I recently passed my CISSP. It was an accomplishment that took over a year. My goal is to write my process down so that a reader may benefit from what worked for me.
- Preamble: what I’ve studied in the past
- Removed my casual video games
- Bought the book
- Got the videos
- Purchased an app
- Purchased a better app
- Bought an audiobook
- Delayed the test
- Studied every wrong answer until I was over 80% on practice exams
1. Resources I’ve studied in the past
These are some of the resources I had already experienced before heading down the road of test preparation:
- Subscribed to Security Now
- Subscribed to the Defensive Security Podcast
- Listened to audiobook @War by Shane Harris
- Listened to audiobook Ghost In The Wires by Kevin Mitnick
- Listened to audiobook Social Engineering by Paul Wilson and Christopher Hadnagy
2. Removed casual video games
The first big step was to remove distractions. I was playing DOTA Underlords on my phone and I could beat the computer on “hardcore” mode. How was I able to master this game when I hadn’t taken the steps to study for my test? It was bullshit. When I gave away my Xbox and deleted Underlords, I told myself that I was going to apply that idle time towards studying.
3. Bought the book
The CISSP All-In-One Exam Guide covers all of the topics for the certification. I read a lot of technical books, but the content and pacing of the Exam Guide was too dense. Fortunately, my background overlapped with several of the disciplines.
My relevant security work includes working for a security company validating hackerone.com submissions. It was great for learning about the OWASP Top 10. I also attended DEF CON and led a pentesting team during that time. The other relevant occupation is that of a software engineer. There is a lot of software development, networking, and software patching in my day-to-day operations.
In total, there were probably three disciplines I knew fairly well without any prep work. Despite this, there was still so much ground to cover in the book.
I needed a primer.
4. Got the videos
The book was too dense a read, so I got a video series covering the 8 disciplines. In the beginning, I watched it on the treadmill while I worked out. In my view, it’s a much better introduction to the concepts: I could get a high-level view of what needed to be learned.
The content was older, so some material wasn’t up to date, such as GDPR. Over the course of a year, I probably watched the whole thing three times. In fact, at 8 weeks before my test, I made it a goal to watch one discipline a week. That worked well, but I should have dedicated one week at the end to just studying.
The videos introduced the topics and outlined the information well, but on their own they weren’t enough to pass.
5. Purchased an app
CISSP Pocket Prep was a fantastic app. It has quick quizzes (which I did on the toilet) and the questions revealed the answers right away. My goal was to learn by taking practice quizzes, getting the answers wrong, and reading the explanations until I had memorized the content. Unfortunately, the context-dependent nature of the questions made studying more about memorizing questions than learning the material. This technique would have failed if I hadn’t had the video series to provide additional context.
6. Purchased a better app
The CISSP (ISC)² Official App bundle contains both a study app and a test app. I liked the study version less than Pocket Prep: the quizzes were long and the answers weren’t revealed until the entire test was completed. As I remark later, this app actually boosted my proficiency more than Pocket Prep did. However, the content was harder to understand and internalize when I was first starting out.
7. Bought an audiobook study guide
The CISSP book from Audible was initially terrible. It was way too drab. I thought I could listen to it in the car and take care of the business of studying on my way to work. I probably would have fallen asleep and crashed my car. It was, however, useful for highlighting how detailed the test was going to be. I remember listening to questions and answers on topics that I had never heard of before.
8. Delayed the test
I made the choice to reschedule the test three weeks out to make sure I was ready. According to the CISSP test-taking procedure, a tester can reschedule a test (for $50) as long as it’s not within 24 hours of the actual test. After switching from Pocket Prep to the official app bundle, my quiz scores were way down. The official apps were harder and I was not passing.
9. Studied every wrong answer until I was over 80% on practice exams
With one week left to go, I took the practice test located at the back of the book. My score was 67%: failing, but not by much.
I spent the first half of that week reading up on every single question I got wrong. That’s when I started to realize that the entire book was being tested. Since it was too much work to read the book cover to cover, I had to just keep getting answers wrong on the practice test as a way of discovering the topics I needed to study.
I had believed that I might be able to infer the right answer even if I didn’t know the material. This was not true, because definitions are highly context dependent. Additionally, the questions are designed to make it hard to guess the correct answer. I had to learn as much of the entire book as possible.
The CISSP All-In-One comes with an online test prep. Originally, I didn’t use it because I was using its study resource and the user interface was frustrating. The site was run by (what appeared to be) the long-deprecated Adobe Flash. Increasing the font size didn’t do anything for the readability; the text just stayed the same size. The quizzes were unusable as far as I was concerned and I gave up on them.
Three days before the actual test, I reviewed the book’s online resource again. Surprisingly, the practice tests were comprehensive and easy to take compared to the study resource. The practice tests consisted of 125 questions in a three-hour time span. This was more efficient than studying from the back of the book. I could take around 90 minutes for an exam and then review the ones I got wrong. If I had to do it over again, I would have started with the online practice tests sooner.
When I reviewed the wrong answers, I would look at the relevant section of the book and study the material. I would become familiar with the content and try to internalize it. This made it easy to spot the material I had not covered. I did this three times the evening before the test.
Around 10 pm the night before, I had consistently scored above 80% and went to bed to get some sleep before my test at 8 am. I still honestly had no idea if I was going to pass.