You've read a few books, or a single book, cover to cover.
You've taken over 3,000 practice questions.
Your non-copyright-infringing PDF notes are always within reach.
You know about securing data in motion, your knowledge of cloud computing topics is solid, and your network security concepts may not all be there, but you've accepted this risk. You've also accepted the very real possibility of getting software development questions on the exam and getting every single one of them wrong. You will compensate for this with your strong knowledge of all the other topics which you have studied and actually understand.
Yet, you still are not sure if you will pass. Failure looks like a real possibility even with all the hours of studying. Here are the types of people who experience this type of exam stress: everyone around the globe!
I've been a CISSP instructor for about 5 years now engaging with students all over the planet on a daily basis. India, Japan, Canada, Philippines, Ghana, Pakistan, Bangladesh, USA, Brazil, Mexico, Nigeria, U.A.E, Israel, China, France, Belgium, Morocco, Vietnam are just some of the countries with people on their journey to the CISSP. Even remote islands like the Maldives.
They all share the same trait: nervous as heck about their CISSP exam.
What To Do 1-2 Months From Your CISSP Exam
At this point 40% of your time should be reading and 60% should be practice questions. You don't want to "remember" concepts, you want to "understand" the concepts. Whenever possible, ask "why?" As in, why are we encrypting data in motion? Why do we use IPSec? Why do we need to have a BCP/DRP? Why does a foreign key in a database exist?
Handwriting your notes is also excellent. Connecting your brain with what is being written on the paper with your hand motions is going to be helpful during your exam. If a topic comes up, your brain will remember writing about it in your notes. Writing makes things easier to recall and understand because you remember the effort, the toil.
Now is also when you should be working through practice exam questions and trying to score at least 80% on them. By now you know your weakest domains, and you should start to spend 1-2 hours per day dedicated to those domains. If you are not getting 80% on practice exams (especially the extremely difficult ones from the Study Notes and Theory Member's Portal), believe me when I say it is OKAY.
Don't worry about how you're doing in my test or any other practice test; the important part is to understand why the choice is correct, and why the other choices are incorrect. That's it. The exam measures your skill by the questions you get correct and how those answers feed the exam's algorithm for determining your skill level; it is not based on percentages.
You should be doing more practice exam questions than reading. Your reading should be linked to what practice exam questions you got wrong. If you didn’t know what the Tranquility Principle is, time to read up on the Identity and Access Management domain. If you didn’t know some elements of PKI, then it's time to hit up the Security Engineering domain. The same thing if you have any doubts about IPSec, AH, and ESP, hit Domain 4: Network Security. Any topic you find you do not know fully, focus right on that topic until you get it.
In these last few months you should be fairly confident with the material. Trust me, you'll still get things wrong in practice exam questions, but you'll feel less bad about it. You might have eliminated 2 answers, leaving a 50% chance of getting the answer right. If this is the case, you're on a good track to take the exam. Eliminating two choices right away is a good sign that you understand what is blatantly a wrong choice.
Just remember, it is natural at this point to feel like you have studied everything possible, but still miss practice exam questions and encounter new terms. This is the crucible of the CISSP, and a deep reflection of how it is in the real information security industry.
Try a sample of my own practice questions if you're interested:
Here are some other free resources that help right before taking the exam, click the link to download:
These last two are really important documents:
CISSP Process Guide
On the CISSP exam you have to think like a manager. Managers don't fix the immediate issue, they fix the "process". In order to fix the process, you have to know the process. The real exam will present you a scenario, and you will be tested to see where in the process there was a failure. The Process Guide is by no means an official list of processes; no document really provides that. It's just the general steps and some things to glance or skim through as you supplement your other studies.
Bottom line, if you know the process you know how to fix and recognize it when it's broken.
The PDF summaries I carried with me everywhere before the exam, right up until I walked into the testing center.
Important Topics To Understand
Below are some big topics I would consider as "must-know" for the exam. Not because they are actually on the exam or some new CISSP topic, but because they serve as a good measure of understanding the smaller topics.
Confidentiality, Integrity, Availability
Everything in the CISSP revolves around upholding one or more of these core concepts.
The topic of digital signatures is good to know because it requires understanding asymmetric encryption, hashing, and nonrepudiation. If you know about digital signatures completely, then you probably have a good understanding about the entire cryptography domain itself.
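To make the three ingredients concrete, here is an added example (not from the original post) that signs a message by hashing it with SHA-256 and signing the digest with an RSA private key, then verifies with the public key. The message text is constructed for illustration; the wrong-key and tampered-message checks show where integrity and nonrepudiation come from.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signMessage hashes the message (integrity) and signs the digest with the
// private key (asymmetric encryption). Only the private-key holder can
// produce this value, which is what gives the signature nonrepudiation.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyMessage recomputes the digest and checks it against the signature
// using only the public key. It returns true only when both the signer's key
// and the exact message bytes match; any change to either fails the check.
func verifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample: approve change request 42") // constructed input
	sig, err := signMessage(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", verifyMessage(&priv.PublicKey, msg, sig))

	// Integrity: one altered byte changes the digest, so the signature no longer matches.
	tampered := []byte("constructed sample: approve change request 43")
	fmt.Println("tampered verifies:", verifyMessage(&priv.PublicKey, tampered, sig))

	// Nonrepudiation: a signature cannot be attributed to a different key pair.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Println("other key verifies:", verifyMessage(&other.PublicKey, msg, sig))
}
```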
To uphold availability, we must have both BCP and DRP in place. It is a big component of Domain 1: Security and Risk Management, as well as a critical topic to know for not only the CISSP exam, but your real security career.
Much like BCP/DRP, the SDLC is another process to completely understand. Security for an application, website, or system must begin at one place: the beginning. Keep this in mind when going through the SDLC.
Public Key Infrastructure
This is not just about cryptography, but also about things like the Certificate Revocation List, certificate management, the certificate authority, the registration authority, and public/private keys.
Multifactor authentication is one of the strongest authentication methods, combining something you know, something you have, and something you are. But it is not just about three simple concepts; it is about the mechanisms which fulfill those concepts.
VLANs can be considered a low-level technical topic, but they serve a higher-level security consideration. They are used to separate LANs, and in the process of learning about them, lots of other topics must also be learned, e.g. routers, switches, duplex settings, subnets, and Layer 2 MAC addresses.
VPNs are one of the best ways to encrypt data in motion. They are also a great way to truly understand which components of cryptography go where, e.g. Diffie-Hellman, symmetric encryption, hashing, asymmetric encryption, pre-shared keys, certificates, AH, and ESP.
Data Owner/Data Custodian
Understanding who owns the data along with who takes care of the data, branches your knowledge out to classification labels, data handling techniques, types of backups, storage types, and who has the highest responsibilities over the data.