Provisionally passed on 26 October, 2021. Please excuse any typos, run-ons, or grammatical errors. Hopefully, this helps at least one person.
I started my journey, informally -- at the end of March with the Free ISC2 CISSP Review Course (on the ISC2 website) and was not doing too well on the end-of-chapter/module assessments. I continued my studies by casually flipping through the Shon Harris and OSG8E books and taking end-of-chapter tests. I also started watching videos (YouTube) from about the May timeframe, and by then everything in the videos started sounding familiar. I started taking more practice tests and things started to warm up nicely, but then I plateaued. Even with an undergraduate degree in CS and a Master of Science in Cybersecurity, I was still struggling. I should know all this, I told myself – because I used several CISSP books during my graduate studies; however, I still didn’t truly understand the material.
June had now turned into July and August was fast approaching, so I decided to reverse engineer the questions in the OSG. Whoever wrote this book (Mike Chapple et al.) had to have followed a process/steps. So I scrutinized each question as thoroughly as I possibly could. Kept asking, why? Why? Why?
Then I figured out that each of the CISSP domains is its own framework, but overlapping and complementing the others. How could I have not known that? Furthermore, it’s an English exam, bummer. You’ve got to know your synonyms and the meaning of words, which can well be the difference between passing and failing. With a cloud of skepticism hanging over me, I decided to schedule my test around mid-August. I decided to add the 11th Hour audiobook and listened every chance I had, in the car, in the shower, to put me to sleep, first thing in the morning, to cement the concepts that were evading me.
The first week of September, I tasked my co-worker with asking me random questions from a Shon Harris 4th edition book, circa 2008. I knew the concepts were the same with the exception of updated technologies. I figured at this point nothing in my books should be a novel idea, and I was about 90% there. Since I never read any one book cover-to-cover, a few new ideas may have escaped me. I say all this to say that everyone absorbs and retains information differently. Find out what works for you and stick to it.
More importantly, DO NOT go into the EXAM trying to find questions similar to those you have seen or done before. A couple of examples: if you know how cryptography works, it doesn’t matter how it is worded, you will be able to pick the best answer. Every question can be attributed to the CIA triad. If you know the formula for quantitative risk analysis, it’s easy to answer a question when asked. Know your steps, your processes and how they interconnect.
The exam, in my opinion, was NOT hard; the questions just did not look familiar, and for good reason. But I trusted that I had studied the concepts and processes and knew all the basics. With that, I was able to draw conclusions from questions even when they were not asked clearly. I attribute that to my trying to understand the WHY in every question, even if I had seen it 20 times before. Why was it written this way, what is the takeaway, what MUST I learn, how can I use that technique to answer similar questions? I will stop rambling on, because I will end up writing a book. Also, I am not a good test taker, but I prepared adequately.
Here are some of the resources I used before getting the new OSG9E; I could have used OSG7E and still passed. However, if you are going to be a CISSP, you need to stay current; that’s why there’s a new edition, IMHO.
• Luke Ahmed’s CISSP Exam Preparation SNT (where I had the most fun)
• Shon Harris AIO 7th Edition (passed down from a friend)
• Mike Chapple CISSP – LinkedIn Videos
• O’Reilly CISSP Sari Greene course/videos
• 11th Hour CISSP from Conrad (Audible)
• ISC2 CISSP OSG, 8th/9th edition (hard copies)
• ISC2 Course – CISSP Review (free on ISC2 website)
• YouTube Videos - Destination Certification, Prabh Nair, IT Dojo, Kelly’s (October 2021) course
• Wiley Test Bank (All questions)
• NIST – Microservices (800-204), Securing Web Transactions TLS (1800-16), Cyber Supply Chain Risk Management (800-161 draft), Data Integrity - Protecting Assets against Ransomware (1800-25), Blockchain (NISTIR 8301), Cybersecurity & Enterprise Risk Management (NISTIR 8286), IoT Baseline (NISTIR 8259A), 5G Cybersecurity (1800-33A), Securing IIOT (1800-32), Trusted Cloud – IaaS (1800-19C), Implementing Zero Trust Architecture (ZTA)...