
How Ian Cracked His CISSP Exam

Long story short: I’ll tell you what resources I used, how I used them, and finally end on some advice to give yourself the best chance to pass first time around. This turned out to be a little lengthy, but I didn’t write it if it wasn’t important. Besides, if you think this is hard to read, just WAIT till trying to read a CISSP book.

–Resources–

Sybex CISSP Official Study Guide — Very in-depth and full of LOTS of info.

Giant book, but breaks each domain down into multiple chapters.

Sybex CISSP Practice Tests — Good to take these when you’ve read the other books and taken their practice tests. This will determine when you’re ready for the actual exam.

Shon Harris — Also very in-depth like Sybex; neither is a leisurely read. The usual recommendation is to pick one and stick to it, but I wanted to over-prepare, so I read both.

Eric Conrad CISSP Study Guide — Much shorter, less detailed, and easier to read. Good to pair this with one of the All-in-Ones listed above.

Eric Conrad’s 11th Hour — An even more condensed version of the study guide. Recommended to read the day before the test to round out all the knowledge.

CISSP Video Series — Kelly Handerhan has an awesome video series on Cybrary that is short, sweet, and to the point. She makes the concepts clear and easily digestible. FREE! Cybrary also has lots of great write-ups on some cutting-edge stuff, so it’s a good read even after the CISSP.

Facebook CISSP group — StudyNotes and Theory is a place where a lot of people come together to ask questions, tell stories of how they passed (or failed), and give you a glimpse of different perspectives. It seems like the majority of them are not native English speakers, but globally speaking, English isn’t the dominant native language. I met a US guy there who had just taken the exam, and he gave me a lot of personalized advice and resource suggestions that helped me so much. Request to join. If nothing else, you’ll get some CISSP practice questions showing up on your feed.

Reddit CISSP — Similar to Facebook, but less active. Mostly a repository of stories like this one giving resource and study method recommendations, plus a little Q&A. Met some good people here too, who gave me their notes, which have helped tremendously.

–How I studied–

11 weeks was my prep, start to finish. No bootcamp, no bullshit. If I skipped a day studying, I made up for the next day by studying longer. Every single hour counts, and by procrastinating or taking it lightly, you’re only hurting your own chances of passing. ISC2 would love nothing more than for you to fail and come back again — it’s more money in their pocket. You CAN pass first time, but it will take dedication. Your timeframe may differ, and that’s fine, but remember that the longer you draw this process out, the less fresh the info will be at any given time, leading to forgetting things and having to study redundantly.

  1. I started with just Harris’ 7th. Took me about 6-7 weeks, but I read that mother cover-to-cover, taking the End-of-Chapter tests in the book AND on the CD (they’re different), as well as the Flash drag-n-drops (they are on the real exam). I won’t lie, it was a bitch to read, but I used my commitment to finishing it as a gauge of my commitment to pass. If I wanted to pass the exam, then I wanted to finish the book. But I wouldn’t race through the exam, so I didn’t race through the book. Read the whole thing, highlight, and take notes. Can’t emphasize taking notes enough, especially hand-written. Studies show that getting your motor cortex involved helps retain information better. It’s true. Also, keep track of your progress on the practice tests (specifically what you missed). I’ll come back to that.

  2. Soon after starting Harris, I found out about Kelly’s series on Cybrary. So I would watch her video series on the particular domain I was going to read about, get exposed to it in layman’s terms and visualized (I’m a visual person), and THEN read the chapter that dove way deeper. The videos contextualized what the chapter was about, giving it a sense of familiarity and making it easier to get through. I’ll come back to other ways I used the video series.

  3. About half-way through Harris, I then got the Sybex Study Guide and Conrad’s Study Guide. I applied this next method to FOUR domains at a time, using it to give myself a “mid-term” assessment (There are 8 domains. 4/8=1/2). After doing the mid-term, I then went back to steps 1 and 2 for the second half of the Harris; once I finished that, I re-applied this step to that second half. My methodology on this might seem strange, but follow me here.

After completing the first four domains in Harris, I read Conrad’s (short) chapters on those first four domains, NOT taking the Conrad end-of-chapter tests. Instead, I took the Sybex end-of-chapter tests for the corresponding domains (Sybex breaks each domain down into multiple chapters) WITHOUT reading the Sybex chapters in depth (maybe a quick glance). Why, you might ask? Well, Sybex and Harris are considered All-in-Ones (AIOs), i.e. long and detailed as hell. I had read Harris already, so I was NOT going to read another 1300-page textbook. Hypothetically, I should be able to answer the Sybex questions without reading it, since I had read one AIO already and supplemented it with Conrad’s SG.

The goal here was to ID what I know, what I don’t know, and what I don’t know I don’t know. So, by taking the Sybex end-of-chapter tests without reading the chapters, I figured out what Harris and Conrad didn’t teach me, and went back into the Sybex chapter and read, highlighted, and took notes on those things I missed or needed refreshing on. In the end, I glossed over only a little bit of Sybex and ended up reading a whole lot more of it. I practically read Sybex cover-to-cover, but not with the fine-toothed comb I used for Harris. That’s why this method is smart: it maximizes coverage and quickly IDs knowledge gaps.

Don’t forget to KEEP TRACK of your progress. Knowing what you missed on the Harris & Sybex tests is crucial to the next step. Also, Conrad’s EOC questions are easy as hell and there aren’t many. I was getting 90%+ correct on those. Waste of time, but good confidence boosters, imo. You may wonder why I only did the first half and then the second half, one at a time. The reason is that I wanted to review the first half before moving on to the second half, by which point I would probably have forgotten a lot. The more you can review repeatedly, the less likely you are to forget, provided the time between reviews isn’t too long.

  4. So after reviewing what I know I know and what I (now) know I don’t know, I realized there were things I missed in the Sybex questions that I SHOULD have known from Harris/Conrad. A lot of info didn’t get absorbed the first go-around. EXPECT IT. We can only retain so much at a time, and some nights will be less forgiving than others. So I went back to Kelly’s videos and re-watched the concepts I was fuzzy on. Super helpful. Then I went back and reviewed the questions I had missed. Keep in mind, by this point I had taken these tests weeks ago, so while the questions weren’t entirely ‘new’ to me, I didn’t have the correct answers memorized anymore. When I reviewed what I had missed, I got the majority of them right. And I wasn’t answering from rote memorization, I was answering CONCEPTUALLY. This is a critical point that I will touch on more in the advice section. All in all, I was landing around 77% ± 4% on both Harris and Sybex, which is what you want to shoot for. But I was answering these questions after JUST reviewing the whole chapters/domains in-depth. It was time to move on to the next phase.

  5. Enter Sybex Practice Tests. A book dedicated to practice questions, both for individual domains (100 questions each) and two 250-question overall tests (mock exams). That’s 1300 UNIQUE questions total. Best investment I made. By the way, I got the Kindle version for less than the paperback, and used the corresponding website to take the tests online; it comes with all the metrics you need (total time, time per question, feedback, pie charts, etc). Now I was at the point where I should know, or at the very least have been exposed to, any information that could be asked. So I shifted from being “in the weeds” to going big-picture. By that, I mean I was only reviewing notes and looking at study guides that are only a few pages long, highlighting the most important points. So I was no longer reading whole chapters before testing on them (much easier because the info is fresh), but rather using what I had absorbed over the prior 10 weeks to guide me. This is a lot harder, but it gives you a more accurate experience. In the exam, you have no help, no resources, and you will NOT have just read all the chapters prior to walking in. You’ll review small, concise study guides, and you just have to know the rest. Landed around 77% ± 3% on each individual domain, keeping track of the missed questions and retroactively studying up on those using whatever resources I wanted. Notice I was in roughly the same scoring range as when I was reading the chapter THEN taking the test. That means I had retained the minutiae. I also started doing some questions from CCCure, which is important because those questions aren’t coming from a single text. It’s big-picture knowledge that forces a conceptual understanding. You really HAVE to understand the concepts, not just memorize questions from the book, to do well here. The poor English in some of the questions gives you a realistic taste of the comprehension barrier that the test WILL give you.

  6. I know not everyone played sports, but here’s my analogy. Up to this point we were in practice doing DRILLS. Drills are designed to force small, but fundamental, pieces into your brain so that they become muscle memory. Well, Steps 1-5 are all about drilling. First you start small, and then you drill up comprehensively. You figure out what you’re bad at and hone in on those pieces, while also focusing on the stuff you’re MOST likely to see on the exam. You increase the scope of the drills as you go. So while you start out doing the mundane and boring, it all plays into creating a tapestry of interconnected knowledge that will (hopefully) click one day in your mind. Towards the end of it, you’re drilling multiple fundamentals at once, getting them to work together to get you towards whatever goal they’re designed to achieve. So day one is passing and trapping the ball standing still. Basics.

Then you’re running while passing and trapping. Then you’re being defended, and you have to pass and trap without losing the ball, and moving it forward to the goal. Finally, it all comes together: The scrimmage. Last few days, I’m taking mock exams from Sybex Practice Tests and Harris (TotalTester CD).

This is like scrimmaging. Either I learned the fundamentals, or I didn’t. The big game is too soon to go back and re-learn what I failed to do earlier in the clinic. This is why every hour counted. At this point I have to make both my strengths and weaknesses work for me, and you can only do that by KNOWING your weaknesses. Use the mock exams to ID what specifically you’re bad at (questions with double negatives, “all but which of the following”, extraneous information, etc) and be aware of it, so that when you see it on the exam, you know to stop and remember your mistakes on the mocks. You also want to pace yourself during these, to see how quick or how slow you are against your 360 min goal. Aim for <1 min per question. More on that next.

  7. D-day has arrived. Recommended to not spend the day prior endlessly studying and trying to make up for what you failed to grasp early on. It’s too late for that. It’s time for general review and relaxation. You don’t want to be stressed. You want a healthy dinner, a good night’s sleep, and a protein-rich breakfast. You get six hours to test, and some people use all the time they are given. If so, that will mean multiple bathroom breaks and even possibly lunch. The test clock doesn’t stop ticking, so the more time you spend doing other things, the less time you have to test. If you take no breaks whatsoever, I think it equates to around 1 min and 45 sec per question. Adding in reviewing flagged questions, bathroom, and snacks, it is more like 1m30s per question. And that leaves you little to no buffer to take a break just because your mind is melting (it will), and will push you right to the end of the six hours. So realistically, to be safe, you want to shoot for 1 min or less per question. Sounds easier than it is, though, and that’s why you need to practice your pace.

All in all, it’s said you should put about 200 hours into studying. I didn’t monitor exactly how many I put in, but averaging 3 hrs/night for 11 weeks is approx. 200 hrs. There’s no getting around it, and no shortcut. The test is a no-shit psychometric test that doesn’t ask trivia questions; it asks scenario-based application questions where you have to know the technologies inside and out in order to know how to BEST apply them from the MANAGER-level perspective.

PROTIP: NO book will ask you questions that prepare you for that. The test bank is a unique beast that is completely comprehensive and highly conceptual. Any practice test you take can mimic that to a point, but a lot of it will be trivia. That is NOT a bad thing: you have to know the trivia before you can apply it (you can’t play a game if you can’t pass a ball), and these practice tests get you in a good place. But if you have played sports, you know there are no drills or scrimmages that prepare you 100% for the real game; the more you practice, though, the better you play. Same logic applies.

–Advice–

  1. Know you can. Positive imagery is powerful. Visualize yourself getting through each chapter, practice test, and ultimately passing the exam. Make it a reality in your mind, and then do the steps necessary to make it a reality to everyone else. It’s not Tony Robbins woo-woo, it’s a fact of life. If even you can’t see yourself succeeding, it probably won’t happen.

  2. Work at your own pace. You need a fairly compressed timeframe to maximize memory retention, but don’t overdo it because you’re getting impatient; you WILL burn out. Rome wasn’t built in a day. It takes persistent, methodical study habits over the course of months, but if you stick to the regimen, it will pay dividends. You just have to find the balance between going too fast and too slow, and keep yourself in the middle ground. Implement the system and monitor results, making corrections as needed. Rinse, repeat. Review as often as you can to keep it fresh.

  3. Take horror stories with a grain of salt. A lot of people fail. It’s a hard test. No question. But like most things in life, failure is often a result of poor preparation on the person’s part, NOT the inherent insurmountability of the goal. Reality is, a lot of people also pass, and they don’t make the test unfairly difficult just to be dicks. They want qualified professionals. If you apply the study habits and system I’ve laid out, and stick to it, I can virtually guarantee your success. The CBK (core body of knowledge) is a thing; there are only so many things within it that are testable. Do your research, put in the hours, and trust the method.

  4. Keep the “right” perspective. CISSP isn’t about trivia, it’s about managerial perspectives on securing costs and IT business applications. So while you’re studying, don’t aim to memorize facts or processes, but seek to understand WHY a certain technology is best used in certain scenarios (its pros and cons) and the driving force behind processes (i.e. what they’re trying to achieve). If you maintain this perspective throughout the studying process, you will simultaneously be practicing the managerial-perspective aspect of the test, which is arguably the most crucial element.

  5. Failure is delayed success. Worst case scenario is: you fail. What then? Well, you can retest in 30 days. And guess what, you just had the best preparation for the next test you possibly could: YOU TOOK THE DAMN TEST ALREADY! The test is $600 and takes up to six hours, whereas bootcamps are in the thousands of dollars and take a week. ISC2 will tell you cost/benefit analysis reigns supreme in decision-making, and by that logic, by taking the test you achieved far more test experience AND spent less time and way less money. That’s a win-win-win. If you fail, the result will give you a breakdown of your weak areas. Use that information to correct your knowledge gaps, go back in a month, and rock it. Remember, a failed CISSP exam is cheaper, quicker, and more informative than a bootcamp.

Hope this helps, and while I know not all of you will be testing soon (or at all), if you ever decide to go down this road and would like to ask for advice or an endorser, hit me up.

Good luck, have fun, and don’t die.

