Certification: Passing the CISSP Exam

What is CISSP?

“The Certified Information Systems Security Professional (CISSP) is the most globally recognized certification in the information security market. CISSP validates an information security professional’s deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization.” (ISC)²

The spectrum of topics included in the CISSP Common Body of Knowledge (CBK) ensures that candidates are competent in the following 8 domains:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

Who is CISSP for?

The CISSP certification is geared towards information security professionals with at least five years of cumulative, paid work experience in two or more of the eight domains above (a four-year degree or an approved credential waives one year). It is held by people across a wide range of roles, from hands-on technical positions to management. As of July 1, 2020, there were 141,607 (ISC)² members holding the CISSP certification worldwide.

The certification is taken by individuals who are serious about their careers and intend to stay in the field and grow.

The certification is usually listed as a prerequisite or an asset on job listings for senior-level roles. A growing number of entry-level postings also list it, which is usually a sign that the company is ticking boxes rather than looking for the best candidate: an entry-level candidate cannot meet the five-year experience requirement.

In his blog post, Daniel Miessler says, “What people fail to realize is that it’s geared for high-level security professionals such as managers. Obviously, anyone can go for it, but it’s not designed to test technical skills or the ability to actually perform in the trenches of an infosec environment… It’s a test designed to ensure that you are familiar with some basic concepts; it’s when people lose sight of this that the confusion starts.”

Moreover, the CISSP is usually pursued because of its high regard in the industry. For example, in 2020 UK NARIC assessed the certification as comparable to a master’s degree (RQF Level 7), which drew considerable backlash from the InfoSec community on Twitter.

Whatever your reasons for taking the certification, and no matter what anybody says, it will definitely provide value to your career, as it is the king of InfoSec certs.

Note to the Reader

Before I attempted the CISSP, I was already an (ISC)² member and held the SSCP certification. The SSCP is a more compact, operations-focused (ISC)² certification that introduces the candidate to much of the same terminology and many of the same topics.

I highly recommend the SSCP certification for anyone not yet ready for the CISSP exam.

Studying for the CISSP

The following section will detail how I studied for the CISSP. This isn’t necessarily how you should study for the exam, but this is the way I tackle any certification exam.

Training Materials – Sybex Study Guide

The Sybex study guides, meaning the Official Study Guide textbook and the corresponding Official Practice Tests book, are all you should need to study for and write the exam.

The textbook is thick: 21 chapters of material, each covering one or more of the 8 CISSP domains.

The practice tests book comes with 100-120 practice questions for each of the 8 domains and an additional 5 exams with 125 questions each, for a total of 1334 questions.

How to Study

The Material

The method in which I studied the material was to take one chapter a night and write it out completely in Microsoft Word. This was a painstaking task that took over a month. The final product was a Word document of 88,000+ words over 335 pages.

After completing the main textbook, I turned to the short-answer questions at the end of each chapter. Again, I manually wrote out every question and answer so that it was understood as muscle memory. There are approximately 105 of these questions.

After completing these two documents I had a solid grasp of nearly every concept covered in the CISSP. I then re-read each section and highlighted anything I didn’t completely understand or couldn’t remember.

There is no way to sugarcoat this: it was extremely boring, and I had to keep myself motivated by reading posts from people who had just passed, telling myself, “If they can do it, I can too.” The material is dry and repetitive, so get into a routine and don’t give up. Set goals for yourself, such as one chapter a night or five chapters a week.

Practice Questions

The next task was doing all the practice questions.

There are 420 multiple-choice questions in the main textbook (20 per chapter) and 1334 in the practice test book, for a grand total of 1754 multiple-choice questions from the official material.

I recommend using the Wiley online test bank to build your own quizzes and attempt ALL of the questions. You can see below what that looks like.

After completing all the questions once, I built new quizzes from the questions I had failed or struggled with to reinforce the areas where I was weak.

After completing these, I knew I was ready to book and write the exam. The rest is history.

Additional Links

Last updated for accuracy: July 27, 2020.