I have 5 years' experience as a systems administrator. That's covered everything from network devices, to incident response, to BCP/DR, to building security systems. Prior to that I was a hedge fund auditor and a legal editor, so I had experience across all the domains and fields of knowledge necessary. I recently took the AWS Security Specialty, and I certainly think there is overlap between the two exams.
I started studying in January. I had planned to take the exam in March until COVID-19 hit and Ireland went into lockdown. I ended up sick for 80+ days with coronavirus and complications, so I restarted my study 14 days before the exam. I was still in a fair bit of pain.

The evening before the exam in June, my doctor told me to go to the Emergency Department to check my heart, where they diagnosed me with pericarditis as a result of coronavirus. I still did the exam the next day, where I passed at 100 questions in 90 minutes. This is not a hard exam if you approach it correctly and you keep your nerve. I recommend a month or two to cover the material more generally, then sprint for 2 weeks before you take the exam. You will never know everything and it's possible to overstudy and lose your nerve. If I can do it after 80 days of coronavirus symptoms and a night in hospital, you can too!
A lot of people say the CISSP is a mile wide, an inch deep. I'd say it's more T-shaped: you must understand risk management and its implications for the CIA/DAD triangle in Domain 1. These underpin everything in the exam. It's the ring of power that binds the others. It's not an exam you can brute force: there's a degree of judgement you need to pass. There are questions that test your judgement: you'll get 4 "correct" answers and be asked what's best per requirements. The correct frame of mind for that is a risk-averse advisor who checks with management if it's OK to proceed. But you still need to know the concepts, as they will rephrase anything they can to test your understanding.
I felt the CISSP has many "words of art", or specific domain language. Ensure you know the difference between certify/accredit and due care/due diligence, and other similar sets of concepts like the ones for access control (RBAC, RuBAC, etc.). You will likely be tested on these.
My strategy for learning material is telling yourself a story. Relate concepts in fiction or your life to the domains and material. I was watching Better Call Saul, noting where Mike (a police officer turned hitman) planned well, analysed risk and advised allies to come out on top against superior foes. For my notes, I gradually boil down my different sources until I have summaries of the material in my own words. I believe that's essential if you're to truly apply the material.
I also use spaced repetition on paper flashcards for important concepts (paper drills stuff into my brain better) and test myself on topics I am weak on. This works well for crypto and regulations.
The Discord channel is very useful too, a great way to learn stuff you'd otherwise never know and get perspectives you don't get in a book. For the same reason, I recommend learning languages in the pub and not the classroom!
Be fair to your wife/husband/dog/whatever – they’ll support you throughout and will be willing to talk about the CISSP stuff if you do.
Study smart, not hard. That goes double if you’re married and working full time.
I listened to Kelly Handerhan's videos on Cybrary. Kelly is easy listening, and she really gets you into the mindset. If there was something unfamiliar, I'd read along with the slides. This gave me my foundation. I went through her lectures twice, once to get a feel, the next to take notes. Kelly is great at flagging exam-worthy material and mindset items. This took me up to the end of February. In May, I listened to her MP3s as the videos were now behind a paywall. They are just as good, maybe a little drier. Listening to Kelly settles my nerves – I imagined we were going for a beer after the exam to keep cool.
I read the Sunflower guide once. It’s good condensed material, but it’s not a primary source.
I half-read Memory Palace, can’t comment on it.
11th Hour Study Guide was pretty good, covers things Kelly doesn’t while still being brief. It’ll get you 75% of the way to passing I think. This was my most used resource.
Boson CISSP questions are a great learning tool, but don't do the exams more than once, as you'll memorize the answers too easily. I was scoring around 70% when I was learning material. I did one test 10 days out and scored 83%. I felt Boson's more complex questions were similar to the exam material, and some of their straightforward technical questions with only one right answer were also similar to what was on the exam. I don't think Boson scores will reflect your CISSP exam, but I would at least be scoring 70% so you can claim the money-back guarantee on the Boson exams if you fail.
My notes: 50 A4 pages distilled from Kelly Handerhan's lectures and the Boson explanations. Some things you know, some things you don't. It's the things you don't know that will catch you out. I have no notes from Domain 4, but extensive notes for Domain 8, for example. Making your own notes is the key to passing. Ensure you leave space in the margins to link concepts and "illuminate" your notes with small technical diagrams of key exchanges or fun drawings as you review them. A drawing of your wrist strap from the "Kerberos carnival" will tell you the story of authentication better than bullet points.
These questions were very helpful to understand the method the exam uses to create questions. ISC2 are not looking for rote memorization, but the ability to synthesize from two or more domains when you answer: https://community.isc2.org/t5/Certifications/CISSP-questions/td-p/18626
I also recommend the Plan-Do-Check-Act model as a framework for the BCP and SDLC processes on the exam. It's best to understand and apply the concepts that underpin the processes rather than memorizing the steps for different models.
Mindset, mindset, mindset! Maintain your timing on questions – keep moving, make a call. Be prepared to do 150 questions. If you feel like you’re failing, that’s good. The CAT is throwing hard stuff because you are worthy. Keep going.
Larry’s Spock/Kirk method is very helpful. I recommend extending it by actually writing down the question numbers from 1-150 in the 5 minutes you have to read and sign the NDA and having A B C D in a row. Then you can cross off incorrect answers with Spock and pick what your gut tells you for the remainder: