Hello and welcome!! If you have found yourself here then you must have an interest in obtaining the ISC2 CISSP certification.
I posted about passing the CISSP certification on LinkedIn a while ago, and since then I’ve received several messages from friends, colleagues and complete randomers asking questions about it, what I used, book/course recommendations etc etc. Rather than sending the same generic reply back 15 times, I decided I’d give back and write the whole thing up here. Hope you find it helpful!
First of all, CISSP certification has been on my cert list for a while now. I’m delighted to have got it and it sits nicely alongside my other certifications.
WHY I DID THE CISSP AND WHY YOU SHOULD TOO
The CISSP certification stands as one of the most prestigious credentials for IT and cybersecurity experts. I have studied for and passed lots of other certifications, but this one not only opens doors to higher salaries but also provides a competitive edge in the job market.
When you include the CISSP certification on your resume, it sends a clear signal to recruiters and employers that you are among the elite candidates in the field of information security. After all, to obtain this certification you must possess a minimum of four to five years of practical experience.
I have done some research:
- Nearly 1 billion emails were exposed in a single year, affecting 1 in 5 internet users.
- Data breaches cost businesses an average of $4.35 million in 2022.
- Around 236.1 million ransomware attacks occurred globally in the first half of 2022.
- 1 in 2 American internet users had their accounts breached in 2021.
- 39% of UK businesses reported suffering a cyber attack in 2022.
- Around 1 in 10 US organisations have no insurance against cyber attacks.
- 53.35 million US citizens were affected by cyber crime in the first half of 2022.
- Cyber crime cost UK businesses an average of £4200 in 2022.
- In 2020, malware attacks increased by 358% compared to 2019.
- The most common cyber threat facing businesses and individuals is phishing.
You can read all about the exam on the (ISC)² website. But here are the bits you need to know.
The CISSP exam is made up of eight domains… and in the exam, you need to pass ALL EIGHT DOMAINS.
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management (IAM)
- Security Assessment and Testing
- Security Operations
- Software Development Security
As well as passing the exam, you must have a minimum of five years of cumulative paid work experience in two or more of the eight domains above. In some instances, a degree or another relevant security certification can satisfy one year of that experience requirement.
Don’t stress if you don’t quite have 5 years of experience, you can still pass the exam and become an Associate of ISC2… then you will have six years to earn the five years of experience!
THE CAT EXAM
The CISSP exam uses Computerized Adaptive Testing (CAT) for all English exams. CISSP exams in all other languages are administered as linear, fixed-form exams. You can learn more about CISSP CAT.
| Length of exam | 4 hours |
| Number of items | 125 – 175 |
| Item format | Multiple choice and advanced innovative items |
| Passing grade | 700 out of 1000 points |
| Exam language availability | English |
| Testing centre | (ISC)² Authorized PPC and PVTC Select Pearson VUE Testing Centers |
As you will see, the number of questions will vary between 125 and 175. It’s totally random too; you won’t know how many questions you will actually get until you sit the exam!!
1. Security and Risk Management
2. Asset Security
3. Security Architecture and Engineering
4. Communication and Network Security
5. Identity and Access Management (IAM)
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security
Sorry to be the bearer of bad news…. but it’s important to know that the current CISSP CAT exam contains 50 pretest (unscored) questions. Basically, questions that won’t be counted, whether you get them right or wrong. Pretest questions enable (ISC)² to continue expanding the exam bank to strengthen the integrity and security of the CISSP for all those who earn the certification. The pretest questions will be indistinguishable from operational (scored) questions and should be considered carefully to select the best possible answer. Responses to pretest questions will not impact scores or the pass/fail result of the examination.
My background in IT is quite varied. I worked in IT Managed Services as a Consultant for around nine years, and this allowed me to get involved in all areas of IT, working on a bunch of projects around Infrastructure, Virtualisation, Exchange, Office 365, Network, Security, Cloud etc… Brilliant experience, and you easily become a “jack of all trades”.
For the last 7 years, I’ve been heavily focused on Cloud, Network & Security. This has given me lots of opportunities to work directly on security-based projects, which is obviously a huge benefit to me and really helped me during my studies for the CISSP exam.
I’ve also obtained a number of other certifications, some of which are security related such as CompTIA Security+ and Azure Cybersecurity Architect Expert.
MY EXAM EXPERIENCE
First of all, the CISSP exam is unlike any other exam I’ve done, it’s extremely challenging and the CAT exam is purposely built to find your weakest areas and push you hard!
I sat my exam in the Pearson VUE office in London. I booked a mid-day exam slot… right after lunchtime, thinking I’d make my way into the city early, eat a nice lunch and be full for the next few hours. That was wishful thinking, as there was no way in hell I was able to eat… after studying solidly for 3 months my nerves were shot.
I arrived in plenty of time, put everything into the locker, had my palm scanned and got my whiteboards ready for the exam.
NOW… a really good piece of advice that I had seen somewhere on Discord is that you need to accept the NDA within 5 minutes! The NDA is shown onscreen before the exam starts, and if you don’t accept it… the exam closes and you have to book it again!!! In my case, the exam attendant was trying to find working dry markers… but she had already started the screen for my exam!! So I KNEW I was on the clock and I could see my screen turned on!! In the end, I asked her to bring one to me as the time was running out and I needed to go! When I got to my exam screen, the clock had less than 2 minutes remaining! Just something to be aware of on exam day!
Anyway, so the exam started… I felt ok for the first 30 questions, then the CAT was doing its thing and starting to fire difficult questions at me!! I got to about question 45 and I started remembering some of the comments I had heard about the exam… (9 out of 10 people that I spoke with all said the same… “most of the way through, I was sure I had failed the exam”). At question 45, this was definitely how I felt too. Before taking the exam I had done over 3000 practice questions, and the exam questions I was seeing were nothing like any of the practice questions; in some instances the questions I got had several answers that looked correct.
The questions got progressively harder from about 50 to 100 but I was digging deep and trying to remain calm! Being a technical person, my mind would automatically target the technical answers… remember for the CISSP exam you need to think like a manager or a CISO, do not fix anything, you need to advise.
Now the thing that I struggled with the most in the exam is the time. You need to keep a very close eye on it; 2 hours seemed like 30 minutes in my exam! I was counting on going to 125 questions… I thought if I did ok in the first half of the exam, then the exam might not bother taking me all the way to 175 questions!! Oh boy, how wrong I was. I was about 3 hours into the 4-hour exam and I can still remember clicking next at 125 and seeing 126… f$%k.
In the end, my exam went all the way to 175 and I had 60 minutes left to answer 50 remaining questions. I can easily say the CAT exam worked out exactly where I was weakest and it pushed me to the limits in the end!
After the exam finished, I stood up, walked out, got my palm scanned, went to the reception and collected my results… I didn’t even look at them, I went to the locker, got my things and walked outside. I’ll be honest, at this stage, I was about 75% sure I had failed… those last 50 questions wrecked me and I was mentally drained and exhausted.
As I was walking out of the building I flicked the sheet open and read CONGRATULATIONS!! What a moment! I made some sort of weird noise that caused the man across the street to walk a little faster! Great way to end months and months of hard work!! The next thing I did was walk right across the road into the closest pub for a pint because believe me…I needed it!!
Don’t just rely on a single course or a book to pass this exam… you need to use several different courses, books, videos, and communities. Basically, get your hands on as much material as you can.
I started studying for the CISSP certification on 1/1/23, it was one of my new year’s resolutions and I wasn’t hanging about. Starting on 1/1/23 and aiming to take the exam at the start of April… this gave me a full 3 months of dedicated study time! Moral of the story… properly plan and dedicate your study time.
ALWAYS SET AN END DATE!!!! Otherwise, you’re giving yourself lots of opportunities and excuses to procrastinate. I usually book the exam two months out!
Find some mentors that have taken the exam and ask for their advice and guidance… if these are real people at your company then happy days!! If not, get onto Discord or Reddit. Join the groups I mention below and introduce yourself, get involved, ask and answer questions.
Sometimes the best way to learn something is to teach it. If you are lucky enough to have someone willing to learn from you, take advantage of it and teach them what you have already learnt from your CISSP study.
If you can, take a few days off before the exam. I did this and took some practice tests, also crammed in some last-minute study.
In the exam:
- Remember you are an advisor, a contractor or a CISO! The exam will try to trick you into fixing things! Do not fix things; advise, or fix the process!
- People are always the weakest link!
- Always choose the health and safety of the employees!
- Think defence in depth.
- Read the question twice before looking at the answers.
- The first 15 – 30 minutes of the exam are the most stressful.
- When looking at the answers to questions, eliminate the obvious options first.
- Study all domains, do not skip any! Remember if you fail one, you fail the exam.
When you pass, and I know you will, take a break and reward yourself!!
EXAM MATERIALS I USED
Disclaimer: This is the material I used to study and pass the exam on my first attempt. I’d highly recommend you do your own research and buy the materials that work best for you!
In my eyes, this is an absolute must!! It’s a thick book and an intense read so be prepared. I kept this by my side at all times, picking it up over breakfast, lunch, dinner and before bed!
At the end of each chapter, there’s a quiz you can take, there’s also a bunch more questions you can do by signing up on the Sybex website.
This is the official ISC2 book. I didn’t buy this book, a friend let me borrow it for a few months. It was quite useful for referencing back and getting more detail on areas I was stuck on.
Again, I was able to borrow this from a friend. Great book, loads of practice questions/tests; I didn’t use this book as much as I should have!
Concise and brilliant for reinforcing your study! I read this in the last 3 weeks before the exam. Smashing out 2-3 chapters a day highlighting areas I was weak in! A few days before the exam I flicked through again to make sure I knew those highlighted topics! It’s a few years old but still very valid!
I really really liked this book, it takes you through loads of questions… Explaining them step by step, basically teaches you the mindset you need to answer the questions!! Highly recommend!
LinkedIn Learning has a great course by Mike Chapple; I watched the entire course TWICE. While watching the videos I made a note of all the areas I was weakest in and tried my best to double down on those. Mike Chapple also wrote the Sybex book above, so this video course is the perfect companion to the book.
This is 8 hours long and I went through it twice. Don’t forget the links in the video description… all the content is available to download as PDFs too. Again, highly recommend this!
Quite an old video, but still very valid. I saw a lot of people recommending this video on Discord and Reddit. Worth watching.
Loads of great videos and they run through a bunch of practice questions too. They have a book now available too, I’d buy it if I was doing the exam again.
I signed up for the premium version which was around £7 a month and completely worth it. This app has thousands of practice questions and 10 practice exams!! I did them all. It gives you a proficiency counter for each of the domains. I was sitting at roughly 80-85% in all domains by the time I was walking into the exam.
The best thing about this app is, if you get the answer wrong, it gives you the chapter and location of the answer in the Sybex book!! Definitely get this app.
When you buy the Sybex book I mentioned above, you get access to Wiley’s large test bank of questions. Follow the instructions in the book to activate your copy and access the questions.
Can’t thank this Discord enough. It was really active and a great place to ask loads of questions. Loads of people post practice questions too, oh and they have free boot camps and learning events! There are a lot of really smart people in there that helped me so much! Definitely recommend!
I found a bunch of free PDFs on here that contained people’s notes, good for finding CISSP training and reading about exam experiences.
Good luck – it’s a mountain of work but definitely worth it in the end!