the exam to maximise the "correct" answer in the beginning is important which secure you position and make you feel more "safe" during the exam. Rest is general exam tactics which includes read the question carefully, keep clam and keep a good timing (don't rush but keep a good pace yourself).
Hope your endorsement and certification process goes well and welcome to the club.
Last but not least:
When the exam ends, the journey begins.