Also Passed on Dec 1
Well, I passed. My 50,000 foot impression of the exam is that it asked mostly briefly worded questions which conveyed complexity in an economy of words.
I paced methodically through it in one sweep for 4.5 hours then took a break followed by a very short review. I should have taken Ibuprofen before the exam because my back hurt by the end. I also should have taken a break at question 125. I didn't mark any questions because I felt I either knew the answer or I narrowed it down and took my best shot, often choosing the more "responsible manager" response (based on appropriate roles, due care, and due diligence). Be very cautious when changing answers.
Definitely understand how public key and symmetric key cryptosystems work (and their practical application and real-world value) and how IPsec and the OSI/TCP-IP models work (as well as the attacks and mitigations for different protocols). Fully understand the access control models. I wouldn't focus on outdated evaluation models, but current ones are worth your time. Read ISC2's "Security in the Skies" article (which discusses cloud security concerns very clearly). If it feels like you're too far into the weeds, you probably are.
I think the advice I received to approach this exam like a manager is spot-on and there were many questions where you could have reasonably picked a more technical answer, but the management-centric answer was BETTER. As others have written here, plenty of BEST, FIRST, and WHO questions. If you took the PMP, you know it's all about processes and sequences. Cough, cough, this exam was quite familiar in that respect. I recommend process sequence flash cards for all the domains. Anywhere a process is cited, understand it and write it out to help commit the sequential steps to memory.
In my studying, in relative order of priority, I focused on Risk Analysis, Cryptography, BCP/DRP, Telecomm/Networking, and Access Control. I found (as expected) that the exam covered these and the other domains in an applied manner (rather than fact regurgitation). You have to understand and be able to apply CISSP CBK content in an IT management advisory context.
Every pass through CISSP content is valuable and your understanding will increase. Even people that are very competent in specific domains may need to tweak their understanding to match the CBK. I recommend concentrating your studying and drilling over a period of no more than 8 weeks (of increasing intensity) leading up to your test date.
All in all, I think the CISSP tied together concepts and subjects I've been working with professionally for 20 years. I learned some new things and deepened my familiarity with others in a way that will help me in my career. I found this exam a bit more difficult than the CISA (which I took last June).
Resources:
(NOTE: Based on the realignment of CISSP domain content, there are new editions of many of the resources below--some have been updated, others are about to be released. I think you would do fine with the existing books since the realignment doesn't really change anything on a substantive level.)
ISC2 Official Guide (Sybex 2015) Study Guide (my primary resource, read slowly, took all the chapter exams). This is a deeper dive than Conrad, but not as needlessly wordy as the AIO or the CBK (which was simply filled with needless words). This book provides a decent online test bank including all the end-of-chapter tests (if you want to take them online) as well as four 250 question exams.
Cybrary (great--FREE--auditory resource that I uploaded to my phone) I watched almost all of the webinar sets and contributed $50 to their site. The webinar set isn't 100% complete though (download and browse the slides to find the gaps). This resource nicely augments reading.
CCCure (paid questions, 2015 test bank, pro setting, unattempted questions only). I've been drilling for a couple months, 25 here, 50 there. I covered the whole test bank. The key is to study the answers you got wrong. Ask yourself: Why did I get that wrong? How can I remember this? etc. I can't emphasize how important it is to set the test bank to only provide unattempted questions, otherwise you'll answer based on question memorization and that could give you the impression that you're doing better than you actually are. This web site looks clunky and isn't the most polished, but it works very well. You can register through https://www.freepracticetests.org/quiz/index.php
Transcender (I will say the drag and drop questions on Transcender were incredibly easy compared to the exam and not at all challenging). The exam is standardized on 4 answer options, unlike Transcender. In general, it seems like Transcender asked a lot of check-all-that-apply, or choose "A, B, and D" or "C and B", which didn't feel like the actual exam. I would only get Transcender if you've exhausted CCCure.
CBT Nuggets 2015 Video set (I paid for this, but only used a little bit of it). It is a high quality production. Be warned: Keith Barker is over-the-top enthusiastic. I would have used this more if they had a way to securely download the audio for off-line listening. Keith is definitely right about setting a test date to focus your efforts.
On classroom-based review courses... If your employer is willing to pay for, or give you time to attend, a review course, then the time away from your work duties is the key value. I don't think most review courses will provide more content-level value than Cybrary and CBT Nuggets.
Sunflower (reviewed the day before)
Conrad 11th Hour (reviewed the day before)
CISSP Cert Guide (Pearson 2014) (a few bits). This is a surprisingly well written book. I think it competes well with Conrad. It has an easier reading feel to it than the Sybex book, and if I were to do it all over again, I might have used it as a primary read.
Dummies (I would have read this had I had more time. It would probably serve as a good first-pass through the content as their writing style is easy-to-digest.)
Conrad Study Guide (I read several chapters, but not the whole thing) Everyone seems to gravitate to this (admittedly well written) book because it's shorter, but I don't think it covers everything at the level of detail you may need to pass. I'm just sayin'...
AIO - I read 120 pages early on and said forget it. I didn't much like the AIO questions.
CBK - Not a readable resource in my opinion. Good for weight lifting or self-defense.
Comments
clarkincnet:
Congrats and thanks for the review.
Give a hacker an exploit, and they will have access for a day, BUT teach them to phish, and they will have access for the rest of their lives!
Have: CISSP, CISM, CRISC, CGEIT, ITIL-F
Clm:
Congrats.
I find your lack of Cloud Security Disturbing!!!!!!!!!
Connect with me on LinkedIn https://www.linkedin.com/in/myerscraig
NotHackingYou:
Congratulations, thank you for sharing your study plan.
When you go the extra mile, there's no traffic.
havoc64:
"CBK - Not a readable resource in my opinion."
Couldn't agree more. I read the first two chapters and wanted to put a fork in my eye.. lol
Congrats!
fegbada:
Hi, congrats for this wonderful experience. I however failed in my first attempt, which was scheduled for 4th of Dec 2015 (last week Friday).
My discoveries are as follows:
The CISSP CBK does not provide detailed information that will sufficiently enable you to pass the exam, as 70% of the exam questions cannot be linked in any way to the CBK study guide.
In conclusion, I feel that the CBK is needed for reference or to consolidate your studies; hence other detailed sources of study are needed.
With the above understanding, I will need your help on the best way forward to pass this exam, as I hope to retake the exam by the second week of next month, which is January.
In addition, I have the 7th edition of Shon Harris, but your contribution on other sources of material will be highly appreciated.
Thanks for your assistance.
Dan-in-MD:
I wouldn't use the ISC2 CBK or Shon Harris AIO if I was paid $600. The first is poorly written, and the second is just too wordy and the questions seemed overly involved. Look above to see my study resource recommendations.
For any exam, you need to absorb knowledge and train yourself in test taking.
I don't think knowledge is optimally absorbed in one pass, but through multiple exposures from different angles. Over the course of six weeks, I went through classroom training (with a workbook as part of that class), Cybrary, the Sybex Official Guide, all of the CCCure 2015 paid question bank, and 11th Hour. I took some Transcender questions, and read parts of Conrad, Shon Harris, the CBK, Dummies, CBT Nuggets, and Cert Guide. In my opinion, no one resource is sufficient. I acquired these resources because I wanted to determine which were good, and which weren't. I wanted to invest my time with the best.
I study to understand, not just get through a test. So if something doesn't make sense, I re-read it until it does. If I get a question wrong, I study the explanation.
You can be very knowledgeable, but still fail the exam because you don't understand how to approach the test, manage your time, parse the questions, reason out the false answers, and narrow down the right answer. This is where up-to-date practice exams are beneficial. The problem is that many of the practice exams are asking questions about the Orange Book, classful addressing, and other obscure technical trivia. Others have question structures that do not reflect the exam.