CISSP Preparation & Exam
I recently ramped up study for my CISSP and just passed this week! In this post, I wanted to detail the resources I used to prepare for the test.
Cybrary
I used the Cybrary catalog of online courses as my primary method to prepare for the exam. It was great and they have a test-pass guarantee if you go through their prep program. I began studying 2-3 months before taking my exam.
The Cybrary CISSP Prep Program consists of 15 hours of video instruction covering the 8 domains of the CISSP. It’s relatively high-level, but builds a good foundation. Next are 25 hours of labs that walk you through encrypting/decrypting files, setting up two-factor for SSH and a variety of other practical topics as a security engineer. These tasks didn’t present themselves on the exam in the form of questions, but were useful to build skills. The last steps in the program are completing practice tests through Kaplan and Practice-Labs. I assumed these would be quick to knock out, but I ended up putting in about 20-25 hours of just practice tests to feel comfortable with the content and get at least a 80% score on both to satisfy Cybrary’s test-pass guarantee.
Kaplan does a great job of explaining the correct answer on their practice tests and I spent a lot of time understanding why the correct answers were correct. This is important because you won’t see these same questions on your exam — this isn’t a practice test where you memorize the correct answers so that you’ll recognize them on the exam. No, you have to understand why the answers were correct because you will see similar questions on the actual exam.
CISSP Official Study Guide
I had the older 7th Edition book by Sybex, but it was good enough to supplement my Cybrary training and fill in the blanks when reviewing the Exam Outline next. The 8th edition came out in 2018. What was in the Exam Outline and wasn’t in my copy of the book, I just Googled to fill in the gaps.
CISSP Certification Exam Outline
Go down the list of topics and apply the Feynman technique to explain each topic in as much detail as possible. With this technique, you right down everything you know about a topic. It ensures you understand it. If you’re stuck on a topic, go back to source material to increase your knowledge.
The Exam
I went to the local Pearson VUE testing center to take my exam. I took 2 forms of ID and had to scan my palms multiple times. Once in the testing room, I acknowledged the non-disclosure agreement from ISC2 and began the exam.
The exam uses Computerized Adaptive Testing (CAT), which means if you answer questions correctly then you’ll see fewer to confirm your knowledge in that domain. However, if you answer questions in a domain incorrectly, you’ll see more as the test tries to ascertain if you understand that domain. The test will have between 100 and 130 questions and you’ll have 3 hours to complete it. I found that spending approximately 90 seconds per question was enough. It allowed me to actually read the question without trying to pick it apart too much.
After 102 questions, my test ended abruptly. Just a message on the screen saying the exam was over. I assumed I had failed because I hadn’t answered enough questions correctly. The Pearson VUE proctors couldn’t tell me if I passed or failed either. I went up to the front of the testing center, looked at the printout and was surprised to discover that I had actually passed! I re-read that printout five times to ensure I was actually reading it correctly. That was the most stressful test I’ve ever taken and so was the discovery if I passed or failed. Whew!
Endorsement
Between 2-5 business days after provisionally passing the exam, I received an email from ISC2 with next steps. You have 9 months to complete the endorsement phase, but I can’t imagine anyone wanting to wait unless you needed more time to get the 5 years of work experience required.
I immediately began filling out my endorsement request. I reached out to an old co-worker who is a CISSP as my endorser (I needed their last name and ISC2 number). I then had to list my work experience illustrating 5 years experience in at least 2 of the 8 domains and provide a job description for each job. For me, the past few years as Information Security Officer directly covered four or five domains; I had to enter my supervisor’s contact information so that they could confirm I actually worked in that job those dates. Before becoming ISO, I listed my experience as a Network Engineer in domain 4. Fortunately, my endorser and supervisors were quick to confirm me and a day later my endorsement was back with ISC2.
I’m now waiting the 4-6 weeks for ISC2 to review my application and grant my CISSP certification. At that point, I’ll need to pay the $125 maintenance fee (and annually thereafter).
Conclusion
It’s been a wild ride achieving my CISSP. It has been the hardest exam I’ve taken, required more prep than anything I’ve done and requires more confirmation than any certification. I can see why it’s such a coveted certification and it’s one that I’m most proud of.