I did not use any of ISC2’s tests. I thought that they were way too expensive and since they were retired questions, I did not want to study old stuff.
Additionally, I did not expect that they would really have my best interests at heart because their business model is to make money by selling tests and they make more if you fail.
As I studied, I realized that the people who said they had the most difficulty with the exam were technical people with system/network administration experience, so I surmised that the CISSP exam must be slanted more toward a business manager's perspective. I was right, so pretend that you are a consultant approaching the assessment, implementation and maintenance of information security for a company from that viewpoint, and you will be better able to answer correctly. For example, if you are tasked with implementing a business security program for your company, where will you start? How will you convince management that they need to spend money on your project vs. another project? What types of encryption will you choose for security risks 1, 2 and 3, and why is that the best solution for that particular situation? Which IDS type will you place where, and why? The difference is subtle but very important.
You still must know the technical subject matter (OSI layers, crypto techniques, application development, security frameworks, access models, and such), but you must also know how to research and implement a complete information security plan from a business management perspective; this is where knowledge of policies, people, frameworks and money comes into play. Shon's video and AIO book are the best for this.