I just passed the CISSP exam today on the first attempt with about a month of dedicated study all together. I kept feeling like I should have put more time into studying but I just felt like I was ready. You can pass this exam as well if you prepare properly.

Since I'm using a similar hero post image as the other CompTIA success posts I've done, I have to mention that just passing the CISSP exam isn't enough to get CISSP certified. I still need to find someone to endorse me, wait like 2 months, and then pay the AMF before I'm official.

Update 9/26: Woohoo, just got the provisionally passed email. Now, onward to the endorsement process.

(ISC)² CISSP Provisionally Passed Email

Update 10/7: Double woohoo, I asked one of my mentors to endorse me and she agreed! Now I wait…

(ISC)² CISSP Endorsement Queue Email

Update 1/6/20: A little over 3 months in and still no CISSP certification. The endorsement process has proven to be quite lengthy. Check out the post on my delay with the endorsement process to see what the deal is.

Study Materials Used

I bought a book that I read cover to cover (it's only 200 pages), 11th Hour CISSP 2nd Edition. It's written well and is fun to read, but it packs a ton of content onto each page. If you know nothing about information security, a lot of the terminology will go right over your head. I'm familiar with a good portion of the material and even noticed a few things I forgot I had studied when skimming the book the morning of the exam.

By this point I've done IT work for about 15 years or so, with the last 5 being specifically in security. I also have an MBA with honors (Beta Gamma Sigma) and actively study business, personal finance, and digital enterprises. So, this exam's material was right up my alley. I don't know every domain extremely well, but I'm able to work through the issues.

Additional Study Materials

I used the following materials to prepare for this exam:

The Boson prep package was interesting. Its questions were more technical and did not match the content of the exam. What they did match was the exam style and question structure, which really helped me get into the mindset of the exam. The questions I mostly kept missing were the tricky ones that I didn't fully read all the way through. I took 4 practice exams before I had a passing score.

Alternative Study Recommendations

I did not use the official Sybex book but I've heard good things. I also heard good things about Essential CISSP by Phil Martin. Essentially, he explains things pretty well. I purchased the audiobook to go through but unfortunately I ran out of time and didn't get to use it to study with.

Essential CISSP Chapters

If you do go with Essential CISSP (which is recommended), you'll find there is a lack of chapter information, so it may be hard to keep track of where you are. Here's that info:

  1. Security and Risk Management Domain
  2. Confidentiality Integrity Availability CIA
  3. Authentication Authorisation and Auditing (AAA)
  4. From Vulnerability to Exposure
  5. Administrative Technical and Physical Controls
  6. Security Frameworks
  7. Computer Crime Law
  8. Policies, Standards, Baselines, Guidelines and Procedures
  9. All About Risk Management
  10. Modelling Threats
  11. Assessing and Analysing Risk
  12. Managing Risk
  13. Business Continuity and Disaster Recovery
  14. Personnel Security
  15. Security Governance
  16. Ethics
  17. Asset Security Domain
  18. Information Life Cycle
  19. Information Classification
  20. Layers of Responsibility
  21. Retention Policies
  22. Protecting Privacy
  23. Protecting Assets
  24. Data Leakage
  25. Protecting Other Assets
  26. Security Architecture and Engineering Domain
  27. System Architecture
  28. Computer Architecture
  29. Operating Systems
  30. System Security Architecture
  31. Security Models
  32. Systems' Evaluation
  33. Certification vs Accreditation
  34. Open vs Closed Systems
  35. Distributed Systems Security
  36. A Few Threats to Review
  37. The History of Cryptography
  38. Cryptography Definitions and Concepts
  39. Types of Ciphers
  40. Methods of Encryption
  41. Types of Symmetric Systems
  42. Types of Asymmetric Systems
  43. Message Integrity
  44. Public Key Infrastructure
  45. Key Management
  46. Trusted Platform Modules
  47. Attacks on Cryptography
  48. “The Author Talks about some aspects of physical security”
  49. The Site Planning Process
  50. Protecting Assets
  51. Internal Support Systems
  52. Communication and Network Security Domain
  53. Telecommunications
  54. Open System Interconnection Reference Model
  55. TCP/IP Model
  56. Types of Transmission
  57. Cabling
  58. Networking
  59. Networking Devices
  60. Intranets and Extranets
  61. Local Area Networks
  62. Wide Area Networks
  63. Metropolitan Area Networks
  64. Multi Service Access Technologies
  65. Remote Connectivity
  66. Wireless Networks
  67. Network Encryption
  68. Network Attacks
  69. Identity and Access Management Domain
  70. Security Principles
  71. Identification Authentication Authorisation and Accountability
  72. Access Control Models
  73. Access Control Techniques and Technologies
  74. Access Control Administration
  75. Access Control Methods
  76. Accountability
  77. Implementing Access Control
  78. Monitoring and Reacting to Access Control
  79. Threats to Access Control
  80. Security Assessment and Testing Domain
  81. Audit Strategies
  82. Auditing Technical Controls
  83. Auditing Administration Controls
  84. Reporting
  85. Management Review
  86. Security Operations Domain
  87. Operations Department Roles
  88. Administrative Management
  89. Assurance Levels
  90. Operational Responsibilities
  91. Configuration Management
  92. Physical Security
  93. Secure Resource Provisioning
  94. Network and Resource Availability
  95. Preventative Measures
  96. Managing Incidents
  97. Disaster Recovery
  98. Insurance
  99. Recovery and Restoration
  100. Investigations
  101. Liability and its Ramifications
  102. Software Development Security Domain
  103. Defining Good Code
  104. Where do We Place Security
  105. Software Development Life Cycle
  106. Software Development Models
  107. Integrated Product Team (IPT)
  108. Capability Maturity Model Integration
  109. Change Control
  110. Programming Languages and Concepts
  111. Distributed Computing
  112. Mobile Code
  113. Web Security
  114. Database Management
  115. Malicious Software

Mindset Videos

These 2 videos also helped me prepare for the exam:

Why you WILL pass the CISSP by Kelly Handerhan

I did not go through Kelly's CISSP course on Cybrary but I've heard great things. You can download her entire free CISSP course in audio form here.

CISSP Exam Tips – Understanding Semantics and Context by Larry Greenblatt

Spock certifies and Kirk accredits. Ha, genius.

Keeping the Confidence

So what did I do to mentally prepare for this exam?

If you recall the last exam I passed on the first try, I made a note to myself, naming myself as newly CompTIA CySA+ certified. I was very specific about my intention and I think that played a huge role in getting me prepared for the exam. I didn't write a note to myself this time. But I did create this post, announcing my intention publicly to become CISSP certified in 2019. Not only that, I also told a few people around me as well. I have never made a public declaration in this manner before.

I feel good about the exam. Half of the exam I knew pretty well and the other half I had to work through. I'm extremely happy to keep the “passing on first attempt on all certifications streak” alive.

Just like with other exams, I created my own CISSP study notes. Much like before, I created the notes before the exam to make sure the concepts were fresh in my mind.

The exam was pretty much exactly how I was expecting it to be, except it had a bit more in-depth technical network admin stuff than I was expecting. Luckily, I know that stuff pretty well.

As always, I should have prepared a little more but I just felt like I was ready so I didn't study as much as people normally would. I don't regret this decision since I can always look up information I'm fuzzy on or consult with someone else if I ever need to.

Study Tips

  1. Review the CISSP exam objectives if you haven’t already.
  2. Get a good book, an audio book/notes, AND a video course.
  3. Set a study schedule and plan a date for the exam.
  4. Buy the exam voucher from Pearson VUE.
  5. Schedule the exam through Pearson VUE.
  6. Take practice questions and practice exams. Even if the exam questions are not the same content, you at least get the practice of context and answer elimination.
  7. Review material that's still fuzzy to you. Watch YouTube videos, review concepts on Wikipedia or other pages, and improve.
  8. This certification is as much an English test as it is an information security test.
    1. Read the question, then eliminate 2 answers (1 is an obviously wrong choice).
    2. Re-read the question before selecting the final choice.
    3. Watch out for catchy words like MOST, LEAST, ALL BUT, EVERYTHING EXCEPT, and double negatives. If you speed through reading like I do, these are tough 'gotchas'.
  9. The exam is Computerized Adaptive Testing (CAT). Just because you don't finish at 100 questions doesn't mean you failed or are close to failing. The exam wants you to prove yourself. You can still pass after 150 questions.
  10. Know your stuff and be sure to practice!

Conclusion

Basically, stick to what you hear about the exam and you will be fine. Take off your tech hat and think like a manager. Although you can work through the exam pretty well, you still need to know the fundamentals to give yourself a fighting chance.

You need to apply critical thinking and your experience when going through the questions. There will be multiple tricky questions, so don't rush, pay attention, and read carefully. Don't be surprised to see a few questions that have two close answers. Both may even be right answers, but going through the elimination process will give you the best answer.

If you slack on policy, SDLC and frameworks, you will get creamed. They may seem like no-brainers in theory, but application and order of steps are important. Even though these topics are taught at the end of most educational materials, don't let off the gas. They are important.

Lastly, if you don't use your scratch pad at all during the exam, no problem. If you didn't finish the exam at 100 questions, no problem either. Whether you finish at 100 or 150 questions, the important thing is you pass.

Have you passed the CISSP exam yet? If so, what do you think of these tips?
