
How Thanh Cracked His CISSP Exam

I provisionally passed the CISSP exam on my first attempt, after three months of studying, in the CAT format, after 100 questions. I would like to thank my family, my colleagues, the Telegram group Buddy CISSP’s and the friends from this group, and Mr Luke Ahmed with his resource page Study Notes and Theory and his Facebook page of the same name. I also would like to thank Mr Thor Pedersen for his free practice questions and courses on Udemy, and Ms Kelly Handerhan for her excellent free training video on Cybrary (*). “If you keep practicing and thinking like a CISSP, you will deserve to get it.” That has been my belief since the time I started looking for information about this certification; I keep it daily and have gradually made it a habit. Then, following one canon of the code of ethics, to advance the profession, I would like to share my experience of studying, practicing and taking the CISSP exam. I hope it can help others on the way to preparation and to a good result on the test.

From a friend’s suggestion to keep a useful note, I would like to present it as DO and DON’T. It starts with the exam experience for those who are ready; if you have more time to prepare, there are some thoughts on methodology in studying and practicing below.

M1: On the exam date

The exam is a series of decisions, choosing 1 out of 4, and beside (1) the knowledge base you have earned so far, there are two more essential skills: (2) context recognition and (3) the reasoning process.

DO

• DO review your notes, Sunflower, or glossary about 1 hour earlier, then let your mind rest for a few minutes before the exam.

• DO determine your strategy, aka time management, before taking the test.

My strategy is to make steady moves, staying with each question until the answer brings satisfaction. The key is in practice, when you can track the time spent on each item and find the range in which the possibility of getting the right solution is highest.

• DO recognize the context that the scenario (if any) and the question bring to you.

Each question’s context, including information from the question and the answer choices, sets up an environment: whether it is a BCP review meeting, or a law court, or a conversation to determine a technical solution, or which tenet of the CIA triad to focus on, etc. To “feel” the context and which “role” you are expected to play will help you find the BEST, MOST decision.

• DO categorize the information given to you (especially in scenario-based questions), and reason based on the meaning of the full sentence instead of on the keywords.

In various notes (**) you might find the order of the concepts, and the underlying metrics are the four canons of the (ISC)² code of ethics. Similar to practicing the concept of “preponderance of the evidence”, categorizing and prioritizing the given information will help you compare between logical choices.

DON’T

1. DON’T panic or get nervous if you think you made a mistake; accept it.

2. DON’T be comfortable with a familiar phrase; instead, check all the other keywords with a prudent perspective.

3. DON’T neglect caring for your body. In a stressful test, when your mind works hard, it also causes your body to feel cold or thirsty. Ask your local testing center whether drinks are available or whether you can bring your own bottle.

M2: One day before the test

1. DO get enough sleep, rest and go out; DON’T just stay in a corner. Your mind needs time to digest the knowledge that you push into it. It is mandatory. The day before the test, together with my two boys, I went out to watch and celebrate our national under-23 football team in the AFC U23 championship. The traffic jam reminded me of the DDoS problem, and the lanes were lattice levels. Concepts are everywhere under the eye of a security professional.

M3: (Around) 15 days before the test

DO

1. DO start making your summary of all topics.

The glossary is a handy resource with just enough definition. The chapter summary is an excellent way to construct the relationships between terms. Write down all necessary procedures, like Risk Assessment, BCP, DRP and Incident Handling, and list all team structures and roles.

2. DO make a table of WHAT, WHO, WHEN, WHERE, WHY, HOW. It is to understand and map each process’s goals to the related solutions, technology and people.

3. DO practice in the exam format and track the time spent, to find the best way to utilize your capability.

It would be a concentrated time, and you might need one or two days of leave from work to prepare for the exam.

4. DO be extraordinarily intensive in a group like Buddy CISSP’s: accept all challenges, answer all questions, work at various speeds, and give explanations whenever you can. Thanks to the group for helping me with that; there are many people like @Dawood or @Vaibhav Pathak who are willing to settle a question for me even when only the two of us are online.

DON’T

1. DON’T be afraid of getting it wrong in practice. Note your answer and the way you reasoned to that solution. Whether it is wrong or right, know why you are wrong and why you are right.

M4: Still have time

DO

1. DO build your study plan and set a commitment to it. There is detailed advice from Jeremiah Walker (***). The exact timeline changes with the individual. Just a complementary note: make a realistic plan and estimate enough resource for each task. For example, domain 8, Software Development Security, took me 15 video parts, 28 slides and 74 pages in the Sybex Official Study Guide, plus summary time, doing exercises, revising the summary and updating the relationships.

With an estimate of about 10 minutes to read and make a note for 1 page, my plan set around 1200 minutes for this domain, equivalent to 10 days at 2 hours per day. This method worked well for me, and after 63 days I finished the study phase and moved to the practice stage.

2. DO practice change management on your plan if the result is not as expected. You can adjust the time as long as it does not affect your registered exam date.

3. DO respect.

DON’T

1. DON’T make notes by copying the words from the book into your record. Instead, compress them and make them shorter, so that you can understand them without sacrificing any piece of information.

The following are links and resources for my study:

- Sybex CISSP (ISC)² Official Study Guide
- Syngress CISSP Study Guide
- Cybrary Kelly Handerhan Video
- Sybex CISSP (ISC)² Official Practice Tests
- Udemy Thor’s CISSP Practice Questions 2018 (1-4)
- McGraw Hill Professional Practice Questions
- Telegram Buddy CISSP
- NIST Cyber Security Publications
- NIST SP 800

(*) Links to the resources
• Cybrary instruction video of Ms Kelly Handerhan
• Thor’s Teacher page ($) ($, and another exam 2, 3, 4)
• CISSP – The Study Notes and Theory

(**) Links to the useful notes
• Sunflower
• CISSP Concepts in order, Randy Nguyen, The Study Notes and Theory

(***) Link to the CISSP study plan guide
• CISSP Plan, Jeremiah Walker

Finally, CISSP is a certification, a technical evaluation of you, a security professional, and it requires accreditation processes from society, principals, senior managers and from yourself.

30 Jan 2018 Thanh Nguyen

