The CISSP certification journey

The CISSP from ISC2 is widely regarded as the pinnacle of security certifications. Once you start reading into the domain coverage for this exam you'll soon understand why it is described as "a mile wide and an inch deep". Starting out in revision, I didn't think that in the same exam I would be answering questions on types of fire extinguishers, international law and then on to cryptographic algorithms. Truly this is an education in many security concepts, most of them off piste for me before I tackled this exam.

I have for some years worked in and around IT security, which certainly assisted my knowledge in around 6 of the 8 domains, to an elementary standard. Thankfully there is a wealth of communities available out there, unlike any exam I have sat in recent years. There are so many incredible free and paid resources like videos, practice questions and books; more than you can shake a credit card at, so you have to be selective. There are groups on Facebook, Reddit and LinkedIn, which I also found to be a necessity in order to live and breathe the exam preparation topics.

My preparation for the exam took 6 months, made up of videos, reading material and books. I have listed below the resources I used, with a score out of 10 for usefulness to my journey. I much prefer self study to classroom sessions due to the expense and getting time off to attend, etc. As such I paid for online resources, but it was worth it. All in, this certification (bearing in mind the cost of the exam is £700) came to around £1,000. I am sure you could do this cheaper. If you needed more motivation to prepare properly first time round, a retake costs an additional £700!

If you are approaching from a background in data protection, be aware!! There is confusion in much of the learning material out there. Most learning material and videos were written prior to GDPR. They end up having you second-guessing how ISC2 will expect you to answer, or indeed how up to date the exam will be, come exam day. As an example, the question below had me stumped, and it is an official-source question. So many things wrong with it.

[Image: the official-source practice question referred to above]

Additionally, from a security standpoint there are some topics that are seemingly only included for nostalgia's sake, but you have to know about them. A classic example is the US Department of Defense "Crayola Books", also known as the Rainbow Series. I had only ever heard of them referenced in 1990s pop-culture films until this point. There were at least 3 questions on the Orange Book and its influence on Common Criteria alone! For a book that was written before I was born, it seems more history than cutting edge.

Additionally this has ruined a classic 90s film for me. Researching has revealed that Dade in Hackers (1995) didn't know what he was talking about when referencing the Orange Book. He called it "Computer Security Criteria", but the correct title is actually "Trusted Computer System Evaluation Criteria". Inaccurate.

Talking of accuracy, this is one of the key games that the test writers play. They give you several options but slip in an option that overreaches into the false. A great example of this is below, from Larry Greenblatt. In the answer, A, B and D are all accurate, but D is the most precisely accurate.

[Image: Larry Greenblatt's example question and answer options]

I highly recommend viewing Larry's video. It was the wisest 35 minutes I spent, not only on the topic of accuracy but also on the other games that are played to get the best quality of answer from candidates taking the exam.

7 steps on how to pass the CISSP in hindsight:

Looking back at what worked for me, and the routine that seemed to work in my situation, my steps included...

  1. Watch videos to start with: Thor Teaches or CBT Nuggets, once through, to see what the foundations of this exam are about and get an idea of the 8 domains and agenda. There are around 30 hours of content in each, which will build a great baseline to build on.
  2. Make exam prep a daily task. Start running through exam questions daily using PocketPrep or an equivalent from the App Store. It helped me to be able to sit 10 questions on a mobile device while on a tube trip or queuing for something, etc. Additionally, join groups on social media to bounce ideas around and soak up knowledge; there are often daily questions that are debated. I did this daily for 6 months and it improved my general knowledge of this area.
  3. Hit the "big" exam question engines. Resources such as Transcender (Kaplan), Boson or Sybex are more like the real exam questions you will face. Reference the Shon Harris or Sybex books for any questions you do not answer correctly. This is important: failing to answer a question correctly highlights a gap in knowledge. Use this to your advantage to close the gaps you have in the weaker domains. I would guess that you need to be answering and understanding around 4,000 questions from multiple sources over the course of exam revision.
  4. Learn the technique for answering questions. A week or two before the exam, sign up for O'Reilly's videos delivered by Sari Greene. She has great videos on strategies for answering the questions. The way the examiners are looking for the management stance in an answer can be tricky for people from technical backgrounds, but it is well explained here, similar to Larry's video referenced above.
  5. Mnemonics help on the deep technical aspects. Everything I have to remember becomes a mnemonic. "All People Seem To Need Data Protection" for the OSI model (Application, Presentation, Session, Transport, Network, Data Link, Physical). "DEER MRS H CARBIDS" for the standard asymmetric (Diffie-Hellman, ElGamal, ECC, RSA), hashing (MD5, RIPEMD, SHA, HAVAL) and symmetric (CAST, AES, RC, Blowfish, IDEA, DES, Skipjack) cryptographic algorithms. "All True Italians Like Pizza" for the DoD TCP/IP model. Not sure how I would remember them any other way.
  6. Use mind maps. Start summarising the bits you need to memorise and stick them up on the wall. It'll look a mess but will be very visual, which helps in learning this wide topic.

[Image: example mind map]

  7. Pass the exam. Easier said than done for sure, but if you have put the time in then there is no reason to run into issues. Just remember the exam is 2 halves: the technical aspect, which is just knowledge repetition, AND the format and accuracy of the answers to the questions. Failing to prepare for either of these is a bad strategy.

There is a reason this exam has such a savage reputation but with the right approach and utilising the wealth of material out there you can make a success of this exam.

In conclusion: Please Do Not Throw Sausage Pizza Away and, importantly, Never Interrupt Talking Animals. Good luck with your CISSP journey!


Appendix

Books used:

  • Sybex (8th edition). Read cover to cover once and for reference after. (8/10)
  • 11th hour book (3rd edition). Read cover to cover 3 times. Very good book! (10/10)
  • Shon Harris (7th edition) All in One. For reference only. I didn't get on with this book; other people swear by it. (5/10)
  • Sunflower CISSP reference (10/10)

Videos:

  • CBT Nuggets. A favourite of mine from doing Microsoft exams in the past. For CISSP it really is high level and should be supplemented. (7/10)
  • Thor Teaches for me this was the right amount of depth in a short period of time. (10/10)
  • Study notes and theory by Luke Ahmed (8/10)
  • O'Reilly free trial videos. Very strong resource!! Highly recommend. (9/10)

Exam question preparation:

  • Sybex Official Practice Tests (2nd edition). What better resource than the exam provider.
  • Thor Teaches Example Questions. Again good to start with these. They link with the videos.
  • Transcender, now owned by Kaplan. This was the closest to the real exam questions, but expensive.
  • PocketPrep iOS app. Super simple but handy application with questions. Really good for train/plane journeys.
  • Sybex iOS app. I used this sparingly, as I didn't want to waste these questions, given they are the only ISC2 official questions. Same as the book.


Oren Yehudai

SMB Sales leader driving growth in a volume business | Partnerships and eco-systems nerd (x2 EMEA Channel Lead) | Inspired by how leadership unleashes individual potential | Believer in life long learning

1 year ago

Nice!
Gilbert Hill

Privacy Technologist - Data Governance, Policy & Ethics

5 years ago

Please don't take this the wrong way when I say this piece was unexpectedly fascinating - thanks for sharing your journey into fire extinguishers, crayola and Hackers!

More articles by Dave Horton

  • GDPR and Business Mobility - Part 2
  • GDPR and Business Mobility - Part 1
  • Keynote: iOS 10 and enterprise.
  • Consumer IoT in 2016
  • Internet of Things - Christmas tree project