So I read dozens of "OMG I passed + tips" threads on here, and while I found all of them helpful, with useful insights and handy study tips ... turns out none of them applied to my exam.
Literally. None. Of. Them.
If ever there were an example of CISSP exams drawing on a complex and extremely large bank of unpredictable questions, mine is it. So here's the background.
I went in with about 4 months prep. I'm an Aussie living in the Philippines and literally none of the books I would have normally purchased to study are available here with any less than 3 months shipping time. As a result I relied on the 6th edition PDF copy of Shon Harris' book, CISSP for Dummies (I know, I know) and the Syngress CISSP Study Guide.
I used the Cybrary videos at length (more on how they're objectively great resources but were useless to me), Defence Point Vids, Simplilearn vids on YouTube, the Shon Harris audio files, Professional Test Pro test Q's, Prep 4 Sure test Q's and other random resources I used to cover cloud infra and various other random topics I wanted to focus on.
This is the Phils so people seem to enjoy skimping on the AC when they can and my test centre was no exception. I was sweating within 5 minutes of sitting in the waiting room. I sat on a milk crate.
The test begins..... My reaction to the first question "wait... what?...."
second question: "what.... I didn't even know that was a thing"
Not off to a great start. The third question set me off on what towards the end I thought would have been a mediocre showing at best, as I relied on judgement from years of management more than I did on anything I had studied in great depth.
BCP questions: maybe 5 all up
Crypto... less than ten I think, and only two where I had to know any acronyms (for example, 3DES / AES)
Risk Management: no formulas, no needing to know the acronyms I studied... literally none of that or any of the BCP/DRP content I was expecting showed up in any force.
Instead I was left hating myself for not focusing more on federated identity techs, implementation of IAM in cloud environments, Audit, software testing, SDLC and every nuance of every subprocess therein.
In retrospect, having the background I did from all the study was great, but I still feel like 60%-70% of my time was wasted despite focusing on areas recommended in the Cybrary videos, commentary on here, and other resources.
I passed the exam by (you guessed it) using good judgement honed from my work experience, using the 'manager's hat', and good exam taking techniques.
I frequently came across questions where A and C were obviously not correct and I made a judgement call between B and D. A lot of the questions came down to that - I can conceive of circumstances where two answers are correct, what are they after, what is the true meaning of the question. I put my pass mark down to those judgement calls more than any material I studied. I could have spent 1 hour on symmetric crypto, 2 on BCP/DRP and none on physical security and still passed. I was underdone on Software Development and all the nuances of the entire life cycle (not my area of expertise), auditing processes, and IAM in Cloud environments (this stands out for me, but realistically knowing SAML, SSOs and related techs in traditional networked and cloud environments would have easily been sufficient. Fortunately I was across the majority of it. I just recall glossing over things like SAML and SOAP and kicking myself for it in the exam. It could easily be different protocols in any other exam).
In short, my experience seems to differ from the majority of people who have told their tales here. This just goes to show that:
1. All the material is useful. You can never know too much.
2. Don't expect your exam to be the same as others you've read about. I was so prepared for BCP and RISK to make up a majority but was left wanting.
3. Use the most updated study resources you can find. Know SAML, IAM in Cloud etc.
4. You will learn from your exam. There were literally cases where I eliminated 3 answers and was surprised to find that problem X was solved by implementing solution Y. Y was literally the only answer it could have been so I had a couple "oh.. who knew... that's how you do that" moments!
All in all a valuable experience. Grateful to everyone here who posted resources and tips. I thank you all for helping me along. I hope this post proves useful to others on their way to CISSPville.