I just passed the CISSP exam today on the first attempt with about a month of dedicated study altogether. I kept feeling like I should have put more time into studying, but I just felt like I was ready. You can pass this exam as well if you prepare properly.

Since I’m using a similar hero post image as the other CompTIA success posts I’ve done, I have to mention that just passing the CISSP exam isn’t enough to get CISSP certified. I still need to find someone to endorse me, wait like 2 months, and then pay the AMF before I’m official.

Update 9/26: Woohoo, I just got the provisionally passed email. Now, onward to the endorsement process.

ISC2 CISSP Provisionally Passed Email

Update 10/7: Double woohoo! I asked one of my mentors to endorse me, and she agreed! Now I wait…

ISC2 CISSP Endorsement Queue Email

Update 1/6/20: A little over 3 months in and still no CISSP certification. This endorsement process has proven to be pretty lengthy. Check out the post on my delay with the endorsement process to see what the deal is.

Study Materials Used

I bought a book I read cover to cover (only 200 pages), 11th Hour CISSP 2nd Edition. It’s written well and is fun to read, but it has a ton of content packed onto each page. If you know nothing about information security, much of the terminology will go right over your head. I’m familiar with a good portion of the material and even noticed a few things I forgot I studied when skimming the book the morning of the exam.

By this point, I’ve done IT work for about 15 years, with the last 5 specifically being security. I also have an MBA with honors (Beta Gamma Sigma) and actively study business, personal finance, and digital enterprises. So, this exam’s material was right up my alley. I don’t know every domain exceptionally well, but I can work through the issues.

Additional Study Materials

I used the following materials to prepare for this exam:

  • Full CISSP Course Path by Mike Chapple on LinkedIn Learning
    • I planned on picking up Mike’s Official Practice Test book but never got around to it.
  • All in one CISSP audios by Shon Harris
    • This content is based on the old exam setup with 10 domains, but her explanations are excellent.
    • Update: The link to these audios is down (https://www.mhprofessionalresources.com/sites/CISSPExams/exam.php?id=AccessControl). This YouTube playlist of Shon Harris CISSP videos reflects her content.
  • Boson CISSP exam package
    • Practice exams
    • Practice lab

The Boson prep package was interesting. It was more technical and did not match the content of the exam. What it did match was the exam style and question structure, which really helped me get into the mindset of the exam. The questions I mostly kept missing were the tricky ones that I didn’t thoroughly read. I took four practice exams before I had a passing score.

Alternative Study Recommendations

I did not use the official Sybex book, but I’ve heard good things. I also heard good things about Essential CISSP by Phil Martin. Essentially, he explains things pretty well. I purchased the audiobook to go through, but unfortunately, I ran out of time and didn’t get to use it to study.

Essential CISSP Chapters

If you do go with the Essential CISSP (which is recommended), you’ll find there is a lack of chapter information, so it may be hard to keep track of where you are. Here’s that info:

  1. Security and Risk Management Domain
  2. Confidentiality Integrity Availability CIA
  3. Authentication Authorisation and Auditing (AAA)
  4. From Vulnerability to Exposure
  5. Administrative Technical and Physical Controls
  6. Security Frameworks
  7. Computer Crime Law
  8. Policies, Standards, Baselines, Guidelines and Procedures
  9. All About Risk Management
  10. Modelling Threats
  11. Assessing and Analysing Risk
  12. Managing Risk
  13. Business Continuity and Disaster Recovery
  14. Personal Security
  15. Security Governance
  16. Ethics
  17. Asset Security Domain
  18. Information Life Cycle
  19. Information Classification
  20. Layers of Responsibility
  21. Retention Policies
  22. Protecting Privacy
  23. Protecting Assets
  24. Data Leakage
  25. Protecting Other Assets
  26. Security Architecture and Engineering Domain
  27. System Architecture
  28. Computer Architecture
  29. Operating Systems
  30. System Security Architecture
  31. Security Models
  32. Systems’ Evaluation
  33. Certification vs Accreditation
  34. Open vs Closed Systems
  35. Distributed Systems Security
  36. A Few Threats to Review
  37. The History of Cryptography
  38. Cryptography Definitions and Concepts
  39. Types of Ciphers
  40. Methods of Encryption
  41. Types of Symmetric Systems
  42. Types of Asymmetric Systems
  43. Message Integrity
  44. Public Key Infrastructure
  45. Key Management
  46. Trusted Platform Modules
  47. Attacks on Cryptography
  48. “The Author Talks about some aspects of physical security”
  49. The Site Planning Process
  50. Protecting Assets
  51. Internal Support Systems
  52. Communication and Network Security Domain
  53. Telecommunications
  54. Open System Interconnection Reference Model
  55. TCP/IP Model
  56. Types of Transmission
  57. Cabling
  58. Networking
  59. Networking Devices
  60. Intranets and Extranets
  61. Local Area Networks
  62. Wide Area Networks
  63. Metropolitan Area Networks
  64. Multi Service Access Technologies
  65. Remote Connectivity
  66. Wireless Networks
  67. Network Encryption
  68. Network Attacks
  69. Identity and Access Management Domain
  70. Security Principles
  71. Identification Authentication Authorisation and Accountability
  72. Access Control Models
  73. Access Control Techniques and Technologies
  74. Access Control Administration
  75. Access Control Methods
  76. Accountability
  77. Implementing Access Control
  78. Monitoring and Reacting to Access Control
  79. Threats to Access Control
  80. Security Assessment and Testing Domain
  81. Audit Strategies
  82. Auditing Technical Controls
  83. Auditing Administration Controls
  84. Reporting
  85. Management Review
  86. Security Operations Domain
  87. Operations Department Roles
  88. Administrative Management
  89. Assurance Levels
  90. Operational Responsibilities
  91. Configuration Management
  92. Physical Security
  93. Secure Resource Provisioning
  94. Network and Resource Availability
  95. Preventative Measures
  96. Managing Incidents
  97. Disaster Recovery
  98. Insurance
  99. Recovery and Restoration
  100. Investigations
  101. Liability and its Ramifications
  102. Software Development Security Domain
  103. Defining Good Code
  104. Where do We Place Security
  105. Software Development Life Cycle
  106. Software Development Models
  107. Integrated Product Team (APT)
  108. Capability Maturity Model Integration
  109. Change Control
  110. Programming Languages and Concepts
  111. Distributed Computing
  112. Mobile Code
  113. Web Security
  114. Database Management
  115. Malicious Software

Mindset Videos

These 2 videos below also helped with preparing for the exam as well:

Why you WILL pass the CISSP by Kelly Handerhan

I did not go through Kelly’s CISSP course on Cybrary, but I’ve heard great things. You can view her entire free CISSP course here.

CISSP Exam Tips – Understanding Semantics and Context by Larry Greenblatt

Spock certifies, and Kirk accredits. Ha, genius.

Keeping the Confidence

So, what did I do to prepare for this exam mentally?

If you recall the last exam I passed on the first try, I made a note, naming myself as newly CompTIA CySA+ certified. I was very specific about my intention, and I think that played a huge role in getting me prepared for the exam. I didn’t write a note to myself this time. But I did create this post, announcing my intention publicly to become CISSP certified in 2019. Not only that, I also told a few people around me as well. I have never made a public declaration in this manner before.

I feel good about the exam. Half of the exam I knew pretty well, and the other half I had to work through. I’m extremely happy to keep the “passing on the first attempt on all certifications streak” alive.

Like with other exams, I created my own CISSP study notes before the exam to ensure that the concepts were fresh in my mind.

The exam was pretty much exactly how I expected it to be, except it had a bit more in-depth technical network admin material than I expected. Luckily, I know that stuff pretty well.

As always, I should have prepared a little more, but I just felt ready, so I didn’t study as much as people normally would. I don’t regret this decision since I can always look up information I’m fuzzy on or consult with someone else if I ever need to.

Study Tips

  1. Review the CISSP exam objectives if you haven’t already done so.
  2. Get a good book, an audiobook/notes, AND a video course.
  3. Set a study schedule and plan a date for the exam.
  4. Buy the exam voucher from Pearson Vue.
  5. Schedule the exam through Pearson Vue.
  6. Take practice questions and practice exams. Even if the exam questions are not the same content, you at least get the practice of context and answer elimination.
  7. Review material that’s still fuzzy to you. Watch YouTube videos, review concepts on Wikipedia or other pages, and improve.
  8. This certification is as much an English test as an information security test.
    1. Read the question and eliminate 2 answers (1 is an obviously wrong choice).
    2. Re-read the question before selecting the final choice.
    3. Watch out for catchy words like MOST, LEAST, ALL BUT, EVERYTHING EXCEPT, and double negatives. If you speed through reading as I do, these are tough ‘gotchas.’
  9. The exam is Computerized Adaptive Testing (CAT). Just because you don’t finish at 100 doesn’t mean you failed or are close to failing. The exam wants you to prove yourself. You can still pass after 150 questions.
  10. Know your stuff, and be sure to practice!

Conclusion

Basically, stick to what you hear about the exam, and you will be fine. Take off your tech hat and think like a manager. Although you can work through the exam pretty well, you still need to know the fundamentals to give you a fighting chance.

You must apply critical thinking and experience when going through the questions. There will be multiple tricky questions, so don’t rush. Pay attention and read carefully. Don’t be surprised to see a few questions that may have two close answers. They may even be right answers, but going through the elimination process will give you the correct answer.

You will get creamed if you slack on policy, SDLC, and frameworks. They may seem like no-brainers in theory, but the application and order of steps are important. Even though these topics are taught at the end of most educational materials, don’t let off the gas. They are important.

Lastly, no problem if you don’t use your scratch pad during the exam. If you didn’t finish the exam with 100 questions, no problem. Whether you finish at 100 or 150 questions, the important thing is you pass.

Have you passed the CISSP exam yet? If so, what do you think of these tips?