“…The people who pass are those that simply start and keep going. They have grit and determination. They show up. Then there is everyone else. They don’t.” – Nathan House, CEO, StationX
On December 27th, 2023, I passed the CISSP exam on my first attempt at question 125 at roughly 2 hours and 5 minutes in. This post is to share how I managed it, what helped me, and what didn’t.
About the CISSP Exam
At the time of writing, the English language CISSP exam is only offered in CAT (Computerized Adaptive Testing) format and is between 125 and 175 [multiple choice] questions in length.
For those who are taking the exam on or after April 15, 2024, be aware of the following changes:
- Domain 1’s weight increases 1%, and Domain 8’s weight decreases 1%
- The total number of questions will be reduced from 125-175 to 100-150
- The time limit will be reduced from 4 hours to 3 hours
Beginning in August, I committed to spending 5-7 hours a week on CISSP study, which included books (physical and digital), video courses, and practice questions.
Courses and videos:
- Derek Fisher’s Ultimate Cybersecurity Course & CISSP Exam Prep (StationX, August-October 2023)
- Thor Pedersen’s CISSP Video Bootcamp series (StationX, October-December 2023)
- Peter Zerger’s CISSP Exam Cram (YouTube, December 2023)
Derek Fisher’s course is a good introduction to the CISSP material but doesn’t go into much detail. I object to the use of the word “ultimate” in the title because this implies that it’s the final word when it should really be the first.
Thor Pedersen’s course goes into much more detail and includes other goodies such as external links, downloadable study notes, and practice quizzes for each domain.
Peter Zerger’s CISSP Exam Cram was the best of both worlds, concise and complete.
Books:
- The Official (ISC)2 CISSP CBK Reference 6th Edition
- (ISC)2 CISSP Official Study Guide (both 8th and 9th editions)
- All-In-One CISSP Exam Guide 8th Edition
- How to Think Like a Manager for the CISSP Exam
I didn’t read any of these books cover-to-cover. Instead, I used them as reference material and for their practice questions.
Practice questions:
- End-of-domain course quizzes
- Peter Zerger’s CISSP practice test
- CISSP Official Practice Tests
- TotalTester CISSP practice exams (came with All-In-One CISSP Exam Guide)
- WannaPractice CISSP practice exams
- Boson CISSP practice exams
Altogether, I completed about 3,000 practice questions. This helped me develop my time management, question analysis, and answer evaluation skills. It also helped me to identify which areas I was weakest in so I could focus my study efforts.
In the last week leading up to my test date, I was averaging 80-84% on my complete practice exams across multiple sources.
Other things that helped:
- I actively participated in an online study group hosted on StationX. I’d post a summary of my weekly progress, screenshots of quiz/test results, and articulate my intentions for the following week. This helped to keep me on track and accountable.
- I explained the CISSP concepts I was learning to friends and family members. Thor Pedersen is a big advocate of this, and I can attest that if you can’t teach it, you don’t really understand it.
- I invented mnemonics to memorize concepts I was struggling with but was unlikely to ever use in my day-to-day work.
- I researched topics from sources that were not CISSP-specific/centric (e.g., cryptographic systems, networking concepts, security models, etc.). The CBK doesn’t always go into detail, so having additional sources of information helped to contextualize what I was learning.
In a conversation with Nathan House, CEO of StationX, shortly after passing the exam, he said to me:
“I knew you would pass. If not the first time then the next. Because I see it all the time. The people who pass are those that simply start and keep going. They have grit and determination. They show up. Then there is everyone else. They don’t.”
I think there’s a lot of truth to that. Passing the CISSP exam has been a professional goal of mine for years, and I wasn’t entirely sure I could do it until I did. It’s also important to understand who it’s for and what it’s supposed to represent.
This is not an entry-level certification, despite many job postings that would allude to the contrary. It’s intended for experienced professionals with 5 years of experience (or 4 years of experience and a four-year degree or one of a handful of certifications).
That’s not to say that you couldn’t study hard and pass it with little to no preparation or experience; some have, but why would you want to? What would this prove other than to suggest that you’re a good test taker? Waiting until I had the requisite experience, desire, and incentives made the process all the more worthwhile to me.
My best advice to anyone considering taking CISSP is to ensure that you have as much time as you feel you need; think of it as a marathon rather than a sprint. For me, this was about four and a half months. As you work your way through the process, test your knowledge often and focus your time on the areas you’re weakest in.
Above all, try to learn, retain, and apply something new every day.