Disclaimer: This is an opinion piece from my personal perspective. I advise candidates to read other strategy guides and come to their own conclusions. I will not be held personally liable or responsible for exam fails. Reader-beware and perform your own research and exercise due diligence in your preparation.
What is CISSP?
So hopefully people have already done their homework on this part before reading this post but just in case….
From the ISC2 website (Source: CISSP| (ISC)² ), CISSP is described as “the world’s premier cybersecurity certification”. While there are several cybersecurity certification out there, CISSP is certainly a well-recognised and respected certification. Different views exist on the most appropriate certification for individuals, there is a common view that for those who work or wish to pursue management roles in cybersecurity that ISC2 CISSP is an appropriate certification. The certification is not just restricted to those working in management roles, and the ISC2 website gives information related to those roles that could benefit from CISSP certification.
I’m hoping that these tips help new and repeat players to the CISSP exam. In this article I will present my strategy and whether it works for you will depend on your background, capabilities and experience. Thankfully there are multiple articles out there related to CISSP preparation and I would encourage you to read many blogs/articles that you can. In this way, you will be able to refine your own strategy and approach to the exam.
The one caveat (in my opinion) is that there are no short-cuts for this exam and a degree of effort will be required. There will be those with strong cybersecurity knowledge with potential to breeze through the exam with limited prep time. However, be aware that this exam has the potential to catch even seasoned professionals out. Read the book (even skim read) and check practice questions first even if you are very experienced would be my advice. This will ensure that you at least know what you are up against.
I’m not working in cybersecurity full-time and don’t claim to be an expert. I have passed the exam and had foundational learning prior to attempting CISSP from my IT degree, professional studies and other learning. I have done quite a few different tech certificates and would encourage people to get experience doing this to help prepare for sitting the CISSP exam. I don’t restrict myself to doing top-tier certifications only and I think any practice represents good practice (as long as the knowledge/information is sound).
I did this exam prior to the most recent refresh. Having reviewed some of the updates, the following advice still stands. The only exception to this is the books I used (you’ll benefit from latest refresh) and the analysis tables from official book (which I suspect is close enough)
Passing score and other related information (taken from https://www.linkedin.com/pulse/my-cissp-examstrategy-prep-tips-derek-buchanan)
To pass the CISSP you need a score between 700–1000. Pass rates are not published, but according to speculative sources <= 50%. The exam is described by some sources as having an adaptive mechanism whereby with each correct answer you will get more difficult questions and if you miss questions then you will get easier questions. A large question bank ensures that you shouldn’t have the same questions at successive sittings.
Keep in mind the following:
- if you are tracking between 700–1000 (likely much higher than 700) at 100 question mark that it is probable that you will finish early and pass the exam
- if you are on a trajectory that means that >700 is still achievable you will have 50 more potential questions to pass (unless see below)
- if the trajectory means that you are unlikely to achieve 700 (e.g. you are sitting on 500 with no possibility of higher score) then the exam will finish early and you will need to re-sit at a later point. This can occur at any time (e.g. could be question 70 or question 124).
Here is a link to ISC2 FAQ re: exam scoring that is the official source — Exam Scoring FAQs | (ISC)² (isc2.org)
This is a tough exam due to it’s breadth. Spend time formulating a strategy that works for you and spend enough time to study. A week for most people won’t suffice and often people will spend 6 months studying for this exam. Shorter time frames are possible but reliant on background knowledge.
My CISSP Exam Strategy
I had a relatively short preparation time frame (for myself) and sat this exam a little over 2.5 months. Ideally, I would recommend taking your time as opposed to cramming this exam. If you have 6 months where you can study intensely (rather than super intensely) I think is way better.
Strategy was quite simple in the end:
- use every available moment to study (that I wasn’t doing anything else), start with a chapter a day (where possible) — some chapters took few days and some a week due to other busyness. Many days awake till 2–3 am then wake at 6am then goto work
- Do practice tests once finished reading book (ended up being very close only 2 weeks) and do as many questions as possible, look at explanations/reasons and read any material I didn’t understand
If I had more time I would have read the official course book 3 times, but only had enough time for once.
- I had several connections who had done CISSP and I reached out to ask some questions (recommendations on books/courses etc). I have self-funded — so didn’t have $$$$ to spend on boot camps etc.
- There were people also who posted their CISSP exam completion — I connected with those who posted tips and messaged me for their recommendations. These people had a longer prep phase (6 months), which in retrospect would have made me better prepared/confident.
- Initially I tried to do online courses, including through Cybrary, but quickly realised that I needed to know far more detail. If you have time and money then maybe use Cybrary. They had a really good course that I trialed when they were running a ?1 week promo.
- An important tip was to do lots of practice tests after reading the book. Probably for the last 2 weeks I was doing between 200–400 questions / day. I would read around questions/areas that I was uncertain/forgotten. I would have liked to do more but work a super busy job and finishing up post-grad studies (with assignments) and other stuff
- The main book that I would recommend really is the official Sybex CISSP study guide. Some people don’t recommend (plus it’s 1000 pages), but to be honest, a lot of the detail is there already. It’s got a weird set-up where modules are combined for chapters and some material sooner/later. There is no escaping covering all material (and extra) from this book.
- Other books that I used were 11th Hour CISSP and CISSP for dummies. I used the CISSP for dummies book just as an alternate source to cover topics I didn’t quite get (e.g. Bell La Puda / Biba / Clark-Wilson models and orange book)
- Test books included CISSP practice exams by Harris & Ham. Official Practice tests from Chapple and Seidl. Boson was the other source. (link to Boson — Network Simulator — IT Practice Exams — Training | Boson)
- I also had this course and practice tests from Mohamed Atef. He gave some helpful tips and prep content — https://infosec4tc.teachable.com/p/the-ultimate-information-security-certificates-bundle/
- The CISSP sunflower was the item that was recommended from the course teacher. This was probably one of the more valuable resources. Sunflower-CISSP.com
- Last points to mention is that I had good knowledge from teachers at university covering general concepts and an excellent paper on network/security and privacy with hands-on couple of years back at uni. Recently completing certificates for Alibaba and Microsoft and other professional certs for the last year also lessened the gap if that helps. Keep in mind that you may have your own experience that lessens or increases the gap.
Note: this is from pre-May 2018 for Official CISSP study guide but likely that it still applies. I think this is a good way to think about prepping from the book.
A suggested order for the book by domain is: 5,6,8,2,4,1,7
I have provided 2 tables that give an idea of domain cover and number of pages. I would suggest that you run your own math on the latest edition but to me, this is one of the most logical ways to understand which domains are the highest point scoring first.
A Deeper Dive!
A Deeper Dive!
CISSP exam adages
- “A Mile-Wide and an Inch-Deep”
The ISC2 CISSP exam is recognised as an exam that can be incredibly challenging dependent on experience and background.
The exam is sometimes referred to in some social media commentary as being “a mile-wide and an inch-deep”. In reality, the exam certainly requires broad coverage of many cybersecurity topics and whether the exam could be considered “an inch-deep” would be dependent on your background knowledge and perspective. In my opinion, all exams should be treated with respect and learning only “inch-deep” could lead to trouble. A safe path is to learn the material well and to know as much as you can in any specific area. Being over-prepared will help you in the long run, and better to know that you’ve tried your best, rather than being under-prepared (and potentially missing the exam)…
2. Think like a Manager!
It is worth stating that some non-ISC2 sources suggest taking a “management” rather than “technician” view to answering exam questions (e.g. think like a manager). I suspect you’ll need both views (leaning more toward management view).
Therefore you’ll need to perform a balancing act. When faced with management-flavored questions you’ll need to flip into this type of thinking to answer the questions. The pure technical questions, you’ll need to adopt this approach. See my suggestion further below around management vs. technical thinking.
A suggestion for prep — talk to your colleagues:
If you’re pure management (and non-tech)— it would be worthwhile to check thinking on technical questions with technical colleagues (e.g. what’s a good way to understand OSI model or vulnerability assessment/pen test etc)
If you’re pure technical (and non-managment) — it would be worthwhile to check on management colleagues on the management type sections/questions (e.g. what’s the thinking around disaster recover or business continuity
Following on from this general theme, I’d suggest to develop both management and technical perspectives (dualism in thinking) to work out the right answer. Aligned with this is to take a pause at the start of each question (not too long though) to actually consider — what is the question really asking?
This will ensure that you “respond” rather than “react”. It will ensure that you don’t rush in and put in the first answer that comes to mind as there will be those questions that could catch you out. There are those questions that are straight-forward but also those questions that require critical thinking in the exam. So make sure that you don’t rush in and miss an answer that if you’d taken your time then you would have answered correctly.
Quote from Viktor E Frankl about responding (vs. reacting)
“Between stimulus and response there is a space. In that space is our power to choose our response. In our response lies our growth and our freedom.”
- Striking the right balance for timing with study prep
So a challenge for this exam is remembering and retaining all the “mile-wide” content for the exam. Cramming is not ideal, but to a certain extent is needed. There is a huge amount of knowledge to retain and if your timeframe is too long then you may find that you’ll begin to haemorrhage some of the key details. You need just the amount of tension that you’ll be stressed enough that you’ll have attention to detail while allowing your pacing to change between slow running and sprinting (back and forth). Don’t run at this one for too long either as you may find yourself subject to burnout.
If you’ve watched the Olympics, I’d suggest that an appropriate way to prep for this exam being best analogous to the 10,000m runners. You want to have a timeframe that isn’t too far that you never leave the start line, you need to have a fast pace that you can maintain with a fast sprint at the end. For the average person (I think I fall into this category) you don’t want to be sprinting from start to finish like I did — it’s not healthy and this is about winning the race without wrecking you life in the process…
So with a reflection on the ‘sprint’ approach (not recommended) that I did is the following:
For 2.5 months I spent every waking moment (when not working) studying for the CISSP. I’ve got a busy life already and this prep was on top of full-time+ work. I wear a few different hats and for me getting ready for my work day starts at around 7am and could finish on a good day at 8pm or >11pm on a bad one. If I had a 15 minute break at work I’d read or find practice questions to do. When my work finished this is when study would begin and I would study until 2–3am every day — leaving <4 hours for sleep. It’s not good and I wouldn’t recommend…. but if you were super time constrained then it can be done. Even though I was turning up to work and doing stuff, CISSP remained my main priority to complete.
2. Use more than one resource but don’t use every resource
This is my opinion. You can end up getting way too many books/courses and not doing them. Part of the critical thinking required is that you can work out what books/courses that you need.
Keep in mind, that what works for others may not work for you. Keep in mind that what you are being assessed on for the exam is an ability to answer questions correctly. While CISSP more broadly isn’t the exam, for the examination it does relate to the exam questions.
Knowing yourself is also very important as I’ll attempt to explain’
Quote from Sun Tzu’s Art of War (translation)
“Know yourself, know your opponent. Fight 100 battles, win 100 battles.”
So the above is a very loose translation from the book. Importantly if you know yourself and your learning style then I think you may do better for this exam. If you are more of a visual learner then try and use more visual resources (but don’t neglect reading). If you are more a reader — then focus more towards reading resources. Match your study to your learning style and have the right amount of resources that CISSP study doesn’t feel like an impossible task.
3. Practice tests/exams
Ok — so this is a super important one in my opinion. Do practice tests at the same time/day that you will when sitting the exam. Do it to exam conditions. Make sure that you are passing well. This relates to the concept of cognitive frame. Like Pavlov’s dog, you can condition yourself to a state of readiness, so that when exam day rolls around that it just feels like a practice session. As mentioned above, do as many practice questions that you can.
As usual, make sure that you are able to relax on exam day. You’ve done everything that you can by this stage, and trying to learn more probably won’t help at this stage. Certainly revise notes if needed. Ensure that you are reasonably hydrated and take a positive mindset into exam.
- Be in the moment — don’t look forward or back
So this is absolutely critical. It’s a mindset and you have to develop it when doing practice exams. For the exam you cannot go back and review questions.
Be in the moment
You have one opportunity to get the question correct, and this is at the time that you answer the question. Make a mistake and the opportunity is lost. You cannot get fixated on any incorrect answers as you must always be answering the question in front of you.
Don’t think ahead
You also cannot think ahead. As soon as you start thinking about whether the exam would exit due to perceived wrong answers, then this will make thinking more difficult and slow you down.
This exam is going to mess with your head. Anxiety levels are going to be high and if you’re like me, then you are going to make mistakes. Don’t let this bother you and again just focus on the exam in front of you.
I would suggest that if your are unfamiliar with mindfulness concepts — then this might helpful to look at for your exam sitting.
As mentioned, having the right mindset is everything. To a certain extent, this is a pressure test. You need to manage any anxiety.
100/150 question finish line
The 100 or 150 question finish lines also needs to be put aside. Don’t think about whether you are on the trajectory. Stay in the moment. This is imperative. If you hit 101, don’t worry. You are still sitting the exam (and not exited out) and therefore you have a chance. Again, focus on the question at hand.
2. Watch the clock
So this is also critical — you need to manage your time. Do this during your practice tests and do timed sessions. Although it seems like there is a lot of time, if you spend too long on a question you may eat away on available time.
This comes from practice.
Similarly, don’t race through questions. Instead take a ‘pause’ so that you can consider the question and respond rather than react.
Practice enough that you get an idea
3. Read the exam question
As mentioned earlier, look at the exam question. What exactly are they asking. It may not be what you think. Take a mini-pause and contemplate what is needed.
4. Unfamiliar or difficult questions — the process of elimination!
So this is a biggie. When faced with unfamiliar questions — do not just randomly choose an answer. Use the process of elimination. Look at the answers, which answers are incorrect or not possible. You may find that you narrow the field considerably (e.g. 4 possibles down to 2 possibles). Once you’ve done this then take a calculated guess. See point 1-3 above. Answer the question and then forget the question as it no longer matters once you’ve answered.
Similar to my other articles, I would mention the following:
- If you pass — congratulations! you’ve made it! Celebrate your efforts as you usually would. You are now on the path to CISSP certification
- If you don’t pass — well done for giving the exam a go. These are learning exercises and sometimes we don’t get on the first go. There are further opportunities to strengthen any weaknesses and to go again. Don’t give up — many people (thought to be >50%) miss this exam on first attempt. This is not a fail in the traditional sense, but First Attempt In Learning (F.A.I.L). A virtue is getting back up when you get knocked down. When sitting hard exams, the reality is that people do miss. It is not a reflection on you, and more an opportunity to go again. Life is bigger than exams and try and keep this in perspective. Go again — I’m sure with perseverance and dedication that you will make it!
Best of luck on your journey — I will try and update this article further if any other strategy tips come to mind, so do come back!
Lastly, when studying, keep in mind that socialisation is a powerful tool and joining a support/chat group (via discord or other) might be helpful if you don’t have anyone in your work environment.