I studied SSCP for 2 weeks, and passed about a month ago. Have been in the IT industry for more than a decade. Mainly playing the “senior management” role / risk advisor to clients and internal projects when it comes to the security aspect. Lots of experience with software development, project management, consulting.
- 2 weeks of videos – Adam’s Accelerated CISSP course (thank you Mountain Sherpa @ThatCisspGuy)
- 2 weeks of practice and note-taking… in chronological order…
- ITProTV ~850 questions (scored ~80%)
- Boson ~750 questions (scored 80% – 85%)
- McGraw-Hill (WHAT?! FLASH PLAYER?!) for 5 domains (~90% for most domains, 69% for one of them)
- Lots of discussions on the Discord channel (especially with @L0st1nC0d3 explaining D4 stuff)
- Detailed dive into 11th Hour D3 with @morticcio and @JokeySmurf
- Skimmed through Sunflower notes and SNT Process Guide
Made a lot of notes using content from the sources above.
The Big Day - Taking the test
- Mentally prepared to fail. People advise against it. It works for me. Expect the worst, hope for the best.
- Delayed by an hour before I could enter
- First few questions were doable, with straightforward answers. Calmed my nerves.
- Planned to go for a break at 110 questions (expecting the worst again)
- Most of the first 40 questions were relatively low-level. Short questions, mostly easy pickings. Averaged 15-20 seconds on a question, moved on.
- Most of the next 40 questions were tougher. Longer questions, options needed to be thought through. I could only eliminate 1 out of 4 in most cases. They mainly seemed “all possible” or “all wrong”. Didn’t spend more than 2 minutes on a question. Picked one that seemed the most correct, hoped for the best, moved on.
- Last 20 questions became easier again. Last 5 questions were particularly straightforward for me. I knew that I got them correct, so when it ended at 100, I knew I passed.
- Completed in 60 minutes, which means about 36 seconds per question on average. I tried taking longer but was really confident in most of the answers. Different for each person. Don’t attempt, it’s not a contest.
- About 90% of the questions I had were process-centric. It’s important to know the “why” and “how” of the core concepts, not just the “what”. This applies especially to the ones you know almost for sure are going to come up because they’re so core to CISSP.
- Almost none of the “technical” knowledge that I had studied really hard for was even remotely relevant – but that’s my experience. It doesn’t mean this will happen to you too.
- About 10% of the questions touched on terminology I was unfamiliar with. I noticed this with SSCP too.
- As reflected by most others, the questions were mostly very clear on what they wanted (I had my doubts on my understanding of 1 or 2 questions) and they were not there to trick you.
- My (and many others’) most feared domain… I had 2 tough questions in Domain 4, then very little else on it afterwards. It demonstrated to me again the importance of understanding “why” and “how” rather than “what”. Most of what I assumed to be “basic concepts” from this domain weren’t even tested.
- I feel like if I took the exam a week ago, I would’ve given the same answers that I gave today.
- “Mile Wide, Inch Deep” applies to all concepts, except what I assumed to be the “basic concepts” of each domain. For those, I personally recommend that you “Dig Deep”.
Q & A
Q: What helped the most?
A: Creating my own notes. I **HIGHLY encourage** you to do it too. Not just highlight and copy/paste. Distilling them into the form you see there required an understanding of “how” and “why”, which I fortunately picked up. If I had to study for this again and take more notes, I’d go even deeper into the “how” and “why” of the **basic** concepts (READ: NOT every topic). All you great folk in this channel helped immensely as well – it’s where I honed the mindset to dissect a question in the way that it needs to be. All the practice turned out to be invaluable.
Q: Which set of practice papers would you recommend?
A: Honestly, there was none that was consistent with what I experienced. So there are 2 things that they can be used for… to help you dissect questions to understand the mindset, and to identify the weak areas. I thought that the ones I used were sufficient.
Q: How did you find 11th hour / sunflower notes?
A: They didn’t help me as much. Doesn’t mean they won’t help you. I found my own notes better because they were made and tailored for me.
Q: Did SSCP help?
A: In terms of understanding some concepts before I even started studying for CISSP, yes. In terms of answering the types of questions on the CISSP exam, not really.
Q: How different was SSCP from CISSP?
A: SSCP had a lot more technical questions. It was a more direct application from the distilled notes to answering the questions. CISSP was a lot less of that and a lot more of indirect applications. If I were to quantify it, I’d say that with any instructional + only the details in my notes (not the process of creating it, but just referencing it), I’d score very high in SSCP. With the same context (instructional + referencing the notes), I’m not sure I would pass.
Q: Your recommendations seem to be different from some of the others. Should I listen to yours?
A: Absolutely not. My experience was based on ONE test of 100 questions. It doesn’t validate my knowledge of CISSP, nor does it validate all my knowledge on the topics in CISSP. The domains are wide, the question bank is huge. Be as prepared as you can be.
Conclusion - Recommendations
As everyone has said, your role is a risk advisor, not a technician.
We often hear “Mile Wide, Inch Deep” for CISSP, but I would like to add – FOR BASIC TOPICS, DIG DEEP.
It’s important to understand the “process” for basic topics – the “why” and “how”.
Using the example of a SIEM (which is NOT a basic topic in CISSP), you know what it is, but…
- When do you need it?
- Let’s say you decide that you need it, how is that decision made? Qualitatively? Quantitatively? Why?
- Who would be the one usually spotting that it’s needed and recommending so? Who makes the decision? Why?
- Who will be operating it? What kind of access controls are required? How are they defined? What are the steps involved? Why?
- Who will be auditing it? Should it be internal or external? What are the benefits / disadvantages of each?
- How does this fit into Continuous Monitoring efforts? Who will be creating the relevant policies for it? Why?
- Who will be implementing them? What are the steps to doing so? Who approves / certifies / accredits that and when? Why?
- What are the potential supply chain issues with it? Who evaluates them? How are they evaluated? Why?
- When are the risks of implementation evaluated? Who evaluates them? How are they evaluated? Why?
- Where does it get implemented in the architecture? What are the advantages / disadvantages?
- What could be the security-related issues with it? How are they mitigated?
- What are the privacy-related issues with it? Which clauses in the GDPR / other laws? How are they mitigated?
Apply this style of questioning to the basic topics, and you get CISSP questions that kill.
Adam Gordon constantly suggests – Answer what the question asks, not what you THINK it’s asking. Nothing else exists outside the context of the question.
Kelly Handerhan suggests – think of the end game. Which option demonstrates the ultimate purpose?
Larry Greenblatt suggests – let Captain Kirk and Spock decide. What answers can be eliminated? Which answer is more likely?
Don’t struggle with too many practice questions. Focus more on the understanding of the topics and analysis process of the options.
A note from the editors
Hi Lance, congratulations on passing the exam, sharing your thoughts with us, and being a very valuable and highly respected asset to our community!
We hope that this community will also help others in achieving the Gold Standard of Information Security Professionalism. I’m glad that the Discord discussions everyone took part in helped you pass.
Keep up the good work!