Around the middle of January, I decided to commit to studying for the Certified Information Systems Security Professional (CISSP) exam. The CISSP was something that had sat on my list of goals for at least the last few years, and I finally made the call to dedicate the required time and effort to passing this exam. I always knew that the CISSP would be a certification I would attain at some point in my career, and various factors meant that I found myself in a position with the required time and motivation to finally knuckle down and give it a good go.
I studied almost every day over a 6-week period, spending around 40-50 hours total before sitting my exam last Friday, March 4th. I passed after answering 100 questions, taking just under 90 minutes to complete the exam.
This blog post will cover the method and resources I used to study, before I give some of my thoughts about the CISSP exam and course content overall.
The first thing I realized was how much I had underestimated the sheer amount of content that is contained within the CISSP syllabus. After viewing the number of pages there are in the Official Study Guide, and struggling through the first chapter, I knew reading the entire thing was going to be an extremely difficult task for me specifically.
Instead, I opted to go for a more video-centric approach to familiarize myself with the content, and then focus heavily on practice questions to reinforce concepts I understood and identify any areas I was less familiar with. This comprised the bulk of my study efforts. After a 4-week study period I felt like I was ‘peaking’, and putting the exam off any longer than necessary would begin to make things worse, so I scheduled the exam for 2 weeks later to give myself another fortnight of intensive study before sitting it.
In the final week leading up to the exam I reviewed some summary resources to really make sure I was comfortable with everything covered across the 8 CISSP domains. I also viewed a couple of YouTube videos dedicated to the exam itself to help ensure I approached each question with an effective mindset.
In total, I watched around 22 hours of video content, answered over 2000 practice questions and read through 3 different summary resources before sitting and passing the CISSP exam.
Video Course Content
This was the primary method I used to actually learn the content required for the CISSP exam. At a little over 15 hours, the videos presented by Kelly provided just the right level of depth and detail required to understand the overall concepts of the 8 domains. Kelly also delivered her content in an easy to understand way, so it never got too boring or difficult to comprehend. I took notes of everything covered in this course to assist with committing the content to memory as opposed to just passively watching the videos.
Overall, this was probably the most effective resource I used to actually learn the material, and I’d highly recommend this to anyone who is more inclined towards videos rather than written material like I am.
Following on from the more in depth content on Cybrary, I watched the CISSP MindMap videos presented by the Destination Certification YouTube channel. These helped to review the concepts and content of each domain, and reinforce the learning I took from the Cybrary course. While these videos did not go into too much depth, I’d still recommend this as a resource once you have become familiar with the majority of the content. I mainly passively watched these videos, only taking notes during moments where I felt something was particularly useful or worth writing down.
Practice Questions and Exams
I found these practice exams to be fairly easy, acting more as pure ‘knowledge check’ questions that were a bit easier than the questions I saw on the CISSP exam, which required more interpretation. I did find this question style useful for studying purposes though, as any incorrect answers were strong indicators that I didn’t understand the content well enough, rather than individual errors in my judgement or interpretation of the question.
For every incorrect question, I would read the explanation and then read the relevant section of the Official Study Guide if I felt like I needed to review the content in greater depth than what the answer explanation provided.
Note: I averaged around 80% for each of these practice exams.
These practice exams came highly recommended on Reddit, so I decided to give them a try when I saw they were running a promotional sale. These questions were much more similar to the actual exam in format and style, which helped prepare me for the type of interpretation skills and mindset required in the exam itself. However, many of the questions were far too technical in my opinion, asking extremely specific questions about relatively obscure sections of the syllabus. I even noticed some questions about topics that I could not find referenced in the Official Study Guide. This was frustrating at times, as it made me question whether I knew the content in enough detail, which ultimately wasn’t an issue when it came to the questions asked in the exam.
One huge positive for these practice questions was the quality of the explanations offered for each answer. I found these to all have a very good level of detail, with direct references to documentation for further reading. This also helped with my learning of content that I didn’t already know sufficiently.
Note: I averaged around 70% for each of these practice exams.
Books and Written Resources
As mentioned above, I did not read this ‘cover to cover’ like many other CISSP holders recommend. I personally felt it was too wordy and found it a difficult read.
Where I found this to be the most useful was when I needed to read up on specific things that I hadn’t yet fully grasped. Going back through chapters or sections based on the results of practice exams helped ensure I had no gaps in my understanding of the course content. By the time I was finalizing my preparations for the exam, I had a good feel for what my strengths and weaknesses were. Being able to quickly re-read the sections I was comparatively weaker in helped provide a bit more confidence going into the exam.
This was probably the most useful written resource, and I highly recommend this for people who are in the last couple of weeks of exam preparation. The Memory Palace is essentially a distilled version of the Official Study Guide, and packs in as much information as it can into a single PDF document.
I reviewed this PDF over the course of a day, taking extensive notes as I went. If I came across a section where I wasn’t too comfortable with my current level of understanding I would note this down for a more in-depth review later on.
Very similar to The Memory Palace, I quickly reviewed this document but personally found it to be a bit more convoluted comparatively. Still a useful resource, but it largely fulfills the same purpose as The Memory Palace, which I had already gone through by the time I reviewed the Sunflower CISSP document.
This is a published book which also serves as a resource to quickly review the CISSP content. I found it less ‘to the point’ compared to The Memory Palace and more wordy overall, which made it harder for me to digest. It was a fairly easy read though, and helped to solidify my overall knowledge of the content contained in each of the 8 domains.
Exam Tricks and Tips Videos
The day before my exam, I watched the following videos on YouTube for some last minute tips on how to approach the questions in the exam. I’d recommend both of these videos, as well as the channels in general, both of which have a range of useful videos relevant to the CISSP that would be valuable for anyone wanting to review parts of the course content.
Studying for the CISSP was considerably more difficult than I initially thought it would be. There was far more content across the 8 domains than I had expected, with a surprising amount of technical detail contained in some of the domains. I had to study much harder and for longer than I had anticipated, which made passing the exam feel like a real achievement. Although I did this over a relatively short 6-week period, I put in a significant amount of time and effort in order to accomplish this goal, which is always a satisfying feeling.
With that said, I don’t think the knowledge I gained is really relevant to the work I do on a day to day basis, and I can’t really see how passing the CISSP has made me a better security professional overall either. The content is almost exclusively theoretical, and doesn’t offer too much that could be considered practical or useful in the majority of situations. While it’s good to understand how cryptography works, knowing the different symmetric encryption algorithms and the various key sizes is very rarely going to be useful in an everyday scenario.
Regardless of whether or not I think the CISSP is worthy of its status within the cyber security industry, I’m glad to have accomplished one of my long-term goals. This certification has sat at the top of my list since I started in cyber security, and it’s great to have this finally checked off.
For anyone thinking of studying for the CISSP, I hope this post helps to plan out your own method for study. Please feel free to leave comments or get in touch with any questions, I’m more than happy to help!