My own three month journey ended the other day in success, passing the CISSP (Certified Information Systems Security Professional) certification test. Thought I’d outline my study strategy as a whole, what really helped, what was a waste of time and some other tips and tricks I learned along the way. If this guide helps one security professional pass the CISSP then it was well worth the time put into it.
If you’re reading this article you probably already know what CISSP is; if you do not, here is a high level overview. CISSP certification covers eight domains of cyber security. You’ll hear people say CISSP is 10 miles wide and an inch deep, which is very accurate. You don’t need to be an expert in all eight domains, but you do need to be fluent enough in each one of them to know the processes, protocols, frameworks, laws, regulations, workflows, and so on. For example: you need to know the layers of the OSI network model and which devices and protocols operate at each layer. You do not need to dive into a TCP packet and describe each bit in each header field as traffic flows. Acquiring the CISSP certification “in theory” proves you have general knowledge of the design, implementation and management of a cybersecurity program.
The eight security domains and exam weights as of 2018-2021 are as follows:
Note: the domains/weights may be updated at some point in 2021
Timing is an important consideration for scheduling the actual test. Summer and fall are always busy times for me, so it made sense to start studying in December and schedule the exam for the end of March. Unless you know it all already you need ample time to study; do not cut yourself short here. Life happens, things come up that will cut into the study plan, so make sure to add some extra padding to your timeline.
I deviated a little from the overall goal of CISSP in the beginning. CompTIA Security+ is actually somewhat similar to CISSP, though I would rate it as less difficult. Security+ also focuses on eight security domains, structured slightly differently, but it’s all about repetition, so how they differ doesn’t matter; it’s retaining the information that counts. From mid December to Jan 10 I studied for Security+ as a practice exam. Studies consisted of reading the 11th Hour CISSP Study Guide book as well as InfoSec Institute’s CompTIA Security+ course by Mike Meyers, both of which I highly recommend. InfoSec Skills runs $35/month with unlimited access to self paced courses (bootcamps are not included in that subscription). A few weeks of studying down and I passed the Sec+ exam without difficulty; if nothing else it was a confidence booster while building toward CISSP.
What works for me may not work for everyone, but I prefer to pound in the information repeatedly with multiple methods: videos, books, hand written notes and flashcards. I also don’t work Domains 1 through 8 in order for each method.
A random study example week:
Monday: Read on Domain 2 for an hour, highlighting and taking notes
Tuesday: Watch videos on Domain 4 for an hour
Wednesday: Create flashcards for Domain 5 and study
Thursday: Read on Domain 3 for an hour, highlight and take notes
Friday: Videos on Domain 2 for an hour
Saturday: Create flashcards for Domain 6 and study
The point of the rotation above is that I’m not concentrating on all of Domain 1 and then moving on, only to find three months from the start point that I’ve forgotten what was studied. By randomizing the studying, reading about one domain one day, then watching videos on it maybe 3 weeks later, and doing flashcards later still, I’m continually reviewing the information and engaging all the senses.
There were a number of resources that were very helpful in passing the CISSP exam. Here is what I used and an explanation of each:
11th Hour Study Guide: This was a great high level, quick and dirty resource. By itself it doesn’t give enough information to pass each subject, but it does a great job summarizing ideas and hitting key points. I ended up reading this twice, the first time during prep for Security+ while highlighting important info, then the second time the week before the CISSP exam. At $20 for a paperback copy it is well worth the cost.
(ISC)2 CISSP Official Study Guide & Practice Tests Bundle, Second Edition: Want to get deep in the weeds? This is the book to do it with. Packed full of detail on every aspect of information security, this is a great resource to lean on. I read this front to back once; it was where the majority of my flashcards and hand written notes came from, and each domain ends with a 20 question quiz. $50 used or $57 new, again well worth the price in my opinion.
InfoSec Skills: There are a lot of subscription based learning sites out there nowadays: Udemy, Pluralsight, Lynda and the list goes on. I used InfoSec Skills due to the large library of classes included in its monthly subscription for $35. The class named “(ISC)² Certified Information Systems Security Professional (CISSP)” is 17 hrs worth of CISSP videos, enjoyable to watch and informational, and again I would recommend it.
CISSP® Self-Paced Training Seminar: Don’t waste your money on this! The other trainings mentioned so far I highly recommend, which I cannot do with the official ISC2 Self-Paced Training Seminar. Coming in at around $800, I was expecting this to be the be-all and end-all of courses and sufficient by itself to pass the exam. It was very high level, did not contain the detail that was expected, and the instructor said “I think” way too many times for my comfort. If you are the instructor teaching a class on the pertinent information to pass an exam, you need to know, not just think. At one point he said, I believe I’m correct but you can look it up on your own. That is not okay and ISC2 should be embarrassed they put this product out there; my end of course review did not hold back those feelings.
CISSP MindMaps: If you search for CISSP MindMaps on YouTube you’ll find 29 very well put together videos made by Destination Certification, split up by domain. I listened to these in the last week of study as a nice review while driving.
Discord: Winding down to the last week of study, someone on Twitter pointed me to the Certification Station server’s #CISSP channel. While I didn’t use it a lot, I can see the value of the channel for tracking down additional training resources, exam Q&A channels and general discussion on the exam.
On to test day. Since you are required to sign an NDA prior to the exam I can’t discuss anything in detail, but I can give some tips as to what to expect. First and foremost, make sure your two forms of ID are ones they accept. I was a little concerned as my driver’s license has my shortened name, not my legal name, so I ended up using my passport as my primary ID and my military ID as my second form. Do not overlook this; they take security VERY seriously and if you do not have proper ID you will not be able to take the exam.
The exam timer does not stop, so use the restroom directly before the exam. The total time allowed is 3 hrs, which is plenty, but better safe than sorry.
Lastly, the questions are tricky: read the question, read the answers, re-read the question, choose an answer, then triple check. Read it all one last time and make sure it is exactly what they are asking. Many questions have multiple correct answers, but there is one answer that is the best answer, so take your time and read carefully.
Is CISSP worth it? It all depends on the situation you are in; for me, yes, it is worth it. I learned a lot in the process of studying, a lot I will use again, some I won’t. Where it really pays off for me is that, for some reason, HR seems to be dead set on CISSP being a requirement for many job postings, so with that being said it’s an HR filtering bypass tool that will at least get your resume a second look.
Does CISSP mean you are a security god? No, far from it; it’s just a tool in the tool belt to utilize.
WeisterCreek InfoSec 4/1/2021