Starting at the end: I passed the CISSP exam in February 2023 at my first attempt, after two hours and 125 questions. I appreciated all the knowledge available from reading how other people cracked the CISSP, so here is the story of my journey.
I hold an M.Sc. in Computer Engineering. I was born and graduated in Spain and moved to Sweden in 2002. I have been working in the IT industry for the last 20 years, the first 5 years as a software engineer and afterwards as an IT Architect (different roles, but mostly as Solution or Enterprise Architect), both as a consultant and as a customer. IT security has often been part of my everyday work life and I had experience within all the CISSP domains, but Domain 4 was absolutely my weakest one. Last but not least, I am passionate about technology in depth, so it was really important to change my mindset to "think like a manager" from the beginning.
Why the CISSP?
My million-dollar question. This certification is going to cost you time, effort, money and the sacrifice of valuable leisure time. So you need well-motivated reasons to convince yourself on those gray days when you struggle to study, feel tired or are tempted by more fun things. There are many different answers to the question, and finding my own solid arguments helped me a lot.
My study plan
I did my due diligence based on the vast amount of CISSP information available online. I made a study plan based on the template from Thor Pedersen (ThorTeaches) and, after a careful analysis, I estimated a total of 350 study hours.
I decided not to join a bootcamp but to buy books and web resources instead. The savings gave me the possibility to agree with my boss on studying during work hours (every Friday for 15 weeks, a total of 120 hours).
So I had 230 hours left to schedule in my spare time. My kids live with me on a biweekly basis, so almost no studying in those weeks, but recharging my batteries when possible. In my "free" odd weeks I planned 20-25 hours of study time (16 on weekends, the rest depending on availability). I left 1-2 weeks for unforeseen events.
That implied I needed ten odd weeks, resulting in a definitive five-calendar-month period. Nailed and ready.
I made an Excel sheet with all the details and committed myself to being 100% loyal to it. The plan was flexible and I reviewed it after several milestones, mainly prioritizing what to deliver in my fixed hours.
Why am I writing all these details? Because the process of building the plan was critical to me. The study plan gave me safe ground for the long journey, reducing stress radically. I knew what I should do, when and how, and I had the confidence that I would cover the whole CISSP scope in a reasonable manner.
The most important point: I planned generously enough time for sleeping, exercising, eating well and having fun when not studying. Otherwise I do not think I could have managed these months with full-time work and a lot of studying.
My biggest challenges
Challenge number one: the CISSP scope is huge. I absolutely agree with the saying "CISSP is a mile wide and an inch deep", but many study materials are actually "a foot deep" (or deeper), which feels fine anyway because my goal was not just passing the exam but becoming a better IT professional. Regardless of your previous experience or how deep you go, the extent is enormous and you have to understand (not just memorize) everything and know why and how to apply every concept. I aimed to simplify this process as much as possible from the beginning. My main focus was creating a clear structure with my own study notes, correlating the ideas and facilitating the constant reviews that are needed afterwards when training with the practice questions. I explain how I did this below.
Challenge number two: the English language. It is crucial to decompose the questions, understand what is being asked and interpret keywords and linguistic details, probably during four exam hours. My English is poor and my brain is already confused by both Spanish and Swedish, so I was aware this would be a significant issue. My best way to mitigate it was to train with extra practice questions; I set my goal to 5000 questions (as hard as possible).
No more planning, time to work!
Now I will describe how I worked through two phases (study and practice questions) as well as the study materials I used. I include my subjective rating of these materials from 1 (worst ever) to 10 (best ever).
Study phase (about 200 hours), in the following order:
ThorTeaches material. I started not by reading at once but by watching the ThorTeaches domain videos to get an overall picture. Thor is great at explaining and the subscription includes useful PDF lecture notes where I wrote down my own additions. Rate: 8.
Pete Zerger's exam cram on YouTube. His videos are full of good tips and the presentation downloads fitted perfectly with how I wanted to summarize the scope. Rate: 9.
Sybex Official Study Guide (OSG), 9th edition. From cover to cover. I felt that the OSG gives a fair compromise between width and depth. Some chapters were a little bit harder or not so well explained, and this reading period was the most boring but necessary. Don't give up! Anyway, my overall experience is that the OSG is more reader-friendly than many drier books I read in college. Rate: 7.
Own OSG study notes. At the same time as I was reading the OSG I wrote down my study notes, summarizing in my own words and with my own structure. In total I got 140 A4 pages of summary notes. To reinforce my memorizing I highlighted all these pages afterwards and scanned everything to get my own digital OSG notes.
Eleventh Hour CISSP. From cover to cover. Good as a complementary source. It explains the concepts briefly and helped me put the pieces in place. Rate: 8.
Luke Ahmed's Study Notes and Theory. There were many YouTube resources for my weak points. Anyway, I felt I needed a little bit more, so I subscribed to Study Notes and Theory. It was a really wise decision: Luke has amazing videos (a lot of them) not only about the crucial eye-opener "think like a manager" mindset but also about domain correlation and different practice questions explained. I would especially recommend his videos about PKI (incredibly easy to understand) and Kerberos (deeper details, but so valuable to grasp everything about it). Rate: 10.
Prashant Mohan's "The Memory Palace". An excellent summary; it fitted so well with my notes. I appreciated how he ties the CIA triad to everything, and I tried to follow the same approach with almost every concept. Rate: 9.
Own PowerPoints. What did I do with all the materials above? I created 8 different PowerPoint presentations, one per domain. I pasted everything related from every source into my own structure: my highlighted PDF OSG notes, Thor's lecture notes, Zerger's presentations, fragments from Eleventh Hour and The Memory Palace, screenshots from Luke's and other videos, plus other resources like the Sunflower notes or Lance Li Sheng's key tables/charts/flows (truly great as well!). All of these hung together and I got a "line of argument" for the whole CISSP; my brain no longer thought that the extent was so enormous (even though these PowerPoints were quite big for the larger domains) but controllable. If I needed to clarify deeper notions in the future, everything was already in the PowerPoints and it was really fast to search there.
Own condensed study notes. My last step in the study phase: I went through my summarized PowerPoints, explained the concepts to myself and summarized them in brand new study notes. In total, 56 handwritten A4 pages. This was my main goal in managing the huge CISSP scope. All the mile-wide books, materials and sources were now condensed into 56 pages that were very friendly to my brain. I highlighted these to favor my photographic memory, scanned them to digital PDF notes and had them ready as my main knowledge support for the practice questions. It was quite a job producing them, but the whole process helped me to understand and memorize in the right way instead of just trying to remember and then forgetting things. And the act of writing in the many steps above helped me to reinforce the knowledge. This was also insurance in case I did not pass the exam: if I needed to prepare for a second attempt, all my own materials were ready and it would be much faster to brush up than to read all the materials again from the beginning.
Practice questions phase (about 150 hours estimated, 200 hours in reality)
I promise you that this phase is much more fun than the study phase!
You can develop your own strategy for analyzing questions and sharpen it by training again and again. Every session is a challenge and the improvements are palpable.
I tried to simulate the real exam as soon as I could. I began with 30-minute practice question sessions, then one-hour sessions, then two-hour sessions with a little break, and lastly three-hour sessions when the exam was close. It was tiring but necessary for my endurance with both tricky questions and the English language.
I reviewed all my answers, both right and wrong, understanding why and how to use the concepts, twisting and turning the keywords, and not just accepting the right answer but explaining to myself and convincing myself why the wrong answers were not correct (this was decisive on the exam).
My condensed study notes were extremely useful here. It took just seconds to find the idea and the context. The more I trained questions, the easier I could recall the condensed content without effort.
I did not change these notes any longer; instead I saved any extra notes from the questions and videos below in a separate OneNote notebook that I reviewed again one week before the exam.
After regularly scoring 80% in the "easy-medium" questions I booked my exam almost two months ahead.
Here are my question sources, numbers, average scores and ratings:
Easy-medium (total: 2600 questions)
CCCure. Really technical questions, many of them community submitted. The "pro" questions were not so hard. It does its job, but the other alternatives below were better. I did 500 questions, averaging 85%. Rate: 5.
Sybex Official Practice Tests, 3rd Edition. Better than expected. The format reminded me of some real exam questions, but the explanations were not so extensive. Sybex/Wiley offers a smooth digital portal when you buy the physical book. I did all 1300 questions and averaged exactly 80%. Rate: 7.
ThorTeaches. Solid questions when reviewing the individual domains. I did 700 questions, averaging 80%, before I moved to "hard" below. Rate: 7.
Deluxe CertMike practice exam. I took this a couple of days before the exam to simulate it. 100 questions in total; I got 88%. Similar to the Sybex questions but with really good explanations. Rate: 8.
Hard (total: 2200 questions)
ThorTeaches. Really technical and deliberately difficult, but truly useful for the preparation; I realized that keywords and wording can be hard. I did all 500 questions, averaging 63%. Rate: 7.
Luke Ahmed's Study Notes and Theory. The best and most important material in my studies. Luke's practice questions are genuinely well done, with tough scenarios, challenging language, a managerial approach, several valid answers and tricky reasoning; yes, just like the real exam! Huge and great explanations about why and how. The exam questions were truly tough, but not tougher than Luke's in my opinion. So every minute I spent sweating, fighting and squeezing my brain with these was more than worth it. I did all 875 questions, averaging 64%. Rate: 10.
Wentz Wu's "question of the day". Tricky questions (some of them really hard), useful and often with strategic explanations. Some answers were explained from a NIST perspective rather than a CISSP CBK approach. I managed to do only 125 questions, averaging 60%. Rate: 8.
Boson. Quite technical, but with comprehensive explanations for further study. The format of the questions could remind you of the exam. I bought these to simulate the exam ten and five days before the real one, but with hindsight I should have taken them earlier to make more use of the detailed descriptions. I completed the 700 questions, averaging 76%. Rate: 8.
Videos with practice questions (unsure how many questions, 200 perhaps?)
Prabh Nair's "Coffee shots". I watched all 48 videos and they are terrific, both for the technique to decompose questions and for how he explains the subjects. A fantastic help in my last preparations. Rate: 9.
Colin Weaver's "IT Dojo". Too technical, but Colin is really good and his videos force you to apply the concepts. I managed to watch only 25 videos. Rate: 7.
When the exam is getting closer
The Facebook groups for both Luke and Thor have ongoing interesting posts about how others are preparing and experiencing the exam.
Reddit's CISSP sub is fantastic. There are lots of active users telling how their exams went and how they cracked the CISSP.
And of course all the Luke stories in this "how to crack the CISSP" that you are reading just now.
On the exam
My initial strategy was to spend 72 seconds per question and take three breaks (10 minutes each, after every 50 questions in a row), with a slower pace at the beginning to get a kinder CAT curve.
But it went faster than that; I believe that training with so many practice questions made the exam "easier"/"faster". But I will not be cocky: the exam was as sweaty as it gets!
And finally, was my initial plan accurate?
Almost. In the last month I invested an additional 50 hours in reviewing, practicing more questions and several videos I had not planned at first (Prabh's coffee shots), so the total came to 400 hours.
There is no right or wrong way of approaching the exam; only you know the best way and strategy for yourself to study, learn, grasp the CISSP concepts and prepare for the exam.
You can probably spend much fewer hours than me if English is your mother tongue or if you want to stay one inch deep instead of one foot.
I want to express my deepest gratitude to all the authors above for their commitment to producing such high-quality materials!
You advance the profession and you have made possible my exciting CISSP journey!
Good luck with your own journey!
P.S. My beloved study notes are pictured above.