CISSP 2015 passed first attempt - some tips and notes
GlobalNomadDad
Registered Users Posts: 1
Hi folks - greetings from Jerusalem! I passed the exam yesterday, and wanted to write up what worked for me for those of you still studying out there.
First some background - I have 15 years of experience working in both Network Administration and IT Security. Prior to that, I was a software developer - mainly working with database development. I can’t stress enough that real world experience does help when it comes to this exam. For the vast majority of the questions I saw yesterday, I would ask myself something along the lines of “what answer would make sense in my workplace environment?” Of course you’ll need at least four years of experience to get credentialed. Experience alone probably won’t get you a pass. Though some of the CISSP domains were fairly familiar to me, others certainly were not - so I did need to add a lot of self-study on top of what I do during the work day.
I started studying in February - reading Eric Conrad’s CISSP Study Guide, Second Edition cover to cover, and taking notes (almost 60 pages worth by the end) as I went along. I used Shon Harris’ CISSP All In One Study Guide, Sixth Edition to “dive deep” into topics I needed more information on. It was also my primary “reference material” - where I’d go to look up topics as I had questions. The change of domains in April set me back… I had planned to take the exam in May, but was worried that there would be a lot of new material covered - material which is not yet covered in decent study guides. I self-studied exclusively - no boot camps or formal classes.
Based on my test yesterday, I’d say that probably 80-90% of the topics were covered in one of the two references listed above. For the new stuff, the review of what’s new in CISSP 2015, from cccure was excellent - with links to some good reading material on topics such as embedded systems / Internet of Things, mobile devices, VoIP, Cloud and Federated Identity systems, sandboxing and more. My advice on the new material? Don’t sweat it. If you’re working in IT and fairly conversant on current topics in our field, a lot of this stuff is going to be pretty much “common sense.” Make sure you’re solid on the material in the original 10 domains, do some extra studying using the cccure references and you’ll be fine.
Next tip is to study a lot of questions. I’d guess that I probably went through over 5000 overall. There are tons of them out there. I found cccure’s to be the best. Not just because there are a lot of them, but because the questions and answers have been peer reviewed, and the descriptions in the answers are excellent. Not sure why the domain is freepracticetests.org, as they are (no longer) free… but the $90 for three months of access was worth it. Their dashboard tells me I took 50 quizzes in the last two months - covering almost 3000 questions. I also went through all the questions in the Eric Conrad book, as well as those available online. I found the questions in the Shon Harris book to be the most challenging - as they tended to require an in-depth knowledge of each of the topics - particularly the “scenario based” questions. Online communities such as this one were also valuable resources.
Finally - for additional review during the last two weeks, I purchased the PocketPrep app for my iPad - with 600 CISSP questions. I found this app much less useful. Most questions were brief and typically very poorly written, and answers offered no in-depth explanations. I’m not convinced that all of the answers given were correct. Many appeared to be based verbatim on some random snippet of text from the Harris text or some other guide on the internet. However, it never hurts to have more questions thrown your way, and these were no exception.
Overall, I’d guess I reviewed something in the range of 5000+ questions (not all unique) in the past 3 months or so when I set a test date and really started buckling down.
Here’s my strong recommendation for practice tests. DON’T focus on memorizing answers. Out of the 5,000 or so questions I went over, I’m pretty sure I didn’t see a single one on the actual test. Instead, focus on using the questions to learn the topics… particularly why the correct answers are correct, and why the incorrect answers are not. Don’t get discouraged if you don’t get high scores to begin with. Instead, use your incorrect answers as your most telling guide to what topics you need to review the most. If you sign up with cccure, you’ll get good explanations for each question/answer. If you understand the “why” of each answer, it really doesn’t matter exactly how the question is worded… you’ll know the material, and you’ll ace the test.
Of course, there are some areas among the 8 domains where you do need to commit facts to memory… key and block sizes of various encryption algorithms; IP addressing; TCP header values and well known ports; ISO and IEEE 802 standards; OSI and TCP/IP network models; Common Criteria and Orange Book standards and what’s in them. Make yourself flash cards and drill, drill, drill.
For my last week, I reviewed each of the chapter summaries from Harris; and re-took each of her chapter end quizzes (as I mentioned before, they’re hard - I was getting 60-80% on most). Ran through additional tests on cccure and PocketPrep. I did one last “full length” 250 question test last weekend. This test is a long slog, and you have to be prepared for it. Rote memorization is my weakness, and I was reviewing info on 3x5 flash cards right up to walking through the test center door.
I finished the initial pass in about 2 hours, without a break. Did a second pass in about 45 minutes, and changed 4-5 answers along the way. Caught a couple of questions where I had failed to notice the NOT or INCORRECT in the question, and had to flip my answer - be careful about these! Completed the exam at about the 3 hour mark, feeling pretty solid. Got the “Congratulations, you have completed the exam” message and had a moment of doubt… “completed??” what does that mean? Finally got the coveted “Congratulations, you’ve passed” printout from the test center printer, and knew I was good.
A couple quick thoughts from the exam itself… 250 questions is indeed a lot of questions. I’ve taken a lot of MS and CompTIA cert exams, and don’t recall any of them being nearly as long as the CISSP. However, the questions were written very well, and were very clear - not much “trickery”, and there didn’t seem to be a focus on getting “ISC2’s answer” (unlike with the MS exams, where you really have to understand how MS would want you to answer the question). I only saw one or two that I really had no clue about… even with those though, you can make a very educated guess by ruling out at least two of the answers as distractors, and then guessing between the remaining answers.
Hope this is helpful to those out there still studying - and please let me know if you have any questions!
Comments
-
CLICK Member Posts: 88
Awesome write up, thanks for the details, very much appreciated and BIG CONGRATS!!!
-
@bh!4u Member Posts: 12
Congrats on the pass and excellent write up of your study plan and resources.
-
Mike7 Member Posts: 1,112
GlobalNomadDad wrote: » I can’t stress enough that real world experience does help when it comes to this exam.
Congrats! Thanks for the write up.
This was exactly how I felt when I took the exam early this year. Experience helps!
-
sameoj Member Posts: 366
Congrats. Kindly let me know how long it took you to prepare for the 2015 CISSP exam version since it was changed in April 2015 and you initially had planned to write in May 2015.
Once again, congrats and good write up.
-
maxer Member Posts: 11
Very good walk through, would it be possible to share the notes??
Congrats!!!!
-
freedom777 Member Posts: 32
Big Congrats! Thank you for sharing your thoughts and advice.
-
Eburon Member Posts: 29
Congratulations and thank you for sharing the info - very valuable.
-
OM602 Member Posts: 56
Congrats, and thanks for helping others with your info.
I would say that knowing port numbers from the top of your head is more useful than trivialities regarding encryption algorithms (I feel you should just know which one to use).
The world chico, and everything in it