15+ years in the industry, having finally passed this exam today, felt it prudent to give back and share my experience.
My story
- Undertook a 5-day classroom course a year ago (2018). For me it was to get an overall understanding of the content and identify which areas I would need to focus on in my further studies. I've always liked the collaborative classroom experience of learning from others, particularly if the instructor and fellow students are all switched on, which thankfully I was lucky that they were.
- I soon after scheduled the exam for later in the year, but then rescheduled it to early this year as I had barely studied. One bit of advice I would give, even if you're a person who needs to set the exam date as a goal to motivate yourself: take into account all life matters first. Between many major family commitments, it was clear that 2018 was not the year for me to take the exam; I had bitten off too much and could not dedicate the time.
- Approx. 3 months ago I decided it was time to get serious, as I realised the new date I had set for the exam wasn't going to work either, and so I rescheduled the exam a second time with a June 2019 deadline. I decided I now had some time (but really not that much more) to dedicate to studying to make my first attempt at this, and hopefully my only attempt.
Pleased to say I today provisionally passed it on my first attempt, and the exam ended after I answered the 100th question. It really is a great feeling when your hard work pays off.
I must admit I know from many reports that the exam ending after 100 questions means a pass, but I was also aware that if the CAT exam thinks there are not enough questions left for you to reach the required 700 of 1000, it will also end early. Read that somewhere. So I was both excited but also in deep fear. Why? Many of the questions scared the hell out of me as they talked about topics and/or terms I had not seen in any of my materials. I read and re-read all items on the screen and just made an educated guess. I wonder if these were the 25 research questions they say are there and not scored? Sure felt like they had to be. Other questions I knew the content, but at times I felt I second-guessed myself, expecting that perhaps I had misread the question or a word here or there, and feared I had made a simple mistake.
Materials used
- The 5-day course I mentioned, and these vary in quality around the globe. This course is run by a national training company in my part of the world (hint: the only country that is also a continent surrounded by water), and the instructor is a well respected security and IT professional who "collects certifications for a hobby". They're not arrogant, they're just really switched on, and their "war stories", anecdotes and experience really helped in understanding much of the content, but also how the content needs to be understood for how the CISSP exam tests for it, i.e. don't add any context to the questions from your personal experiences that isn't there in the question.
- CISSP Exam Cram (4th Edition)
As part of the course they provided a copy of this book. The instructor felt it was a good summary of the content. Despite a few online reviews saying otherwise, I have to agree; I read it on the way to and from work these past 3 months. There was supposed to be a 2018 5th edition of this book to address the rearranging of the 8 domains, but it never got released. Still, a solid book with its own practice questions.
- Cybrary's free CISSP course by Kelly Handerhan
Watched more of this in the past fortnight as a refresher and also for tips on how to absorb and remember some of the more hard-to-remember concepts or names/terms, especially around security models and cryptography. I highly recommend this one; Kelly puts things into terms that are easy to understand and recall. I had tried the Pluralsight equivalent (via a free work subscription) but found it very dry, essentially they were just reading what the slides displayed.
- (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 8th Edition and CISSP Official (ISC)2 Practice Tests, 2nd Edition combo
Ok, so the big Study Guide is far easier to read than the actual CBK textbook, but the reality is I never got around to reading more than a few pages of it; I just felt time was against me versus the time I had in my life to study. Hence the two items above were my main sources of study. If you have the time you should use it, as let's be honest, it's from ISC2, so it covers all items that would be on the exam, no gaps. (One would hope.)
BUT, between the guide and the practice exams book, these two come with thousands of practice questions to test knowledge and understanding.
What's cool is that by buying these books you can register them at the Wiley test bank site and get access to the very same questions in an easy, almost final-exam-like flow, which is far easier than balancing books on your lap. Likewise this platform also provides metrics etc., and has all the answers appear (if you choose) per question. I alternated between doing lots of these questions and the Cybrary videos this past fortnight.
I do agree it is somewhat true that the questions in the exam differ from anything you'll find, however I felt that by doing hundreds of the practice questions, it allows you to get a feel for the type of questions and knowledge you would need. The key difference is that the actual exam definitely does do what everyone says: lots of "what is BEST, MOST, LEAST" etc. style questions, and it combines lots of concepts into one question. Which is what you would expect and want from the CISSP exam: to test that you both recall and understand the CBK, making you a security professional.
Best of luck to all CISSP candidates and I hope this helps someone.
Congratulations!
Yay! Welcome aboard !
Congrats! I took and passed my CISSP on 7th June as well.
I had the exact same experience as you. The questions were quite different from the practice book. They required a lot of reasoning to find the best answer. It was scary for me because I wasn't sure how I was performing. The practice test book questions were straightforward and were easy compared to the actual test, but as you said it helped in understanding the concepts.
I used the following materials:
Thanks for sharing your experience.
Regards,
Vishal
When you say 15+ years in the industry are you talking about cyber security? Boy if I had that time in the industry I wouldn't bother taking the test. Hopefully you did it for fun rather than pressure from the industry.
I need this certification since I am a Sophomore.
I would hope that companies are intelligent enough to value 15 years over a test with 100 questions.
I don't know, this industry is just weird.
Correct, my first job straight out of university was for one of the then largest software companies in the world, who were also one of the largest anti-virus vendors, with other security products. In those days you could get your foot in the door on the technical helpdesk and work your way into either R&D (which I did) or some sort of sales or technical sales role.
For years I had talked about doing the CISSP exam, but always deferred it for one reason or another. I am a firm believer that do-ers will always rise above people who look good on paper but then fail to understand or explain the most basic of concepts. That said, there is also merit in achieving certs such as this. It shows you are willing to be tested against a common body of knowledge shared by many in the industry. My view was that there was a majority of the domains I was quite strong in, but others not so much, purely because my career hadn't required me to be exposed to them as much.
I'm not from the US so we don't use the term sophomore, but I understand what it means. Here is my experience. I undertook my university degree in Computer Science (Bachelor of Computing as it was then known, no longer now) with a double major in Software Development and Information Systems in the early 2000s. Even then I knew all this degree would get me at best was a ticket to the dance, in other words an initial interview. They would look at my resume and say tick, they have a degree in this field. That's as far as it would take me. From there it was knowledge that would get me the job. It should also be said I am a firm believer that you don't need a degree to know your stuff; some of the smartest people I've met don't have a single piece of paper to their name. But today, as IT and Security have blown up to stellar levels, it's far more competitive, and so you need to do all you can to rise above the rest. During my university studies I also got a job at an ISP doing technical support, which introduced me to networking far more than my university degree did.
This is a very long topic, and off-topic now, but it can be said you're not the only one, it's a global problem. My advice is to achieve what certs you can, as it shows you can apply yourself to learn and are eager to do so, but also get as much practical experience as you can. Be that via part-time gigs, voluntary, or small contract roles. If you can show an employer that you self educate, and do whatever it takes to learn the craft of InfoSec (or cybersecurity as is the buzz term now) it should make them sit up and pay attention to what you have to offer.
Thanks for sharing Narsil, appreciate it.
Congratulations! I applaud your use of so many different study guides. That shows how much you wanted this win, and the 100 question exam was the icing on your cake.
Hi,
I started preparing for the CISSP exam, but I am confused right now about choosing the best guide to follow/prepare with to clear the exam.
There are so many recommendations on the web, but right now I am confused about choosing one. Could someone suggest the best guide for CISSP exam preparation?
thanks in advance
br,
Ashok