Studying For and Taking the CISSP Exam

Update: As of December 6, 2019, I am fully and officially certified by (ISC)2 as a CISSP.

---

I provisionally passed the CISSP exam on October 26, 2019. This post details my reasons for studying for this particular exam, the methods and materials I used, and lessons learned. This was my first attempt, and I provisionally passed right at the 100-question point, which is the minimum number of questions you are presented with on this adaptive exam.

The exam automatically adjusts the level of difficulty with each new question in order to gauge your proficiency with the subject matter. You are presented with a minimum of 100 and a maximum of 150 questions before the testing engine determines if you’ve passed or not.

Even though security hasn’t been the focus of my career in I.T. as of yet, I found this exam to be very interesting and I am glad I invested the time in studying for it. After my second CCIE R&S lab attempt this past June, I was ready to take a break from studying for those particular topics and instead try to expand my horizons a little bit more. I briefly studied for the AWS Solutions Architect Associate exam (which led to me moving my website to AWS), and I also started to keep my eyes open for new job opportunities as I mentioned in my last post.

What ultimately led me to the CISSP was seeing a decent number of government contractor jobs in the areas I was thinking of relocating to, and I wanted to keep my options open. Before this, I was not aware of the fact that many of these government jobs require you to have certain baseline certifications depending on the level or classification of your role (DoD 8570). Frequently, you can get hired with the provision that you must obtain an appropriate certification within six months. However, I thought having one of these certifications coupled with my existing experience could potentially give me an advantage over someone who did not yet have the appropriate certification.

I have known about the CISSP for several years but previously hadn’t given it too much consideration since security hasn’t been my focus. I knew the CISSP carries a certain higher level of recognition for some organizations, and so I believed (incorrectly) that it would require a CCIE-level of effort to obtain it.

Toward the end of June, I started studying for the CompTIA Security+ exam. It was shortly after that I noticed many of the same topics are covered on the CISSP. I spent some time researching and I realized that with a little bit more effort I could obtain a much more valuable certification, especially since I have enough experience to meet the full requirements.

The CISSP requires five years of professional (e.g. paid) experience in at least two of the eight topic domains of the exam, or four years if you have a bachelor’s degree or already have other particular certifications like the Cisco CCNP. I have both, but you can only subtract one year off the five-year minimum for this. For the government contractor jobs, the CISSP carries much more clout and fills in the check box for a much larger number of levels in the DoD 8570 than the Security+ exam does. That was enough motivation for me.

I’m not at all trying to discredit the Security+ certification. It was just that my previous professional experience made obtaining the CISSP a real possibility and it happens to carry a higher level of professional value in direct comparison. In fact, the more I studied for the CISSP, the more I realized just how much I have already been exposed to the vast subject matter. This proved to be invaluable to me as I was more easily able to envision certain people from my past (and frequently myself as well) carrying out particular roles and tasks covered by the topic domains.

Ultimately, experience is what makes the difference on this exam, along with good reading comprehension. It is said that the CISSP is a managerial exam, not a technical one, and that the topic scope is an inch deep and a mile wide. In other words, you need to know a little about a lot.

There are indeed very technical topics covered on this exam and you will need to know some of the details to correctly answer the questions without guessing. However, the biggest mistake that most people with very technical backgrounds make when approaching this exam is to look for the technical answer. This is very much a business-oriented exam, and the organization is what needs to be central to your thought process the entire time.

This is the first certification exam I’ve taken in my career where the primary focus wasn’t on the technology itself. When I began studying, this approach was all I knew, and I quickly came to the conclusion that there would be no feasible way I could fully absorb the entire scope of topics to the level that I am used to doing without putting in a CCIE-level of effort. That level is not required to pass this exam.

I spent some time reading about other people’s experiences taking the exam and I noticed some commonalities between those who passed and those who failed. Frequently, those who failed simply had the wrong approach to studying, and often went into the exam with the wrong mindset. Those who passed often studied “just enough”, went into the exam with the right mindset, and were able to deduce the correct answers through experience and good reading comprehension. Experience is extremely important on this exam, but having the correct mindset and good comprehension is critical.

I estimate I spent roughly 100 total hours studying for this exam. I started studying casually for about a month at the end of June. I realized one of the hurdles for me with this exam was that it contains a lot of terminology I was unfamiliar with. I created several flash cards to drill some of the terms and concepts into my mind. This was when I was still taking the more technical approach that I’m used to, and I didn’t feel like I was progressing too much. Then things changed in my life, including getting a new job working at Cisco and moving a couple hours away, so I stopped studying for the CISSP to concentrate on my new position.

One of my original reasons for wanting to get the CISSP was to hopefully help in getting a new higher-paying job. This became unnecessary after I was hired to work at Cisco. However, shortly after writing my last post, it occurred to me that during the years I spent with my former employer, I was both exposed to and directly involved with many aspects of the CISSP. This was almost entirely due to the size of the enterprise and the position I held.

Cisco and the financial customer whose network I am currently working on both completely eclipse my former employer in scale. I realized it may be a decent amount of time before I am once again directly exposed to so many of the CISSP domains simultaneously. I knew I needed to take advantage of the experiences I have had while they are still fresh in my memory. That was when I decided to fully commit to taking and passing the exam. But I would need to change my approach.

There are many resources available to study for the CISSP in every format imaginable, including instructor-led bootcamps. I gathered all of the resources together that were available to me, most of which were included with my career-critical $99/year membership at acm.org, which includes access to O’Reilly Safari. Safari has many CISSP materials including books and videos. I also paid for the Boson CISSP practice exams.

One issue I’ve had in the past when studying for any particular certification is wading through the glut of available training resources. Reading about other people’s experiences, I know this happens to many people, and we try to absorb everything from all that is available. After all, logic says that more information is better, right? This time, I decided to try the “just enough” approach instead.

Back in June, I started with the 8th edition of the Sybex official study guide. This is a very thick book, and I had no intention of actually reading the whole thing. I know from past experience that this is a potentially useless activity, as I am very unlikely to actually retain the vast majority with the level of necessary detail. Instead, I started by completing all of the chapter questions as a way of determining what I already knew, and what I needed to dig deeper on. If you register the book with Wiley, you can access their online testing engine.

I additionally encountered the “Sunflower” document, which initially helped to bound some of the exam scope, but I found myself referring to it less once I decided to get more serious about taking the exam.

I also viewed Kelly Handerhan’s excellent free CISSP video course. Kelly is very entertaining and does an excellent job of helping to narrow down the topic scope and depth. She, along with Larry Greenblatt, were very instrumental in getting me into the right mindset for taking this exam. Once again, correct mindset is absolutely critical for this exam! The last primary resource I used toward the end was Sari Greene’s CISSP crash course on Safari. Her slide deck is excellent for review just before taking the exam.

Once I had a firm overview of the material established and I knew what I needed to work on, I started taking practice tests. I used the full tests included with the Sybex 8th edition study guide, the Sybex official practice tests, and the Boson tests. As I took each practice test, I would mark the questions that I had to guess on. After each test, I would review the marked questions along with the ones I answered incorrectly, and make flash cards out of them.

When making the flash cards, I did not simply put down the displayed question and answer, because there is no point in memorizing practice questions. Instead, I made sure I was grasping the topic being covered by rewriting the flash card in my own words as I understood it.

When taking both the practice exams and the real exam, frequently a multiple-choice question becomes distilled down to two extremely similar options. Knowing and understanding the often slight difference between the two options is what will make you successful. Due care and due diligence is the classic example here. Just like acquiring any body of knowledge, repetition and gaining a deeper level of understanding with each pass is key, which is why flash cards have become a critical part of my learning process over the years.

In the end, I found every single practice exam to be much more technical in nature than the real exam, but I realized after provisionally passing that this is a necessity. The whole point of a good practice exam is to gauge your readiness, and not necessarily train you on the material itself. A good practice test will reveal your weak areas, which indeed may be pure technical knowledge.

To that end, I thought all of the Sybex and Boson practice tests were good, but they are not completely reflective of the real exam. Unfortunately, you have to spend $699 to find out for yourself, which very much adds to the stress of taking this particular exam. Losing that money to a failed attempt is no doubt frustrating, especially if you paid for the exam yourself, as I did. I thought the Boson exams were most similar in style (but not necessarily content) of the real exam.

Taking this exam itself was also somewhat of a new experience for me. I have taken many certification exams over the past twenty years, but this is my first one that was required to be taken at a Pearson Professional Center. At a regular Pearson testing center (typically a college or technical training center), they tell you to arrive 15 minutes early, but it has been my experience in the past that it usually takes less than five minutes from entering the testing facility to sitting down and taking your exam. Not so at the PPC.

When registering for the CISSP exam, the instructions say to arrive 30 minutes early. This is actually very important! The intake process at the PPC is much more rigorous, including multiple palm print scans. Additionally, because there are fewer PPCs, there are more people there to test. Many professions outside of IT use PPC testing. In my group, there were about 20 people. Only three of us were not in medical scrubs. All of this adds to the processing time, so it really is important to arrive at least 30 minutes early as the instructions say.

Most of the practice exams I took had 150 questions, and I very frequently finished them in less than an hour. The CISSP exam is between 100 and 150 questions, and you have 3 hours to complete them. Though I passed every single practice test I took (and I didn’t take any of them more than once), I often missed questions due to going over them too quickly and not reading carefully enough. Most of the time, I really did know the correct answer, but missed a key word or phrase somewhere.

During my final few practice exams, I made a conscious effort to slow down and make sure I was truly comprehending the questions and answers. This alone consistently added a full 10% to my total score! I used the same approach when I took the real exam. I read everything extremely carefully and made sure I really understood what the question was after.

I broke down the phrasing of each question and re-worded it myself when it was particularly complicated. And as others have said, it was not uncommon for all of the answers to actually be correct, but one of the answers would encompass the others. This is where good reading comprehension, and not just pure technical knowledge, is critical to passing this exam.

I provisionally passed the exam at 72 minutes and 100 questions. So that’s about $7.00 per question if you want to look at it that way. I am happy to say I believe there were perhaps only two questions for which I didn’t recall seeing their topics covered in the training material and I had to guess on.

Throughout this post I’ve been careful to say that I have provisionally passed. This is because unlike most other IT certifications, there is a process of verification before officially becoming a CISSP. I had to have my membership endorsed by another (ISC)2 member, along with providing proof of my credentials and experience. The results of my exam could also still be audited, and it will be four to six weeks from now before I am granted the official title, providing everything checks out.

I am grateful that I spent the time to take this exam. I really feel like I’ve gained something very valuable, which cannot be said for some of the other certifications I’ve worked toward over the years. I am grateful for the experience and exposure I gained with my former employer which helped get me to this point. I am also very grateful to Vincent Schuele for taking the time to discuss the CISSP with me, provide motivation on the feasibility of passing, and for sponsoring me after my provisional pass of the exam. Thank you.

Here are some of the resources I used to study for this certification:

• ACM.org membership
• Sybex Official Study Guide, 8th Edition
• Sybex Official Practice Tests, 2nd Edition
• Official (ISC)2 Guide to the CISSP CBK, 5th Edition
• Boson CISSP practice exams
• “Sunflower” Guide
• Kelly Handerhan’s CISSP course
• Kelly Handerhan: Why you WILL pass the CISSP
• Larry Greenblatt: CISSP 2018 Exam Tips
• Sari Greene CISSP Crash Course
• Anki for creating flash cards

Many certifications have a certain amount of mystique surrounding them, especially more senior (and expensive) exams. I hope this post has helped to make things a little clearer for you. Good luck in your studies!