How I Passed the CISSP

At the time, all I knew about it was the name itself and that it is one of the most recognized certifications in the industry. I was told that it would not be easy and that you need a certain mindset to pass it. But since there was such a nice opportunity (the company I work for organized a bootcamp), I thought to myself, let’s do this!

My background: 1 year in Software Development and ~2 years in SOC (Security Operations Center).

Few words about CISSP

Certified Information Systems Security Professional (CISSP) is an adaptive exam, which means the complexity of the questions adjusts based on your answers in order to let you demonstrate a minimal level of understanding of the concepts in each of the 8 security domains. Depending on how well you answer the questions, you will get 100–150 questions and 3 hours to complete them. The passing grade is 700 out of 1000 points. The 8 domains are:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

The exam outline can be found here.

How I prepared

At the end of August I read the book recommended by our instructor: CISSP Study Guide, 3rd Edition, by Eric Conrad, Seth Misenar and Joshua Feldman. I read it once. We were supposed to finish reading it by the time the bootcamp started (beginning of September). I really enjoyed the bootcamp, although it was pretty intense and a lot to grasp in only 9 days (5 hours a day).

Following tradition, to make it official, I scheduled the exam for the end of October, which I later had to postpone to November 23rd due to an unplanned 1-week vacation. I would not recommend taking a vacation in the middle of preparing for the exam, as it did set me back a bit in terms of motivation and time.

My strategy was pretty simple: after I read the book and did the bootcamp, it was time to do as many prep tests as possible to get a feel for the exam, identify the gaps in my knowledge, and re-study those gaps. I read only a few chapters from the book (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition, by Mike Chapple, James Michael Stewart and Darril Gibson.

I took a week off before the exam to revise the recordings of our study sessions/presentations and the notes I took during them. I also did all the prep within the (ISC)2 Official SSCP Exam Prep App. I studied until the very last day, despite everyone recommending to take a break the day before the exam.

Reflections

“Congratulations! We are pleased to inform you that you have provisionally passed…”

Now, looking back, I feel like doing too many prep tests might give you a false sense of confidence. Confidence of course is good, but you might be a bit surprised on the day of the exam, so don’t underestimate it. The exam can be quite challenging because of the wording of the questions compared to the prep tests. You gotta think like a manager/lawyer with a technical background. Larry Greenblatt’s exam tips might be very helpful; I only found them after I passed the exam.

The exam will have questions like “what should you do next”, and very often you will need to choose the BEST option among those given. Always read all the answers before finally choosing, because again, there will be times when all the answers are correct, but you gotta choose the best one. When reading the questions, identify the keywords, since the sentences can be quite long.

There was enough time to complete the exam. No need to memorize acronyms; every acronym on the exam is spelled out. At times the questions felt really vague/abstract/incomplete, but maybe that’s just me. There were at most 10 short, straightforward questions; don’t expect trivial questions, expect lots of scenario-based ones. There won’t be questions testing knowledge of vendor-specific products, but there will be technical questions.

Don’t overthink the complexity of the questions or how well you answered, just be persistent, keep your cool, keep going.

As for me, the key takeaways are to really focus on learning/covering/understanding the concepts, especially because the material is so vast, and to learn to think as a manager/lawyer with a technical background.

Additional Resources

To conclude, apart from the resources I’ve mentioned above, here’s the list of resources that other people who took and passed the exam found valuable.

©2024 infosam.space, built by Sam with