Passed CISSP on 4/3

I registered here just to send out a thank you to this community for giving me advice and study tools to help me pass. It made a huge difference. To pay back, I'll try to give you my experience and study tools I used to pass (making sure I don't violate NDA, of course).

My experience: I'm a Network Engineer for a technology company and have been working in IT for over 12 years. Jobs held in the past: Field IT Technician, a Systems Admin for Windows/AD/Netware networks, Virtualization (VMware) Admin and Engineer, and as a Network Admin and Engineer. I now mostly deal with Cisco firewalls, routers, and switches with heavy focus on firewall security, VPN management for users and office tunnels, and wireless deployments.

Time taken to study: 6 weeks - Typically I averaged between 4 and 5 hours a day on days I did study (5 days/week typically). Took 3 days off work before test to really focus and solidify my knowledge and those days I put in a min of 12 hours with a couple 1 hour breaks here and there.

Tools used and notes:

CBT Nuggets CISSP Course - Good start to get the groundwork for the CISSP but NOT to use as a sole source of information. There's a lot not covered in the course that is heavily relevant to the test. During the course, I made notes on a separate text file per video so I could go back and look and focus on specific domains without having to search through a wall of text. Also found it really helped to use a fixed width font and indent as I'm a very visual person and it helped me to find and organize the concepts much better.

Syngress CISSP Study Guide - 2nd Edition (Eric Conrad, Seth Misenar, Joshua Feldman) - Read it cover to cover. If I didn't understand a specific concept, I'd go online and search until I found a good page to fully explain it to me in a way that I could understand better than the book was explaining. I took notes per domain as I read through the book. Again, organizing with indents so I could visualize and find info faster. Some notes I never went back to but that was not the main reason I took notes. It was to solidify it in my head by repeating it. I made sure to type it out in my own words and not use verbatim from the book as I took notes.

CCCure.org Practice Tests - These helped identify areas I really need to study more but that was far less valuable than specific explanations of why I got an answer wrong or right. I didn't just read explanations for the questions I got wrong, I did it for all questions. I'd typically take 100 and 150 tests and did a couple 250s. It'll take you forever but taking a 250 and then going through and reading all explanations of all questions (especially WHY specific answers are incorrect) really helps.

Transcender Practice Tests (given to you with subscription to CBT Nuggets) - These had much more in-depth technical questions. Sometimes, WAY too in-depth. Technical questions should only go as deep as is needed to give you the understanding of how secure the control/solution is and why or simply how it works. I think Transcender test writers lost sight of that. It's more important to know that DES is less secure than AES than it is to know that how many rounds each algorithm performs. I would recommend using both CCCure and Transcender as it is good to get explanations from multiple sources to really help you conceptualize properly (which is ABSOLUTELY the most important thing you need to do to pass the test).

11th Hour - Eric Conrad - Incredible crunch time book I went through the day before the test. Do not use this book for your main resource. It's there to help you recall and solidify what you've already learned from your other materials.

Tips:

Because I work in networking, Domain 2 was very easy for me. Without having this background, I would have had a VERY hard time packing this knowledge in with all the others here. You truly do need to have experience in 2+ domains to pass this test due to incredible amount of knowledge in this test. Either that or study for a very long time (or have photographic memory!). From just my personal experience of learning networking fundamentals in the past, I'd say focus on understanding how the OSI model works. Memorizing the layers does not do much for you. You need to understand how these layers apply to specific technologies and protocols and WHY they do. I'd even go as far (if you have no experience in networking) to recommend downloading and installing Wireshark on your laptop. Do some packet captures and start looking at them. See how they are organized. How they encapsulate. Where certain data is located in the layers. Wireshark does a great job of visualizing how packets are organized.

My weak points were Domain 4 (Software Development Security), and Domain 8 (BCP/DRP). Domain 4 really got me good. I'd go back to the big book and reread that chapter and grill myself until I got it. I didn't do practice tests on specific areas. I used tests to grill me and flag CONCEPTS I was having a hard time with, not entire domains. Then I'd read the explanations in the questions and go back to chapters and focus on those specific concepts I was lacking in rather than wasting time with stuff I already had down.

Memorizing definitions and steps shouldn't be a focus. The definitions only give you the ability to speak the language. You cannot pass this test through memorization alone. You can only pass through conceptualizing. The goal is to understand the logical reasons behind WHY. The most important thing to understand is what is the best and most secure solution/practice/procedure and why one might be better than another in different situations. I can't stress that enough.

Just as most of the books say, legal requirements and human life are at the top of the heap in terms of priority.

Understand the ISC2 CISSP Code of Ethics agreement. Understand the canons and apply them in top-to-bottom order when confronted with a dilemma.

If you smoke, put a patch on, you can't chew gum, snus or go outside to smoke once you've started the test. The patch kept me from letting a craving distract me.

Eat something heavy that will burn off slow before going in (I ate a big bowl of oatmeal with bananas and didn't start getting hungry until I was done with the test).

Many on here said they thought the actual test was easier than the practice exams. I could not disagree more. I thought the test was WAY harder than the practice exams and I have a lot more respect for this cert now that I've witnessed how hard it is and how it really does a good job of evaluating your understanding of the knowledge. I've done Novell Engineer certs back in the day, Microsoft certs, Cisco certs... nothing has been as challenging as this test. UNDERSTAND... don't memorize.

By the time I finished the test, I was pretty sure I wouldn't pass. The test really makes you doubt yourself a lot. Don't let it get to you. Focus on one question at a time, get through it, go to the next. Don't read into questions, only base your answers off the info presented to you. Nothing can be inferred. This test is a feat of super-natural stamina.

So, hopefully, this helps repay my debt to this awesome community for their tips and tools they gave me. If you're taking the test soon, I wish you the best of luck.

Find more posts tagged with

Comments

seigex

Congrats on the pass!

cyberguypr

Congrats on the pass and thanks for the detailed writeup.

Chuzpah

Congrats on passing this monster! 8 days until I enter the belly of the beast for my attempt!

Great post and thanks for the tips.

Veei

Good luck, Chuzpah!

Mentality

Congrats, way to go.

I have a question about the exam breaks: Do they get deducted from the total of 6 hours, or they are fixed intervals of 10-15 minutes each that are set aside?

I know it might sound like a horribly stupid question, but I have never took an exam where breaks were allowed and my CISSP exam is next week, s I had to ask.

Robertf969

Congrats on the pass

papadoc

Congrats! Very thorough and solid study plan.

Just so people don't get scared of this exam, I was one of the ones that made that comment. The exam was definitely clearer and easier than the practice exams I took from MH and Transcender.

Also, there was some inference in the questions, I detected at least four questions with clear inference to previous ones that helped me answer them.

mjsinhsv

Mentality wrote: »

Congrats, way to go.

I have a question about the exam breaks: Do they get deducted from the total of 6 hours, or they are fixed intervals of 10-15 minutes each that are set aside?

I know it might sound like a horribly stupid question, but I have never took an exam where breaks were allowed and my CISSP exam is next week, s I had to ask.

Not a stupid question at all.
You are allowed to take breaks but are not required to take any breaks.

The breaks are not scheduled and the clock keeps ticking while you take a break.

ISC allows 6 hours to complete the test. I've heard of people completing the test in 2.5 hours without taking any breaks.
Have also heard of people taking the full 6 hours to complete the exam.
Depends on how prepared you are.

I took two 10 minute breaks to clear my head and stretch when I took the test and finished around 3.5 hours including my review.

Good luck !

Mentality

Thank a lotmjsinhsv.
That sounds good, 2 or 3 breaks of 10 minutes sounds reasonable.

Veei

papadoc wrote: »

Congrats! Very thorough and solid study plan.

Just so people don't get scared of this exam, I was one of the ones that made that comment. The exam was definitely clearer and easier than the practice exams I took from MH and Transcender.

Also, there was some inference in the questions, I detected at least four questions with clear inference to previous ones that helped me answer them.

Definitely wasn't my intent to scare people but, for a very expensive and long test, I'd like to help people know what to expect. Most of the 1500+ questions I answered with Transcender and CCCure were by far easier for me than the test. There were straight-forward answers to most of the questions on the practice exams... not so on the real test. You really had to be careful of context because there was more than one right answer for MOST of the questions but only one could be singled out as the best based on the details given. I'm very surprised you found the actual test easier. Maybe the batch of questions you got were quite a bit different from the style of questions I got.

As for inference, I meant within a single question, you can't infer any extra information for a scenario type question than what they give you on that question. As for inference on questions that gave you answers to other questions, I don't believe I found more than one... at least for questions I wasn't sure on. They really do know how to make well constructed tests. My only beef was I got a handful of questions (maybe 10) that I felt really didn't give you enough information to properly answer the question as some extra context was left out.

I took a lot of time to complete the test. I was done with the last question with about 45 min to go. I did take a couple breaks in the middle though to stretch, use the restroom, etc... probably burned 30 min off the clock because of that. I took a LOT of time with questions as I was very paranoid about making sure I had read and comprehended the details correctly. Perhaps my short 6 week timeline is the reason I felt the actual test harder than the practice or perhaps bad luck on the batch of questions given to me but I was getting 85+% on the practice exams and felt confident going in.

Chuzpah

Veei wrote: »

Good luck, Chuzpah!

Thanks!

rickberr

Congratulations!

rickberr

Chuzpah, good luck on your exam!

lpmndcte

Congratulations Veei...

Spin Lock

This is an excellent write-up! Thank you for taking the time to give back. Very thorough and helpful.

6 weeks total prep time for the CISSP? That's crazy short! Setting aside 4-5 hours per day to study is real dedication, but at least for me, I just can't study that many hours continuously and retain enough of the info. Hella of an accomplishment to get it done so quickly. Congrats.

Veei

Spin Lock wrote: »

This is an excellent write-up! Thank you for taking the time to give back. Very thorough and helpful.

6 weeks total prep time for the CISSP? That's crazy short! Setting aside 4-5 hours per day to study is real dedication, but at least for me, I just can't study that many hours continuously and retain enough of the info. Hella of an accomplishment to get it done so quickly. Congrats.

You're welcome! If it helps even one person, I'm happy.

Yeah, not the smartest decision I've ever made taking the test within 6 weeks. I wanted to get it done before the 4/15 change since I had already started on everything. Honestly, though, I'm not really sure whether another week would have helped me or not. I really had the material down and was scoring very well on the practice tests. I've read others on here that have done it in 5-6 weeks so I think that maybe it's just more due to my heavy exposure to most of the domains in my 12 or 13 years in IT that really affected it. A lot of it already committed to memory from day-to-day use (minus the SDLC and BCP/DRP stuff... grr).

papadoc

Interesting, how we can find the experience so different but that all depends on preparation and background as you stated. I started preparing since last year September. Philz1982 did tell me the exam was easy, but I didn't believe him until I took it. My opinion and it is my opinion only is that there is a huge amount of "hype" around this exam in terms of difficulty and I think because I've been in Infosec for over 15 years and operating at a CISO level, I found the management portion of the exam super easy to go through. The technical parts of the exam are much less in terms of rote memorization. Certainly one would find it much more difficult if they did not have the requisite experience. A lot of candidates that don't will over study for it, but that is the only way they can pass it, to make up for the lack of experience within infosec and/or mgmt.

The reason I think the Transcender tests were easier than the exam was because of the number of choices. Transcender can sometimes offer up to 7 possible answers and some of those are answers with multiple choices such as "All of them," or "a, b, "b, c, d, " "None of them," "a & c." The CISSP answer format is only four possible answers. To me, that made the exam much easier for me as elimination was much easier.

I don't think it was the specific "form" of the exam I received, I got a lot of BCP and Crypto along with Access Management questions, which I feel are areas where people have the most trouble.

You were scoring 85% on test questions, which is higher than where I was. I barely broke 80% on many of the Transcenders and was in the high 60s - mid 70s across all of the MH.

Veei wrote: »

Definitely wasn't my intent to scare people but, for a very expensive and long test, I'd like to help people know what to expect. Most of the 1500+ questions I answered with Transcender and CCCure were by far easier for me than the test. There were straight-forward answers to most of the questions on the practice exams... not so on the real test. You really had to be careful of context because there was more than one right answer for MOST of the questions but only one could be singled out as the best based on the details given. I'm very surprised you found the actual test easier. Maybe the batch of questions you got were quite a bit different from the style of questions I got.

As for inference, I meant within a single question, you can't infer any extra information for a scenario type question than what they give you on that question. As for inference on questions that gave you answers to other questions, I don't believe I found more than one... at least for questions I wasn't sure on. They really do know how to make well constructed tests. My only beef was I got a handful of questions (maybe 10) that I felt really didn't give you enough information to properly answer the question as some extra context was left out.

I took a lot of time to complete the test. I was done with the last question with about 45 min to go. I did take a couple breaks in the middle though to stretch, use the restroom, etc... probably burned 30 min off the clock because of that. I took a LOT of time with questions as I was very paranoid about making sure I had read and comprehended the details correctly. Perhaps my short 6 week timeline is the reason I felt the actual test harder than the practice or perhaps bad luck on the batch of questions given to me but I was getting 85+% on the practice exams and felt confident going in.

Veei

papadoc wrote: »

Interesting, how we can find the experience so different but that all depends on preparation and background as you stated. I started preparing since last year September. Philz1982 did tell me the exam was easy, but I didn't believe him until I took it. My opinion and it is my opinion only is that there is a huge amount of "hype" around this exam in terms of difficulty and I think because I've been in Infosec for over 15 years and operating at a CISO level, I found the management portion of the exam super easy to go through. The technical parts of the exam are much less in terms of rote memorization. Certainly one would find it much more difficult if they did not have the requisite experience. A lot of candidates that don't will over study for it, but that is the only way they can pass it, to make up for the lack of experience within infosec and/or mgmt.

That's true. My experience is much more technical and less management based. Most of the management based experience I have is on risk assessment. I don't think I can disclose the amount or type of questions I got asked on the actual exam but I'll say that the practice exams did not come close to prepping me for the type of questions that were presented to me on my test. Roll of the dice maybe or, perhaps, it's adaptable. That said, the practice exams are still VERY valuable because reading the explanations of each question really gives you a good understanding of why certain answers are right or wrong to help build your understanding of the concept. I found CCCure exams were more expertly crafted and less poorly worded. Both Transcender and CCCure had great explanations, though.

I can understand how some would view the Transcender exams as harder due to the possible multiple correct answers (i.e. A, B, and D only, All of the above, etc) but, to me, it was still very clear cut on what the correct answers were. More BEST/MOST type of questions would have been super valuable to preparation.

GForce75

Congrats and thanks posting useful information for everyone! 7 more days until the clock ticks for the new test.

Chuzpah

rickberr wrote: »

Chuzpah, good luck on your exam!

Thanks Rick! I feel about 95% ready for the exam on the 14th. I'm taking 250 question practice tests to help build my stamina as well as focusing on my weak areas (namely Cryptography, BCP, and Risk).