This past week I sat for the (ISC)2 CISSP exam and passed on my first attempt! With the entire preparation and test taking experience still fresh on my mind, I felt I should take time to document my experience and study approach similar to when I sat for the CISA exam last year.
What is the CISSP Exam like?
The CISSP exam is long, ringing in at 250 questions. I am a fast test taker and it still took me nearly three hours to complete. This is due to many of the questions I was presented with requiring a fair amount of critical thinking and judgement calls.
This is in contrast to the CISA and Microsoft exams I have taken where the key is to learn the ISACA or Microsoft point of view on a subject and answer accordingly- even when you may disagree with the point of view! This is due to the broad nature of the CISSP exam and the eight domains it covers.
Other test takers have stated that the CISSP material is a mile wide and in inch thick. They are correct.
Nature of the Questions
In my testing experience, the CISSP questions were typically more aligned to what a manager, consultant or advisor would experience with highly technical questions sprinkled in occasionally to keep you on your toes.
The majority of the questions are multiple choice and ask you for the best answer, meaning there might not always be a definitive right or wrong answer in the mix.
The point being, this is not an exam you can really “pump and dump” for. Memorize all the mnemonic devices you like, but if you don’t understand the substance or context of what it is you’re memorizing, you will struggle.
Test Taking Experience
I sat for my exam at a Prometric testing center. The test was computer based (CBT) and available to be taken multiple times a week at different times a day. This is consistent with the experience of taking the majority of exams offered today with the exception of the ISACA test taking experience which only allows you to sit for an exam a few times a year and requires a stroll down memory lane where you will find yourself sharpening your #2 pencils and filling in the little bubbles of a Scantron sheet.
CISSP Test Prep and Study Plan
There are a TON of resources available to study for the CISSP exam, and now that the exam has come and gone, I realize a lot were not all that helpful. If I were to do it all over, I would distill down my study materials to only a few key items.
The Sybex CISSP Official Study Guide
The Sybex CISSP official study guide is thick and long, but very readable. I liked the study guide because it offered a lot of real world context to the subject matter and helped me understand the big
picture of how a certain subject fits into the overall realm of Information Security. This was extremely helpful for subject matters and domains I had no previous professional experience with.
The book is also very reasonably priced and Sybex also offers a free digital copy of the book, an online test bank and online flashcards to accompany the book, making it a no brainer to purchase.
CCCure Quiz Engine for CISSP
The CCCure CISSP Quiz Engine site is deceptive. The website is dated and it has a spammy URL (FreePracticeTests.org, when there is in fact nothing free about the site), but the content is great for directing your CISSP study efforts.
The reason the site is so useful is that many of the questions promote additional study through the explanations. My only serious criticism is that some of the material appears to be dated and over represented in the practice tests, only to never show up a single time in my mix of CISSP questions (I’m looking at you TCSEC…), but I have no problem stating that I would not have passed the CISSP without it!
My approach was to start in ‘Study Mode’, tackling questions from all domains on the hardest question setting and practicing 50 questions at a time until I discovered my weak areas. Then I started directing my study efforts to specific domains where I was weaker and supplementing weak areas with reading in the CISSP study guide.
I studied until I consistently scored above 80% in each respective domain. On average, I completed at least 50 questions a day, five days a week for three months until I decided to sit for the exam.
CISSP Crib Sheet
I found a few different CISSP crib sheets floating around in various forums. I settled on one in particular by Maaren de Frankrjiker and used it to keep me fresh on key concepts. Maaren’s summary aligns to the old CBK Domains, but is still completely relevant.
The CISSP Summary by Maaren de Frankrjiker, CISSP and revised by Christian Reina, CISSP can be downloaded directly here.
The CISSP is a challenging exam, definitely more so than the CISA. But with the right study materials and work ethic, I feel the exam is reasonable and attainable.
Passing the CISSP will not make you a Cyber Security expert, or really an expert of anything for that matter. Instead, I look at the exam as being a great foundation and launching point into thinking more critically about Information Security.
I learned a ton over the coarse of my studies and it has already enhanced my performance on IT security audit engagements!
Good luck and leave additional questions in the comments.