I’ve been working for (ISC)2 for almost 5 years and over the years I’ve met many CISSPs at (ISC)2 and industry events. In our conversations I'll often ask them about their experience taking and passing the CISSP exam, as it’s a huge accomplishment and everyone I’ve heard from remembers the day they found out that they passed.
One story that has stuck with me is about a member who was taking the exam back when it was paper-based testing and about halfway through his exam he realized that two pages were stuck to one another, so all of his answers from then on were off. He luckily was able to erase and adjust all of his answers in time and he later found out that he passed. Talk about a nerve-wracking experience!
I’d love to hear your story…
I took it just after the consolidation from 10 to 8 domains in 2015. I'd reached that point in my career where folks were asking me why I didn't have one, so I decided to go sit for it to stop them from asking. It took about 1 hour 45 minutes with a water and bio break. Unfortunately, you only find out your score if you failed, so I don't know how well I actually did, but I did well enough to pass and that's the important bit with the exam.
I did have the benefit of employer-paid-for test prep via SANS, which I thought was excellent, and helped organize the info in my head rather well. I used their GISP prep exams and the GISP as essentially preps for the CISSP itself. The training is expensive, but I think it's worth it if you can get it.
I did the CSSLP on my own in 2016 without any prep and passed that on my first go out as well. (I like that material more than CISSP generally, as it is more directly relevant to my life)
Back in 2012 I did one month of self study before I got out of the Air Force. Passing my first time really helped me get the first job after Air Force retirement.
Passing the CISSP exam is always a great experience that sticks in one's mind, for sure! Nothing particular in my case, but one of the best days in my (professional) life!
I had done a massive amount of planning regarding studying for my CISSP. After I signed up for the seminar and exam, I immediately ordered the Shon Harris books and study guide. I decided I had enough time to spend a week per CBK Area before going into the seminar. After a couple of weeks of taking copious notes and researching the areas I didn't feel comfortable with, my father died. Everything kinda fell apart after that. I had to fly out of state to make arrangements, plus I had my regular work duties. I took my study materials with me, but spent maybe a few hours during the three weeks I lived out of a casino hotel room. Those hours were wasted. I couldn't keep anything in my head, so I just gave it up and figured I'd just roll with the punches. All told, I spent two solid weeks studying before the seminar and exam.
Now, my recommendations are as follows:
The exam itself was brutal. I took it before the CAT. I was done in 45 minutes and panicked. I took another 45 minutes to go over all my answers and ended up changing one, only because I obviously misread the question. When I turned it in, I sat with my head between my knees, just waiting for a sad head shake, while waiting for the results. When the examiner said, "Congratulations," I assumed he was messing with me.
If you can get down to 3 answers, you're probably doing okay.
Always keep in mind, it's the "most right", not just the first "well, that's right".
I had questions with three somewhat right answers.
I had questions where none of the answers was 100% right (or so I think).
Some questions aren't in the book.
Got mine in 2016.
The strongest lingering memory from actually taking the test was a sort of "road hypnosis" of multiple choice "a... b... c... next" for hours. I had a plan to take breaks, drink water, eat some snacks, every X time or Y questions, and just fell into the rhythm of answering... and powered straight through the whole thing.
As others have said, I really didn't have a good sense of whether I had passed or not. I knew I got most of it right, but the questions have enough uncertainty in the "best answer" area to leave one in doubt.
I passed, so that was cool.
I tell other folks studying for it, to make sure you know specific definitions for terms, like the differences between Authorization and Authentication. Don't skip past things like that while studying thinking "Yeah, that's the 'auth' thing." The other advice was to think like a Manager, not a technologist. You are solving a *business* problem, and the technologies are your tools. The tech isn't the answer, it's the means to a solution.
I actually took the exam way late. I probably could have been grandfathered in. I was doing malware research when I noticed that, in security related communities (this was early days, in terms of the Internet, so there weren't many), there were these messages asking for questions for a new exam this group was building to try and find out whether people who claimed to be security experts actually knew what they were talking about.
I thought about sending in some of my material. But the thing was, most security people, at that time, didn't think computer viruses had anything to do with security. (I had already been turned away from presenting at a security conference because "computer viruses only infected micros." I gave the person a half-dozen examples of viral programs spreading on mainframes and minis, and there was this long pause and finally, "Oh. I didn't know that." But they still didn't let me speak.) So I didn't get in touch.
Over the years I was doing more and more security consulting, and I was starting to think I should take the exam and find out if I knew what I was talking about, in terms of security. I had only really researched in the malware field. I was, however, reviewing all the security literature I could get my hands on (there wasn't an awful lot in those days) and posting the reviews online.
By the time I actually did go for the exam, I had reviewed around 300 books. I also took the ISC2 seminar, which, in those days, was eight days long. The seminar group all knew each other, since we were all members of the Vancouver Security Special Interest Group (SIG), which had been going for 18 years at the time. (These days the ISC2 Vancouver Chapter meets with the Van SecSIG.) We all had at least ten years worth of experience. (After about the third day, my wife asked if I was learning anything. I thought it over and replied that, no, I wasn't learning anything new, but we were all having a lot of fun swapping war stories.)
When I wrote the exam (paper based, in those days), I found I got bored easily, and started zoning out. I took almost the whole six hours. After I got out, I just sat for about half an hour, decompressing.
I liked it so much I passed twice.
The first time was in 2010, and the second just last year when I figured I might need it again.
I did it straight after the review seminar at company campus - we had an in-house course though people from outside showed up for the exam. I was probably done in a couple of hours, reviewed and felt ok about it, passed, certified and then didn't bother till 2017.
The second time around was actually longer, slightly over two hours, mostly due to the machine not refreshing quickly enough. Anyway, by that time I was pretty much feeling OK about things, so I was quite chillax about it all.
I saw a 45-minute time frame in the thread from John for a completion, which is very impressive. Do-able, I think, assuming you were getting questions that you could nail in 10-15 seconds, but even so, kudos. I'm pretty sure if I had tried to speed run it in that time and stuck with my answers I'd have been going for a resit.