Background:
I work for the federal government and was fortunate enough to have most of the study material, eight days of classroom instruction, and my voucher provided at no cost to myself. This review will be most beneficial to people in a similar situation to myself.
I have a Masters in IT, have been working in security since about 2009. Currently I focus most of my work on patch management and system compliance. I earned Security+ a few years ago and began the 'passive' study phase of my CISSP effort in September 2015 by studying for and earning the Certified Ethical Hacker certification.
I began 'actively' studying for the CISSP three weeks before my exam and passed on February 11th, taking 1hr45 minutes to complete the exam.
Written Study Material:
CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide 7th Edition (ISBN 978-1119042716)
Eleventh Hour CISSP: Study Guide 2nd Edition (ISBN 978-012417142

CISSP Exam Cram 3rd Edition (ISBN 978-0789749574)
CISSP All-in-One Exam Guide, 6th Edition (ISBN 978-0071781749)
CISSP Study Guide 3rd Edition (ISBN 978-0128024379)
Official (ISC)2 Guide to the CISSP CBK 4th Edition (ISBN 978-1482262759)
Video Material:
Kelly Handerhan at Cybrary -
https://www.cybrary.it/course/cissp/
Test Engines:
Sybex/Wiley (Sybex 7th Edition) -
https://sybextestbanks.wiley.com/
Total Tester (A-I-O 6th Edition) -
Total Seminars - Best selling books plus practice exams for A+, Network+, and IC3 certification
Cram Master Online -
http://crammasteronline.com/
Misc:
https://www.safaribooksonline.com/
https://www.reddit.com/r/cissp
My process:
I began five months before my exam by sitting for the C|EH exam. Some CISSPs in my organization felt that I wouldn't gain very much from the experience but I disagree. Security Assessment and Testing, Security Operations, and Security Engineering were all domains that have significant overlap with the C|EH curriculum. Specifically I was well prepared for cryptology, the OSI model, how IPSec works, vulnerabilities, and tools/methods for vulnerability testing because of the C|EH work.
For the next four months I did my normal routine. I listened to my security podcasts (Security Now! w/Steven Gibson) and continued to investigate general industry knowledge through work and security news sites. Nothing particularly intensive or focused.
Three weeks before the exam, one week before my classroom instruction started, I read the Conrad 11th Hour book over the course of two nights. It's short and only took about 2 hours total. It's very shallow as it's essentially an expanded glossary with no filler or deep details. It did serve as a nice, targeted introduction to the testable material.
After laying the foundation with the 11th Hour book I started reading the full Sybex 7th book. I tried to keep up with a chapter or two per night and ended up finishing it over the course of two weeks. I gave it one honest read through and it served as the backbone of my studies. I can't stress how valuable the Sybex 7th was to my studies.
After I finished about 25% of the Sybex 7th I began watching the Cybrary videos. These are exceptional, and free. Kelly covers the material in a way that really helps you not just retain it, but understand it so you can apply it to the exam questions. I'd put this series of videos ahead of ITPro.TV, CBT Nuggets, and FedVTE if I were forced to choose. The total series is just under 16 hours and I watched them over the course of about 7 days. Close to the test I went back and rewatched a few key segments that I still felt weak in.
Two weeks to go to the exam and I was 75% done with Sybex 7th. I finished it about seven days before the exam and did not return to it. Having completed Sybex 7th and Cybrary I began using test engines to gauge what my weaknesses were. The class I went to provided the Cram Master account and I started doing those questions first. They were by far the easiest but were useful in that the engine tracked my progress to show which domains I was the best and worst in. I used this information to direct the course of my studies.
The Saturday before my exam I downloaded the Total Tester test engine and took a full 250 question simulated exam. I was discouraged to see that I tested below 70% in three domains, but I knew where I had to focus. In my case I needed to emphasise more on BCP/DRP, Comm/Network Security, and Physical Security (fire safety). I continued to use the Total Tester engine for the next three days, taking short 25 question exams. During this time I review the Exam Cram 3rd in the areas I need help, and also take a very quick look at the All-In-One 6th to get an in-depth explanation of BCP. The Harris book is too detailed and was not helpful to me.
Three days before the exam I switch to the Sybex 7th test engine and take short 25 question exams a few times a day. I never scored higher than 90% on any one exam. This engine has questions that are the closest to the actual exam in tone and content. I reread the 11th Hour book over two nights.
One day before the exam I study for a few hours early and then mentally check out. I take my wife to dinner, have two beers, spend the evening playing Rocket League and go to bed early.
Test day, it's -18F in Wisconsin on the way to the test center. Awesome. Doesn't matter, once the test starts you're not focused on anything but the questions anyway. Of the 250 questions I completed, absolutely none of them were in any of the test engines I used. None. People say this all the time, but do know that if you're banking on rote familiarization you're not going to get it here. You'd think at least a few would accidentally line up, but, nope. Learn the material, do not waste time on memorizing questions. You can take breaks so I gave myself limits and took a break at 100 and 180 questions. Do this, even if you think you don't have to. I felt so much better once I got back into my chair after stretching my legs and visiting the restroom. Trust me, you'll feel better. I finished in 1hr 45min, including the breaks. I subscribe to the philosophy that you either know the answer or you don't, so I did not flag any questions and did not go back and review anything. Of the six people taking the exam in my group, all but one passed.
Test tips:
-If you see a concept on the exam that you didn't cover in your studies, don't sweat it, it's probably a non-graded pilot question. There were a few that I knew for sure were not mentioned anywhere in my studies.
-Don't worry about complex simulations or anything, it is mostly multiple choice and some matching.
-The safety of people is most important. People are also your weakest link, mostly because of social engineering.
-Understanding Single Sign-On (SSO) technologies, well established and emerging, is very important.
-It really is a management exam, don't spend an overly abundant amount of time on technical details. Personally I wish I had spent less time on Comm/Network and more time on Software Development.
-Use Test Engines to see where you stand so you know which domains to focus on. Don't just take endless questions and think you're helping yourself. I recommend not even starting with test engines until 10 days before sitting for the exam.
-Your time is best spent reading, reading, reading as many different sources as you can. It's all based on the same CBK but the different deliveries will facilitate your understanding of the material.
Material Review:
CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide 7th Edition (ISBN 978-1119042716)
-The backbone of my study tools. Highly recommend.
Eleventh Hour CISSP: Study Guide 2nd Edition (ISBN 978-012417142

-Excellent foundation/review text. I read it twice.
CISSP Exam Cram 3rd Edition (ISBN 978-0789749574)
-Used this text to fill in some gaps near the end. Lots of errata and typos. .mobi/ePub format available on Safari Books.
CISSP All-in-One Exam Guide, 6th Edition (ISBN 978-0071781749)
-Barely used this, I wish I hadn't. If I were going to set up a BCP/DRP program, I'd use this text. Total overkill for this exam.
CISSP Study Guide 3rd Edition (ISBN 978-0128024379)
-Did not use, was the classroom text for the course I attended.
Official (ISC)2 Guide to the CISSP CBK 4th Edition (ISBN 978-1482262759)
-Did not use, dry.
Kelly Handerhan at Cybrary -
https://www.cybrary.it/course/cissp/
-Amazing, can't recommend them enough. It was free but I'm going to donate to them as a thank you. All of the video lectures are also available as audio mp3 tracks. Their mobile app allows you to take the videos with you everywhere, as well.
Test Engine Review:
Sybex/Wiley (Sybex 7th Edition) -
https://sybextestbanks.wiley.com/
-Closest to the actual exam, I saved it for last. Web based. Also has 600 flash cards that I went through once early but never looked at again.
Total Tester (A-I-O 6th Edition) -
Total Seminars - Best selling books plus practice exams for A+, Network+, and IC3 certification
-Questions are more technical than the actual test, great for challenging yourself.
Cram Master Online -
http://crammasteronline.com/
-Access provided by my employer, questions are soft. Their platform works really great on mobile browsers. I would lay in bed at night and try questions until I fell asleep.
Misc Items:
https://www.safaribooksonline.com/
-Free for people with .mil e-mails. Has a 10-day Trial if you want to check it out otherwise. Almost all of these materials are available on there, some in Kindle/ePub format.
I'm happy to answer any questions about any of this, so long as it's not about specific items on the test. Fire away.
On to endorsement. I already have an Endorser ready to review my resume, I just don't fully understand the "two domains in five years" requirement. Is that two domains within five years, or two domains with five years of experience each? I'm going to call ISC2 next week to get a definitive answer. I know cyberguypr advises you can mix and match to get to five but I want to be sure (see it in writing or talk to ISC2) before I give my paperwork to my endorser.
I'll post the progress of my endorsement process as I reach those milestones.
TL;DR version:
Read 11th Hour
Read Sybex 7th
Watch Cybrary
Use Test Engines to see where you're weak
Read more material on weak domains
Read 11th Hour