I passed the CISSP in April of 2021. I studied for 1.5 years, during a pandemic, and I felt totally unprepared walking into the exam, but in the end I passed.
I have already added all the study resources I used to my Newcomer Security Packet (contact me directly if you’d like a beta copy. I still have yet to format a live copy for this site), but given the scope and reputation of this exam, I figured it deserved its own blog post. For one, this will serve to discharge my mind of the remaining fragments of stress and framing related to the exam. More importantly, it will give me a resource to which I can point anyone who might ask me about the overall CISSP experience.
Two quick preliminary things before we begin the proper part of this blog:
Firstly, I owe a big thanks to Cassie. Though I didn’t end up using 100% of the resources she provided to me, I did use a few of them, and her belief and support after passing the exam herself was instrumental in driving me to pursue it in the first place.
Secondly, for those who prefer audio/video information delivery or a more casual atmosphere, I did a cheeky little Twitch stream wherein I talked about my CISSP journey while playing Minecraft.
Now that all of that is out of the way, let’s get started.
In late 2019, shortly after passing my CEH exam, I made the decision to start studying for my CISSP exam. My job was keen on me obtaining this certification, and they were willing to pay for the cost of the exam. The decision having been made, the next step was to craft a study plan. I have a fairly well-established methodology for doing this by now, so let’s describe that a bit.
• I diversify the medium of the content I consume. By that, I mean that I never limit it to just reading or just videos. I try to study from as many formats as I can.
• I never study from the same format back-to-back if I can help it. If I read a study guide, the next thing I do will be watching a video series or taking practice exams, for example.
• I will not move past any media that has practice material until I can consistently get 90% or greater on each section in one pass.
Now, as a caveat, I am not saying that my methods are advisable or empirically sound. In fact, Tarah Wheeler gave a great talk at GRIMMCon 2020 about the marginal utility of study time. This is just the method that has always worked for me.
So, once I decided to take the exam, the obvious question presented itself to me: what study material should I use to prepare?
My answer came in the form of an amalgamation of past study material providers, official material, work-provided material, and Cassie’s suggestions.
The absolute first thing I did was look for any CISSP study material provided by my company. I did have access to one video course through my job, but because it isn’t publicly available, I won’t cover it here.
After completing that video course, I searched up the official study guide, which wasn’t too expensive as an eBook. I read through it completely and went over the chapter quizzes until I was able to complete all chapters in one go with a 90% or greater score for all chapters.
Once I finished with the official study guide, I moved on to PocketPrep, both because I’ve used it before for CEH and because I had already done both video and book-based content up to that point. My view of PocketPrep for CISSP hasn’t changed much from CEH: the interface and the availability of a mobile app really make it worth the cost in my opinion. Additionally, the ability to see which subject areas are your weakness and to create custom quizzes using only flagged questions really help shore up the areas where you aren’t as strong.
Next, I purchased a subscription to Cybrary so I could take the Kelly Handerhan CISSP course. This money was extremely well-spent. Regardless of the content Kelly covers, the framing in which she provides it is absolutely key to passing the exam. I’ll talk about that more a bit later. In the meantime, I’ll just say that the Cybrary course combines video presentations from Kelly’s live classes with eventual practice exams. While the video section can be a bit jarring because Kelly interacts with chat members whose messages you can never see, the framing is invaluable.
Now, because of the pandemic and certain other life events, the Cybrary course itself took what felt like an eternity for me to finish. So, by the time I finished it and passed the practice exams with satisfactory scores, I had very little time before my scheduled exam date. As a result, I moved on to another written resource: the Eleventh Hour study guide. A breezy but dense 200+ page tome, the Eleventh Hour book focuses only on the absolutely essential topics and concepts with zero fluff. Very good for tying together all your loose ends at the home stretch.
This is where I normally would have stopped and ran straight into the exam, but a few last second notes and resources are absolutely worth mentioning here.
To start, Boson. I really, truly love Boson’s practice exams. I wish they supported mobile studying more robustly, but their content and wording is fantastic. I used them for CEH, and I had planned to use them for CISSP, but I ran out of time.
Finally, I panicked. I posted on Twitter about my reservations and hesitations and self-deprecations, and I was provided with two resources that were not originally on my list.
And here we again return to Kelly Handerhan, this time in the form of a video entitled “Why You Will Pass The CISSP”. This video is everything, again not because of the content, but because of the framing. The absolute, most critical piece of advice Kelly (and by extension, myself) can give you is this: in the context of the CISSP, you are not there to fix problems. You are a risk advisor, a counselor to decision makers. You are there to facilitate good, sound, risk-based decision making that will not result in pitfalls to the organization. You support the implementation of processes and procedures, but you don’t implement them. There’s some additional nuance to this short video—such as the value of human life above all else—but the overwhelming message is clear: you are an advisor/manager, not a technician/engineer.
With that context in mind, I turned to the final last minute resource I was pointed toward via Twitter replies: the "CISSP MindMaps" created by Destination Certification. There are effectively 29 videos on this playlist, totalling in at 6 hours combined. I will tell you right here, absolutely every second of this playlist is worth it. If you read the Eleventh Hour book, watch Kelly’s “Why You Will Pass The CISSP”, then finish off with this the week before the test, you will have a much easier time glueing everything together. Where Kelly succeeded in providing a potent razor for generally attacking all questions, the MindMaps playlist offers a way to contextualize and understand the entirety of CISSP as it fits together, painting it as one massive, beautiful puzzle. If you can understand the foundations in the earlier videos, you will begin to see how everything falls naturally, step by step, domain by domain, from the initial concepts discussed.
And those are the things that I studied to prepare for the CISSP exam. I still felt totally unprepared going into it. To make matters worse, the CISSP exam, as of this writing, uses adaptive computerized testing, meaning that while there is a set time limit, there is not a set number of questions. The exam modifies the questions that it throws at you based on your answers; if you seem to be doing well, it throws difficult, high-point questions at you, but if you aren’t doing well, it throws easier, low-point questions instead. So, conceivably, if you do very well, the test can be over very quickly.
This gave me a ton of anxiety, as every time I submitted an answer and another one turned up, I convinced myself more and more that I was failing, at least until one answer triggered the end of the test. I was still convinced I had bombed, and yet, I passed handily. From the replies I received on Twitter after my panic session, it seems that this is by far the norm.
So, if I had to summarize my experience and my advice heading into this exam, I’d do it thusly:
• You’re a risk manager, not a technician. Advise, don’t fix.
• Understand how it all fits together, from the bottom up.
• More likely than not, you will feel totally unprepared. That’s okay.
We have, at last, reached the end of my little CISSP study guide compendium and experience/advice blog post. Please feel free to reach out to me on Twitter if you want to discuss anything regarding the CISSP.
Thank you very much for stopping by, and good luck with all of your future certification/education endeavors!