I took it just after the consolidation from 10 to 8 domains in 2015. I'd reached that point in my career where folks were asking me why I didn't have one, so I decided to go sit for it to stop them from asking. It look about 1hr45 minutes with a water and bio break. Unfortunately, you only find out your score if you failed, so I don't know how well I actually did, but I did well enough to pass and that's the important bit with the exam.

I did have the benefit of employer-paid-for test prep via SANS, which I thought was excellent, and helped organize the info in my head rather well. I used their GISP prep exams and the GISP as essentially preps for the CISSP itself. The training is expensive, but I think its worth it if you can get it.

I did the CSSLP on my own in 2016 without any prep and passed that on my first go out as well. (I like that material more than CISSP generally, as it is more directly relevant to my life)

Back in 2012 I did one month of self study before I got out of the Air Force.  Passing my first time really helped me get the first job after Air Force retirement.

Passing the CISSP exam is always a great experience that sticks to one's mind, for sure! Nothing particular in my case, but one of the best days in my (professional) life!

I had done a massive amount of planning regarding studying for my CISSP.  After I signed-up for the seminar and exam, I immediately ordered the Shon Harris books and study guide.  I decided I had enough time to spend a week per CBK Area before going into the seminar.  After a couple weeks of taking copious notes and researching the areas I didn't feel comfortable, my father died.  Everything kinda fell apart after that.  I had to fly out of state to make arrangements, plus I had my regular work duties.  I took my study materials with me, but spent maybe a few hours during the three weeks I lived out of a casino hotel room.  Those hours were wasted.  I couldn't keep anything in my head, so I just gave it up and figured I'd just roll with the punches.  All told, I spent two solid weeks studying before the seminar and exam.

Now, my recommendations are as follows:

• With pencil in hand, quickly read through the chapters and take notes.  If you're taking more than a page of notes per chapter, that's too much.
  • Eliminate notes that are detail.  The certification is broad knowledge.
  • If you can't get down to a page, finish the rest and come back to it.
  • If that fails, read-up on the Area and come back to it.
• Remember, "An inch deep and a mile wide".
• Take the seminar.
  • You're paying for it, so get value out of it.  Ask questions to clarify concepts.
  • Other people are paying for it, too, so be mindful of their investment.
  • If you have to ask what a SDLC program or federated authentication systems are, you aren't ready.
• If you don't have good industry experience, the CISSP won't prepare you for a security job.
• Schedule your exam to immediately follow the seminar. Don't worry.  If you really don't feel prepared, you can reschedule it, but squeezing in on the Saturday exam is really difficult.
• Keep a small stack of the flash cards with you at all times.  You'd be surprised about how many times a day you have the opportunity to use them.
• Use both sides of the flash cards.  Really.
• If you drink, make sure you Google Map the nearest decent bar to your testing center.  Pass or fail, you're going to want one.
• Nobody I know thought they passed the test until they got their results.  It's that bad.
• If you don't pass, it's not the end of the world.  The cert wouldn't mean anything if everyone passed the first or even second time.

Got mine in 2016.

The strongest lingering memory from actually taking the test was a sort of "road hypnosis" of multiple chocie "a...b..c... next" for hours. I had a plan to take breaks, drink water, eat some snacks, every X time or Y questions, and just fell into the rhythm of answering...and powered straight through the whole thing.

As others have said, I really didn't have a good sense of if I had passed or not. I knew I got most of it right, but the questions have enough uncertainty in the "best answer" area, to leave one in doubt.

I passed, so that was cool.

I tell other folks studying for it, to make sure you know specific definitions for terms, like the differences between Authorization and Authentication. Don't skip past things like that while studying thinking "Yeah, that's the 'auth' thing."  The other advice was to think like a Manager, not a technologist. You are solving a *business* problem, and the technologies are your tools. The tech isn't the answer, it's the means to a solution.

I actually took the exam way late.  I probably could have been grandfathered in. I was doing malware research when I noticed that, in security related communities (this was early days, in terms of the Internet, so there weren't many), there were these messages asking for questions for a new exam this group was building to try and find out whether people who claimed to be security experts actually knew what they were talking about.

I thought about sending in some of my material.  But the thing was, most security people, at that time, didn't think computer viruses had anything to do with security.  (I had already been turned away from presenting at a security conference because "computer viruses only infected micros."  I gave the person a half-dozen examples of viral programs spreading on mainframes and minis, and there was this long pause and finally, "Oh.  I didn't know that."  But they still didn't let me speak.)  So I didn't get in touch.

Over the years I was doing more and more security consulting, and I was starting to think I should take the exam and find out if I knew what I was talking about, in terms of security.  I had only really researched in the malware field.  I was, however, reviewing all the security literature I could get my hands on (there wasn't an awful lot in those days) and posting the reviews online.

By the time I actually did go for the exam, I had reviewed around 300 books.  I also took the ISC2 seminar, which, in those days, was eight days long.  The seminar group all knew each other, since we were all members of the Vancouver Security Special Interest Group (SIG), which had been going for 18 years at the time.  (These days the ISC2 Vancouver Chapter meets with the Van SecSIG.)  We all had at least ten years worth of experience.  (After about the third day, my wife asked if I was learning anything.  I thought it over and replied that, no, I wasn't learning anything new, but we were all having a lot of fun swapping war stories.)

When I wrote the exam (paper based, in those days), I found I got bored easily, and started zoning out.  I took almost the whole six hours.  After I got out, I just sat for about half an hour, decompressing.

I passed.