I just passed the CISSP exam today on the first attempt with about a month of dedicated study all together. I kept feeling like I should have put more time into studying but I just felt like I was ready. You can pass this exam as well if you prepare properly.
Since I'm using a similar hero post image as the other CompTIA success posts I've done, I have to mention that just passing the CISSP exam isn't enough to get CISSP certified. I still need to find someone to endorse me, wait like 2 months, and then pay the AMF before I'm official.
Update 9/26: Woohoo, just got the provisionally passed email. Now, onward to the endorsement process.
Update 10/7: Double woohoo, I asked one of my mentors to endorse me and she agreed! Now I wait…
Update 1/6/20: A little over 3 months in and still no CISSP certification. This endorsement process has proven to be quite a lengthy process. Check out the post on my delay with the endorsement process to see what the deal is.
Study Materials Used
I bought a book that I read cover to cover (it's only 200 pages), 11th Hour CISSP 2nd Edition. It's written well and is fun to read, but it is a ton of content packed onto each page. If you know nothing about information security, a lot of the terminology will go right over your head. I'm familiar with a good portion of the material and even noticed a few things I forgot I studied when skimming the book the morning of the exam.
By this point I've done IT work for about 15 years or so, with the last 5 being specifically in security. I also have an MBA with honors (Beta Gamma Sigma) and actively study business, personal finance, and digital enterprises. So, this exam's material was right up my alley. I don't know every domain extremely well, but I'm able to work through the issues.
Additional Study Materials
I used the following materials to prepare for this exam:
- Full CISSP Course Path by Mike Chapple on LinkedIn Learning
- I was planning on picking up Mike's Official Practice Test book, but never got around to it
- All in one CISSP audios by Shon Harris
- This content is based on the old exam setup with 10 domains, but her explanations are excellent
- Boson CISSP exam package
- Practice exams
- Practice lab
The Boson prep package was interesting. They were more technical and do not match the content of the exam. What they did match was exam style and question structure, which really helped me get into the mindset of the exam. The questions I mostly kept missing were the tricky ones that I didn't fully read all the way. I took 4 practice exams before I had a passing score.
Alternative Study Recommendations
I did not use the official Sybex book but I've heard good things. I also heard good things about Essential CISSP by Phil Martin. Essentially, he explains things pretty well. I purchased the audiobook to go through but unfortunately I ran out of time and didn't get to use it to study with.
Essential CISSP Chapters
If you do go with the Essential CISSP (which is recommended), you'll find there is a lack of chapter information so it may be hard to keep track where you are. Here's that info:
- Security and Risk Management Domain
- Confidentiality Integrity Availability CIA
- Authentication Authorisation and Auditing (AAA)
- From Vulnerability to Exposure
- Administrative Technical and Physical Controls
- Security Frameworks
- Computer Crime Law
- Policies, Standards, Baselines, Guidelines and Procedures
- All About Risk Management
- Modelling Threats
- Assessing and Analysing Risk
- Managing Risk
- Business Continuity and Disaster Recovery
- Personal Security
- Security Governance
- Asset Security Domain
- Information Life Cycle
- Information Classification
- Layers of Responsibility
- Retention Policies
- Protecting Privacy
- Protecting Assets
- Data Leakage
- Protecting Other Assets
- Security Architecture and Engineering Domain
- System Architecture
- Computer Architecture
- Operating Systems
- System Security Architecture
- Security Models
- Systems' Evaluation
- Certification vs Accreditation
- Open vs Closed Systems
- Distributed Systems Security
- A Few Threats to Review
- The History of Cryptography
- Cryptography Definitions and Concepts
- Types of Ciphers
- Methods of Encryption
- Types of Symmetric Systems
- Types of Asymmetric Systems
- Message Integrity
- Public Key Infrastructure
- Key Management
- Trusted Platform Modules
- Attacks on Cryptography
- “The Author Talks about some aspects of physical security”
- The Site Planning Process
- Protecting Assets
- Internal Support Systems
- Communication and Network Security Domain
- Open System Interconnection Reference Model
- TCP/IP Model
- Types of Transmission
- Networking Devices
- Intranets and Extranets
- Local Area Networks
- Wide Area Networks
- Metropolitan Area Networks
- Multi Service Access Technologies
- Remote Connectivity
- Wireless Networks
- Network Encryption
- Network Attacks
- Identity and Access Management Domain
- Security Principles
- Identification Authentication Authorisation and Accountability
- Access Control Models
- Access Control Techniques and Technologies
- Access Control Administration
- Access Control Methods
- Implementing Access Control
- Monitoring and Reacting to Access Control
- Threats to Access Control
- Security Assessment and Testing Domain
- Audit Strategies
- Auditing Technical Controls
- Auditing Administration Controls
- Management Review
- Security Operations Domain
- Operations Department Roles
- Administrative Management
- Assurance Levels
- Operational Responsibilities
- Configuration Management
- Physical Security
- Secure Resource Provisioning
- Network and Resource Availability
- Preventative Measures
- Managing Incidents
- Disaster Recovery
- Recovery and Restoration
- Liability and its Ramifications
- Software Development Security Domain
- Defining Good Code
- Where do We Place Security
- Software Development Life Cycle
- Software Development Models
- Integrated Product Team (APT)
- Capability Maturity Model Integration
- Change Control
- Programming Languages and Concepts
- Distributed Computing
- Mobile Code
- Web Security
- Database Management
- Malicious Software
These 2 videos below also helped with preparing for the exam as well:
Why you WILL pass the CISSP by Kelly Handerhan
I did not go through Kelly's CISSP course on Cybrary but I've heard great things. You can download her entire free CISSP course in audio form here.
CISSP Exam Tips – Understanding Semantics and Context by Larry Greenblatt
Spock certifies and Kirk accredits. Ha, genius.
Keeping the Confidence
So what did I do to mentally prepare for this exam?
If you recall the last exam I passed on the first try, I made a note to myself, naming myself as newly CompTIA CySA+ certified. I was very specific about my intention and I think that played a huge role in getting me prepared for the exam. I didn't write a note to myself this time. But I did create this post, announcing my intention publicly to become CISSP certified in 2019. Not only that, I also told a few people around me as well. I have never made a public declaration in this manner before.
I feel good about the exam. Half of the exam I knew pretty well and the other half I had to work through. I'm extremely happy to keep the “passing on first attempt on all certifications streak” alive.
Just like with other exams, I created my own CISSP study notes. Much like before, I created the notes before the exam to make sure the concepts were fresh in my mind.
The exam was pretty much exactly how I was expecting it to be, except it had a bit more in-depth technical network admin stuff than I was expecting. Luckily, I know that stuff pretty well.
As always, I should have prepared a little more but I just felt like I was ready so I didn't study as much as people normally would. I don't regret this decision since I can always look up information I'm fuzzy on or consult with someone else if I ever need to.
- Review the CISSP exam objectives if you haven’t already.
- Get a good book, an audio book/notes, AND a video course.
- Set a study schedule and plan a date for the exam.
- Buy the exam voucher from Pearson Vue.
- Schedule the exam through Pearson Vue.
- Take practice questions and practice exams. Even if the exam questions are not the same content, you at least get the practice of context and answer elimination.
- Review material that's still fuzzy to you. Watch YouTube videos, review concepts on Wikipedia or other pages, and improve.
- This certification is as much an English test as it is a information security test.
- Read the question, eliminate 2 answers (1 is an obviously wrong choice).
- Re-read the question before selecting the final choice.
- Watch out for catchy words like MOST, LEAST, ALL BUT, EVERYTHING EXCEPT, and double negatives. If you speed through reading like I do, these are tough ‘gotchas'.
- The exam is Computerized Adaptive Testing (CAT). Just because you don't finish at 100, doesn't mean you failed or are close to failing. The exam wants you to prove yourself. You can still pass after 150 questions.
- Know your stuff and be sure to practice!
Basically, stick what you hear about the exam and you will be fine. Take off your tech hat and think like a manager. Although, you can work through the exam pretty well, you still need to know the fundamentals to give you a fighting chance.
You need to apply critical thinking and your experience when going through the questions. There will be multiple tricky questions so don't rush, pay attention, and read carefully. Don't be surprised to see a few questions that may have two close answers. They may even be right answers, but going through the elimination process will give you the correct answer.
If you slack on policy, SDLC and frameworks, you will get creamed. They may seem like no-brainers in theory, but application and order of steps are important. Even though these topics are taught at the end of most educational materials, don't let off the gas. They are important.
Lastly, if you don't use your scratch pad at all during the exam, no problem. If you didn't finish the exam at 100 questions, no problem either. Whether you finish at 100 or 150 questions, the important thing is you pass.
Have you passed the CISSP exam yet? If so, what do you think of these tips?