Passed the CISSP exam today. The test ended at question 125 with about 80 minutes left from the 240 minutes allocated time.
I've found the exam to be very hard... one of the hardest, if not the hardest, I've taken so far. I realized during the exam that my preparation was not the best, so I'm sharing a few details here, hoping that it will help you with your exam attempts.
My background: 12 years in RO Navy, of which about 4 in general Infosec and Infosec Management. MAC, Dedicated Systems mode, need to know, etc. were easy for me. Also TEMPEST related stuff, as it was part of my responsibilities.
6 years in the private sector, with different roles as a Network Security Engineer, Cyber Security Architect, Information Security Engineer, Information Security Analyst - SOC, incident response, platform administration, MSS Team Lead etc.
I started to prepare for the exam in July. Concentrated on the CISSP study materials for 4 months as follows:
1. Sybex OSG 9th Edition - read it 3 times + reviewed the details I've found most difficult in the last 2 days before the exam.
2. Shon Harris - 8th Edition - used it to clarify some of the topics which were not clear in the OSG.
3. 11th Hour CISSP - Audiobook. Listened to it 2 times while running / walking to work. Also bought Essential CISSP Exam Guide by Phil Martin (audiobook). I don't know about the PDF / Printed version but I don't recommend the Audio Book. A total waste of my money because of the poor way in which the book is organized.
4. Pete Zerger's course on Youtube + all the slides behind the course. Went through it 3 times while running / walking to work. I mostly used it as an audiobook but watched part of the slides for part of the material (security models, crypto, think like a manager). The course is great but has some mistakes in it: crypto, system modes.
5. Part of the slides offered in the FRSecure CISSP bootcamp. I've found them kind of verbose and all over the place, plus lots of slides filled with stuff (dad jokes, details about the authors, etc). Gave up on them after reading the Domain 1 slides but I still wish to thank the authors for the effort.
6. Thor's Udemy Courses - Domain 1&2 and Domain 3&4 Bootcamps. I've found them to be very good but couldn't finish all of them because I ran out of time (found that I had access to them in the last week before the exam, with Udemy Business - the company I work for has a subscription - KUDOS).
7. SNT everything CISSP related that I could find on Youtube.
8. CISSPrep practice tests. Gave up on them after about 150 - 200 questions as I've found them horrible (big mistake).
9. The official CISSP App - I recommend the App instead of the Practice Tests book or the Wiley platform.
10. The BOSON Practice tests.
11. Practice questions and discussions in the SNT Facebook Group and Thor's Group.
12. Prabh's Coffee Shots
How I studied:
Started with the Wiley platform initial assessment test - 40 questions - and scored about 60%.
July - September - focused as much as I could on the theory. Read the OSG, listened to/watched the SNT youtube videos, listened to/watched Pete's course, listened to the 11th Hour CISSP audiobook.
For your study process, it's very important to select a study mode that best fits your way of learning. I learn very well by listening on the go to different materials. I find reading a book very boring, so reading the OSG was torture for me.
Basically, every day I woke up in CISSP study mode. Listened to stuff on my way to work. Had youtube videos on one of my screens during repetitive, easy tasks at work, read through the chapters at home and listened to some more CISSP stuff in the evening while running or walking in the park.
Once I finished the first chapters I started reviewing them before proceeding to chapters 11 - 21. Once I've finished this review I continued with the last 11 chapters. After finishing the OSG, I started to review the chapters in reverse order from 21 to 15 and from there, started again from chapter 1 to 21. During this period I also listened to Prabh's Youtube CISSP list.
October - went through all the tests that came with the OSG in the Wiley app. After finishing these, went through all the tests in the Practice Test book, using the Wiley app. After finishing the practice tests, I created a custom test using only the questions with wrong answers. After each test, I went through all the questions: both the ones I've answered correctly and the ones I haven't answered correctly. I went through part of the tests in Study mode and part of them in Exam mode.
2 weeks before the exam I discovered the app - kind of too late because I had already finished all the tests at that moment.
In the second week of October I went through the BOSON tests. 2 in study mode, 2 in exam mode. After each test in exam mode, went through all the explanations behind the questions.
2 weeks before the exam I restarted reviewing the OSG.
Last week before the exam I went through Thor's Domain 1-4 bootcamps. I also took 2 sets of his Hard questions on Udemy. Also, I went again through the Boson exams, in Exam mode, reviewing all the explanations after the test.
Last day before the exam I listened to Luke's Think Like a Manager Youtube Material, went through SDLC, CMM / CMMI, Crypto & Hashing algos, Wifi (1-6) Stuff, EAP, Cabling stuff, Fire Extinguisher types, RMF Steps, NIST CSF Steps, Incident Response steps, Change, Configuration & Version Management.
Today, woke up at 5:45 AM (army style) and arrived at the office at 6:30. Went again through all the wrongly answered questions from the Boson exams and headed to the test center at 9:30. Started the test at 10 AM.
Now, what I wish I would have done better.
Instead of going 2-3 times through the BOSON questions:
1. Use all the practice tests from CISSPrep. In my opinion, these are the most "exam mode" questions I have used. Very weirdly formulated. Very hard.
2. Use SNT practice questions. I would have bought them but because of lack of time, it wouldn't have been money well spent. Even though I didn't use them, I've seen part of them shared by Luke in the SNT group and I consider them a proper exercise for the exam, because the way the questions I've read were formulated makes you read them very carefully.
3. The same conclusion for Thor's hard questions. Even though I do not agree with part of the answers and explanations behind some of the questions I've gotten wrong in his tests, the questions are really useful for both testing your knowledge and getting familiar with the exam questions format.
Instead of going 3 times through some of the materials used as theory, I should have allocated more time for practice questions and reviewing the concepts that were not clear based on the practice test results.
4. Use the practice tests in Exam mode. Develop a clear strategy for taking breaks and for going through the questions that I have no idea about. I've found the exam very difficult. Each question frustrated me. Total emotional torture. I should have taken more breaks, and I've found that after 80 questions in a row, I got to a point where I was reading and wasn't making any sense of what I was reading. Breaks are mandatory, so add them to your practice tests.
When I got to question 125, I found myself wishing only to end the test. It did not matter to me anymore if I passed or failed. I was really tired. The first thing I asked the exam supervisor when I got out of the exam room was when I could reschedule my next attempt. I didn't expect to pass as, even though I was scoring 80-90% at the Boson tests / 65-71% at Thor's tests / >90% at the official practice tests, after the exam I couldn't be sure of any of the answers I had given.
I wish everyone the best of luck with your CISSP endeavors.
Also, I wish to thank Luke Ahmed, Thor Pedersen, Prabh Nair, Pete Zerger for their efforts and contribution to advancing the profession, and also everybody in this group that added question examples, gave an answer or expressed their opinion about a CISSP topic.