Hi everyone! I passed the CISSP exam November 9, 2020. So much has happened in the 4 months since that moment that it has been hard to stay focused, but I really wanted to write this to encourage others.
A little about me: I have over 10 years of combined experience as an ISSO, security auditor, and COMSEC custodian. I have a bachelor’s degree in computer networking and the Security+ and ITIL certifications, but I failed the CISSP exam 4 times. This last time, the 5th time, I passed, only after answering all 150 questions in about 2 hours and 58 minutes.
Not passing the CISSP exam is rough. I cried a lot, I was exhausted, and pissed at myself. I thought I had studied enough and I had attended a couple of traditional CISSP boot camps. I kept thinking “mile wide, but only 1 inch deep”, right? So, I must admit that I didn’t study the first 4 times like I did this last time.
The first time I took the CISSP exam was around 2011, when it was the 250-question, 6-hour standardized-test-style exam. Then I took it 2 more times, still 6 hours and 250 questions, but now on the computer with drag-n-drop questions. Finally, around 2019, hearing that the exam had changed to 3 hours and up to 150 questions, I tried again, but failed again.
Then around the end of 2019, I heard about Udemy courses and found Thor Pedersen’s CISSP boot camp and Jason Dion’s Network+ and ITIL boot camps. Thor mentioned Luke Ahmed’s Study Notes and Theory, so I signed up. Luke mentioned Mohammed Atef, whose site is called Infosec4TC, and somebody here on SNT mentioned Kaplan, so I purchased both of those online courses too. Finally, my coworker mentioned Boson, so I got that one too. I downloaded several NIST publications, many study guides, and bought several books, including Luke’s “How to think like a Manager for the CISSP Exam”.
Then I studied by reading all the books and taking online practice tests. I wrote down every practice question that I answered wrong. I copied charts and diagrams from books and sites, then recreated them on 2’ x 3’ sticky easel pad paper and then hung them all over the walls in my house so that everywhere I looked I would see a CISSP concept.
I watched and re-watched videos from SNT, Udemy, Infosec4TC, ThorTeaches, and Jason Dion. I watched Kelly Handerhan’s video that explains Kerberos very well using the county fair analogy; Max Quasar, also on YouTube, compared quantitative risk analysis to Spock and qualitative risk analysis to Cpt. Kirk. I even watched a couple of videos on quantum cryptography, a documentary on Alan Turing, and a documentary on the Top Secret Rosies. I had a CISSP app, Quizlet, on my phone, that I would use to quiz myself throughout the day whenever I was waiting in a line, or at the hair salon (pre-COVID-19).
The point is, I intentionally immersed myself into preparing for the exam this time and it worked for me. Mnemonics are great, and real life experience does help, but you really have to study for this exam. Get out the highlighter, take notes (I filled 3 spiral notebooks). Yes, I had to memorize some concepts, like the steps in the BCP and all the Common Criteria EALs, in order. About a month before I took the exam, I got up at 5:00 AM every day and would take a 25-question practice exam before going to work. On weekends, I would take 3-hour practice exams, mask on, all throughout the day, until I fell asleep or got a headache, whichever came first. Lastly, almost every night before the exam, I prayed to God and asked for the discipline to study and that if it be His will, to let me pass the CISSP exam.
Here is a list of the books and online resources I used to study for and pass the CISSP exam.
Books: I read each of these books at least once and then cross referenced them to get different points of view and descriptions of the domains.
1. Shon Harris AIO, 6th and 8th edition
2. Sybex, Official ISC2 CISSP study guide, 7th and 8th editions
3. Pearson, CISSP study guide, 3rd edition
4. Official ISC2 CBK, 5th edition: I used it as my guide on what best to focus on. It doesn’t explain concepts very well, so you need other detailed resources to check against it.
5. Luke Ahmed’s “How to think Like a Manager for the CISSP Exam”.
6. Eric Conrad 11th hour, 3rd edition: The thin one. Used it the night before my exam to go through my weakest domains. Also had it in the car and reviewed the end of chapter questions about an hour before I went into the test site.
Online Practice Test Engines: I either purchased access to these test engines or access came with one of the books mentioned above. Each provides very detailed answer explanations and links to references used. The test engines also let you customize your exam and sort results to help you study.
1. https://certify.cybervista.net/products/isc2/certified-information-systems-security-pro-practice-test/ -- Kaplan practice exams.
2. https://www.pearsonitcertification.com/search/index.aspx?query=Cissp+All-In-One+Exam+Guide -- Pearson practice exams access comes with the book.
3. www.boson.com -- I purchased the 1 year license.
4. https://hub.totalsem.com/ -- This is the Shon Harris AIO access that comes with the book.
Online Resources, Courses, and Videos:
1. www.studynotesandtheory.com/signup -- Luke Ahmed is the best instructor. He’s a firewall engineer, but knows his audience. Lots of free stuff on his site, but I subscribed to get access to all of the videos, practice questions, flashcards, and memory games. Use promo code "LATENIGHTSTUDY" to get 15% off any of the subscriptions.
I also joined the SNT Facebook group. The energy of everyone on the SNT FB site is awesome and folks there post helpful content and are very encouraging to each other.
2. www.udemy.com - I bought Thor Pedersen’s CISSP all 8 domain boot camps. Also purchased Jason Dion’s Network+ and ITIL boot camps.
3. https://infosec4tc.teachable.com/p/cissp-exam-preparation-training- Mohammed Atef is a thorough teacher. His site has a lot of reference material, diagrams, and demonstrations.
4. https://www.cybrary.it/course/cissp/ -- It used to be free, not sure if it is anymore. Kelly Handerhan has some of her best videos for free online like “Why you will pass the CISSP.”
5. https://csrc.nist.gov/publications/sp800 -- To download several NIST guides.
To those who have fallen short of passing the exam, more than once, know that you are not alone. I know the exam is about to change in less than a month, but listen, as someone who has taken multiple versions of the CISSP exam, trust me, just study. Study a lot. If you have to reschedule, DO IT. Having to start over is so much harder than just paying that rescheduling fee for a later test date. Be honest with yourself, focus, and do the work…you got this.