CISSP - Passed first attempt - 22 May 2014

Hello

I am putting this up to provide assistance to others.

Background: senior network engineer with 10 years experience. I have worked for banks, insurance firms, financial services and telecommunications. The financial services roles are heavily regulated, risk is at the forefront of decision-making when compared with telcos. A mixture of engineering, architecture and design.

Material used:
- Sybex CISSP by James Stewart / Mike Chapple / Darril Gibson
- Eric Conrad 2nd Edition.
- Eric Conrad 11th hour

Test questions used:
- CCCure Paid
- McGraw Hill free questions
- GISP practice exam through SANS

The Shon Harris book in my opinion is not good. Spend your time reading something else. It's far too verbose. Anyone who meets the required 5 years experience in two or more domains should be at a position where the content of this book is excessive.

The Sybex book sits perfectly between the Eric Conrad 2nd Edition and Shon. It goes into more detail than Eric Conrad but keeps everything relevant. It is not simply broken into 10 domains like the Eric Conrad, so it can be difficult to find something specific, eg I struggled to find the place in the book where the difference between Entrapment and Enticement existed, or the difference between Certification and Accreditation. Regardless of this, I do recommend it.

I stopped using CCCure Paid once I discovered the free McGraw Hill questions. In my opinion they are the best question resource by a long shot, in terms of the content and how the questions are structured. The GISP practice exam is good also. I was averaging 80-85% in all these tests. I sat the GISP practice exam two nights before the real exam. This was the end of my study. I got 84%.

One tip I would recommend is cover your house with post-it notes. Anything I was struggling to remember ended up on a post-it note and was stuck in kitchen or lounge or somewhere. Just a prompt - eg "PAPA" which stands for the first letters of the Four Canons of ISC2 Ethics. I'd see this, recite what it meant, and talk out loud about them. Or ACID for the four things a database transaction must adhere to.

I read the Sunflower PDF near the end and noticed many errors in it. This was reassuring and made me feel I was ready for the exam.

I finished in just over three hours and marked about 40 questions for review. I changed answers on a few of them. I can't say much apart from think like the position being referenced in the question - whether it is manager, data custodian, CEO, etc. It's not a technical exam like a Cisco exam. The questions are clear in what they are asking. There are no double negatives. Important words are clearly bolded and capitalised (GREATEST, BEST, LEAST etc).

I left thinking I had passed, I didn't think I had failed. Take your time. 6 hours is a long time. There's no need to rush. I didn't study the night before, or in the morning. I ensured I got a good night's rest (by making my wife sleep on the couch...) It was an early start - 8:15am at the testing centre. I finished just before midday and promptly went to the nearest pub for a quiet pint of celebratory beer.

Good luck to all who sit it. Use the breaks on offer. I got to a point where I was having to read each question three times and one question seemed to blend into the next. I took a 10 minute break for water and a granola bar and felt much better.

Find more posts tagged with

Comments

TheProfezzor

Congratulations on the Pass. Really nice to see it pay off for you. You said that Shon Harris isn't a good read. Someone earlier wrote that it's the best for CISSP. I am currently going through AIO myself. Do you think Sybex book covered everything, that was asked in the examination?. Your comments will make me either continue with AIO or move to Sybex.

Thanks.

sojourn

The Sybex book definitely covers everything off. I think the key requirement is to get into the right mindset - the ISC2 way of thinking - so that you are able to answer questions that you may not specifically have a reference for. eg "I haven't seen this before, but from how ISC2 generally are, I can expect they would want this option to be the answer".

I think the risk with Shon is that it's difficult to separate what is truly important for the exam because there is just too much content. Can't see the wood for the trees, so to speak.

The Shon AIO is probably good for people who do not have any exposure to the majority of the CBK. I view CISSP as a mid-career qualification and would expect candidates to have had sufficient exposure to the CBK in their career to date, and that's where the AIO is overkill, in my opinion.

LionelHutz32

Congrats sojourn and thanks for the write-up.

One thing I want to ask is regards the McGraw Hill free questions and the GISP practice exam ...in your mind is it worth paying for the GISP if you already have access to all of Shon's practice questions (the McGraw free online, her AIO book end of chapter questions and her separate practice book of questions)?

I have access to all of these and I'm paying for the exam myself so I'm a bit reluctant to shell out another €100+ just for one GISP practice exam ....is there such a difference in style between the two? The GISP has been recommended quite a bit on this forum so I'm in two minds whether to pay for it or not ...

Thanks.

TheProfezzor

Do you think the Sybex book covered the Telecom and Networking part well?. I see AIO has covered it extensively and since I am am amateur when it comes to networking, the detail put into AIO is too much. Does Sybex pull it off well, for someone who is new to networking and who is going for CISSP?. How technical were the questions in the exam and how technical were questions that belong to the Networking domain specifically?

zxbane

Great review and congrats!

sojourn

LionelHutz32 wrote: »

One thing I want to ask is regards the McGraw Hill free questions and the GISP practice exam ...in your mind is it worth paying for the GISP if you already have access to all of Shon's practice questions (the McGraw free online, her AIO book end of chapter questions and her separate practice book of questions)?

I have access to all of these and I'm paying for the exam myself so I'm a bit reluctant to shell out another €100+ just for one GISP practice exam ....is there such a difference in style between the two? The GISP has been recommended quite a bit on this forum so I'm in two minds whether to pay for it or not ...

I only really did the GISP for peace of mind. I don't think it is necessary. The McGraw Hill questions (all 20 exams) and the Shon Harris questions are perfectly sufficient, I think.

The GISP test is a similar structure to the CISSP - you sit there, sign an NDA, and have 5 hours to complete the 250 questions. So it does get you used to sitting there and working through a very similar exam structure, and the act of answering 250 questions without stopping. It took me just over 2 hours to finish the GISP practice. You get a read-out at the end telling you your approximate score across each domain (out of a maximum of five). So there is a benefit of that.

TheProfezzor wrote: »

Do you think the Sybex book covered the Telecom and Networking part well?. I see AIO has covered it extensively and since I am am amateur when it comes to networking, the detail put into AIO is too much. Does Sybex pull it off well, for someone who is new to networking and who is going for CISSP?. How technical were the questions in the exam and how technical were questions that belong to the Networking domain specifically?

It's hard for me to objectively answer this because I am a network engineer by trade. I configured my first Cisco router in 200, so TCP/IP and OSI have been a daily part of my work for over a decade. It's kind of second nature for me now.

I personally think the Sybex covers everything off fine, for Networking. It goes to the required depth but not too much. The risk with networking is that it IS a big technical domain with lots of concepts which can easily confuse someone. I didn't read Shon's chapter on networking, so I can't really comment directly. I think the risk is that she would delve in way too dee. I didn't really read much on networking at all, I shouldn't have to! I already know my OSI and TCP and smurf/land/teardrop attacks and all that. I had to brush up on old WAN technologies (X25, Frame Relay) and the definitions of screened-host, screened-subnet etc, and re-learn things from how the ISC2 defines aspects of networking. Also I had to learn up on the five generations of firewalls.

The exam is a primarily a management exam rather than a technical one. Everyone says the CISSP is a mile wide and an inch deep, in terms of how it covers off the CBK. The questions are structured to fit this ideal. I can't really say much more (NDA and all that.)

TheProfezzor

Thanks for the response. I really appreciate it.

cyberguypr

Congrats!

jvrlopez

Good job on the pass and thanks for the write up!

Agree with you about the Sybex book over the AIO. The AIO just has way too much info in it...

bigdummy

Congrats, and thanks for the great write-up!