The Road to CISSP

Introduction

So I obtained the Certified Information Systems Security Professional (CISSP) certification and to be honest I found the exam to be very different from what I expected after learning the subject matter from the official resources. Consequently I found the exam quite daunting to pass.

But I did pass the exam so let me recap in this blog how I prepared and how I got to pass the exam successfully. I really owe a lot to the people posting their experience and the sources they used to prepare for the exam. Now it is my time to give back to the community. I hope it is of use to you.

Before I started learning for the CISSP exam I passed the Certified Ethical Hacker (CEH) exam, and this really did help me while I was studying for CISSP. CEH is more technical than CISSP, but quite a lot of topics from CEH were also covered in the CISSP learning sources. That being said, I do not remember any of the CEH topics coming back on the exam. In fact, it appears to me that none of the CISSP topics I learned intensively came back on the CISSP exam either! More about that later…

First off let me share the sources I used to learn for the CISSP exam.

CISSP sources

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide by Mike Chapple, James Michael Stewart, Darril Gibson.
I bought this book because I like to learn from a physical book and use it as the basis for learning the topic. I did not buy and use the CISSP Official (ISC)2 Practice Tests book that you can buy along with the study book. I found the book to be a very pleasant read and it covers all the CISSP topics. Personally I have no negative things to say about this book. I can certainly recommend it.

Figure 1: CISSP study book.

I bought the book for €42,99 online.

Skillset CISSP exam training
I did use Skillset before to train for CEH. I did not find the questions from Skillset particularly representative of the real CISSP exam questions (but which source is?), but I mainly used Skillset as insurance in case I failed the exam. If you answer all the questions from Skillset (which are a lot, thousands!) and reach 100% readiness, Skillset will refund the exam fee if you fail the test. Since the CISSP exam costs a whopping €650.00 (not even close to the fee for the CEH exam for which I paid €1072.03) it gave me a safe feeling that my back was covered. Since I used Skillset before to train for the CEH exam I got a readiness score head start of around 20%.

Figure 2: Skillset 100% readiness score.

Since Skillset charges a monthly subscription, my strategy here was to use a free Skillset membership at first to reach 100% readiness. After that, and after feeling confident for the exam, I bought a Pro subscription. The 100% readiness score will then automatically be carried over to your paid subscription. Activation of the Skillset Pro membership is immediate, so I upgraded a few days before taking the exam and ended my subscription as soon as I got notice that I provisionally passed the CISSP exam.

Reddit CISSP subreddit
A very informative source is the CISSP subreddit. I used it as my main source for finding additional study material and to learn how people prepared for and experienced the exam.

Cybrary CISSP course
I watched all episodes of the Kelly Handerhan course on Cybrary. It is free and did help me a lot to provide a different angle on the CISSP topics I learned from the book. Kelly explains very well and each episode is nicely scheduled so I managed to watch a few episodes each day. The total watch time is 13 hours.

Figure 3: Cybrary CISSP course by Kelly Handerhan.

CISSP Study Question of the Day from IT Dojo
Each day IT Dojo presents two CISSP exam questions and explains the correct and wrong answers. The questions themselves are more technical than the ones I met on the exam, but the way the questions are phrased represents the real exam questions a little bit (but not fully). I learned a lot from IT Dojo and they added to my overall knowledge and confidence level.

Figure 4: IT Dojo CISSP study questions of the day.

CISSP Practice Question with Spock & Kirk

This video series helped me in understanding how to approach the CISSP exam questions. First the rational Spock analyses each answer and rejects the ones that are not correct. This usually leaves two answers. Then Captain Kirk looks at the remaining answers and chooses the best one based on subjective gut feeling.

Figure 5: How to pass the CISSP exam with Spock & Kirk.

In my experience this is the best way to approach the CISSP exam questions, because most of the time there is no single obviously correct answer. First filter rationally and then let your subjective feeling decide. The trick here is that this subjective feeling is of course based on you subconsciously knowing a lot about the subject at hand. This knowledge was gained by studying long, hard and focused.

Practice exams
I did not find any practice exams that simulated the spirit of the real exam but the following ones are quite good anyway:

Kelly Handerhan – Why you WILL pass the CISSP
I watched this video at least three times as it is really helpful to put you in the right mindset for the exam. Kelly explains the type of questions present on the exam and gives helpful tips on how to approach these. Watch this again just before you take the exam.

Exam Strategy

First of all I studied the book front to cover. After that I finished Skillset to 100% readiness and watched a lot of IT Dojo episodes and Kelly Handerhan’s Cybrary video series. I scheduled the exam a few weeks ahead and as the exam date approached I watched Spock & Kirk and Kelly Handerhan’s Why you WILL pass the CISSP video. I often browsed the CISSP subreddit for other material and advice.

I was very focused on this task and spent around three hours a day for four months, and more during weekends.

On the day of the exam I arrived early at the test center so I had ample time to register at the reception, visit the bathroom and drink some water. At the test I put in the ear plugs that were provided by the test center. I took chewing gum and a grape sugar tablet with me in case I needed some energy.

The test is adaptive and has somewhere between 100 and 150 questions, depending on your ability to correctly answer the questions. The available exam time is 180 minutes. There were maybe a maximum of five questions that I felt 100% confident about, but the rest felt like a guess to me, and as I neared question 100 the questions were impossibly hard to answer. To add to that I was a little time starved. When I reached question 100 I was hoping that this was it, but then I got question 101… I reasoned to myself to not focus on that disappointment and struggle on while I was here anyway. After answering question 101 and pressing Next the computer seemed to pause and then a message appeared telling me the test was finished and I could pick up the transcript at the reception. It did not tell me whether I passed or failed. At that point I was confident I had failed and that they chose not to tell you in case you would smash up the computer and furniture in anger or disappointment.

Provisionally passed

I left the examination room and went down to the reception and they printed out the result. It said something like

Congratulations! [more text but no actual mention of passing the test]

In the printout they stated that they have to do a psychometric analysis and that I will be notified of the result. This confused me; it seemed I had passed, but had I really?

The next day I got the following email message from membersupport@isc2.org.

Congratulations! We are pleased to inform you that you have provisionally passed the Certified Information Systems Security Professional (CISSP®) examination. By passing this examination, you have completed the first of two steps toward earning your CISSP credential!

In this email it was explained that the next step is to complete the endorsement process, which you should do within nine months of your exam date. I asked a friend of mine with CISSP certification to endorse me. I also asked two of my former managers if I could mention them as a reference. After my endorser sent in the documentation I got an email stating

This email confirms that (ISC)2 has received your endorsement documentation and have placed it in queue to be reviewed.

In the eighth week after applying for endorsement I got this liberating email saying

Congratulations! Based on your examination results, application review and acceptance of your endorsement, the (ISC)² Board of Directors has awarded you the CISSP Certification.

The long road had ended and a new one just began. Now all I have to do is wait for the Welcome Kit they are apparently going to send over and pay the yearly fee of $85,00.

Afterthoughts

I must admit that if I had failed I would not have had a clue on how to prepare any better for this exam. I guess the best you can do is to study hard and spend a lot of time rehearsing the best you can. This knowledge all builds up to a kind of gut feeling which will make you choose the correct exam answers in a magical way. Study hard and after that just put trust in yourself to pick the right answer on the exam.
