How I Passed CISSP

How I passed CISSP

My Background
I have been working in Information Security roles for about 10 years. In 2000 a colleague of mine explained that CISSP was the best qualification in the industry but I couldn’t see how to get it as, at that time, there were no text books for it!

Over the years I have worked on firewalls and routing (for about 5 years) and, more recently, in policy and governance (for about 5 years). I would say that I knew about half the domains pretty well so for these I needed a formal read through of relevant material. For the other half I would need to learn the concepts.

In 2007 I started a distance learning business degree, so putting in hours of self-directed effort has become natural for me. After I got my degree I wanted to get information security qualifications for my CV/resumé.

My Action Plan
I looked at the exam schedule on the ISC2 web site in early 2011. The immediately upcoming exams were fully booked, so I had to look further ahead.
The exam availability choice was either 10 weeks or 15 weeks away. I wanted an unhurried ‘quality’ week per domain to learn, so I chose the one that was 15 weeks away.

I then drew up the following timetable – and stuck to it!

Week 0 - Book the exam, read (ISC)2 requirements, order books
Week 1 - Security Management Practices
Week 2 - Security Architecture and Models
Week 3 - Access Control Systems and Methodology
Week 4 - Telecommunications and Network Security
Week 5 - Computer Operations Security
Security+ exam
Week 6 - Cryptography
Week 7 - Application and Systems Development Security
Week 8 - Physical Security
Week 9 - Business Continuity Planning and Disaster Recovery Planning
Week 10 - Law, Investigation, and Ethics
CISSP exam

The books that I bought were
• CISSP All-in-One Exam Guide, Fifth Edition by Shon Harris
• CISSP Exam Cram (Exam Cram (Pearson)) by Michael Gregg
• CISSP Practice Questions Exam Cram (Exam Cram (Pearson)) by Michael Gregg
I (honestly!) did not use any other resources. No forums, no downloaded presentations, no other books. There wasn’t enough time.

My opinion is that the All-in-One book is overkill for the exam. Nevertheless it is a good reference guide for your job. The Exam Cram books maybe just enough to take the exam but I would not risk using only these.

Each Monday I would start reading the relevant chapter of the All-in-One book and then the equivalent chapter of the Exam Cram book. From past experience of exams I think that the only true way of assessing my knowledge is to sincerely take practice tests. I know people who skim read questions, look at the answers and then say to themselves that they would have got it right, but I know it’s easy to delude myself when doing this.

So, on the Sunday, I would do at least 50 questions from the relevant chapter of the Practice Questions book. I answered these on copies of this answer sheet. After this I marked them and read the explanations of the questions that I had got wrong.

I made a few notes of concepts that I struggled with to use as a simple revision sheet. I did not make notes on anything I was confident with. This ended up being less than three pages when printed off. It was mainly lists of things. The answer sheets were all kept, labelled with the name of the domain at the top.

When I got to week 5 of the schedule, I really wanted to see if I was on track or not so I booked a CompTIA Security+ test. The test venue was local and I was able to book it at short notice (less than a week). It cost me an exam fee (£191), but I felt that the syllabus should be more than covered in the first five weeks of CISSP revision work. And I wanted the experience of taking a real, independent and unequivocal InfoSec test. I passed, which gave me confidence for the remaining weeks of study.

In the immediate week before the exam I looked at my past answer sheets and selected the two domains which I had lowest scores on. I then re-read the appropriate two chapters from the Exam Cram book on the basis that this was the best use of cramming before the exam, as I guess that I must be better in the other domains.

The Exam
Before the exam I just could not sleep. The journey up to London was straightforward for me as I had already been to the venue a few weeks before when I was in London for a trade show, so I already knew where I could get a coffee before going in. On the train I looked at my revision sheet just to cram in a few of the lists of concepts.

Outside the exam building a cluster of potential CISSP exam takers gathered. I was pleased to hear that none of them had done it before as this implied that it is an exam that people pass. Or maybe they fail and don’t retake it!

The entry into the exam hall was meticulous. It took about 30 minutes to get into the hall as everyone’s ID and exam slip was checked and all bags were put at the back of the room. One of the instructions was that no drinks were to be placed on the desks. The invigilator had once seen someone spill a drink over their answer sheet and the student had to complete a new one under time pressure.

We spent about 30 minutes being slowly instructed on completing the answer form; Forename, Surname, Candidate Number, etc. Again, the invigilator had prior experience of people racing ahead and filling in the wrong sections.

The exam then began, on time. The exam answer sheet is completed by colouring in a circle next to A, B, C or D with a pencil. It looks like this. I went through the whole question book and wrote lots of question marks and ticks next to questions. This took me about two and a half hours. I then went through every question again and transcribed it onto the answer sheet; another two and a half hours.

I would not do this again. Instead, I recommend answering every question straight onto the answer sheet as you read it. If you don’t know, you don’t know, so just guess. You can make a note in the question book if you want to, but I honestly think that if you dont know first time round, you are unlikely to know better second time round. There is a school of thought that if you start changing your answers, you'll be more likely to get them wrong.

So in total I was in the exam room for five hours and ten minutes and I had effectively gone through every question twice. I had taken in some water and chocolate as I like to be minimalist - others had sandwiches. I went to the loo three times as a way of taking a break.

The exam questions were extremely clear and fairly worded. They are much better worded than the Exam Cram practice questions I had used. If you can pass Exam Cram mock tests, you should feel confident about the real test.

The email with my results arrived three and a half weeks after I took the exam. I passed!

I then had to submit a copy of my CV and complete a form, countersigned by another CISSP, to be formally awarded the CISSP designation. After emailing this it took five weeks to get a response – success!

In summary, my advice is
• Be organised. All the information you need is on the ISC2 web site.
• Be honest with yourself. Properly test yourself once a week for 10 weeks. Don’t pretend test.
• Be slick. Take Security+ halfway through your revision. And, if you really are organised, you can schedule your CISSP to be in the month before the CISM exam (only held in June and December) and get this as part of your efforts. I passed CISM with no extra revision - three certs for 10 weeks of self-study effort