How I Passed the CISSP
My personal experience with the CISSP by Jason Dyke.
Disclaimer — Please Read
Throughout my research into the CISSP I commonly saw questions from people wanting to know “How long did you study for?”, “What materials did you use?”, “Were your materials enough?”, etc. In reality, everyone’s knowledge level is different and everyone’s exam will be different. There is no silver bullet for the CISSP that translates into a guaranteed passing score, and only you know where your strengths and weaknesses lie. This post alone will not guarantee a passing score, but I hope it better prepares you or helps in some way. All the opinions in this post are my own; they do not represent (ISC)² and should not be treated as such.
What is the CISSP?
The Certified Information Systems Security Professional (CISSP) is one of the most sought-after security certifications in the world among organizations large and small. It is globally recognized, yet only around 88,000 people in the world have passed the exam and fulfilled the additional requirements to become an official (ISC)² CISSP. The CISSP is geared towards managers, consultants, architects, C-level executives, and anyone looking to move into a broader security role. In addition to passing the exam, “you must also have at least five years of cumulative, paid work experience in two or more of the eight domains of the (ISC)² CISSP Common Body of Knowledge (CBK)”. If you do not yet have the work experience, you can still take the CISSP and apply for the Associate of (ISC)² designation until you meet the experience requirement. The CISSP is made up of 8 domains, which together form the Common Body of Knowledge:
Domain 1. Security and Risk Management
Domain 2. Asset Security
Domain 3. Security Architecture and Engineering
Domain 4. Communication and Network Security
Domain 5. Identity and Access Management (IAM)
Domain 6. Security Assessment and Testing
Domain 7. Security Operations
Domain 8. Software Development Security
To find out if the CISSP is right for you, watch (ISC)²’s official overview video. If you are looking to break into the government sector, the CISSP is a hard requirement for some positions. For non-government work the CISSP is also highly sought after in candidates, but it is rarely a hard requirement the way it is for those government positions.
What is Computerized Adaptive Testing?
Before I began to study for the exam, I wanted to learn more about the exam itself. In December 2017, (ISC)² introduced Computerized Adaptive Testing (CAT) for all English CISSP exams. As the name suggests, CAT adapts to your answers to tailor the exam so that it truly challenges your mastery of all areas of the CBK. The basic flow is as follows: your first question in each domain will be of moderate, relatively easy difficulty. If you answer that question correctly, your next question in that domain will be more difficult, and so on. If you answer incorrectly, the next question will be at the same level of difficulty or easier. This continues for each domain until you have sufficiently demonstrated your competency in that domain. ((ISC)² describes the algorithm in terms of an overall ability estimate that must be established with statistical confidence while still covering every domain in the blueprint; thinking of it domain by domain, as I do below, is a simplification, but a useful one.)
The CAT is a good thing. It might seem like you now have to know more than before (when it was a linear 250-question exam), but in reality CAT allows you to pass the exam in as few as 100 questions and in less time. The CAT demands the same knowledge as the older linear format and creates a more enjoyable testing experience (if such a thing exists…).
What Do I Need to Pass?
In total, the exam is at most 150 questions and three hours long. Because the exam uses CAT, you can pass in only 100 questions and potentially finish the exam in under an hour! The ability to pass by answering only ⅔ of the maximum question count comes from the way CAT establishes competency as it goes. A good way to think about the CISSP is that you have 150 questions and three hours to display competence in all 8 domains, but once you show competence in one domain, that domain is effectively complete for the rest of the exam. You may end up having the last 10–20 questions be on one single domain as the CAT works to establish your competence in the final domain you have yet to clear. Included in those questions are 25 experimental (pretest) questions that are not scored. If you run into a foreign concept or a question that just seems off, chances are it isn’t scored.
You may have heard that you need a score of 700/1000 in order to pass. This number can be misleading: it is a scaled score, not a percentage of questions answered correctly, and 700 represents the “cut score”. The cut score is determined from the recommendations of a select group of Subject Matter Experts (SMEs) on what a minimally qualified candidate should be able to do. Each question is weighted differently based on its difficulty, so the traditional way of thinking, “I need 105 questions right to pass”, does not apply. You only need to display competency in each domain to pass, and this can be accomplished in as few as 100 questions.
My Study Materials Used
Each person learns differently, and each exam is going to be different by nature of the CAT. You won’t find a golden step-by-step process on passing the CISSP, and your best shot at passing is to find your own personal strengths and weaknesses and focus on where you are weakest. Remember, you must show competence in ALL domains of the CBK. Do not let that discourage or intimidate you as the CAT does its best to help you to pass. My studies involved only a few core resources:
Cybrary Kelly Handerhan CISSP Videos: https://www.cybrary.it/course/cissp/
Eleventh Hour CISSP Study Guide: https://www.amazon.com/Eleventh-Hour-CISSP®-Study-Guide/dp/0128112484
(ISC)² CISSP Official Study Guide and Practice Tests (bundle): https://www.amazon.com/gp/product/1119523265
My Exam Preparation
Note: Throughout my studies I kept running notes in Google Docs. Every day I would re-read my notes from top to bottom; they ended up being close to 35 pages by the time I took the exam.
I first began to study by watching the Cybrary CISSP videos. The instructor, Kelly, does a great job of simplifying the domains and presenting them in a memorable way that is a great introduction to the CISSP material. I would spend about an hour a night watching as many videos as I could, while at the same time verifying the information “stuck”. If something did not make sense, or I could not remember it by the end of the night or the next morning, I would watch the section again or look for external information through Google.
After Kelly’s Cybrary videos were completed, I moved on to the Eleventh Hour CISSP Study Guide by Eric Conrad. Based on previous research I found online, this book is recommended to read once at the beginning of your studies and then the very last week before your exam as a refresher. I ended up reading this book once and then never again. I enjoyed the read, as it went one step more in depth than Kelly’s videos, and showed me how much more was potentially on the exam. This book is short, close to 200 pages, and is an easy read in a week or two. Do not rush reading the book as simply finishing it provides little to no value if you do not remember the content. Similar to the Cybrary videos, if the next day I could not remember the content I read, I re-read it. Personally, I have a tendency to speed read and obtain a high level of understanding of the books I read, but this book should be used as study material and I had to adjust my reading style. One of the biggest hurdles of my study prep for this exam was to slow down and really dig in and try to understand the material.
I believe this to be a critical key to my success on the exam — the CISSP is NOT a technical exam and is framed from a managerial standpoint. If you know the definitions and have a good grasp on the concepts involved with the material, and can identify when a concept fits into the presented situation, you have a great chance to pass the exam.
After the Eleventh Hour book, I dug into the enormous (ISC)² official study guide. This book is basically an encyclopedia of the CISSP and is not meant to be read front to back. Instead of reading the study guide cover to cover, I redeemed the digital coupon code from the practice tests book to better simulate the real testing experience. In total, there are over 2,000 practice questions between the two books, which is more than enough to test all areas of the domains and give you a thorough practice exam experience.
Each night, or every other night, I would take a 125- to 150-question practice exam. The practice exams can be configured to give feedback on whether you got each question right or wrong. After each exam, for every question I got wrong, and every question I guessed on and got right, I would make a note in my Google Doc to dive deeper into that area. That is where the official study guide came in handy: I treated it as reference material for areas I needed more experience with. If I needed information beyond what the study guide provided I would consult the internet, but in reality that only happened a couple of times.
I was consistently scoring 65–70% on the practice exams which definitely had me concerned based on what I was seeing from other candidates. Regardless, I kept to my study habits and spent about two weeks on practice exams and read my notes daily. I never did end up scoring above an 82% on the practice exams, but in hindsight, they were definitely more technical and in-depth than the exam questions. To reiterate, this is not a technical exam: the practice questions should be viewed by the concepts on which you’re being tested and not your technical ability to remember mathematical formulas. Additionally, I would say that the practice questions accurately represented the cadence and length of the real exam questions.
Pearson VUE is the exam center for (ISC)² in my area. They offered Saturday times, which was very convenient since that day I could focus 100% on the exam. My exam was scheduled for 8 AM and I arrived 30 minutes early as suggested. For day-of prep, I woke up at 5 AM and read my notes one last time, in addition to taking one final practice exam. For all of my exams I like to take one practice exam the day of, so I go into the real exam warmed up and already in the correct mindset.
Two forms of ID are required in addition to submitting to a palm vein scan. The scan was a new one for me; it’s also used if you need to leave the exam for a bathroom break (re-scanning when you come back in), in addition to checking the vein template database to verify you are not taking the exam for someone else or have already taken it under a different name. I suggest you eat a nice breakfast, avoid a lot of caffeine (for me that always makes me speed through questions), wear comfortable clothes and TAKE YOUR TIME. From my experience, three hours is plenty of time for the exam even if you have to answer all 150 questions.
Tips and Tricks
Your goal should be to only answer 100 questions, but do not become discouraged if you have to answer more.
Once you answer a question, avoid losing focus on the next question by thinking about a previous answer. Answer the question, clear your mind, and move on.
You cannot go back to previous questions or mark questions for review, so if you are unsure, make your best guess and move on (they do not officially tell you what happens if you leave a question blank).
The exam covers the concepts and application of concepts but does not dig deep in any one area.
If you are having a difficult time remembering a list of items for one concept, come up with a mnemonic. For the OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application), “Please Do Not Throw Sausage Pizza Away” is my favorite.
You are provided a whiteboard and dry erase marker. Use that to write down your mnemonics or any other concepts that you have had struggles remembering. There is plenty of room to write down anything you deem necessary.
Every exam has different questions but the same difficulty level. All exams use statistical data to evaluate the difficulty and keep variations to a minimum.
The scores you get on practice exams should not be a benchmark for how prepared you need to be for the exam. Only you know your level of mastery of the concepts. Try to refrain from comparisons.
Additional Resources
(ISC)² FAQs: https://www.isc2.org/Frequently-Asked-Questions
Reddit CISSP: https://www.reddit.com/r/cissp/
CISSP 2018 Update FAQ: https://www.isc2.org/Certifications/CISSP/Domain-Refresh-FAQ
The information presented in this article is accurate as of 10/17/2019. Follow the ScaleSec blog for new articles and updates.
ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security and compliance that helps innovators meet the requirements of their most scrutinizing customers. We specialize in cloud security engineering and cloud compliance. Our team of experts guides customers through complex cloud security challenges, from foundations to implementation, audit preparation and beyond.