Hello everyone, thanks for reading my write-up of my journey to CISSP certification. Let’s get right to it.
I tested on 21 July and started writing this guide that day, so when I say “today” I mean 21 July.
I’ve been mulling over getting CISSP certified for about 2 years. I actually bought the Sybex and Shon Harris books 2 years ago, and they had been collecting dust ever since. I never got around to it because I didn’t have a real motive for it. I initially wanted it just so I could say I had it. It wasn’t until I felt it was my only way out of IT that I decided to really go for it.
I’ve been an IT systems technician for 4 ½ years and although it’s a comfortable job that does deal with InfoSec a lot, I’m tired of it. I need to move on and challenge myself on a higher level.
I’ve been attending WGU’s IT Security program and got my CCENT in mid-June this year, which really helped me cut down on study material for CISSP.
2 weeks ago (8 July 2017) I decided I was going to buckle down and get my CISSP done.
T minus 2 weeks
I was getting ready to travel to another branch of my company where I was being sent to help support my peers because they had just lost some folks and were understaffed. They sent me out there for 2 weeks and I figured I could use my extra alone time after work to study for CISSP. My plan was to study for the 2 weeks and then come back, review, and test after about a month or two of additional study.
On 8 July 2017 I bought Eric Conrad’s 11th Hour on Amazon in order to get an overview of the testable material. It arrived on 10 June as I was getting ready to leave for a business trip for 2 weeks. I put it in my bag, and stupidly forgot to bring the Shon Harris or Sybex guide with me on this trip. This turned out to be good for me because it allowed me to focus solely on sucking up every tiny detail in the 11th Hour, because it was my only study material for the whole first week.
So off I went on 11 July on my trip. Lucky for me, when I got to the office they actually didn’t have a ton of work for me and allowed me to study most of the day… for 2 weeks. And this is why I was able to make the crazy decision to study for and take the CISSP within 2 weeks.
The first week of study
The first week I read the 11th Hour cover to cover. I then went back and put tabs on pages where major concepts were discussed (BCP/DRP, SDLC, ARO, etc.). I also took a few practice tests on the Sybex Official App. The practice tests served to guide me towards the concepts where I was weak in knowledge. I consistently scored in the 60s on my practice exams during this week. On average I would do four 50-question practice exams every day after reading a couple of chapters of the 11th Hour.
I studied for 6-10 hours a day. At work I would get 4-6 hours of study and the rest were after work when I got back to my hotel.
The Saturday (15 July) of the first week I scheduled the test for the next Thursday. I figured I was on track to be ready for it, but could reschedule if necessary (it’s only $100 to reschedule).
The second week of study
The second week I went and bought the Exam Cram 2nd Edition CISSP Study Guide. I figured since I already have Shon Harris and Sybex at home I shouldn’t buy another copy. The Exam Cram guide turned out to have a lot of the missing information that I didn’t get with the 11th Hour. I didn’t read it 100%, but I read most of it while focusing on my weakest areas.
The few concepts that I found on practice exams that neither book covered I just looked up online. The 11th Hour and Exam Cram do a good job of telling you what’s on the test and explaining the concepts, but sometimes it’s not enough. So I googled a lot of things, I downloaded ISO standards and NIST standards to read through, and I also downloaded visual aids for things like key exchanges and the TCP connection/disconnection process.
I also did tons of practice exams. I did the McGraw-Hill online exams, I did full length exams on the Sybex app, and did all three of the Boson practice exams.
I tested on Thursday of the second week.
The day before, I rested a lot, tried not to look at any more study material as much as I could, and watched the movie Sneakers (which actually helped me on a question or two on the test!!). If you haven’t seen it, it’s a great hacker/InfoSec movie.
The morning of the test I just focused on mnemonics for things like BCP steps, CMMI, and the SDLC lifecycle. I wrote these down on my erasable board as soon as I sat down for the test. The actual test was more of a test of mental endurance than anything else. If you studied well, no question is insanely hard. It’s a matter of looking for keywords in the question to decrypt what it’s really asking you and then deducing the correct answer.
Around question 120 I started having trouble focusing. I had to reread the questions over and over just to understand what they were asking. This is how I knew I needed to take a break soon.
I took a 10-minute break at question 150. I went to the bathroom, ate a protein bar, and drank some water. I came back in and looked at the question on the screen that I had answered before the break and almost laughed out loud as I realized that I had answered completely wrong because my mind was so fuzzy. I went back to around question 120 and found another couple of questions I answered way off due to fatigue. Luckily the adrenaline started pumping around question 200 in anticipation of getting my test result, and thus I didn’t have as much of a hard time staying focused.
I flagged about 50 questions. I only changed about 4 and only because I was absolutely sure of the change. The ones where I was 50/50 I left unchanged.
Once I finished my final review I proceeded to take 20 solid minutes to accept my fate since I was sure I failed. After those 20 minutes I decided to just click submit and see what happens.
Luckily, when I went to the reception desk I saw a single sheet of paper on the printer, signaling that it was a pass (fails are apparently always 2 pages, according to people who previously failed).
It was a crazy journey and it went by super fast. I don’t recommend it to anyone who hasn’t had IT experience, because I already had about 30-40% of the material down due to my job in IT and studying for CCENT the month before CISSP.
Review of study material
Review of 11th Hour: Reading this book ended up being the greatest decision I could’ve made, as it not only gave me the overview I sought, but helped me to learn how all the concepts worked together without delving into the nitty-gritty details of each concept.
Exam Cram: Very helpful. Whereas Shon gives too much info and the 11th Hour gives barely enough, Exam Cram gave me the perfect amount of explanation on each subject. I used it as my secondary book to look up concepts and expand on what I learned in the 11th Hour.
Sybex Official App: Great study app for practice exams. I took 50 questions at a time during the week, with one or two full 250-question tests thrown in there. I was scoring in the 80s consistently on these practice exams before moving on to the Boson practice exams.
Shon Harris: I barely read anything in the Shon Harris book. It seemed way too detailed for what the practice questions were asking. I already have networking and IT systems experience so I really didn’t need the technical stuff, so I passed this one over.
Boson practice exams: I can’t speak highly enough of these exams. I took the first one on the Friday of the first week, the second on the Monday of the second week and the third on the Tuesday of the second week. They are a bit tougher than the questions on the exam, but that’s a good thing. The highest score I got on the Boson exams was 78% on the third one, and it was then that I knew I was ready for the real thing.