A year ago, I looked at the CISSP and thought it looked unattainable.
I chalked it up as a “long-term” goal, maybe in 5 years.
But after passing the CEH and PenTest+ in 2018, I gained more confidence and decided to dive in.
Everyone’s shared stories helped me immensely in my journey, and maybe I can help you, too.
You Have to Want It
Do not take this commitment lightly.
Passing this exam was a ton of work and I pretty much lived and breathed this stuff for 5 months straight. I have a full-time job and a family, so to make this work I had to give up gaming, movies/TV, and other time wasters.
You can always make time. Someway, somehow. I listened to audiobooks while doing boring things like commuting to work and handling household chores. I did practice questions on my phone while waiting in lines. Any spare moment that I could find was dedicated to studying.
My Background
I did not have a formal infosec background. I have always had an interest, all the way back to playing with MS-DOS viruses in the mid 1990s. But until recently I’ve only ever been a software developer.
My experience was limited to only a few domains of the CISSP. I primarily build, deploy, and secure web apps in PHP/MySQL hosted in Linux environments. Topics like risk management, physical security, business continuity planning, and security models like Bell Lapadula and Clark Wilson were all new to me.
There was much to learn to pass this exam.
Main Resources Used
There is no shortage of study material for this exam and most of it is reasonably priced for self-study. Many people stated, and I agree, that studying from multiple resources is the key to passing this test.
Re-reading the same textbook probably won’t do it for you. Diversify!
The CISSP Subreddit
I followed everyone’s pass/fail stories for months. There’s also a link to a Discord chat group on there somewhere.
Books
I read these cover to cover on a cheap 10″ Android tablet.
| Name | Pages | Link | Usefulness |
|---|---|---|---|
| Sybex CISSP Official Study Guide, 8th Edition | ~1100 | Link | 4/10 |
| Syngress CISSP Study Guide, 3rd Edition | ~600 | Link | 9/10 |
| 11th Hour CISSP | ~200 | Link | 7/10 |
The main books most people choose between are the Sybex book above, and the CISSP All-in-One by Shon Harris.
I chose the Sybex book as it was highly recommended by recent test takers, but I have to say that I disagree with the majority on this one. I did not think it was worth the time investment. It seemed to jump all over the place, with no real flow, and kept repeating itself without adding new insight.
The Syngress book by Eric Conrad was superior to the Sybex book in every way, despite being a few years older.
I ran out of time before I could read the big Shon Harris book. But I still got some use out of it by CTRL+F through the digital edition looking for the “exam tip” and “note” blocks. And slowly reading all the end of chapter summaries. This seemed to be a solid strategy and I picked up a lot of key content in a minimal amount of time.
Videos
| Name | Hours | Link | Usefulness |
|---|---|---|---|
| CISSP Free Course on Cybrary.it | 13 hours | Link | 10/10 |
| Larry Greenblatt: CISSP with Spock and Kirk Playlist | ~ 2 hours | Link | 9/10 |
| Larry Greenblatt: CISSP 2018 Exam Tips | 36 mins | Link | 9/10 |
| Kelly Handerhan: Why you WILL pass the CISSP | 17 mins | Link | 11/10 |
I watched the Cybrary course above while taking notes. Kelly Handerhan explains it all simply and clearly, and kept my interest even while talking about dry topics. It was one of my most important resources for passing, without a doubt. It was hard to believe this was free. Thanks, Kelly!
The shorter videos above by Larry and Kelly above were also a must watch. I recommend watching them at the beginning of your studies and then again right before you write the exam. They put you in the right mindset to pass.
Audio
| Name | Hours | Link | Usefulness |
|---|---|---|---|
| Simple CISSP by Phil Martin | 17 hours | Link | 6/10 |
| Simple CISSP Exam Questions by Phil Martin | 18 hours | Link | 4/10 |
| CISSP Free Course on Cybrary.it | 13 hours | Link | 9/10 |
| Shon Harris MP3s | — | Link | 6/10 |
You may have noticed I listed the same Cybrary course again here. They offer a free MP3 download of the course at the bottom of the page after you enroll. Kelly Handerhan’s course was so good it was worth a second listen through on my commute.
Practice Tests
| Name | Questions | Link | Usefulness |
|---|---|---|---|
| CISSP AiO Total Tester | ~1600 | Link | 7/10 |
| Sybex Practice Tests Book, 2nd Edition | ~1300 | Link | 8/10 |
| Sybex Main Book Bonus Exams | ~900 | — | 5/10 |
| Boson Exam Engine | ~750 | Link | 10/10 |
| Skillset.com | ??? | Link | 4/10 |
I did thousands of practice questions. None of them managed to simulate the style of questions on the real exam but that didn’t matter much. Without experience in some of the domains, practice tests were the best way of reinforcing what I’d learned.
The Sybex and Boson testing engines remember your previous test attempts. This lets you re-take the tests and only face the questions you got wrong the first time around. I thought it was worth the time going through these “incorrect only” filters on the tests at least once.
Boson sort of simulated the style of questions on the test, with lots of “BEST”, “MOST” type questions that make you compare various possible answers. I think it was the highest quality test engine and worth paying for. There’s almost always a 15-25% discount available, check Reddit.
I have no idea how many questions I answered on Skillset.com. There was a lot, maybe a few thousand, but the UI is setup for you to bang through them quickly. The question quality was just OK, and I’ve rated them 4/10 above, but I still recommend them for a whole other reason entirely…
Skillset Insurance
The quality of the Skillset questions are lower than the competition, for sure, but they do offer one thing that was incredibly useful. That is their insurance.
They’ll buy you a new exam voucher AND refund your subscription fee for the month if you happen to fail your CISSP exam. That is, as long as you are “100% ready” for the exam as determined by their test engine. It’s a bit time consuming but it’s very doable.
Having that safety net was worth it for me, despite the fact that I passed the exam on the first attempt. The insurance saved me a couple more months of obsessively studying, and helped me relax while taking the test.
A couple tips for Skillset:
- If you already have an active pro subscription, you can take their skills assessment to start at a higher readiness level.
- Some of the Skillset cert options (such as CISSP and CEH) share content. If you complete one, you’ll start with increased readiness on the other. I started CISSP at 40% readiness from the skills assessment previously mentioned and from the CEH content overlap.
- You need to answer some of the short answer questions to reach 100% or higher readiness. Make sure to do this at least one week before you write your exam, as it takes time for your answers to be graded by other students. Answering 5 questions was enough for me to reach 103% readiness.
My Exam Experience
Question Style
It started off frighteningly difficult.
This was nothing like the practice tests, where you might simply have to define a term or identify a type of security control.
The exam questions had layers of depth to them. They expected you to apply your knowledge of the concepts, weigh your options, and make the best choice from several debatable answers. You needed to read between the lines and consider things like risk, cost, time, proper procedures, and so on.
Every question was a mind-bender at first.
The Adaptive Test Engine
If you’ve been reading up on the CISSP, you know they’ve replaced the old 6 hour test with a new adaptive test. You can get anywhere from 100 to 150 questions. The test ends whenever the exam engine is certain that you will pass or fail.
You need to score as “proficient” or higher in all 8 domains to pass. The engine is designed to uncover your weaknesses and grill you on them. And it did for me.
Things got a little bit easier as the test progressed. But like most people that pass, I wasn’t feeling great about my chances. I thought I was borderline passing or failing and figured the battle would go right to the bitter end.
When the exam ended suddenly at 100 questions, I was surprised. And then cautiously optimistic as I thought there was no way I was doing poorly enough to just straight up fail at 100.
I took a deep breath, walked over to the printer and saw those beautiful words: Congratulations, you have provisionally passed…
Exam Tips
Some of the most useful advice for me was:
– Larry Greenblatt’s advice to read each question like a lawyer reviewing a service contract. Look for little words that may make an answer incorrect.
– Kelly Handerhan’s suggestion that unless the question states otherwise, you are a “risk advisor. Don’t fix things!”
– Treat every question like it was the first. You can’t go back and change your answers, so just move on and don’t stress if you realized you made a mistake earlier.
How to know when you’re really “ready”
You’ll never feel truly ready. I didn’t. A decent benchmark is scoring at least in the low 70s on your first attempts on Boson tests. I did a new Boson test once a month during my studies for this purpose.
But just get started
I wasted too much time at the beginning looking for more hints, more resources, the most optimal way to study, and so on. What I should have been doing was getting down to it and studying!
There’s so much CISSP material out there that you’ll never run out of new things to try.
The resources on this post should get you started. Pick some and buckle down, you’ll be glad you did.
Don’t forget to “think like a manager.” They weren’t kidding about that one.
You can do this. You got this.
I’m looking forward to hearing your success story.
