I passed the CISSP exam on Saturday – first attempt.

Wow. What an experience. I can't believe I am actually posting this! This forum helped me identify successful materials so I wanted to give back.
Where to begin? I actually began this journey about five years ago when work had additional training credits and I volunteered to attend a security class. In ignorance, I selected a CISSP class and was blown away by the massive content and insanely large Shon Harris book. I decided that someday, if I ever had months to spare, I would study for the exam. Fast forward to late last year – after attending a work-sponsored security summit in Chicago, my interest piqued in the CISSP certification and I decided to pursue it as a way to externally validate my 10 years of security experience.
After 92 days of studying a minimum of 4 hours a day Monday – Friday and more on Saturday, I finally took the exam and passed.
My study plan:
Conrad 2E book (7/10) – I read this book from cover to cover, highlighted a ton of concepts, and took notes on Brainscape. Decent enough book and it helped me to gain a basic understanding of the domains. I think I rather preferred the 10 Domain format – I felt like I could understand the subjects better.
Cybrary.it (10/10) – Kelly does a WONDERFUL job of breaking down the topics in an easy to understand format. I read a chapter in Eric Conrad 2E and then watched the corresponding Cybrary videos. I took notes from Kelly and added them to my Brainscape notes. I downloaded the MP3s and listened to them about three or four times altogether as I made several long trips in the car.
Brainscape (10/10) – so memorizing facts on notecards stinks. I LOVE this site because they use an algorithm, based on your feedback to any one fact card, to show you only new fact cards when you are ready for them. I seriously think this technology helped me to gain command of data faster than other methods. I made close to 2,000 unique cards and ran through a total of 10,000+ views. The iPad was really easy to use. I cannot recommend this enough!!!
CBTNuggets (2/10) – I tried to use these videos and even watched about a third of them, but I couldn’t make it through the remainder. I think they are fine to help learn basic concepts but I personally couldn’t get into them. Some people have reported that they were able to really use them and I think they might work just fine for other people. Worth the cost of a month to see.
Shon Harris AIO (4/10) for study (10/10) for desk reference. I have two editions of this book – and I have read about 50% between both editions. Solid read on basic concepts. When I needed the detailed information about a concept, this book never let me down. The only issue is the current editions are dated and do not reflect the current exam.
Shon Harris MP3s (2/10) – I tried… seriously I tried. I got through one MP3. I almost fell asleep driving while listening to the calm soothing monotone voice of Shon so I decided for the driving safety of the general public I would switch over to Cybrary. Never looked back.
Sybex 7th edition (8/10) – If I had to choose a single book to read (which is crazy because I read almost every book generally suggested on the forums) this book would win. I read it cover to cover, highlighting new concepts I had not seen yet or concepts that I hadn’t completely memorized. It took some getting used to because I went from the 10 domain format to the 8 domain format. I’m not a fan of the 8 domains – I found myself having trouble trying to get a clear picture because they keep jumping around. Ok – this book is verbose compared to Conrad. They literally repeat whole paragraphs from previous sections. At first I thought all the material I was reading was running together, but then I checked previous chapters and realized that it wasn’t me or deja vu – it was them. I really liked the chapter summaries – this really helped me. I later reread the book a second time only focusing on the highlighted areas and end of chapter summaries. Great book.
Conrad 3E (7/10) – I purchased this book and read through it looking for the differences and new content. The book has the same material as before (plus the extra content) but arranged in the 8 domains. No highlights as I knew the concepts by now. Great book.
I used the Combined Notes (no rating) found on this site as a last minute review but by the time I looked at it, I knew everything. It made for a good read on the airplane as I flew to my Training Camp class.
Larry Greenblatt Cyber Kung Fu (8/10) – I watched all five episodes of Larry’s Kung Fu magic. I watched this the week before I went to Training Camp. If I could do it over, I would have watched this first, and saved Kelly’s videos for last. Larry did a good job of making some concepts very easy to remember. I think some of the things he focused on were based on the old exam format.
Training Camp Online Class (3/10) – I started this class online in either December or January (midway through my preparation) but I gave up after about 3 modules or so. Honestly, I thought this was boring and not very high quality material. That’s surprising because the week long Training Camp I attended was super high quality and most wickedly awesome. I don’t know why they pushed this out – it seriously needs a revamp to catch up to their high quality live class. If you go the Training Camp route, and have limited time, either Kelly and/or Larry are worth it.
Training Camp Week Long Live Class (9/10) – This was worth the money and time. By the time I attended this class I had around 90 days of study under my belt using the books and classes referenced above (and practice tests listed below). I had a remarkable instructor who understood the material and brought it together with a lifetime of experiences which made it real. If you go this route then you need to prepare yourself for hours and hours of lecture. Did I forget to mention the hours and hours of lecture? But it was worth it. Completely worth it. I will use them again – and I’ve never really felt that way about a training center before (been around long enough to have tried several over my career).
Official CISSP CBK Training Guide (9/10) – This is the HUGE green book that you get when you attend an official course. This book covered so many topics that are not in any of the other books I had read. Some of these felt like extra knowledge type topics and some of the materials turned out to be vital to my understanding of specific concepts. After having read and studied from (nearly) all the current books out on the market for the new test, I feel I can say with some authority that they are all screwed up in some way, shape, or fashion. For example, this book is impossible to use to actually locate something. If you don’t use a sticky note to mark the page, you will never find it again. Can I just say again that I REALLY don’t like the way the domains are now organized? For example, crypto is spread all over the place. However, even with all that – this book did the best job of outlining the concepts. If you look at BCP or BIA in Sybex, Conrad, and this book, none of them explain the process the same way. That used to really bother me until I finally realized that you don’t need to memorize a specific numbered list of action items. You need to understand the bigger picture. I like absolutes, and of course, life rarely has any.
Practice Tests
Before I rate these, I wanted to make a few comments. First, I feel there are three types of questions: assessment questions, review questions, and practice questions. Each has a place but you need to understand how to use them.
Assessment Questions are either hard, easy, or equal. With this type of question, you can take a test, study concepts, and take another test. Your score should reflect the delta in your studying. Review Questions are used to point out your weaknesses – in other words – what are the things I don’t know. Both of these types of questions were very beneficial to me.
Practice Questions are realistic to the test. However, you are NOT going to find these questions on the Internet for several reasons. First, because they are simply too difficult to write. The question sites on the Internet are there to make money (and I’m glad they are there – I needed them and I really benefited from their services) but they make money by having a large number of questions in the test bank. Second, even if someone used their own skills and knowledge and wrote a question that was similar to a real test question, ISC2 would just deactivate the question in the batch. I took 1,600 questions from all different sources and they were all either assessment or review questions – nothing I worked on was close to the questions on the test. As far as brain **** - don’t believe for a second that you can find real CISSP test questions on the Internet because you will not. The site that publishes actual copyrighted questions will quickly experience a DMCA takedown.
CCCure (8/10) – This site provides a great mixture of assessment and review questions. The wording is off occasionally, the site is clunky and sometimes the reporting doesn’t work unless you click on the link several times, and there are a lot of old 10 Domain style questions. My biggest complaint with this service was the quality of the questions – there are plenty of good questions – it’s just some of the questions reference concepts that are no longer emphasized. GREAT Personal Customer Service!!!
Sybex Questions Online (8/10) – This site is terrible. The application interface is terrible. The questions, however, are high quality review questions. Best questions, hands down. I would give them a higher score if the site wasn’t a flashback straight out of 2005.
Sybex Chapter Questions (7/10) – The questions in the book were surprisingly good. I did all but a few chapters. They helped me to focus on problem areas. I liked these.
Transcender (5/10) – I got access to this through my CBTNuggets subscription. The first exam I took had networking questions and they asked me a series of subnetting questions. Spoiler Alert – you don’t have to subnet for the CISSP exam so it brings no practical purpose to do practice exams on it. I wasn’t impressed and with limited time and two solid resources (CCCure and Sybex), I decided not to try again. Maybe I got a fluke set of questions – certainly CCCure gave me some crazy questions – but I never had time to go back and give them a second chance. Other people I respect have reported they liked these so I wouldn’t rule them out.
Skillset CISSP Questions (5/10) – This site has the potential to be something very nice in the future. I watched several of their videos and thought they were succinct and very high quality. The format of the website was frustrating and the quality of the questions was “simply ok”. I think there is some real potential for this in the near future.
Final Thoughts
So… I’m an over preparer. I know it. I just wanted to learn everything I could and make sure that I had a solid understanding of all the material and not just enough to pass a certification exam. Most people do not need to do what I did – in fact now that I’ve written it all out it seems kinda crazy even to me. But I recognize this is just me.
People learn differently. I learn by using all my senses. I would read a concept, write it down on Brainscape, walk around my house, an airport, or a soccer field between innings watching my kids play, reading those concepts out loud and rating my mastery. I would then watch a video where someone else explained the concepts and added their personal experiences. Each time I touched the material I tried to attach the concepts to my own professional experiences in security. I'm a speed reader BTW.
I found it amazing that many people who attended the Training Camp class with me had done little to no studying ahead of time. One of whom I know passed the exam. So, there are a lot of ways to do this and depending on who you are and how you study, you just need to find what works for you personally. Good Luck!
Sorry that was a LONG post. I don’t want to get into any specifics of the test because of the agreement I signed. Now, I’m going to fly back home and see if my wife and kids will remember who I am… Next week I will start on the credentialing process. CISM next?