CISSP: How I did it.
Mayank Sharma
Cloud, Security, Architecture, Strategy | Energy and Financial Services | IRAP Assessor, CISSP, CRISC, TOGAF 9.2, ITIL v4, PSM1| Certified Architect- Azure, AWS & GCP
Since I passed my CISSP exam, a lot of people have asked me to share my experience and the resources I used. I am listing them in this post. I hope you find it useful.
1. My Resources:
The first thing I did was to find the official resources and guides. There are two reasons for this: first, the official guide generally lists ALL the topics that you should know before the exam; second, the official guide is as close to first-hand information about the certification as you can get (consistent terminology, for example). The official guide by Mike Chapple was my main resource; you can buy it here: https://www.amazon.com/Certified-Information-Security-Professional-Official/dp/1119475937 I read the book from cover to cover and made notes religiously. I found these notes very helpful at the end, during my revision. Whenever I start a very long book, I generally look at the table of contents and pick a topic that I like. In this case I started with laws and regulations, as this was something very new to me and I like legal dramas. Like everything else in life, getting started is the most difficult part of the whole process.
I also used the A Cloud Guru CISSP course (Ermin) and Pluralsight's (Kevin Henry). I played these videos mostly while driving, just to validate my knowledge. I found that while both courses were very detailed, they only covered about 80% of what was in the book.
A very important mention here: Kelly Handerhan's 15-minute video on YouTube, "Why you will pass the CISSP", was probably the most important 15 minutes of my preparation. If you are preparing for the CISSP, you must watch it every now and then to help you get into the CISSP mindset. A lot of questions in the exam come down to choosing the best option among those given, and the CISSP mindset will be decisive in selecting the right one.
Lastly, I skimmed through a few NIST papers and watched some YouTube videos whenever I was not clear on something or was simply curious.
My advice: Use multiple resources, one as your primary source and the others to supplement it. It depends on whether you are a read-from-the-book person like me or whether video courses work better for you. In any case, you will want to review the official guide, as it is important. Making notes was important for me, especially once you start the revision in the last two weeks, so I would advise you to do it too.
2. The Time:
With a full-time job and two kids at home aged 5 and 2 months, I realistically couldn't spend more than a couple of hours on weekdays and a few more at weekends. I therefore gave myself a comfortable seven-month target. I booked my exam after I had finished 80% of the book.
My advice: Look at your circumstances and the way you want to study. Some people want to fire all the engines and will finish the content in a month's time, while others like me prefer to go slow and steady. The bottom line is that it's a one-man race, and all that matters is that you finish it once you have started.
3. The Questions:
Here is the important part: while all the resources will help you familiarise yourself with the topics, the actual exam will test you on the "application of these elements". Take, for example, the different types of access control methods: DACL, MAC, RBAC and ABAC. The guide will introduce you to these concepts; in the actual exam, however, you are given a scenario and asked what kind of model you should use. Another example: you will learn different types of disaster recovery methods, and in the exam you will be given a scenario and need to choose which DR method is 'best'. Another one: reviewing a line of code and telling what is wrong or right with it. I practised with the official practice tests, https://www.amazon.com.au/Cissp-Official-Isc-Practice-Tests/dp/1119252288 but please note that these are just to validate your knowledge. The real exam questions will not be like the ones in the book. Also, do not get disheartened if you don't get a lot of them right. I read somewhere not to attempt the exam if you are not getting 90% of the answers right. This, of course, was not right.
My advice: Again, I refer you to Kelly Handerhan's video. It is very important that you watch it as many times as you can! The questions you will see have technical answers and CISSP answers. You also need some real-world experience in implementing and designing things.
4. The Exam:
There is not much information available about this exam in particular, but like any computer adaptive exam, if you get the answers right the computer will increase the difficulty of the questions. So it is not a bad thing if you believe you are getting a lot of curve balls thrown at you; it means you are doing great! I didn't find this information anywhere to confirm my hypothesis, but given the way computer adaptive exams are generally designed, you see more questions on your weak points as the computer tries to gauge you.
Depending on how well or badly you are doing, you may see between 100 and 150 questions. I got 100 questions.
My advice: Because you don't know how many questions there are going to be, I suggest not spending more than 3-4 minutes on any question. There will be a few low-hanging fruits which you will answer within seconds, making up for the time lost on the tough ones. Even in the worst-case scenario you still have around 1.5 minutes per question. What's important is that you read the question at least twice to understand it before choosing an answer.
Last word:
When I was preparing for the exam, I came across a lot of negative information, such as the pass percentage being only 20% and even lower for first-timers. Ignore all negative commentary. The most important step in making something happen is to believe that it can happen. Create a realistic timetable and then stick to it. Check this out if you need some help developing a strategy: https://www.dhirubhai.net/pulse/six-step-guide-achieve-all-your-goals-mayank-sharma-togaf-9-/ Lastly, talk to your family and friends and keep them informed about your progress. It is going to take a toll on your social life, and family and friends are going to be your support system when you feel low.
Good luck!
Comments

Security-Focused System Administrator and Linux Enthusiast (4 months ago): I will surely check this again in a few months when I have my CISSP exam coming up... Thanks for your insight!

Mayank Sharma (author, 4 years ago): Bimlesh Reddy (MSOC, MCSE, Dip EE)

Registered Patent Agent with Indian Patent Office (4 years ago): Congratulations

Mayank Sharma (author, 4 years ago): Jayant Sharma

Senior Cloud Security Engineer at Codecademy (4 years ago): Thank you for sharing this!