How I Passed CISSP

Commander JamesonCommander Jameson Member Posts: 8 ■□□□□□□□□□
How I passed CISSP

My Background
I have been working in Information Security roles for about 10 years. In 2000 a colleague of mine explained that CISSP was the best qualification in the industry but I couldn’t see how to get it as, at that time, there were no text books for it!

Over the years I have worked on firewalls and routing (for about 5 years) and, more recently, in policy and governance (for about 5 years). I would say that I knew about half the domains pretty well so for these I needed a formal read through of relevant material. For the other half I would need to learn the concepts.

In 2007 I started a distance learning business degree, so putting in hours of self-directed effort has become natural for me. After I got my degree I wanted to get information security qualifications for my CV/resumé.

My Action Plan
I looked at the exam schedule on the ISC2 web site in early 2011. The immediately upcoming exams were fully booked, so I had to look further ahead.
The exam availability choice was either 10 weeks or 15 weeks away. I wanted an unhurried ‘quality’ week per domain to learn, so I chose the one that was 15 weeks away.

I then drew up the following timetable – and stuck to it!

Week 0 - Book the exam, read (ISC)2 requirements, order books
Week 1 - Security Management Practices
Week 2 - Security Architecture and Models
Week 3 - Access Control Systems and Methodology
Week 4 - Telecommunications and Network Security
Week 5 - Computer Operations Security
Security+ exam
Week 6 - Cryptography
Week 7 - Application and Systems Development Security
Week 8 - Physical Security
Week 9 - Business Continuity Planning and Disaster Recovery Planning
Week 10 - Law, Investigation, and Ethics
CISSP exam

The books that I bought were
CISSP All-in-One Exam Guide, Fifth Edition by Shon Harris
CISSP Exam Cram (Exam Cram (Pearson)) by Michael Gregg
CISSP Practice Questions Exam Cram (Exam Cram (Pearson)) by Michael Gregg
I (honestly!) did not use any other resources. No forums, no downloaded presentations, no other books. There wasn’t enough time.

My opinion is that the All-in-One book is overkill for the exam. Nevertheless it is a good reference guide for your job. The Exam Cram books maybe just enough to take the exam but I would not risk using only these.

Each Monday I would start reading the relevant chapter of the All-in-One book and then the equivalent chapter of the Exam Cram book. From past experience of exams I think that the only true way of assessing my knowledge is to sincerely take practice tests. I know people who skim read questions, look at the answers and then say to themselves that they would have got it right, but I know it’s easy to delude myself when doing this.

So, on the Sunday, I would do at least 50 questions from the relevant chapter of the Practice Questions book. I answered these on copies of this answer sheet. After this I marked them and read the explanations of the questions that I had got wrong.

I made a few notes of concepts that I struggled with to use as a simple revision sheet. I did not make notes on anything I was confident with. This ended up being less than three pages when printed off. It was mainly lists of things. The answer sheets were all kept, labelled with the name of the domain at the top.

When I got to week 5 of the schedule, I really wanted to see if I was on track or not so I booked a CompTIA Security+ test. The test venue was local and I was able to book it at short notice (less than a week). It cost me an exam fee (£191), but I felt that the syllabus should be more than covered in the first five weeks of CISSP revision work. And I wanted the experience of taking a real, independent and unequivocal InfoSec test. I passed, which gave me confidence for the remaining weeks of study.

In the immediate week before the exam I looked at my past answer sheets and selected the two domains which I had lowest scores on. I then re-read the appropriate two chapters from the Exam Cram book on the basis that this was the best use of cramming before the exam, as I guess that I must be better in the other domains.

The Exam
Before the exam I just could not sleep. The journey up to London was straightforward for me as I had already been to the venue a few weeks before when I was in London for a trade show, so I already knew where I could get a coffee before going in. On the train I looked at my revision sheet just to cram in a few of the lists of concepts.

Outside the exam building a cluster of potential CISSP exam takers gathered. I was pleased to hear that none of them had done it before as this implied that it is an exam that people pass. Or maybe they fail and don’t retake it!

The entry into the exam hall was meticulous. It took about 30 minutes to get into the hall as everyone’s ID and exam slip was checked and all bags were put at the back of the room. One of the instructions was that no drinks were to be placed on the desks. The invigilator had once seen someone spill a drink over their answer sheet and the student had to complete a new one under time pressure.

We spent about 30 minutes being slowly instructed on completing the answer form; Forename, Surname, Candidate Number, etc. Again, the invigilator had prior experience of people racing ahead and filling in the wrong sections.

The exam then began, on time. The exam answer sheet is completed by colouring in a circle next to A, B, C or D with a pencil. It looks like this. I went through the whole question book and wrote lots of question marks and ticks next to questions. This took me about two and a half hours. I then went through every question again and transcribed it onto the answer sheet; another two and a half hours.

I would not do this again. Instead, I recommend answering every question straight onto the answer sheet as you read it. If you don’t know, you don’t know, so just guess. You can make a note in the question book if you want to, but I honestly think that if you dont know first time round, you are unlikely to know better second time round. There is a school of thought that if you start changing your answers, you'll be more likely to get them wrong.

So in total I was in the exam room for five hours and ten minutes and I had effectively gone through every question twice. I had taken in some water and chocolate as I like to be minimalist - others had sandwiches. I went to the loo three times as a way of taking a break.

The exam questions were extremely clear and fairly worded. They are much better worded than the Exam Cram practice questions I had used. If you can pass Exam Cram mock tests, you should feel confident about the real test.

The email with my results arrived three and a half weeks after I took the exam. I passed!

I then had to submit a copy of my CV and complete a form, countersigned by another CISSP, to be formally awarded the CISSP designation. After emailing this it took five weeks to get a response – success!

In summary, my advice is
• Be organised. All the information you need is on the ISC2 web site.
• Be honest with yourself. Properly test yourself once a week for 10 weeks. Don’t pretend test.
• Be slick. Take Security+ halfway through your revision. And, if you really are organised, you can schedule your CISSP to be in the month before the CISM exam (only held in June and December) and get this as part of your efforts. I passed CISM with no extra revision - three certs for 10 weeks of self-study effort icon_wink.gif


  • JDMurrayJDMurray MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ Linux+ PenTest+ Security+ Surf City, USAAdmin Posts: 12,718 Admin
    Congratulations on passing the CISSP, CISM, and Security+ exams! You've posted one of the best reviews on TechExams thus far. icon_cheers.gif

    Also thank you for introducing us all to the term "invigilator." It has been a long time since a member has used that word on TE.
    In 2000 a colleague of mine explained that CISSP was the best qualification in the industry but I couldn’t see how to get it as, at that time, there were no text books for it!
    The CISSP exam was first administered in 1996, and only as part of a training course offered by the (ISC)2. Although the CISSP was considered very significant in less than five years, it did take a while before study guides were published. Before that, an exam candidate had to rely on their own InfoSec experience and word-of-mouth (via Web sites and USENET) of what materials to study.

    Again, congratulations! I hope you make TE your new tech-home on the Web!
  • colemiccolemic Member Posts: 1,568 ■■■■■■■□□□
    Congrats on the pass!
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • Chivalry1Chivalry1 Member Posts: 569
    Congratz on the pass and great review.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
  • ITdudeITdude Member Posts: 1,181 ■■■□□□□□□□
    Ditto here! icon_wink.gif
    I usually hang out on (FF02::A) and (FF02::5) when I'm in a non-proprietary mood.

    Simplicity is the ultimate sophistication.
    (Leonardo da Vinci)
  • instant000instant000 Member Posts: 1,745
    I think the best thing is that you practiced using a bubble in sheet, which would have been a very smart thing for anyone to do who is going to take that test. I mean, seriously, I hadn't used a bubble-in sheet since what? High school college entrance exams?
    Currently Working: CCIE R&S
    LinkedIn: (Please connect: Just say you're from TechExams.Net!)
  • TechStrikerTechStriker Member Posts: 131
    Congrats, good work
    Passed SNIA - SCSP
    Working on VCP4
  • Fugazi1000Fugazi1000 Member Posts: 145
    Good write up. Well done

    If you were in a university building close to BT Tower on the 11th of June.... then I was there with you! I got to escape after just 3 hours.
  • ehndeehnde Member Posts: 1,103
    instant000 wrote: »
    I think the best thing is that you practiced using a bubble in sheet, which would have been a very smart thing for anyone to do who is going to take that test. I mean, seriously, I hadn't used a bubble-in sheet since what? High school college entrance exams?

    What is this bubble sheet you speak of?? **Goes back to playing Atari**
    Climb a mountain, tell no one.
  • whatthehellwhatthehell Member Posts: 920
    Congratz on the pass and thanks for a great resource post!
    2017 Goals:
    [ ] Security + [ ] 74-409 [ ] CEH
    Future Goals:
  • Commander JamesonCommander Jameson Member Posts: 8 ■□□□□□□□□□
    Fugazi1000 wrote: »

    If you were in a university building close to BT Tower on the 11th of June.... then I was there with you! I got to escape after just 3 hours.

    On the 11th June I was in a university building doing my CISM exam. It was near Mile End, not the BT Tower. If you ever get a chance to go up there's a great view from the top of the tower.
    CISM took me about 3 hours 15 minutes.
  • Inbahrain2011Inbahrain2011 Member Posts: 9 ■□□□□□□□□□
    Congrats on the Passes!! Taking 3 certs and passing all of them in that amount of time is impressive. I took and passed my CISM in June as well. I am planning on taking the CISSP next. Did you feel that alot of the material for the CISM was a review of stuff you studied for CISSP, and if so what specific domains in the CISM were a review for you. I want to start studying now but I have to much going to dedicate the time I need to. Thanks for any adive you can provide.
  • Commander JamesonCommander Jameson Member Posts: 8 ■□□□□□□□□□

    In my case, the CISM was covering areas that I already had revised for CISSP.

    But I want to remind you of my situation; I have over 10 year's experience and wanted the CISSP knowing that I understood over half of the CISSP concepts very well, but not in a formalised manner.

    Also, I think I should say that my goal was squarely on getting CISSP. Security+ and CISM were welcome extras, but not the principle focus of my attention.

    All of us on the forums have different levels of experience and knowledge. After reading your comment I think the best advice I can give is to look at my post at the top again (read My Action Plan) and to buy a book to make your own judgement. You can then make your own study timetable.
  • juliana.nicolaujuliana.nicolau Registered Users Posts: 2 ■□□□□□□□□□
    C. Jameson thanks a lot! Your plan looks just like mine and I was not feeling so confident!
    My Security + test is close and I will certainly do the CISSP after it.
    I was wondering if you can update the link of your answer sheet - I couldn access it - and I want to see how you did it! :)
    Once again congratulations.
  • cyberguyprcyberguypr Senior Member Mod Posts: 6,927 Mod
    The answer sheet link above works perfectly fine. Do you have A PDF reader installed? Anyway, it's just a Scantron mock-up sheet where you can filling A, B, C, or D circles. Are you in a region that still uses paper-based exam?
  • juliana.nicolaujuliana.nicolau Registered Users Posts: 2 ■□□□□□□□□□
    Hi, sorry I read it wrong! I thought it was a "control sheet", like something to follow up your weekly exercise work!
    Here it´s computer based as well! Tks
Sign In or Register to comment.