My CISSP Journey
On the 4th of October, I finally took and passed the CISSP exam after bumping it twice. Let’s talk about my experience in studying and taking this exam.
About 10 years' experience in the IT industry: helpdesk, retail (technology sales), web developer, systems administration, security analyst, security consultant.
- Bachelor’s degree in Network Security
- Diploma in Systems Administration
- Certificate IV in Database Administration
- CCNA Cyber Ops
I began studying for this exam as soon as I got the notification from Offensive Security that I had passed the OSCP. I was in Macau at the time on an engagement for work, and used the evenings to study some practice exams. This was in April this year.
Prior to this, one of the course modules for my Network Security degree pretty closely followed the CISSP curriculum and the instructor for this class was a CISSP, so I was familiar with most of the concepts already.
I tried to study as much as possible, but this isn’t a very fun exam to study for. I decided to book the exam for August to give me more motivation. As August got closer, I felt that I wouldn’t be ready for the exam, so I bumped it to September. Again, I knew I wasn’t prepared, so I bumped it to October 4th. This time I decided that I was definitely not going to pay the $50 USD to reschedule the exam again and told myself it was locked in. I ramped up my study and crammed during the final week.
- CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide – 7th Edition (2017)
I purchased this book for my Kindle back in 2017 as it was an optional book to supplement one of the course modules for my Network Security degree. Note that there is now an 8th Edition available, so you may as well get that.
This is the official book (commonly referred to as the Sybex Book) and as such, it covers the entire CISSP CBK in excruciating detail. The problem with this book is that it is incredibly dry. It tries not to be, with some anecdotes and attempts at some light humour, but there is only so much that can be done with the CISSP material, so this is a chore to get through. I tried to complete this book over 6 months but only ended up getting to 53%. After that, during my last few days before the exam, I went over the Chapter Reviews and Practice questions.
I do think that this book is a must – even if you’re not planning on reading the entire book, it’s a great resource to supplement other material as a reference on topics that you need to go deeper on.
The book also comes with access to the Wiley Test Bank questions (see below).
Link (note – get the latest version available): https://www.amazon.com/Certified-Information-Security-Professional-Official/dp/1119042712
- Simple CISSP Exam Guide – Phil Martin (Audio Book) (2018)
I picked this up as the only audio book I could find on the subject. I accidentally picked up the old version and, after listening to it twice (once at 1.5x speed and again at 1x speed during work commutes), I discovered the updated version for the new exam, used a free Audible credit and listened to most of it again.
As with the book, the material is extremely dry, but I think Phil does as good a job as possible. I probably only took in a fraction of this as I found it hard to focus on, but the important thing is that every time I was paying attention, I was either learning something new or reinforcing something I already knew.
I recommend this to anyone who commutes to work by car or is unable to read during their commute.
Link (new): https://www.audible.com/pd/Essential-CISSP-Exam-Guide-Updated-for-the-2018-CISSP-Body-of-Knowledge-Audiobook/B07JVVMBTF?pf_rd_p=ba4c82a7-7c50-42e3-8a6a-89ab98524e7a&pf_rd_r=HABJ96MESSDWN7P56FW8&ref=a_pd_Simple_c5_PN_1_2
- Essential CISSP Test Questions – Phil Martin (Audio Book) (2018)
I used one of my Audible credits to purchase this book after listening to the Simple CISSP Exam Guide (above). In this book, Phil reads out questions and then reads out the answer. There is no multiple choice. I personally didn’t get much out of it and probably only listened for 40 minutes in total, so I can’t recommend this style of learning unless you’re out of CISSP material to listen to on your commutes, and if you are, maybe just listen to Simple CISSP again.
- CISSP Study Guide – 3rd Edition – Eric Conrad (2015)
I purchased this book on Kindle and read a few chapters. It’s the latest version and unfortunately was published in 2015, so it does not reflect the latest version of the exam. The good news, however, is that none of the information in this book will contradict the exam, so everything you learn here will be valid. I got this book to see if I could read the entire thing before my exam but hadn’t left enough time for myself, despite it being significantly shorter than the Sybex Book.
- 11th Hour CISSP – Third Edition – Eric Conrad (2015)
This is another very heavily recommended book. I did read a bit of this book, but again, it was printed in 2015 so it may miss out on some of the new material. I actually think this is too shallow and found the Sybex Chapter Reviews to be more detailed but still shorter. If you believe that you already know the CBK very well and just need a few reminders, this may be helpful, but if you’re using this as your primary resource, I don’t think it will cover enough.
- Sunflower PDF
This document attempts to be a cheat sheet for the CBK. I think it would have been great for those who put it together. Everyone recommends this, so it might be good to read over and zero in on anything that you don’t know completely using the Sybex book.
- Boson Exams
I purchased the Boson Exams for the Boson Exam Engine. It costs $99 USD but you can usually get a discount coupon. Find /u/BosonMichael on Reddit and ask him if you can’t find it.
These exams are great – there are 5 exams with 150 questions each. Every question has detailed explanations as to why each answer is right or wrong, and points you to the section of the Sybex Book if you need to read more about it. Many people say that the questions are way too technical for the exam. I think my exam was pretty technical; however, either way, this is a great resource because you SHOULD understand all the concepts on a technical level anyway.
I did these exams sporadically during the 7 months or so that I was studying for the exam.
- Eric Conrad’s exams
These exams aren’t as well known as the Boson exams; however, I found them probably the most accurate to the exam. There are two exams and they are 250 questions each. This is because, as with all the other Eric Conrad material, they follow the old exam format. There are a few errors/duplicates in the second exam to watch out for.
The web application that runs the exam is very old and cumbersome, and you may need to loosen some security settings in your browser to make it work. Also, sometimes the entire website went down while I was taking the exam. I think these are very worthwhile exams to take to see where you are at.
From memory, if you get the answer wrong, it tells you why the wrong answers are wrong, but if you get the answer right, it just tells you that you’re right but not why.
Note: there are also some podcasts by Eric Conrad. I didn’t listen to them, but I tested and found that they still work. I found a very old blog post (2013) that details how you can download these podcasts to listen offline: http://certcircus.mintrix.net/2013/07/27/more-study-help/
- Wiley Test Bank
You get access to this test bank with the Sybex book. It’s a bit hard to actually find the link to get these for some reason. Anyway, the code comes inside the book somewhere towards the start. You can redeem it here: https://testbanks.wiley.com/WPDACE/Products
Note that while it says ‘Eighth Edition’, I used the code from my Seventh Edition and it worked.
The test bank has all of the Chapter Review questions plus a lot more (I think about 1300 all up).
- CISSP STUDY app
This is the official ISC2 app and I’m pretty sure most or all of these are from the same question bank as the Wiley Test Bank. It’s nice to have this on the go, but you have to pay for it again even if you have already purchased the book. I used this a lot on the bus and at other random times when I had a few minutes.
Link (Android): https://play.google.com/store/apps/details?id=com.learnzapp.wileycissp&hl=en
Link (iOS): https://apps.apple.com/us/app/official-isc-cissp-study/id1064359987
- Kelly Handerhan Cybrary CISSP Course
I’m sure that this video course is the single most recommended study resource for the CISSP. It’s great. Kelly is entertaining and does a good job of explaining most of the important concepts.
I first watched the old videos, I think recorded in 2015, and then I watched the ‘new’ 2018 videos later. I think I watched the new ones through nearly two times.
For some reason the Cybrary app seems to have disappeared from the Play Store. I think it’s because when I tried using it, it was really buggy and for some reason I could only find the old video course. I could only watch from my PC.
For some reason, both were free to watch.
- CBT Nuggets
I got a one-month subscription to CBT Nuggets to access their CISSP course, as I’ve used them when studying CCNA/CCNP material previously for my degree and found the videos to be great. However, for CISSP, they are nowhere near in-depth enough. I would not recommend these videos at all.
- ITDoJo Question Of The Day – CISSP
I watched a decent number of these and found them to be pretty good at giving a deep dive into explaining the answers to questions.
- Why you WILL Pass (CISSP Mindset)
This is a highly recommended video about the mindset you should have when taking the CISSP exam. I suggest watching it, as it probably saved me during the exam.
I booked my exam for 4PM on a Friday, so that I could have a drink afterwards either way. I had the day off work because I was quite sick the entire week, so I spent most of the week hating life while cramming. I actually learned a few things that assisted me in the exam while on the bus to the exam centre, because I was targeting a few things I hadn’t looked into previously.
I got to the exam centre about 40 minutes early. After being signed in, the lady asked me if I wanted to start early. I was happy to start and get it over with. After being led to the exam computer, I used the ear plugs to drown out noises from other people taking exams. After starting the exam, I was unsure how I was going to do. I kept remembering the “think like a manager”, “big picture”, and “end game” mindset that everyone talks about, and there were many times where I very reluctantly chose an answer based on this thinking rather than a seemingly more straightforward answer.
My exam was actually quite technical, and it definitely helped to have delved quite deep into some of the subjects.
I also used the CAT format to my advantage – I knew that if I got a question wrong, I would get drilled on it. With one question where I was torn between two answers, I encountered a similar question later in the exam and decided that I mustn’t have answered correctly the first time. Others may be able to leverage this as well.
At no point during the exam did I feel like I was killing it. Just about every question I narrowed down to two answers, and you could easily make a good argument for either of them being correct. I felt like I was arguing semantics with myself, and answered many questions the way I felt ISC2 wanted me to answer them rather than what may more accurately align with my experience or expectations.
The exam stopped after 100 questions with probably about 30 or 40 minutes to go. I had budgeted my time for 150 and was surprised. My first thought was that I must have failed. I waited silently to be led out of the exam room, but no one came to get me, so I left the room and the exam centre people let me go and get my things out of the locker while one of them went to get the printout. I wasn’t sure how to feel at this point while I waited for the results. I had heard that if you’re handed one piece of paper, you have passed, and if you’re handed two pieces of paper, you’ve failed. I heard the exam centre staff member approaching with what I can only describe as simply the sound of one piece of paper. He handed it to me and I quickly scanned the page, seeing the message that I had passed. The exam centre team congratulated me and I left extremely relieved.
My study was all over the place; I used just about all of the materials listed above in parallel rather than in any set order. It may make sense to work out a study plan similar to the following:
- Read the Sybex Book, taking the chapter exams at the end of each chapter (use the online exam engine if you wish).
- Complete the additional exams from the Wiley Test Bank. Make a list of all questions you got wrong and read the paragraph/section of that topic in the Sybex book.
- Watch the Kelly Handerhan video course.
- Take each of the Boson exams, reading the explanations for all questions you get wrong.
- Read the 11th Hour CISSP book leading up to the exam.
- Take both Eric Conrad’s practice exams (500 questions) and make a note of what you get wrong, then read about that topic in the Sybex book.
- Watch Kelly’s ‘Why you WILL pass the CISSP’ video.
- Take the exam.
If you stuck to this, you would have read the most detailed book, read the briefest book as a refresher (because it takes so long to get through the Sybex book), watched the best video course, where Kelly explains everything to you in a much easier-to-digest way, and completed about 2500 exam questions.
As soon as I walked out of the exam centre, I started thinking about what to do next.
CISM? – My understanding is that there is a decent amount of overlap between CISSP and CISM, so it may make sense to pursue this certification next while my CISSP study is still fresh. I’ve started putting some study material together already, starting with Phil Martin’s Essential CISM audio book.
Security+? – This exam shouldn’t be too much trouble to get and might not do much for my career, but it might be nice to focus on an easier certification after passing the OSCP and CISSP this year.
CCNA Route and Switch? – It would be good to add a networking certification to my CV, and I could probably achieve this within a few months without too much effort.
PMP/CAPM/Project+? – I’ve slowly started studying the PMBOK and plan on adding a project management certification to my resume at some point.
Focus on my own projects for a while? – There are plenty of other projects I’d love to get time to work on, such as a Cuckoo sandbox that I have pretty much working but which needs a lot more before it’s stable. It would be nice to have a break from all the studying over the past four years as well.