This is kind of long – sorry. Firstly, about the test, as I realize this is what everyone wants to know about the most. My whole experience in front of the screen was about 90-120 min total. I was nervous pressing the submit button on the 100th Q and sort of surprised when it ended there. I felt OK about ½ of the questions… but was not very confident in most of them. Many questions I could eliminate at least one obvious wrong and sometimes two — but it really is figuring out what answer is best, and that is the art of the whole thing. My test-taking experience really wasn’t much different than what most others describe. Strange wordings in the scenarios and the answer choices.
About how I got to this point:
This has been an arduous journey for me – but one I regret not making sooner. My background: I have ~20 years experience of pre-sales technical consulting/sales support for a company that sells and implements hardware and software that processes operational data. This is not a requirement for my work – but I frequently have high-level conversations about security with customers about our products. I like to talk the talk and have always been interested in security, social engineering, and tech. There is lots of talk in my industry (especially by me) about being a “trusted advisor”… and when I learned about this cert, I was interested but intimidated (I’ve read multiple stories of folks failing 5/6/7 times before passing, yikes!)
Anyway, it’s important to me that my customers know they are dealing with someone who has earned the right to be taken seriously and who is worthy of their attention and can provide assurance and ethical consultation. Larry Greenblatt describes it as Jedi Knight stuff… sold. I have no certifications. For what I do – it’s not a requirement. And this is not an entry-level cert. So why would someone do this to themselves if they didn’t have to? Lots of people looking for this are trying to get a job or need it as their employer requires it. I don’t aspire to be a CISO – but I do aspire to be respected by CISOs, so here I am. Plus — one thing I like to say is that “anybody can do easy”.
Eventually, I concluded the CISSP is the equivalent of a “certified trusted advisor”. So, after much procrastinating and hemming and hawing, I started down this path about two years ago and decided I wanted the challenge and the bling and bragging and associated pride and respect — but primarily self-respect. The test itself is not like any practice tests you’ll see (which you should already know).
Although Larry G’s questions come close, because they are obfuscated in a way that you have to really focus to determine what is actually being asked and what the answers mean. You cannot memorize lists or tables and pass — you will need the understanding to apply the knowledge correctly.
Since then, I have consumed quite a bit of content. Here is the list and description of what I used to prepare in no
- Shon Harris AIO
  - Very comprehensive and probably more detail than you need to pass the exam. Gets into the “how” of things. For example, one thing that sticks out in my memory is they provide a very deep dive on TPMs that goes beyond what a CISSP candidate would need to know. Not a bad thing, but could be more than you need.
  - This is endorsed by ISC2 – enough said. You are doing yourself a disservice if you don’t read this book cover to cover at least once.
- Sybex CISSP Practice Exams
  - Get this. It says ISC2 on it — just get it and go through them all and read the explanations.
- Wiley Test engine
  - Comes with your Sybex book. I went through them all.
- Eric Conrad CISSP
  - This is the book that Evan Francen teaches from. It is pretty concise and positions itself as only what you need to pass. I liked it and have gone back to it on occasion.
- LinkedIn Pro CISSP class with Mike Chapple
  - Mike gave some great visuals about using web proxies and doing SQL injections that really helped things sink in. To me Mike Chapple embodies the prototypical CISSP: he has some impressive chops, credentials, and pedigree – extremely professional. He really is a trusted advisor; he is quoted in the news and SM on infosec matters.
- FR Secure free boot camp on YouTube (2019 and 2020)
  - Evan Francen and his team are out of the Minneapolis area and really seem like cool relatable dudes. Evan is a very admirable guy and very “salt of the earth”. He has a lot of interesting stories. He has definitely walked the walk and still does… He has been in the trenches and seen things in the real world that make for some very compelling anecdotes.
- 11th Hour
  - This is Cliff’s Notes basically. Read through it but would not give it a great recommendation. Would never be sufficient as your main source.
- Simple CISSP by Phil Martin audiobook
  - Got this free on Audible.
  - I like to take long walks and would listen to this as I did so. Guy has a soothing Texas drawl; good stuff. There is a companion audiobook for questions which I didn’t do much with.
- Larry G weeklong boot camp (prerecorded session)
  - Larry definitely knows his stuff and is entertaining. Lots of fun personal asides and war stories. He is quite liberal with exam strategies as well. Highly recommended.
- Larry G live personal session
  - His questions are probably closest to what the exam entails and I did appreciate the time reviewing with him.
- Kelly H Cybrary Bootcamp
  - Used this when it was free and it was awesome.
  - Highly valuable and recommended. Such a cool lady and has a good way of telling you what’s important and what’s not.
- Shon Harris MP3 audio files
  - Freely available.
  - A bit monotone and dry — you will not get this confused with a podcast. Shon is a pioneer in this field and is a hero. RIP Shon – such a loss that she is gone.
- McGraw Hill CISSP practice tests
  - Great stuff – and free; aligns to the 10 domains – but it’s all the same content.
- Study Notes and Theory subscription
  - Luke has some great videos; I maybe should have started these later on. He does a good job of relating it back to the big picture and reminds you that just knowing nuts and bolts is not enough.
- Adam G QotD on Twitter and LI
  - Great content here – an easy way to keep stuff in front of the mind and stay active with concepts. I think I will go there every day as long as Adam posts stuff there. I would really like to shake his hand someday. I can hear his voice telling me to ANSWER THE QUESTION ASKED – NOT THE ONE YOU WANT TO ANSWER.
- ITPROTV subscription
  - Very professional. Adam G is a treasure and wealth of knowledge and extremely generous with his time. He is doing his part and then some to advance the profession. There are two levels of subscription, basic and pro. I switched to Pro because that one gives you access to the Kaplan test engine – which is a great resource. I went through the 2018 accelerated CISSP twice. I would describe it mainly as Adam giving you his take on all the CISSP vocab terms. I would’ve liked more examples to complement the definitions and explanations. I did not use the “Full” CISSP course — which clocks in at > 80 hours IIRC. That, of course, does go deeper.
- Boson test engine
  - I did OK with this, scoring in the mid-70s to mid-80s generally. Kind of technical but gives a good explanation of why the right answer is right and why the wrong answers are not. These test your knowledge but not your ability to apply your understanding.
- MFD Labs (YouTube)
  - This is a must. I have no clue who this guy is but he is a pro and he has an excellent presentation style and really knows his stuff. Very thorough and links to the why. The downside is that it is all monetized on YouTube – so there are ads. Maybe buying YT pro would get rid of that — but this is excellent. I would guess there might be 50 hours of content here. If this was available offline and indexed/searchable it would be perfect.
- There are two Discord servers that focus on CISSP. One called Certification Station has lots of cert focuses. The feedback and interaction from other CISSP candidates here is really awesome. It keeps me in check and allows you to explain concepts to other students who are asking for clarity — which helped me solidify some concepts.
  - There might be some bad vibes between the operators of the respective servers for whatever reasons; kind of interesting – perhaps there will be a rap diss track dropped one of these days. But if you are reading this and have not gotten on one yet – the best advice is to probably not refer to one when on the other. I appreciate and respect both for what they are and what they represent – a forum to share, help, and get help – and regardless of the personal stuff – there is access to good quality content for free on both. People are giving back.
- IT Dojo YouTube
  - Colin Weaver is a champ. I would love to shake his hand someday. I don’t think he’s put new content out there recently — but watch all his vids — you’ll be glad you did.
- Study Notes and Theory subscription
  - I did this for like 3 or 4 months. Luke does a great job of giving you the big picture and understanding the why. He has some wickedly hard tests that are frustrating as heck. I think the best I ever did on one was 70 once. Lots of 50s and 60s and a 40 — oof. But read the explanations. This is not free. Watched all his videos multiple times.
- Adam G Zoom sessions
  - Loved them as they are interactive – he responds to chats live.
- ISC2 overview course
  - This is great stuff. Very high quality. If I could do it all again and start over knowing what I know now, I would probably advocate for buying the self-paced ISC2 class and the Sybex. These are the people that write the exam after all.
- Rob Witcher – Destination Certification (YouTube channel)
  - Rob knows what he’s talking about for sure. His mind-map videos are very high quality with excellent production values. It is a great review and the look and quality of the content rivals some of the paid stuff – easily one of the best-looking CISSP review places there is. Standouts for me are the Kerberos flow and Client Hello/TLS handshake videos. Watch these for sure.
- Sunflower PDF
  - Didn’t really use this much at all. When I first got started – I thought this might be enough… wrong. I think this was more of a thing a while back.
- Cert Mike cheat sheet
  - I bought it but didn’t really use it; very high level. Mike Chapple, so why not.
- CISSP ISC2 Official Training Guide
  - I got this from a friend that attended an in-person ISC2 CISSP training class. The guide itself has all the right stuff but it just isn’t very user friendly at all. Typos and formatting issues abound.
- CISSP ISC2 Flash Cards
  - The same source as above; more valuable. Pre-printed cards. What might be more valuable is creating your own.
- ISC2 apps
- Pocket Prep app
- CISSP Practice Questions app
- CISSP Security apps
  - ISC2 apps are the best of the bunch (Pocket Prep 2nd). I would do these whenever I had some downtime.
I’ve heard very good things about Thor Teaches Udemy and CCCure — but as you can see from the above — I already had too much on my plate so just didn’t get to them. I’ve seen some write-ups here where the author looks at time value. If you can buckle down and get the mindset right in 4 mos., well, then you have a much better ROI than what I have to show for. Best to you and your studies… hope you can accomplish your goal with less effort than I expended. This has basically been a part-time job for the last 2 years while maintaining a full-time job. I intend to hang around on Discord and stay involved and hopefully contribute meaningfully. If any of you ever end up joining the ISC2 Chicago chapter, please message me.