Passed CISSP - 20 Dec 2015 (Passing Formula)

Hello Everyone,

Greetings from London..

First, I would like to thank all who participated in this community to share experience on how to pass the CISSP exam.

I passed my second attempt this December. I failed my first attempt back in summer, that was BEFORE I discover this great forum and the advice on how to pass, what to read, how to practice.... I am grateful for you all for the rest of me life!

When I was reading all posts; the "Passed" posts and "Failed" posts, I was looking for a definite guaranteed formula for passing. I mean which books should I read etc. But the tricky part was when I see the person who writes the posts of passing says he/she got 15 or 20 years of experience in IT security, I get worried because I don't have such a long history in Security!

I only have 4 years of experience in IT Security, plus a postgraduate degree that helped me wave one year of the 5 years required experience to get CISSP certified!

So I decided if/when I pass, I will come back here and share my advice for ONLY those who are like me: a few years of experience in Security and are brave enough to sit the most challenging exam on the planet: C I S S P !!!

Look, to be honest, I bought all the books recommended by others in this forum (I mean it ALL BOOKS!). I am not going to list them here but go check all other posts. I read most of them but I feel it was really unnecessary for passing the test. Okay they are all good for general knowledge. But if you want the Shortcut to pass, keep reading the below...

But.........

My experience with this exam is summarised as follows:

1- ISC2 aim to make all CISSP certified security professionals to "speak the same language" of security, to share the same "sense" of security. The want us to be on the same page when thinking of security. Therefore, watch out of the "mindset" that you must reach in order to consider yourself fit for the exam.

2- ISC2 is serious about the "1 inch deep, 1 mile wide" philosophy. To pass the exam, just apply this concept in your study. Feel free to study deeper than the 1 inch of knowledge on every single domain, but you are not preparing for the exam, instead you are satisfying your knowledge which is a good thing BUT not necessary for this exam.

3- ISC2 are shifting the interest of CISSP exams from the old fashion security to a new fashion security. This means, unfortunately, all Shon Harris phenomena is now "Out of date". The exam writers seem to be "in love" with a new style of CISSP delivery represented in the SYBEX 7th Edition Book. I am sure those who have read both Shon's All in One book and those who read the Sybex 7th Edition know what I am talking about.

4- The CCCure practice tests are the MOST relevant to the actual exam. You need to subscribe and pay to get the questions bank. I have done all questions (1800+). Everytime I set it to 250 questions, I keep doing it until I get 80% pass. Make sure you do the "unattended questions" to make sure in every set you get new questions. Shon's practice books are "out of date". RIP Shon, I loved you so much, but ISC2 have moved on!

In summary, the formula to pass CISSP exam is:
===============================

Sybex + CCCure = Pass

Sybex: http://www.amazon.co.uk/Certified-Information-Security-Professional-Official/dp/1119042712
CCCure: https://www.freepracticetests.org/quiz/index.php?page=register

Notice:
=====
1- The exam questions are very VERY tricky. It is a game of English Wording! Read each question again and again until you get full insight of what the question is really asking you NOT what you think the question is.

2- When you read the question, watch out of ALL keywords in the question. Keyword-1 will take your brain focus into a topic. Keyword-2 will be combined with keyword-1 and will take your brain focus to a totally different topic.

3. Seriously, this exam is for MANAGERS not for Technicians. You will find questions that will drag you to technical stuff like a magnet. RESIST yourself and do not follow your Pride.

4. Your Previous Knowledge is your Worst Enemy in this exam. Do NOT, seriously I mean it, Do NOT apply your previous knowledge into this exam. Instead, use the "CISSP MINDSET" which is how to answer as per ISC2 Code of Ethics and as a Manager.

I will finish the post right here, I will come back for more insights and will answer all your questions mates

Best regards,
Lion

Find more posts tagged with

Comments

nothing007

Lion,
Well written your thought and concept....

I red most of the forum and every one said we need to approach this exam like a Managers....... ! Is there any book or model which represent how the manager think or approach.. Just kidding...

diabolusBR

First of all, Congrats. I also passed the test the same day.

The only thing you said that I kind of disagree is the CCCure formula, I had a completely different feeling from it. The CCCure had more of "AiO" style for me... had tons of questions focusing too much on the "mile deep" of the technical side AND the orange book.

For me, the test bank that helped the most was the Sybex. But hey, to each it's own. Both styles are somewhat different and both worked for both of us.

Maybe the best thing we can get out of it is the "try it all" fact and see what fits you. lol.

Once again, congratulations. Cheers!

danny069

Sybex 7th, and CCCure, this is also what I feel is enough to pass. I will watch the Cybrary vids as well. Congrats!

Gess

Thanks for the heads up about the Sybex 7th. Was going to start on the Harris book, even though I knew it was out of date, but I'll skip right up to the Sybex book. I liked them a lot for Sec+.

I've been reading the Conrad 11th Hour already. Any insight as to its relevance? It's not terribly deep but I don't want to waste time either.

jones551

Congrats

sydneysundar

Congrats!.. a month to go for my exam.. !!

TechGuru80

Shon Harris material such as the mp3s is still relevant. I did not read her book so I cannot comment on that but the technical information is still accurate. You should use newer materials when possible but some older stuff still works.

DAVIS NGUYEN

Congrats!

lion007

nothing007 wrote: »

Lion,
Well written your thought and concept....

I red most of the forum and every one said we need to approach this exam like a Managers....... ! Is there any book or model which represent how the manager think or approach.. Just kidding...

Hi nothing007,

Happy New Year to you and all wonderful members in this community

Your question is a Very good question and it is not a joke, I was wondering what a Manager Answer is!!! Because anyone who has never worked as a Manager, will not know how to pick up the Manager-based answer instead of the Technician-based answer.

The trick is:

If you have not been a Manager, then pick up the answer That Your Manager Would Pick Up

So for example, I am making up this question to explain this point:

Q/ What is the BEST approach to increase security in your organisation:

A- Install Bio-metric for physical access control.
B- Install Bio-metric for physical access control and Firewall/IDS/IPS for the logical access control.
C- Install Bio-metric for logical access control and Firewall/IDS/IPS for the physical access control.
D- Apply Defense in Depth.

Analysis:
======

(A) is one example of Physical Access Control.

(B) is one example of Physical Access Control and three examples of Logical Access Control... which looks right, innit?

(C) mmmm... this is a tricky one, because the examples in (B) are the same here BUT the the examples do NOT match the access control types. So this option (C) is trying to confuse me with the possible Right answer which is definitely (B)?? Maybe?

(D) mmmmm... this is tooooo short to be a good answer!! And what the heck is "Defense in Depth" anyway??!! Nah forget it... the right answer is absolutely (B)!! It stands as a good TECHNICAL ANSWER and MY PAST EXPERIENCE matches this way of thinking... Bio-metric physical access control is heaven for me! and Firewall/IDS/IPS is super right answer for ANY organisation, is it not!! ..... so I will go for (B)

You know what, you are WRONG!

Did you read the question? Again? And Again? Did you notice the Keyword "BEST"?

The Correct answer is the BEST answer you choose as a MANAGER... which is here (D) : Defense in Depth !

The concept of "Defense in Depth" is the answer that a Manager would choose. Because it implies all the physical & logical examples mentioned in (B) BUT not only this, it covers all the three main controls in CISSP: Physical + Logical + Administrative.

Got it?

That's how a Manager would answer such a question in this exam. That was an example of the "Magnet Effect" Questions that will try to confuse you and will always try to seduce you to go back to your First Sweetheart: Technical Stuff !! Remember??

Hope this example was good to differentiate between a Manager Answer and a Technical Answer.

HOWEVER, having said so, you may get a straightforward technical question, like what the Port Number of a specific Service/Protocol (POP3, IMAP, FTP, SSH, etc), the four options are only numbers, in such case just answer the BEST Technical answer among all possible Technical Answers. But again, such questions are not more than 10% of the entire exam, but I thought to mention it as NOT 100% of the questions are on testing your Managerial Skills. So be wise

Best of luck to all...

Lion

lion007

diabolusBR wrote: »

First of all, Congrats. I also passed the test the same day.

The only thing you said that I kind of disagree is the CCCure formula, I had a completely different feeling from it. The CCCure had more of "AiO" style for me... had tons of questions focusing too much on the "mile deep" of the technical side AND the orange book.

For me, the test bank that helped the most was the Sybex. But hey, to each it's own. Both styles are somewhat different and both worked for both of us.

Maybe the best thing we can get out of it is the "try it all" fact and see what fits you. lol.

Once again, congratulations. Cheers!

Hello diabolusBR,

Thanks man and congratulations to you too.... passing the exam is such a Big Effort!

Happy New Year

In response to your point, I have done all the questions in the end of all Chapters in the Sybex 7th Book, they are great, as well as the practice exams that you get after you register online when purchasing the book.

My philosophy of Recommending the CCCure in the Formula of passing, because assuming the candidate will have to read the Sybex 7th book cover to cover and practice all the Questions in the Book, this will kind of covering the same "Style" of the Questions in the Sybex Practice Questions Bank. Therefore, it is important to Test the Knowledge the candidate will get from the Sybex book in a Different battlefield which is Clement's CCCute. The Balance is great and it will prepare the candidates for CISSP exam to the "Minimum" preparation required to pass the exam.

The other beauty of CCCure questions is that, the questions are examining your understanding to the questions, they are Tricky too and as tricky as the real exam. Moreover, some questions are scenario-based which is something you will get in the real exam! The technical questions (e.g. the Orange Book geeky such!) are not necessary to pass so whatever you will answer should not affect your target score of 70%-80% when you do a 250-question round in CCCure bank. So I allow 20-30% wrong answers when I do CCCure questions, but hey - make sure you don't get wrong answers on Managerial stuff!

But I agree with you, the more and more you read and practice, the more you will score in the real exam. However, the Passing Score is 70% only So for those who are not Perfectionist and are looking for a Schortcut to pass, my formula will guarantee you passing with 70%. If you want to secure more than 70% to be in the safe side, the more reading/practicing will increase your passing score. But when you finish the exam, you will only be told: "You Passed!" - you will never know your score unless you fail. You pass, then you passed! You fail, you get your score in order to know where is your weakest domains to focus on in your next attempt.

One gentleman who has passed the CISSP exam in this forum posted something funny stuck in my mind when I was doing the exam. He said: In the exam, when you read the question and then read the 4 answers... watch out this:
- If you feel that all 4 answers are all correct or all wrong, then you will definitely fail.
- If you feel that 3 answers are correct and one is wrong, then you will also fail.
- If you feel that 2 answers are correct and 2 are wrong, then you have a 50% chance to pass! So make sure you pick up the Manager's answer and you will pass!
- If you feel that 1 answer is correct and 3 are wrong, then you must be either Shon Harris or Dr Clement! LOL And you will definitely pass!

I swear I don't want to show off, but having read ALL books, having done ALL CCCure and SYBEX practice tests, in 80% of the questions I felt that the correct answer is 1 out of the four! So guys, read more and practice ever more if you wanna feel confident that you will pass with more than 70% score which is the minimum to pass.

Thanks, and congrats once again

lion007

danny069 wrote: »

Sybex 7th, and CCCure, this is also what I feel is enough to pass. I will watch the Cybrary vids as well. Congrats!

Hi Danny, Happy New Year!

Yes what I forgot to mention is, the Cybrary Videos are the Best in making you on the right track. They are good in the sense that they narrow your focus on what matters to study - only if there were complete. Unfortunately, they don't cover the entire mile-wide area of CISSP.

Best of Luck

Danielm7

Congrats and good explanation of thinking like a manager. One thing that stuck with me from the cybrary videos was the idea of how human safety and life is always above everything else. An engineer might be thinking how you are going to restore data when the building is burning down, a (good) manager should think how to get the people out of the door and accounted for.

lion007

Gess wrote: »

Thanks for the heads up about the Sybex 7th. Was going to start on the Harris book, even though I knew it was out of date, but I'll skip right up to the Sybex book. I liked them a lot for Sec+.

I've been reading the Conrad 11th Hour already. Any insight as to its relevance? It's not terribly deep but I don't want to waste time either.

Hi Gess, Happy New Year!

You may keep Shon's AIO Book as a reference in case you wanna go beyond the inch-deep knowledge. She is good at explaining complex concepts OR some technical stuff which I sometimes keep forgetting it, such as the difference between Backup types (Full, Incremental, Differential) [the Parity Bit!] and she also gives a Wide range of examples on the Three Access Control types and its applications in a nice table. But again, do you have time to go beyond the inch-deep? If yes then why not?

This leads me to a BIG Advice: B]Set a Deadline for yourself to sit the exam[/B. If you leave it open, your psychological state will not push you to put enough efforts to do it ever, it is a tough exam and rather embarrassing to fail it! So pick up a date and start planning your time (evenings etc) to balance your readings and practicing.

Preparing for this exam requires : 50% Reading + 50% Practicing Tests

In response to your question re Conrad 11th Hour, I would call this book a Summary Book. It covers the Mile-wide but it does NOT cover the 1-inch-deep for this exam. I used it as the last revision piece the night before the exam. Remember, you don't want to exhaust your brain the Night Before the Exam. But if you want to revise the entire mile-wide in one day, just go through the Table of Contents of the Conrad's 11th Hour the night before the exam and if you feel that you wanna remember a concept quickly then jump into that topic. In summary, I wouldn't use Conrad as a Main source of reading, but instead only for quick revision when my brain needs a break!

Good luck

lion007

Danielm7 wrote: »

Congrats and good explanation of thinking like a manager. One thing that stuck with me from the cybrary videos was the idea of how human safety and life is always above everything else. An engineer might be thinking how you are going to restore data when the building is burning down, a (good) manager should think how to get the people out of the door and accounted for.

Thanks Daniel, and yes I remember Kelly mentioning that in the Cybrary videos, and it is very true and very applicable in the real exam, a Manager will always pick up Human Safety which is also the first point in the ISC2 Code of Ethics:

[h=2]Code of Ethics Preamble:[/h]

The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of certification.

[h=2]Code of Ethics Canons:[/h]

Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.

lion007

jones551 wrote: »

Congrats

Thanks Jones

lion007

sydneysundar wrote: »

Congrats!.. a month to go for my exam.. !!

Thanks sydneysundar, remember the formula (Sybex 7th edition Book + CCCure Practice test!)

lion007

TechGuru80 wrote: »

Shon Harris material such as the mp3s is still relevant. I did not read her book so I cannot comment on that but the technical information is still accurate. You should use newer materials when possible but some older stuff still works.

Hi TechGuru, I have read Shon's All-in-One Book and have watched her entire CISSP Video Training Course DVD. The Cryptography part was exceptionally amazing and helped me understand it technically well.

However, Shon was referring to the old 10 domains. She passed away in Nov 2014. The 10 domains were merged into the new 8 domains that were published in April 2015. So in general the "contents" of Shon's materials are the same. But the CISSP exam's Style and Focus has shifted significantly towards the new challenging style and focus of the security market today to meet the new demand on having CISSP Holders who are up-to-date and more relevant to the security market of today. I remember in Shon video training the focus was more onto the "content" not the "context" of the new exam - if this makes sense?

Happy New Year

lion007

DAVIS NGUYEN wrote: »

Congrats!

Thanks Sir, Happy New Year!

cbkihong

Congrats! Passed mine half a year ago. Good writeup, though I am intrigued by this statement of yours and would appreciate any elaboration.

lion007 wrote: »

3- ISC2 are shifting the interest of CISSP exams from the old fashion security to a new fashion security. This means, unfortunately, all Shon Harris phenomena is now "Out of date". The exam writers seem to be "in love" with a new style of CISSP delivery represented in the SYBEX 7th Edition Book. I am sure those who have read both Shon's All in One book and those who read the Sybex 7th Edition know what I am talking about.

That's the bit on "old fashion security" vs "new fashion security". The Sybex was not available when I prepared and I did not intend to buy it post certification. I did not have a chance to read Shon in much detail for my exam preparation either, though Shon was exactly what got me to know of CISSP in the first place. So I'm not sure what exactly you meant for the new vs old fashion part, and what kinds of delivery in Shon that have become out of date (the verbiage of Shon's treatment of technical topics, I agree, being too detailed for exam - though as you said it's still good if you would like to learn more beyond the inch deep strategy required by the exam).

One thing I definitely saw Shon's going short, is discussion to prepare candidates for that "manager mindset". Not sure whether that relates to the "challenging" question style you mentioned, but I think the 4ed CBK complemented that aspect (provided you could sit through all its mess).

lion007

cbkihong wrote: »

Congrats! Passed mine half a year ago. Good writeup, though I am intrigued by this statement of yours and would appreciate any elaboration.

That's the bit on "old fashion security" vs "new fashion security". The Sybex was not available when I prepared and I did not intend to buy it post certification. I did not have a chance to read Shon in much detail for my exam preparation either, though Shon was exactly what got me to know of CISSP in the first place. So I'm not sure what exactly you meant for the new vs old fashion part, and what kinds of delivery in Shon that have become out of date (the verbiage of Shon's treatment of technical topics, I agree, being too detailed for exam - though as you said it's still good if you would like to learn more beyond the inch deep strategy required by the exam).

One thing I definitely saw Shon's going short, is discussion to prepare candidates for that "manager mindset". Not sure whether that relates to the "challenging" question style you mentioned, but I think the 4ed CBK complemented that aspect (provided you could sit through all its mess).

Hello cbkihong,

The new fashion security, in addition to being managerial strategic security mindset not technical, it is more focused on concepts like "Advanced Persistent Threat (APT)", Zero-day attacks, mobile security, automation, data security on cloud computing, configuration management for proactive defense. You will NOT find such topics fully explained in Shon's study materials (books or practice tests).

If you ask any company nowadays about when they made the last purchase to security defense systems, the majority will say it was 3-5 years ago. The problem is, threat has changed, from the Traditional Threat to the Advanced Persistent Threat. These days, you can go to Tor network and buy Zero-day viruses and worms off the black market. Such novel threats cannot be detected by any signature-based control. Moreover, APT attacks are based on looking like legitimate traffic, so anomaly-based controls are also ineffective. The concept of "New Defence in Depth" aims to focus on Detection of outbound traffic/data because in APT defense strategies we tend to assume we are already compromised since signature-based and anomaly-based detection are hopeless in detection APT. These Traditional Defence controls are still good for Traditional Threats. But the Security World is shifting towards APT, which we hear about everyday of big companies getting compromised. For example, Encryption which used to be our best security strategy is becoming our greatest weakness, since APT attackers use encrypted tunnels to have persistent access to our resources bypassing our defences!

I am not sure if you heard about the TalkTalk recent compromise in the UK? TalkTalk, the giant communication body, they are ISO-27001/PCI-DSS certified, they use Nessus Vulnerability Scanner (the Best scanning tool ever!) regularly - but they were defeated by APT!

So the ISC2 are realising this dilemma and they want new CISSP holders to be current, relevant, and up to date, so they shifted the focus on the new concepts..... these new concepts are covered in the Sybex 7th Edition.

Hope this was useful

Gess

lion007 wrote: »

This leads me to a BIG Advice: B]Set a Deadline for yourself to sit the exam[/B. If you leave it open, your psychological state will not push you to put enough efforts to do it ever, it is a tough exam and rather embarrassing to fail it! So pick up a date and start planning your time (evenings etc) to balance your readings and practicing.

Preparing for this exam requires : 50% Reading + 50% Practicing Tests

In response to your question re Conrad 11th Hour, I would call this book a Summary Book. It covers the Mile-wide but it does NOT cover the 1-inch-deep for this exam. I used it as the last revision piece the night before the exam. Remember, you don't want to exhaust your brain the Night Before the Exam. But if you want to revise the entire mile-wide in one day, just go through the Table of Contents of the Conrad's 11th Hour the night before the exam and if you feel that you wanna remember a concept quickly then jump into that topic. In summary, I wouldn't use Conrad as a Main source of reading, but instead only for quick revision when my brain needs a break!

Good luck

Thanks, I'm set to take the exam on Feb 11th so the motivation is there.

I appreciate the input. I was hoping the Conrad book would be a decent intro and finisher, but I've already started reading the Sybex book so the Conrad book will likely be a final look over the material. Thanks again.

lion007

Gess wrote: »

Thanks, I'm set to take the exam on Feb 11th so the motivation is there.

I appreciate the input. I was hoping the Conrad book would be a decent intro and finisher, but I've already started reading the Sybex book so the Conrad book will likely be a final look over the material. Thanks again.

That sounds great - wish you very good luck, mate and all the best with the exam

nothing007

Lion,
I really appreciate your time and response.... They way you wrote the response... its made me to say 1000 time thanks....

Thanks.. thanks.....

NotHackingYou

@lio007 and @diabolusbr congratulations to you guys! What were you scoring on CCCure / Sybex exams toward the end? I am scoring about 85% on both.

hilld

nothing007 wrote: »

Lion,
Is there any book or model which represent how the manager think or approach.

I think that is called Dilbert.

lion007

nothing007 wrote: »

Lion,
I really appreciate your time and response.... They way you wrote the response... its made me to say 1000 time thanks....

Thanks.. thanks.....

Most welcome mate, wish you all the best with the exam

When you pass it please come and let us know here and share the good news and your feedback

lion007

hilld wrote: »

I think that is called Dilbert.

Is that the comic written by Scott Adams? lol

lion007

CarlSaiyed wrote: »

@lio007 and @diabolusbr congratulations to you guys! What were you scoring on CCCure / Sybex exams toward the end? I am scoring about 85% on both.

Hi Carl,

I first used to get 70%-75% when I started (that was after finishing the Sybex 7th book), and then towards the last sets of 250 questions I used to get 80%-85% until I finished the question bank on CCCure. I then started with the Old CISSP bank on CCCure targeting only the the sections I felt I need more practice. So i started to get why I was getting these questions wrong. I developed a methodology of picking the correct answer based on ISC2 mindset i.e. the Managerial mindset

Wish you good luck mate with the exam....

TechGuru80

lion007 wrote: »

However, Shon was referring to the old 10 domains. She passed away in Nov 2014. The 10 domains were merged into the new 8 domains that were published in April 2015. So in general the "contents" of Shon's materials are the same. But the CISSP exam's Style and Focus has shifted significantly towards the new challenging style and focus of the security market today to meet the new demand on having CISSP Holders who are up-to-date and more relevant to the security market of today. I remember in Shon video training the focus was more onto the "content" not the "context" of the new exam - if this makes sense?

Happy New Year

I actually thought the audio had some context but I think the individuals experience impacts what materials help the most.

To be honest, I liked studying the 10 domain style to get ready for the 8 domain exam. I thought it made narrowing down my studies easier.

ragavansa

Congrats and welldone