CISSP Exam Experience
I provisionally passed the CISSP exam today, and thought I’d detail my study process, material used and exam experience, along with some advice and tips.
My exam ended after 90 minutes at the 100th question, which, thanks to the Computerised Adaptive Testing system, generally means one of two things: you completely aced it or you completely flunked it. Thankfully, in my case it was the former.
I initially booked the exam for 31st May, as I wanted to do it as late as possible before the format changes on 1st of June. However, after being reminded a few weeks ago that I have tickets to see Kerbdog on the 28th of May, I brought the exam forward to the morning of the gig, allowing me to go on the lash with no pending exam hanging over my head, and no risk of having the distinction of failing the CISSP due to a 3-day hangover. This is the kind of shit you need to consider.
It’s worth noting that previous study can have a big impact on how much you need to learn for the CISSP. That’s one thing I really enjoyed about the CISSP, it encompasses a broad range of knowledge, so previous study and experience can really reduce the body of work to get through. In terms of previous certs that I have, the ones I found most relevant and allowed me to skip over a number of sections were the CCNA, RHCSA, CEH and Security+.
I started off mid-March with the (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition (Wiley). I wanted to approach it quite casually to get an overview of the knowledge required, so I began reading through it with no defined study structure. I didn’t take notes, mark any sections, read daily or try to commit anything to memory. It was just a casual read, and I actually quite enjoyed it. Sure, it’s a bit long and dry, like a lot of these official guides, but it’s full of practical and useful information. A lot of stuff clicked reading this book. I highly recommend it as a starting point and as a reference during later study. It’s a little tempting to presume the chapter summaries might be “get-CISSP-quick” shortcuts, but they’re not. They’re really just a reminder of what you should have learnt by reading the chapter, and aren’t much use in isolation. The end-of-chapter questions aren’t worth more than a quick attempt either.
After reading that, I put together a 4 week structured study plan. It was about 2 hours per weekday, and 4 hours per weekend. I didn’t keep to this particularly well for the first 2 weeks, but the final 2 weeks I hit my study targets just about every day.
I next moved on to Eleventh Hour CISSP®, 3rd Edition (oreilly.com), a much shorter read than the OSG. This book I did mark (digitally): I highlighted anything I didn’t know confidently, or anything I felt I needed to commit to memory (orders of processes, tables, standards etc.). I read through the highlighted sections a number of times. When I felt I knew the highlighted information, I removed the highlight, so each subsequent review became shorter and focused more on my weak areas. Yes, the book is showing its age, and I was surprised there was no updated version (as far as I’m aware!), but the vast majority of the information is still relevant.
Next was some video review, which was a nice respite from walls of text. The only one I used was CISSP MindMaps / Domain Review – YouTube and yes, it’s as excellent as you may have read elsewhere. I watched this through about 3 times: once in normal study conditions, and then twice over the course of a few weeks in my car while commuting to/from work. I really wanted to find an audio-based CISSP review, as it’s great to be able to utilise commute time productively, and this turned out to be excellent for that. There are only one or two occurrences where information on the screen isn’t discussed verbally by Rob, but it’s not of any consequence.
Next I moved on to practice questions, starting with the (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests, 3rd Edition (Wiley). I thought these were very good, which surprised me, as I have low expectations of official practice exams. Now, with experience of the actual exam, I think these were the closest in terms of how the real exam questions are phrased and presented. I would have liked more exams; one per domain and 4 full practice exams might sound like plenty, but repeating exam questions can lull you into a false sense of confidence. Still, this was a great resource, and the explanations were good for the majority of questions.
CISSP Practice Exam (Boson) was next. I’ve read many times online that these are “too technical”. I don’t feel they’re too technical; I just feel they ask about the technical side of the exam very directly. There were only a handful of questions on the exam that were so direct, but the technical knowledge is still required to make an educated decision on the more abstract questions. Anybody advising you to dismiss Boson because they’re “too technical” is really missing the point, I feel, and you’ll be missing out on a great study resource by skipping them. I really enjoyed the Boson tests: the software is very good (it works exactly like the exam, though there are a few frustrating aspects of how you can review incorrect/marked questions), the answer explanations are excellent, and it’s decent value for money. Again though, more tests would have been welcome! I was getting 70-80% on first attempts, and 90%+ on the 2nd attempt. Don’t use Boson as an exam sim and then forget about it; use it to create a personalised “weak area” study plan. During each exam, I marked every question I got wrong AND every question I got right but which I felt I fluked/didn’t fully understand. This gave me a nice condensed summary of my weak areas with explanations to study further, similar to highlighting the Eleventh Hour material. I would say Boson was my biggest study aid after the Official Study Guide.
My final study material was Cissprep.net. A week or so before the exam I started getting worried that I was concentrating too much on the technical side and not enough on the managerial side. After a bit of research into which exam sims phrased questions most like the actual exam (admittedly about 20 seconds of Googling…), I saw Cissprep recommended a number of times. $25 for 17 exam banks? Why not! Ah…save your money for some celebratory pints after you pass. These will make you feel unnecessarily worried about your preparation for the exam. I was averaging 40-50% on these. Sure, they reflect a certain amount of the ambiguity that is present in the real exam questions, but often that comes from the poor formatting and incorrect grammar, rather than being a real reflection of the exam question format. You might get value from these exams kicking you in the face and making you realise that the exam is NOT going to ask you polite questions like Boson, but I still think the Official Practice Tests are closer and should be enough to make you realise what to expect. Give Cissprep a miss.
And, of course, the obligatory Why you WILL pass the CISSP – CyberTrain.IT 10-min Series – YouTube. Apparently, if you don’t watch this video right before you sit the exam, Kelly herself descends from the cyber-heavens on wings of shredded SSDs, striking you down with mind-numbing anxiety, to the extent that you refuse to partake in the biometric registration process at the exam centre, citing data privacy concerns, and thereby forfeit your exam. It’s worth a watch and gets you sharp and in a good frame of mind, but it’s not a magic pill; you obviously still need to know your stuff.
I don’t have a whole lot to say about the experience itself. From a practical point of view it’s a very, very simple exam: all my questions were “choose one of four”, with no multiple-choice, no drag & drop, no exceptionally long questions or case studies, and no need for the calculator. There was one question with very suspect spelling/grammar, so I presume that was an experimental question.
I was surprised by how much time I had. Don’t rush the questions, especially the first 100. Pace yourself: for every single question you will have time to read the question, read the answers, re-read the question with the answers in mind, and still have time to consider the best option. For every question you feel like you’re spending an eternity on, you’ll come across a question you’ll breeze through in 10 seconds, so remember that it will average out. Don’t go in thinking you have 1 minute per question; you will put undue pressure on yourself on the questions that need more time than that to ponder.
The exam felt “easy” at the start. After the first 3 questions I was actually grinning to myself and began reflecting on which flavour of Monster I was going to get for the drive home. 10 questions later I was thinking of excuses to give to friends and which organ to sell to pay for the re-sit. But things seemed to even out as the exam went on. I finished at 100 questions after 90 minutes; I was 60% sure I had failed, so I was very happy to receive the printout with a pass.
If you are taking the exam, best of luck!