In late 2021 I decided to pursue the CISSP.
Why take a certification? There are a lot of personal motivations behind the choice to pursue a certification: the need to stand out, proving to peers that you really know your field, a salary raise, etc. For me, it was just the joy of learning. Learning is a central matter in my life, and I love working in the security industry because it seems like you never know enough!
So why CISSP? I had a look at Paul Jerimy's security certification map, and I felt it was hard enough based on my academic and professional background. Paul's roadmap is amazing; if you are not sure which cert is the best for you, go there and you will find out.
Regarding the experience requirements, you need 5 years of relevant experience in the CISSP domains, but if you have a 4+ year degree in a relevant subject, you will need just 4 years of experience.
How to study
Before proceeding, please keep in mind that the time and study repetitions I needed were conditioned by my professional and academic experience. So please, scale the time based on how much you already know.
That said, I started my journey with the Sybex "CISSP Official Study Guide, 9th edition", reading every single page without any rush. No notes, and no stopping when I found something hard to understand.
This gave me a big picture of the amount of information and the granularity of details.
The second source, and in my opinion the biggest help, was the "CISSP Exam Cram" course by Pete Zerger on YouTube. Close to 8 hours of dense explanations and tips. The course is updated to the 2022 edition of the CISSP exam, and he underlines the main differences you will find in the latest edition at the beginning of every domain. There I started to take intensive notes, close to 200 pages, stopping the course at any slide I felt I needed to dig into more. I would say it took around 50 hours to deeply understand every slide and take appropriate notes, but it was worth the effort.
In some cases, both Pete's course and the Sybex manual provided descriptions that were not that clear to me, and in those cases I used both "CISSP for Dummies" and Pearson's "CISSP Cert Guide, Fourth Edition" as supporting sources.
How to practice
I would have liked more time to practice, but I only had around 10 days.
I used Sybex's "CISSP Official Practice Tests" and Ted Jordan's "Practice Exams and Tests".
I didn't have enough time to evaluate my individual weaknesses for each domain, so I took the full practice tests (mixed questions from all 8 domains) and then calculated the weakest domain to review.
I made an Excel table to track my results, like the table below:
This was my first full test (I know, not a great start).
With the table, I had a quick understanding of the domain I had to focus my effort on.
I kept making tables for all the other full practice tests.
In the same spreadsheet, while reviewing the numbers, I also noted down the acronyms or sentences I was not sure about, and they were added to my notebook notes.
The day before the exam I reached 82% of correct answers.
Test experience
I decided to go with the CAT version of the exam. It is adaptive, and you are evaluated after responding to each question. There is a minimum of 125 questions and a maximum of 175, based on your performance. You have 4 hours to complete the questions, and you are free to take breaks to use the toilet or eat a snack.
Ok, this was my strategy: a break around question 60, and another around question 120. I say "around" because while practicing I found out that I make a pretty long series of good answers, followed by a series of questions where I alternate good and wrong answers. So, I gave myself the 60th question as an estimation point, but stopped at around question 55, because I felt my "good series" was ending. Snack, water, toilet, try to be calm, look out of the windows, and release a bit of stress.
And we are ready for the second round. I went straight until question 110; I still felt a bit of energy and decided to proceed until 125. I had read that a lot of people were stopped at 125 with a congratulation or a rejection, but when I sent my answer, I received question number 126, and I decided to take a second break.
Same story: snack, water, toilet, relax. I had a bunch of extra time, so I felt calm.
The third round is the weird one. Weird because now, from question 126 onwards, I could have been stopped at any question, and the psychological aspect became the main actor in the performance. For 5 questions I was distracted after each question thinking it should be the last one, and then I was able to refocus and go straight until 175. And this is how it was: I had to complete all the possible questions.
Below is the summary of the breaks:
First break at minute 50 | 55 questions answered.
Second break at minute 95 | 125 questions answered.
End of the exam at minute 130 | 175 questions answered.
I know, I usually manage my time better, but the questions were shorter than expected.
Tip: The exam is adaptive, and your brain will push you to think "If I'm receiving an easy question, it means I'm not performing well", but it's not true. There are several unweighted questions that don't count in the evaluation process. So don't try to trick yourself!
Feel free to reach out with any questions and leave a comment in case you appreciated the post.
Salvatore
A really well thought out and well written blog. Congratulations on accomplishing your CISSP! Keep up the amazing work 😄👍