Just Passed the CISSP Today With a Month of Study

I just passed the CISSP exam today on the first attempt with about a month of dedicated study all together. I kept feeling like I should have put more time into studying but I just felt like I was ready. You can pass this exam as well if you prepare properly.

Since I’m using a similar hero post image as the other CompTIA success posts I’ve done, I have to mention that just passing the CISSP exam isn’t enough to get CISSP certified. I still need to find someone to endorse me, wait like 2 months, and then pay the AMF before I’m official.

Update 9/26: Woohoo, just got the provisionally passed email. Now, onward to the endorsement process.

Update 10/7: Double woohoo, I asked one of my mentors to endorse me and she agreed! Now I wait…

Update 1/6/20: A little over 3 months in and still no CISSP certification. This endorsement process has proven to be quite a lengthy process. Check out the post on my delay with the endorsement process to see what the deal is.

Study Materials Used

I bought a book that I read cover to cover (it’s only 200 pages), 11th Hour CISSP 2nd Edition. It’s written well and is fun to read, but it is a ton of content packed onto each page. If you know nothing about information security, a lot of the terminology will go right over your head. I’m familiar with a good portion of the material and even noticed a few things I forgot I studied when skimming the book the morning of the exam.

By this point I’ve done IT work for about 15 years or so, with the last 5 being specifically in security. I also have an MBA with honors (Beta Gamma Sigma) and actively study business, personal finance, and digital enterprises. So, this exam’s material was right up my alley. I don’t know every domain extremely well, but I’m able to work through the issues.

Additional Study Materials

I used the following materials to prepare for this exam:

• Full CISSP Course Path by Mike Chapple on LinkedIn Learning
  • I was planning on picking up Mike’s Official Practice Test book, but never got around to it
• All in one CISSP audios by Shon Harris
  • This content is based on the old exam setup with 10 domains, but her explanations are excellent
• Boson CISSP exam package
  • Practice exams
  • Practice lab

The Boson prep package was interesting. They were more technical and do not match the content of the exam. What they did match was exam style and question structure, which really helped me get into the mindset of the exam. The questions I mostly kept missing were the tricky ones that I didn’t fully read all the way. I took 4 practice exams before I had a passing score.

Alternative Study Recommendations

I did not use the official Sybex book but I’ve heard good things. I also heard good things about Essential CISSP by Phil Martin. Essentially, he explains things pretty well. I purchased the audiobook to go through but unfortunately I ran out of time and didn’t get to use it to study with.

Essential CISSP Chapters

If you do go with the Essential CISSP (which is recommended), you’ll find there is a lack of chapter information so it may be hard to keep track where you are. Here’s that info:

3. Security and Risk Management Domain
4. Confidentiality Integrity Availability CIA
5. Authentication Authorisation and Auditing (AAA)
6. From Vulnerability to Exposure
7. Administrative Technical and Physical Controls
8. Security Frameworks
9. Computer Crime Law
10. Policies, Standards, Baselines, Guidelines and Procedures
11. All About Risk Management
12. Modelling Threats
13. Assessing and Analysing Risk
14. Managing Risk
15. Business Continuity and Disaster Recovery
16. Personal Security
17. Security Governance
18. Ethics
19. Asset Security Domain
20. Information Life Cycle
21. Information Classification
22. Layers of Responsibility
23. Retention Policies
24. Protecting Privacy
25. Protecting Assets
26. Data Leakage
27. Protecting Other Assets
28. Security Architecture and Engineering Domain
29. System Architecture
30. Computer Architecture
31. Operating Systems
32. System Security Architecture
33. Security Models
34. Systems’ Evaluation
35. Certification vs Accreditation
36. Open vs Closed Systems
37. Distributed Systems Security
38. A Few Threats to Review
39. The History of Cryptography
40. Cryptography Definitions and Concepts
41. Types of Ciphers
42. Methods of Encryption
43. Types of Symmetric Systems
44. Types of Asymmetric Systems
45. Message Integrity
46. Public Key Infrastructure
47. Key Management
48. Trusted Platform Modules
49. Attacks on Cryptography
50. “The Author Talks about some aspects of physical security”
51. The Site Planning Process
52. Protecting Assets
53. Internal Support Systems
54. Communication and Network Security Domain
55. Telecommunications
56. Open System Interconnection Reference Model
57. TCP/IP Model
58. Types of Transmission
59. Cabling
60. Networking
61. Networking Devices
62. Intranets and Extranets
63. Local Area Networks
64. Wide Area Networks
65. Metropolitan Area Networks
66. Multi Service Access Technologies
67. Remote Connectivity
68. Wireless Networks
69. Network Encryption
70. Network Attacks
71. Identity and Access Management Domain
72. Security Principles
73. Identification Authentication Authorisation and Accountability
74. Access Control Models
75. Access Control Techniques and Technologies
76. Access Control Administration
77. Access Control Methods
78. Accountability
79. Implementing Access Control
80. Monitoring and Reacting to Access Control
81. Threats to Access Control
82. Security Assessment and Testing Domain
83. Audit Strategies
84. Auditing Technical Controls
85. Auditing Administration Controls
86. Reporting
87. Management Review
88. Security Operations Domain
89. Operations Department Roles
90. Administrative Management
91. Assurance Levels
92. Operational Responsibilities
93. Configuration Management
94. Physical Security
95. Secure Resource Provisioning
96. Network and Resource Availability
97. Preventative Measures
98. Managing Incidents
99. Disaster Recovery
100. Insurance
101. Recovery and Restoration
102. Investigations
103. Liability and its Ramifications
104. Software Development Security Domain
105. Defining Good Code
106. Where do We Place Security
107. Software Development Life Cycle
108. Software Development Models
109. Integrated Product Team (APT)
110. Capability Maturity Model Integration
111. Change Control
112. Programming Languages and Concepts
113. Distributed Computing
114. Mobile Code
115. Web Security
116. Database Management
117. Malicious Software

Mindset Videos

These 2 videos below also helped with preparing for the exam as well:

Why you WILL pass the CISSP by Kelly Handerhan

I did not go through Kelly’s CISSP course on Cybrary but I’ve heard great things. You can view her entire free CISSP course here.

CISSP Exam Tips – Understanding Semantics and Context by Larry Greenblatt

Spock certifies and Kirk accredits. Ha, genius.

Keeping the Confidence

So what did I do to mentally prepare for this exam?

If you recall the last exam I passed on the first try, I made a note to myself, naming myself as newly CompTIA CySA+ certified. I was very specific about my intention and I think that played a huge role in getting me prepared for the exam. I didn’t write a note to myself this time. But I did create this post, announcing my intention publicly to become CISSP certified in 2019. Not only that, I also told a few people around me as well. I have never made a public declaration in this manner before.

I feel good about the exam. Half of the exam I knew pretty well and the other half I had to work through. I’m extremely happy to keep the “passing on first attempt on all certifications streak” alive.

Just like with other exams, I created my own CISSP study notes. Much like before, I created the notes before the exam to make sure the concepts were fresh in my mind.

The exam was pretty much exactly how I was expecting it to be, except it had a bit more in-depth technical network admin stuff than I was expecting. Luckily, I know that stuff pretty well.

As always, I should have prepared a little more but I just felt like I was ready so I didn’t study as much as people normally would. I don’t regret this decision since I can always look up information I’m fuzzy on or consult with someone else if I ever need to.

Study Tips

1. Review the CISSP exam objectives if you haven’t already.
2. Get a good book, an audio book/notes, AND a video course.
3. Set a study schedule and plan a date for the exam.
4. Buy the exam voucher from Pearson Vue.
5. Schedule the exam through Pearson Vue.
6. Take practice questions and practice exams. Even if the exam questions are not the same content, you at least get the practice of context and answer elimination.
7. Review material that’s still fuzzy to you. Watch YouTube videos, review concepts on Wikipedia or other pages, and improve.
8. This certification is as much an English test as it is a information security test.
   1. Read the question, eliminate 2 answers (1 is an obviously wrong choice).
   2. Re-read the question before selecting the final choice.
   3. Watch out for catchy words like MOST, LEAST, ALL BUT, EVERYTHING EXCEPT, and double negatives. If you speed through reading like I do, these are tough ‘gotchas’.
9. The exam is Computerized Adaptive Testing (CAT). Just because you don’t finish at 100, doesn’t mean you failed or are close to failing. The exam wants you to prove yourself. You can still pass after 150 questions.
10. Know your stuff and be sure to practice!

Conclusion

Basically, stick what you hear about the exam and you will be fine. Take off your tech hat and think like a manager. Although, you can work through the exam pretty well, you still need to know the fundamentals to give you a fighting chance.

You need to apply critical thinking and your experience when going through the questions. There will be multiple tricky questions so don’t rush, pay attention, and read carefully. Don’t be surprised to see a few questions that may have two close answers. They may even be right answers, but going through the elimination process will give you the correct answer.

If you slack on policy, SDLC and frameworks, you will get creamed. They may seem like no-brainers in theory, but application and order of steps are important. Even though these topics are taught at the end of most educational materials, don’t let off the gas. They are important.

Lastly, if you don’t use your scratch pad at all during the exam, no problem. If you didn’t finish the exam at 100 questions, no problem either. Whether you finish at 100 or 150 questions, the important thing is you pass.

Have you passed the CISSP exam yet? If so, what do you think of these tips?