I passed the CISSP in April 2019 and just wanted to share my experiences and how I was able to be successful the first time, with the hope this may be of use to someone who is also aiming to achieve the CISSP.
Please feel free to ask me any questions and I will do my best to answer them.
I didn’t think the overall process was too bad. I was lucky enough (being ex-military) to get a cracking deal on a bootcamp (which included the exam) from BlueScreen IT. The bootcamp gave me that initial study intensity and the focus on which parts of the book were the more important bits to know inside and out.
Then for me it was a case of touching up on areas I knew I wasn’t strong at and then finally starting to do practice exams and then touching up further on weak areas.
I think this exam does depend quite a bit on your experience and the knowledge you already have... no one is ever going to know all 8 domains like the back of their hand straight away. For me it was more the managerial side of things I lacked, but I was all over the technical stuff, having worked in IT support and infrastructure roles before my dedicated security role.
I think it would be easier coming from a technical background because the cryptography and network communications would be quite heavy if you didn’t already have a good level of understanding. The security engineering domain I thought was a bit middle ground between a risk management/assurance and technical standpoint. That domain held no prisoners and was one I put a lot of effort into.
So in summary the process isn’t as bad as some people make out, but it is very experience/background dependent, I think.
Exact materials used and when:
I want to start by saying I achieved CompTIA CySA+ a few months before starting my studies for the CISSP. I would say it definitely helped as there was some crossover; equally, I think the Sec+ and any other “lower level” certifications would help in preparation for the CISSP.
But step one was the Kelly Handerhan Cybrary videos - purely as an overview and summary before I went on the bootcamp.
The Sybex CISSP Official Study Guide was used on the bootcamp. We didn’t read it cover to cover, and I actually never read it cover to cover afterwards either. I guess the advantage of the bootcamp was that our instructor picked out the important parts of the book, focused on them, and elaborated and presented them in a more easily understandable manner. This was the only book I used.
CISSP Sunflower notes: https://docs.wixstatic.com/ugd/dc6afa_fc8dba86e57a4f3cb9aaf66aff6f9d22.pdf
- I read these in depth in the week after my bootcamp and made notes on the topics I didn’t know so well.
It was at this point (so 2 weeks in) that I booked my exam for a month in the future. That really gave me the focus and a bit of somewhat welcome pressure to really get my head down and study.
After I had read the CISSP Sunflower notes I started doing the Sybex online practice questions that you get free with the book. You get all the review questions from the book plus 6x 150 bonus questions. These questions are very much fact-based and don’t really get you into the CISSP exam answering mindset.
I also bought the Boson CISSP practice exam suite, which was $99 (look for promo codes in their FB and Reddit posts). You get 5x 150 questions, but the best part about the Boson exams is the extremely detailed explanation of each answer.
The Boson questions are more similar to what you may find on the actual exam than the Sybex ones, but are by no means the same. They test your CISSP mindset better than just throwing fact-based questions at you like the Sybex ones do. I took one exam each weekend to try and see if I was improving, and I progressively improved throughout: I started at a failing score of 66% and my final and best score was 78%. Don’t worry if you’re not getting into the 80s or 90s percentages, as it obviously didn’t make a difference for me. I would expect you to be getting above 80% in the Sybex ones, though, by the time you’re ready to take the exam.
A tip with any practice exams you do... don’t drill the same ones over and over! I didn’t actually take any practice exam more than once, as then I would be trying to memorise practice Q’s and not actually learning the material.
I saw a few posts from people that had failed the CISSP, and somewhere in them was usually “I was getting >90% on the practice exams and was answering 400 questions a day”. Well, that is the issue! Use the practice exams as an aid to point out your weaker areas that need more work.
As I went through the practice exams I would take notes of areas I needed to study further. I would then either look back in the book or Google, or a combination of the two. This kept me from purely doing practice exams and let me mix it up with further reading and practice exams here and there.
Whenever I was driving I also listened to YouTube videos on the CISSP. I found a guy on YouTube who gave excellent detail in the domains he has covered thus far; I think it’s a work in progress, but he’s up to domain 7 (or certainly in the process of covering domain 7 at the point of writing this): https://www.youtube.com/channel/UCIbeWc3tjvGgTS2uV5D2BUw
I did periodically skim the sunflower notes again and again until it all pretty much made sense to me.
Apart from the bootcamp, I rarely studied any longer than 2 hours in any one day, including weekends. I did study pretty much every day though, usually about 45 minutes during my lunch break and an hour or so in the evening.
In total it took me about 6 weeks of actual study. I did spread the Cybrary videos over about a month before I took the bootcamp, but it was more leisurely viewing than anything, so I’m not classing that as part of my study.
I booked my exam for a Tuesday at 12pm, and I took both Monday and Tuesday off work. On the Monday I tried to memorise a few of the cipher suites and block/key sizes, and some other similar data which you will never commit to long-term memory. I didn’t want to hit it too hard for fear of overwhelming my brain and potentially forgetting other important things, so again I didn’t study for more than 2 hours on the day before my exam.
I didn’t look at any material on the day. I played my favourite playlist in the car on my 2 hour drive up to the test centre and just tried to clear my head and get in a positive mindset. It made me laugh when I read someone had listened to “Eye of the Tiger” beforehand for motivation, but I skipped the cheesy Rocky music and stuck with my firm favourites.
I got a good night’s sleep the night before. On the day I ate a bigger than normal breakfast. I ate this quite early because I was conscious I needed to eat just before I went in for my exam, so I grabbed a light lunch after I had parked up and just before entering the exam centre.
The exam centre was very busy as it was also a driving theory test centre. I asked to be seated at a terminal where I was least likely to be disturbed and had to wait 10 minutes for that terminal to be free, but it was well worth it.
My exam technique has always been to not spend too long on questions; I don’t like to give myself the chance to doubt myself. I only take longer on the questions where I either don’t know the answer or it is overly complex.
At the 50 question point I had a little break: I got some water, went to the loo, and then went back and resumed my test.
After just over an hour I answered my 100th question and the exam ended. I actually thought I had failed at that point. Legend has it that it will stop the test at 100 questions if it thinks you only have a 5% or less chance of passing (if any more questions were to be asked), or it stops the test at 100 questions if you have a 95% chance or more of passing (if any more questions were to be asked).
Was I asked 99% of the stuff I studied up on? No, not really! Do you still need to study it all? Yes, because the exam engine knows what areas you are weaker on and will pound you with those questions until it is satisfied you know that domain.