Make a plan, stick with it!
By popular demand I am sharing my CISSP study plan. It's fairly wordy, longer than the future posts I am planning, but take away from it what you will. I really hope it helps and motivates you to study and pass.
Up to this point I have been working in an Information Security governance, risk and compliance role for 4 years, with 20 years' additional experience in IT and Microsoft MCSE and Certified Novell Engineer qualifications (yes, my career does go back to pre-Y2K!). This gave me a base of networking, cryptography and operations knowledge. Everyone will have a different base of knowledge, so use yours and identify the gaps to focus on.
My employer provided me with CISSP training from Global Knowledge, which demystified the content and domains that make up CISSP. A quick note about this course: it was death by PowerPoint, but the instructor really made it for me as he added anecdotes. In all fairness the course wasn't his; he was just teaching it. I realised that the CISSP knowledge wasn't as hard as I thought it might be and that it mirrored my Information Security role.
After the course while I was more comfortable with the concepts I didn’t feel ready to take the exam. Then work and life got in the way, so two years went by. During this time I parked my CISSP study and studied Certified Ethical Hacker (EC-Council) eventually picking up CISSP for Dummies. Part of the issue was that while work had paid for my course they hadn’t paid for the exam and with tighter budgets they weren’t willing to prioritise paying for my exam.
So this year I decided to take the lead in my Infosec journey, invest in myself and pay for the exam. It was the best decision that I could make and totally empowering.
My study for CISSP started on the 5th June. The week before I had been on holiday in the sunny south of Spain and had decided during this time that on my return I would book the exam and start studying. A number of factors influenced my decision, not least the fact that I had waited long enough to take CISSP. I felt ready. The exam was booked for late August, giving me just over two months of intensive study.
For motivation I kept a tracker in Google Sheets recording what I did towards CISSP every day, planning which days I could study and what times of the day worked. I found that Sunday to Thursday evenings, between 8 and 10, along with the drive in to work, worked for me. This added up to around 4 hours a day, about 20 hours a week.
I recommend looking at how much time you can set aside to study, be creative with time available and develop a plan and stick to it.
My study plan went along the lines of making sure I knew a domain, then doing sets of 50 questions to make sure I had got it. If I achieved 80% I would move on to the next domain, read it, do the questions and repeat. My typical day would be to read Sybex CISSP 7th Edition, listen to Cybrary CISSP in the car and then do practice questions, either on the current domain or on the previous one as a refresher.
OK, so this depends on how you remember stuff. I bought an exercise book and wrote down notes for the various concepts that I felt I needed to remember. I didn't take notes on everything, more the core concepts like managing risk, business continuity, disaster recovery, cryptography, etc.
Be creative; write, type, mind map, mime
Guess what the tracker is for. The weekly review really helped me keep on track and stay motivated, making sure I was moving forward and at the right pace. Two months is not a long time. Time-wise the review was just a quick 10 minute session to correct my approach: maybe I skipped a day, so recognise that, adjust, move on. Immerse yourself in CISSP. Immersive training in any field helps you gain knowledge and CISSP is no different. As I said above, spending most of my free time, like in the car, listening to podcast training helped cement the knowledge. I didn't use flash cards. I mention this as I know some people like that sort of thing. Not me.
My strategy for the exam, from the very beginning, was to know the concepts and how to apply them. If you come across a concept you don't understand, google it, find it in one of the resources (which I have shared below) and make sure you understand the pros and cons of using it. Take practice tests. So long as you are getting 80% or higher you will be fine.
I read somewhere that you should get 80% in the practice tests for a domain before moving on to another domain.
To be honest, when you are revising, take question sets that cover a few domains or more. During the exam you will be asked questions from different domains, so get used to getting a crypto question, then risk, then physical security. Read the question and all the answers. Then go back over and read the question and answers again. Only then look to answer the question. Each exam question has four available answers. Eliminate at least one answer, two if possible.
When you are down to two, think Kirk and Spock. It does work.
CISSP is like an English language exam. I didn't get that until I took the exam. Larry Greenblatt talks about this; see the resources below. Before submitting your answer, think: does the answer I chose actually answer the question? What is the question asking and what are they looking for? Don't ask me to repeat any questions from the CISSP exam. It is against the ISC2 code of ethics, and my honest answer is that I cannot remember any anyway. Understand and remember the ISC2 code of ethics.
Resources; how they worked for me.
Shon Harris All-In-One book – I bought this when I started my Infosec role, read the first few chapters but didn’t touch this during my study this year. I had it by the side of my couch ready for last minute revision but never opened it.
CISSP for Dummies Guide – A great resource and recommended reading. Having attended the CISSP course a few years back I knew the syllabus, and CISSP for Dummies had enough detail for me to feel comfortable that I understood the concepts. I read this over the last couple of years and referred back to it during my exam prep.
11th Hour CISSP – Not recommended. A buddy loaned me a copy and I read it in two evenings, only 200 or so pages. I found it a waste of time. Glad I didn't pay £20 for it. If you are wondering how I read it in two evenings: skim reading.
Cybrary CISSP – A great resource and recommended listening. A free CISSP course that is well presented, and I found it helped cement many of the concepts needed for the exam. I mostly listened to it in the car, so two hours a day. I went through it again a few weeks before the exam. /www.cybrary.it/course/cissp/
CCCure exam questions website – I paid for a 3 month subscription and was taking 50-question exams generally twice a day, morning and evening. As it's online you can dive in, do a few, then save and carry on where you left off next time, so it is great for lunchtimes and other breaks in the day. Overall I would give CCCure 7 out of 10. It isn't essential but it gave me confidence. /www.cccure.education/
Sybex CISSP 7th Edition – A great resource and recommended reading. I valued this over all the others. It is a long read but knowing the CISSP content I skim read each chapter then did test questions until I could move onto the next chapter and repeat.
Sunflower CISSP Cram Study Guide – A good resource. I read this the Sunday before my exam, fully expected to read it in 2 hours, spent 8 hours reading through it and identified some factual errors in it. Reason for the 8 hour read, I read it carefully, absorbing everything.
Kirk and Spock – /www.youtube.com/watch?v=eLYbFtS7G9E&t=0s&index=4&list=PLoMRAM_UwwHc_SA_10Yb5kAzGNmtzxuNw Larry Greenblatt shares his exam tips along with some anecdotes. I watched this video a few days before the exam and I found it worked for me. Kirk and Spock? Just watch the video, they did help me in the exam.
CISSP Official ISC2 Practice Tests – Mixed feelings about the test engine and questions. The UI is not as friendly as CCCure, but the questions do get you thinking.
Countdown to the exam.
I managed to get three full days of study, around 30 hours, before the exam: Saturday through Monday, with the exam on Tuesday morning. I reviewed the Sunflower CISSP cram study guide and skim read 11th Hour CISSP. I practised lots of questions, including two lots of 150 questions to simulate exam conditions. I felt ready to pass CISSP.
In part 2 I will share the next steps following success in passing the CISSP exam.