The International Information System Security Certification Consortium ISC2 Certified Information Systems Security Professional (CISSP) is one of the most, if not the most, prestigious and widely recognized cybersecurity certifications in the industry. There are many reasons for wanting to obtain the CISSP, and the purpose of this post isn't to convince you to go after it. Since you are here, you must be thinking about going for it. Awesome! In this post, I will share my personal CISSP learning experience and tips and tricks to pass the exam so you, too, can become a CISSP.
Summary
The exam is very difficult, and there are no shortcuts to success.
You should have another cybersecurity certification before attempting the exam.
You can avoid expensive boot camps by self-studying.
You should watch a complete video series before attempting the exam.
You should read one exam guide cover to cover at least once before attempting the exam.
You should complete and understand at least 1,300 practice questions before attempting the exam.
You should do a few hundred flashcards at least once.
Don't worry about the time during the exam.
Some questions won't give you as much information as you want. You have to assume some details.
Take off your technician cap during the exam and think like a CISO.
You don't have to memorize acronyms.
Be consistent with your studies. Make a study schedule and stick to it!
Recommended Study Resources
I recommend these study resources to be completed in this order:
(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide
Flashcards provided by video course
(ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests
Practice exams provided by the video course
Only if you scored below a 70% average on the Official Practice tests or are not confident about the exam you are ready for the exam if you score an average of 75% or more on the official practice tests.
Alternate/AdditionalStudy Resources/Disclaimers
I completed this course during my CISSP studies. However, despite having good content, it doesn't provide enough content. 18 hours of videos aren't enough to get you where you need to be for less experienced cybersecurity learners. This course covers the basics and not much else. Even though I didn't sit through a single second of the ITProTV course that I am recommending, it provides about 22 more hours of content. I completed the ITProTV PenTest+ and Certified Ethical Hacker (CEH) v11 courses. Both courses feature Daniel Lowrie, who is also one of the edutainers in the CISSP ITProTV course. Because of this, I trust the ITProTV CISSP course and recommend it over the CBTNuggets course. I'm a fan of both ITProTV and CBTNuggets. You really can't go wrong with either one. Despite your choice, they both give access to the same exact practice tests and flashcards, which are both fantastic practice.
This is the book I read cover to cover. But not by choice. This was the recommended book for my Advanced Information Systems Security course at the University of Maryland Global Campus (UMGC). It's a great book, and I have nothing negative to say about it. I recommend the Official Study Guide over the All-in-One Exam Guide because ISC2 promotes it. It is also written by Darril Gibson (RIP) and Mike Chapple, two authors I highly respect. The book is published by Sybex. I used Darril Gibson's Security+ study guide to pass Security+ and Sybex books to pass Linux+, Cisco Certified Network Associate (CCNA), and Cloud+. I've also read the Sybex CEH book, and I'm currently reading their PenTest+ book, which is also co-authored by Mike Chapple. Needless to say, I'm a massive fan of Sybex books, Darril Gibson and Mike Chapple, so I'm recommending the official study guide over the guide I read. Honestly, you can't go wrong with either one. Just make sure you get the most current edition of whatever you choose.
Boot camps
I know many people in the industry use boot camps to aid in passing certification exams. And if you're the kind of person who needs/wants a boot camp, by all means, do one. I'm not here to talk bad about boot camps. In fact, I like the idea of them. However, they are far too expensive, especially when you can spend far less money buying a book, a video series, and some practice questions for far less money. The self-study route is almost always the more economical route to passing a certification exam. This is why I've never attended a boot camp and self-studied for every certification I have.
Recommended Prior Experience
You must have at least five years of cybersecurity experience before earning the title of CISSP. However, you can still take the exam and become a CISSP associate if you don't have the necessary experience. Before studying for the CISSP, I recommend having at least one other cybersecurity certification. The nice part about having a cybersecurity certification before taking CISSP is that it waives one year of experience for the five-year requirement. Here is the list of certifications that will waive one year of experience. Having one or two of these certifications will significantly improve your success while studying for the CISSP and taking the exam. CompTIA Security+ laid out my foundational knowledge of cybersecurity, and as long as the certification stays relevant, I will continue to recommend it as a starting certification for anyone wanting to get into cybersecurity.
Exam Tips
Don't worry about the clock.
I had about 90 minutes left on the clock when I got kicked out of my exam at 149 questions. On almost every question, I read both the questions and answers 3-4 times. During my exam, I also paused several times to take mental breaks, look around my cubicle to rest my eyes, stretch in my chair, and even doodle on my dry-erase board. Granted, I didn't have to answer the last 26 questions (look up how the exam works if you don't understand why I got kicked out at 149/175 questions). But even if I took three minutes per question on the last 26, I still would have had 12 minutes to spare. The exam gives you plenty of time to think about the scenarios given to you, so don't rush it.
You have to make assumptions.
Many scenarios won't give you as much information as you may want to successfully select the best answer. This is where the exam gets tricky. Sometimes you have to assume things about the scenario to give you the missing information you want. Information Technology (IT) devices can be configured in a seemingly infinite amount of different ways, and you will ask yourself, "what way is the devices in the question configured?". It's easy to get frustrated at the question, but ask yourself, "what is the most likely configuration?". My strategy during the exam was to assume that devices were configured in their default setting or with "book definition" settings. For example, a question might mention a firewall but not tell you what kind of firewall it is. Is it a stateful or stateless firewall? Is it a layer 3, layer 4, or layer 7 (Web Application) firewall? Each firewall type would change your answer in the scenario (because most, if not all, answers will be correct. You must choose the BEST answer). You may be able to determine the type of firewall with context from the question, but you will often have to make these challenging assumptions. Good luck!
Think like a CISO.
If you work as a technician in IT, you must train your brain to think like an upper-level manager during this exam. A technician and a manager often think entirely differently. You must approach each question from the strategic rather than the tactical level.
Don't worry about memorizing all the acronyms.
When it comes to cybersecurity, we have to know many acronyms. In other certification exams, you need to memorize almost every acronym to pass the exam. Not for the CISSP; most, if not all, of the acronyms, will be spelled out for you. Concentrate on what things do rather than what the letters in the acronyms mean while studying for the exam.
Conclusion
The CISSP is very difficult. No certification exam is easy. Preparing for the CISSP exam will take months of hard, consistent work. There are no shortcuts. The key to success is not taking long study breaks. Once you start studying, don't stop. I highly advise against taking more than a week off at a time from your studies. The CISSP has a ton of information, and it can be easy to forget some of it over time. And even though I passed the CISSP on my first try, I failed my first CCNA attempt for taking too much time off studying, so I am speaking from my own experience. I recommend 2-3 hour study sessions at least 3-5 days a week. If you can do more, you should. Doing less won't make the exam impossible, but the longer you drag out your studies, the more likely you will forget some of the information. Whatever the case, make a schedule that works for you and stick to it! Consistency is a massive part of every certification exam.