Passed CISSP (Long Post)

tche
My Starting Point
20+ years IT experience, about half as software developer working on all phases of the software development life cycle, the other half as business analyst for enhancements. The last five years primarily focused on security-related enhancements.
No formal security training.
Thorough, detail-oriented mind, used to be good at taking tests (but no serious test taken for many years…)

Study Materials
  1. This forum
  2. Reddit for CISSP
  3. Conrad Study Guide third edition (8/10)
  4. Sybex Official Study Guide seventh edition (8/10)
  5. Kelly Handerhan Cybrary Videos (9/10)
  6. Shon Harris AIO seventh edition (5/10)
  7. Sybex Official Practice Tests first edition (8/10)
  8. Conrad 11th Hour third edition (4/10)
  9. Internet
  10. SuperMemo 16 (8/10): Advanced flashcard program for Windows with pretty evolved spaced repetition algorithm optimized for retention. Unfortunately the program itself is not very user-friendly and can have a steep learning curve. I had used it before so I was already familiar with the program.
    (Note: If you decide to use the product, it is cheaper to buy a $2 "Freeware" version in their store and upgrade from there instead of buying a full priced version.)
  11. XMind 8 Free (8/10): Pretty nice mind-mapping program
  12. PearsonVue example test app (9/10): good to become familiar with the app I would be using during the actual exam

Preparation Approach
Overall preparation time almost a year. I had no deadline, so my focus was on getting a good understanding of the materials, not on getting through as fast as possible. I did the preparations in addition to my regular job, and wanted my pace to be sustainable for as long as necessary.

My preparation steps:
  1. Read a lot of threads on this forum and on the Reddit for CISSP, extracting information on study materials, exam content, and general exam tips.
  2. Based on that research I settled on the Conrad Study Guide, the Sybex Official Study Guide, and Kelly Handerhan's videos as my main study sources.
  3. Settled on the Conrad Study Guide as the first book to work through. When comparing the two books I found that the Sybex Study Guide seems to assume that you already have a good general understanding of security because chapters contain many cursory references to concepts from other chapters and topics. The Conrad Study Guide, on the other hand, stays much more focused on the current topic. The flip side of this is that the Sybex gives more context, while the Conrad primarily describes the current topic without much context.
  4. Worked through the Conrad Study Guide. Highlighted passages I found important. At the end of each chapter I transferred info I wanted to remember into SuperMemo. It took me about two months to work through the book in this way. Created about 900 flashcards in SuperMemo.
  5. Used SuperMemo to learn the information entered from the book. Did that for another month or two.
  6. Watched Kelly Handerhan's videos. They gave a very good overview of the topics and provided a lot of context, so were very helpful. Of course, they don't go into all the necessary details. Should have probably watched these first.
    Added some new content from the videos to SuperMemo, less than 100 cards.
  7. Did a few practice tests to assess my knowledge. Found myself severely lacking, realized I needed to learn more.
  8. Studied the Sybex Study Guide, using the same methods as for the Conrad (highlighting and adding info to SuperMemo). At this point I could easily follow the book, it provided much helpful context and a lot of additional data. But it was weak in some areas where the Conrad was stronger.
    Did the chapter tests before and after studying a chapter.
    Added another 800 flashcards to SuperMemo.
    Overall took another two months for this.
  9. After completing the book started learning again with SuperMemo, which now had content from all three sources.
    Continued to use it for learning until the exam. During learning I also focused on improving my understanding, filling gaps in my knowledge, and relating different data to each other.
  10. During that phase I also started to create mind maps to get more structure into the data I was learning. I did not try to put all relevant knowledge into mind maps, but rather stuff where I saw value and wanted more clarity. The process of creating mind maps in itself was really helpful. Ended up with about 20 mind maps, organized by topics, not by domain.
  11. During that learning phase I also started focusing on practice tests. Primarily I used the Sybex Official Practice Tests. Even though I had the book I almost exclusively used the online version, despite some drawbacks that it has. (At times the response times were really slow, and the overall usability was not great, but it still was better than using the book itself.)
    Did the domain-specific questions first (100 per domain), and later the full practice exams.
    Also did the practice tests that came with the Sybex and the Conrad study guides and some of the McGraw-Hill Practice Exams.
    The practice tests were a mixed experience. On the one hand, they showed me what I knew and where I still had gaps, made me familiar with different forms of questions, and gave me much needed test experience. On the other hand, all of them had some sloppy and inaccurate questions and answers, some of which made me unnecessarily doubt my own understanding, and the accuracy of the material.
    Overall the best practice tests were the official ones. But even though the Sybex Study Guide and the Sybex Practice Questions are advertised as belonging together and sold as one package, they were not completely consistent. There were practice questions about materials that were not covered in the study guide at all.
    Other practice questions (more so from the other sources) went way too deep into details, whether they were technical, legal, or otherwise. The worst offender in this regard were the McGraw-Hill Practice Exams, and I stopped using them altogether after a while.
    Some of the practice test results caused me to study more details (often using the internet), add a few more items to my flash cards, and make some changes to my mind maps.
  12. During that phase I also used other sources to study more details about some topics that were not covered very well in either book, such as cloud computing and federated identity management and the different protocols used for it. I got these topics from other posts on these forums. During that phase I also used the Shon Harris AIO. It helped to understand some details better, but was way too detailed as a general study book.
  13. When I found that I had a pretty good understanding of most of the materials and had scored mostly in the 80 - 90% range on practice tests (except the McGraw-Hill ones), I scheduled the exam, about four weeks out.
    Even at that point I wasn't really sure how good my understanding was, primarily because of my practice test experiences. I also found that in some areas the different books had different and sometimes even seemingly conflicting content. Some areas where I found this were incident management and BCP/DRP.
    But I also thought that only the real exam would give me clarity, and I didn't want to go through a week-long boot camp if not necessary.
  14. I continued with the SuperMemo learning, practice exams, and clarifications during the last four weeks before the exam.
  15. A couple of weeks before the exam I read through the Conrad 11th hour book, but I found it mostly a waste of time. There was very little in the book that I found still helpful at that point.
  16. The last few days before the exam I reviewed the practice questions where I had had problems before, primarily from the Sybex book.
  17. During that period I downloaded the sample test application from Pearson Vue and played with it until I was familiar with its working - one less thing to be concerned about during the exam. While the app also has features that don't apply to the CISSP exam, it gave me familiarity with the ones I would be able to use.
  18. During the last week before the exam I also focused on the general exam tips that I had extracted from the different threads on this forum and the CISSP Reddit. I found some of the tips really good and assumed they could help me approach questions with the right attitude and help me improve my exam score.
    This was the primary content I focused on during the last couple of days before the exam.
    At that point I did not try to cram more specific knowledge into my memory but rather to relax and be as fit as possible on exam day.

Exam Day
I had scheduled the exam for a Wednesday at noon. I would have preferred a Tuesday, but that wasn't available soon enough.
I wanted a day rather early in the week so as not to be exhausted from a regular work week. Didn't want Monday, so that I could switch back from "weekend mode" before the exam.
I am not an early riser, and noon gave me plenty of time to get ready for the exam that day.
The choice ended up working well for me.

I took about five hours for the exam, taking breaks whenever I felt I needed one. One of the exam tips was that time is not your enemy, fatigue is. I found that to be true, so I took my time and took breaks when necessary.

I did a brain dump at the beginning of the exam on the provided white board. It was not any exam content I wrote down, but rather important general exam tips I wanted to keep in mind during the exam.

My exam ended up having three phases:
  1. I went through all the questions from beginning to end. If I could answer a question relatively confidently or was clear that further thinking about it wouldn't make a difference, I just answered the question and moved on.
    If I felt I would need more time to think about the question to come up with a good answer, I left the question unanswered and moved on.
    If I wasn't sure but leaned towards a particular answer, and wanted to review the question again, I marked the question for review.
  2. After having worked through the whole exam this way and finding that I had plenty of time left, I went through the questions that I hadn't answered before. (The exam app allows you to select just these.) I was prepared to take as much time as necessary on them, and found that I could answer most of them rather well now.
  3. Having answered all questions now, I went through the ones I had marked for review. I changed my answer on maybe a handful of them.

Overall I didn't find the exam too difficult. There were quite a number of questions where the right answer was obvious to me, and quite a number where the right answer was quite likely. Then there were some questions where the general exam tips helped me to come up with a likely answer, and of course there were other questions where I just made a more or less educated guess.
When finishing the exam I felt that I should have passed comfortably, but I wasn't really sure until I got the confirmation.

Lessons Learned
  1. Studying for the exam significantly changed my understanding of security. Even though I had quite a lot of security experience (actually more than I realized before starting to study), the studying put it into an overarching framework that allowed me to see all the individual pieces in a larger context. Before, I had more of an intuitive idea that security is complex and multi-faceted (but usually didn't see it addressed in such a way) - now I had the confirmation.
  2. If I had to start all over, I would probably watch the Kelly Handerhan Cybrary videos first and then study the Sybex official study guide, using the Conrad study guide more as a reference or to fill specific gaps.
  3. As far as I can tell, all the study guides and exam preparation questions I worked with go into unnecessary detail in some areas, while not containing relevant information in other areas.
    A main area of unnecessary detail seems to be US laws related to security. Even though exam guidelines state that this is an international exam (which also was my experience), study guides contain plenty of details about US laws, and practice tests include questions about them. I found this discomforting, as before the exam I didn't really know what would be in it, so I rather erred on the side of studying more than necessary.
  4. As a consequence of the last point, if I had to start over, I would pay more attention to the general exam tips early on and would have aligned my studying with them more closely.
  5. If I had to start over again, I would also have created mind maps earlier. I found creating them to be a good study help that supported me in clarifying structures and relationships, which I find important for understanding.
  6. For many of the flashcards I created from the first book I studied, I formulated the text in a less than optimal way that made it harder to remember. At some point I found these tips about formulating knowledge on flashcards for retention, which I found helpful and applied from then on: 20 rules of formulating knowledge in learning
  7. For federated identity management, I found the following presentation very helpful:
  8. For a better understanding of cloud offerings, I found information from the Cloud Standards Customer Council very helpful: Cloud Standards Customer Council | CSCC
  9. My mind maps can be downloaded here:
    One file is the mind map with my collected exam tips printed as a pdf, the other one is all my mind maps combined into one file with multiple tabs, in XMind 8 (free version) format.
    IMPORTANT: My mind maps do not cover all exam areas, and included areas might not be covered fully. They also contain unnecessary details for some areas. They were tailored to my particular needs at the time and might not work for you. It is best to create your own mind maps, if you decide to use that study tool. The process of creating mind maps itself increases understanding and retention.

Good luck, and enjoy the ride!


  • ITSec14
    Awesome post and congratulations! Your feedback is greatly appreciated for those of us who will be attempting this exam in the near future.
  • CryptoQue
    Congratulations. Your post will help a lot of people aspiring to pass this exam. Welcome to the club!!!
  • jercx
    Congratulations! I shared the same sentiments, especially on the following points. I can see parallels in the things we both did right... and wrong. =)

    Other practice questions (more so from the other sources) went way too deep into details, whether they were technical, legal, or otherwise. The worst offender in this regard were the McGraw-Hill Practice Exams, and I stopped using them at all after a while.

    A main area of unnecessary detail seems to be US laws related to security. Even though exam guidelines state that this is an international exam (which also was my experience), study guides contain plenty of details about US laws, and practice tests include questions about them. I found this discomforting, as before the exam I didn't really know what would be in it, so I rather erred on the side of studying more than necessary.
  • NavyMooseCCNA
    Congrats! Thank you for the information!
  • Kragster
    This was an excellent post, thank you very much for sharing and congrats on the pass!
  • Keisuke
    Congratulations Tche!

    In which country did you take the exam? Could it be possible that the questions about the US legislation are asked only of US citizens?
  • tche
    I took the test in the US.
  • Keisuke
    tche wrote:
    I took the test in the US.

    OK, so my assumption is wrong.