How Kenneth Cracked His CISSP Exam
On March 8th, I passed the CISSP exam with 100 questions in about 110 minutes. Here is my story and study plan. I hope it can inspire you, just as I was inspired by reading the stories of others before me here on SNT.
My background is Masters in Business economics and Computer Science, 24 years in IT: 3 years as onsite supporter during college, 7 years as consultant within ITIL, 7 years as infrastructure manager and system manager, 7 years as freelance infrastructure project manager. Some exposure to CISSP domains during the last 15 years, but never worked full time with cyber security.
My journey started in December 2019 when I asked the CISO in my company what I should start reading if I wanted to get a solid foundation knowledge in IT security. He recommended CISSP and I acquired the AIO book and started reading it during my train commute to work. There was no plan, just an intention to know more. I stopped around April 2020 due to a new job which was taking all of my time. I was not thinking of booking an exam at that point.
But my new job, which revolved around cloud, suddenly made the CISSP even more interesting and relevant, and I rebooted my studying in August 2020 and started following Mike Chapple's 16-week plan. I followed that pretty much to the letter, as it fit well with my family and job commitments, and around Christmas 2020 I was done with domain 6. That was when I decided to create my own study plan and booked an exam date of March 8th based on that plan. In the first two weeks of January I finished the rest of the OSG and then I turned to the question banks. I tried to write my own notes but have to admit that I never read them again after writing them. During and after each test, I wrote a card with topics to look into, and after each test or the next day, I would study topics that I felt unsure of. I suggest saving the cards for your final week of studying (explanation below).
In the final two weeks leading up to the exam, I took vacation and leave to prepare for the exam. I spent 6-8 hours per day, so I also had time for my family and to digest everything: 2-hour sprints 3-4 times a day. The approach was to do tests, and for any subject I came across where I was not comfortable (regardless of whether I was wrong or right in my answer), I dove into it by reading the AIO or the CISSPrep.net super study guide, or watching SNT videos or Youtube videos. For me the AIO digital book was very important in this process, as it allows you to quickly search the entire book for a keyword and find relevant sections to read and bookmark. I started out with the paper version of the book but was frustrated by how long it took to look up and read about a subject.
I used a daily mix of technical "normal" questions such as the Sybex Official Practice Tests and Cybrary (Kaplanlearn), and SNT / Cissprep.net for more difficult questions, making sure to challenge both my knowledge of topics as well as "thinking like a manager".
Destination Certification videos are great at giving a quick high-level overview of a domain. I started on the CISSP Process Guide (available from the SNT website) two days before my exam, which was too late; I wish I had started a week or two before my exam.
The final week is also the time to pick up the cards that you wrote after each test earlier. Take a look at the topic and explain it to yourself. I found that topics on the cards that I previously had a hard time understanding I was now able to explain, showing me the progress I had made and assuring me that I was improving my understanding, including my cross-domain understanding.
Day before exam:
No tests so I wouldn't get freaked out in case I did poorly :-)
CISSP process guide browsing
Destination Certification videos (selected areas)
Focusing on the "CISSP topics you must know" from Luke’s video "1-2 Months Before the Exam" (extended version only available to subscribers), e.g. went through IPsec.
Also went through topics that I found a bit difficult, e.g. Kerberos.
Kelly Handerhan "Why you will pass the CISSP"
Browsing through "How to think like a manager for the CISSP exam" and reading the relevant sections (not answering the questions again)
List of resources
Highly recommended, period. Questions are really good at getting you to think. Did not use the videos much, but you get a LOT of high quality content.
Highly recommended. Questions are focused on getting you to think about what is meant and not just what it says; this is accomplished by using wording that you will not see in the books. The downside is that any references are to the CBK.
**How to think like a manager by Luke Ahmed**
Highly recommended. This book is short and concise and the focus is not on giving you the right answers, but to teach you how to have the right mindset for the exam (the manager mindset).
In the very beginning I started reading the paper version and loved chapter 1 on Risk Management; chapters 2-3 were OK, but chapter 4 killed me and that's where I stopped. But later, in the final 2 weeks leading up to the exam, I bought the digital version and used it to look up concepts and read about them: very effective and very good. I'll be keeping this book as the only one.
This was a must for me, but I was very confused by how the content was divided into chapters; it didn't make much sense to me.
A good base to start with. I bought the digital version, which made it easy to flip between test answers and questions using bookmarks while grading my tests.
Highly recommended. The questions are good, but the explanations and references are great, so there is a lot of learning built in.
**Mike Chapple videos on LinkedIn**
I used these to get an overview of a domain before reading it and found them easy to follow. Mike Chapple's study plan has the reading first and the videos afterwards, but I turned that around.
**Cybrary (Kaplan learn) question bank:**
Good questions, great explanations
References in answers are frequently made to the CISSP Cert Guide and not Sybex/AIO
Some domains have only a few questions (domain 2 has 41, domain 6 has 29 and domain 8 has 67); other domains have 100-193 questions
Only a few BEST/FIRST/MOST type questions
I was reminded of this 2 days before my exam and started reading it, and I wish I had started earlier! I would recommend not starting too early on this, as it may not make much sense when you are starting out. E.g. 5 different versions of the SDLC and 5 different versions of BCP process steps are shown, so don't go to this document to find "the one and only truth", but to find an overview and the different views from ISO, NIST, ISC and so on. This is really useful and I will keep a copy for my daily work.
Created my own flash cards with everything from port numbers to ISO/NIST documents to OSI levels to firewall types.
**Youtube: Destination Certification**
These are great for summarizing a domain or a topic; highly recommended
**Youtube: IT Dojo**
OK questions but I felt I was spending too much time listening to answers, so I only did around 15 out of approx. 105.
Wentz takes a different approach from everyone else and references his answers with sources outside of the study guides, e.g. NIST documents and vendors' websites. Very detailed answers that are sometimes backed up with his own slides.
I started on this and quickly realised that even for a summary book, there was a whole lot missing. Only read 20 pages or so.
**Last Minute review guide**
Bought this early on, and during my last week I forgot that I had it :-) It's too high level to be of any help, IMO.
Used sporadically, read maybe 15 pages.
I found these confusing, as I had not written them myself, so I decided not to use them.