In 1994, (ISC)2 released the Certified Information Systems Security Professional (CISSP) credential. It was the first Information Security Credential to meet ANSI/ISO/IEC Standard 17024. Since its inception, CISSP has been highly coveted by Security practitioners around the world. By studying for the exam, you are expected to significantly enhance your cybersecurity knowledge and understanding. Earning the CISSP credential validates your understanding of many topics in Information Technology, not just Security. You are expected to fill vital roles in Information Security while taking on more responsibilities in your organization.
Currently, there are 120,000 CISSP professionals globally and counting -- due to the reputation of the certification. How does CISSP impact the job market? A quick search on Indeed displays 13,149 jobs that mention CISSP in the job description. For comparison, CASP+ is a new certification by CompTIA, which is regarded as equivalent to CISSP. On Indeed, a search for jobs that have CASP+ in the description displays 1,897 jobs. Someone who has CISSP is expected to be an ideal candidate for many Security positions in the market, including the following positions:
• Chief Information Security Officer
• Chief Information Officer
• Director of Security
• Security Systems Engineer
I'm sure we all have heard of the phrase: "many miles long, but only a few inches deep." That is CISSP in a nutshell. However, some students tend to think of CISSP as the Great Wall of China, with the height of the walls being the depth of each domain. Those who manage to become certified are expected to know a plethora of information regarding the subjects from eight domains. Each domain is weighted appropriately according to (ISC)2:
• Security and Risk Management (15%)
• Asset Security (10%)
• Security Architecture and Engineering (13%)
• Communication and Network Security (13%)
• Identity and Access Management (IAM) (13%)
• Security Assessment and Testing (12%)
• Security Operations (13%)
• Software Development Security (11%)
Before starting on your CISSP journey, you need to know the requirements for taking this test. Each candidate is expected to have five years of cumulative, paid, full-time work experience in two or more of the eight domains of the CISSP exam objectives. One year can be substituted if you have a college degree or a certification on the (ISC)2 approved list: CISM, CCNA Security, Cisco CyberOps Associate, CompTIA Security+, MCSA, GIAC certifications, and more. More information can be found at https://www.isc2.org/Certifications/CISSP/Prerequisite-Pathway. However, those who think they're ready can take the exam first and become an Associate of (ISC)2. This program allows someone to become CISSP certified once they obtain five years of relevant security experience in two of the eight domains; they have six years to acquire that experience. It's important to note that an Associate of (ISC)2 is not the same as being CISSP certified. If you don't have the necessary five (or four) years of work experience, it may be best to wait.
Additionally, all CISSP candidates are expected to abide by the (ISC)2 Code of Ethics, a set of guidelines that CISSP holders are required to uphold:
• Protect society, the common good, necessary public trust and confidence, and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.
After completing and passing the exam, you are expected to provide proof of relevant Security experience on the (ISC)2 website. To start the process, you need to be endorsed by another CISSP holder or an (ISC)2 certification holder in good standing -- preferably someone who knows your work history because they will submit the endorsement on your behalf. Then, after verifying the details, your endorser will review and submit your resume and other pertinent details to (ISC)2 online. The entire endorsement process can take anywhere from 6-8 weeks. Candidates have to submit all documentation within nine months of passing the certification.
The official CISSP exam is called CISSP-CAT, where CAT stands for Computerized Adaptive Testing; it is a computer-based exam. Before the CISSP-CAT, the exam was paper-based, consisting of 250 questions with a total exam time of six hours. The CISSP-CAT exam adapts based on your correct and incorrect answers. The exam consists of a minimum of 100 and a maximum of 150 questions. Among those questions, the candidate will see 25 unscored pretest questions. However, the test does not tell the test-taker which questions are the pretest questions, so it's important to answer every question with 100% effort. In addition to multiple-choice questions, (ISC)2 included advanced innovative questions, more commonly referred to as drag-and-drop questions. Since the exam is adaptive, you are not able to go back to previously answered questions. If the candidate fails to answer all the questions within the allotted time, they automatically fail. The exam is capped at three hours. A passing grade is 700 out of 1000 points. Lastly, the cost of admission for this lofty exam is $750.
My work experience consists of seven years of Information Technology. Within that timeframe, I held the position of IT Helpdesk, Satellite Operator, Network Engineer, and System Administrator. Currently, I am a Cloud Security Analyst at Bytechek. I own several certifications from different vendors, including CompTIA's CySA+, Cisco CyberOps Associate, and EC Council Certified Ethical Hacker. I have a bachelor's degree in IT with a specialization in Cyber Security, and I am a member of the CyberCats CTF (Capture the Flag) team at the University of Arizona.
Studying for the Exam
I started studying in early March for CASP+ because I thought it was a better fit for what I wanted to do in the future. CASP+ is more of a technical certification, and I wanted to enhance my career technically, so I thought that was the right pathway. A couple of weeks later, I was talked into pursuing the behemoth, CISSP. I've always respected this certification, but I've been horrified by the stories from colleagues and anonymous people online who have taken the test. It's disheartening to know that several people can fail an exam even after devoting several months or years to mastering the content.
My journey started with the (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide by Mike Chapple. The book is about 1100 pages in length, and the pages were pretty bland, but I read the entire book front to back in about a week. Although the page count sounds like a lot, other CISSP books are similar in length, including the All-in-One Study Guide and the Official CBK. Prepare yourself to read A LOT. I then filled in the gaps I had with Anki study notes I made and Eleventh Hour CISSP by Eric Conrad. Towards the middle of April, I watched CISSP videos from Mike Chapple's course on LinkedIn and a couple of videos on YouTube (CISSP MindMap). At the start of May, I ended up taking a 5-day boot camp to confirm what I did and didn't know; it helped me immensely. During that timeframe, I had to juggle moving to a new apartment, and I felt like I didn't get as much as I wanted out of the course, but it was still an excellent investment. Nevertheless, at the end of that boot camp, I scheduled my test date for May 22nd at a PearsonVue center in Nashville, TN, because I thought I would be ready by then -- I was wrong.
The entire month of May consisted of 8-12 hour study days made up of videos, books, practice tests, and Anki notes. Every day I had a quota of at least three 150-question practice tests from Boson, Sybex, or PocketPrep in addition to my other resources. Each Sunday confirmed my fears of being underprepared due to the content of the test, but I pushed through it. During the last week before my test, May 16-22, I committed to 12-hour study days, regularly going to sleep at two or three in the morning. During this timeframe, I increased my practice test usage to five per day and supplemented the rest of the day with reading and Anki.
On Wednesday, May 19th, I ended up emailing my boot camp instructor, basically telling him that I was not ready for the exam and was going to cancel my appointment at the PearsonVue testing center. The cancellation fee would've cost me $100. After much reassurance from him and my wife, I kept the exam and studied even harder for the remaining days. Although I do not recommend this to anyone, I ended up continuing my rigorous study schedule even on the day before the test. I filled it with practice tests and videos from CBTNuggets.
Day of the Test
On the day of the test, I couldn't sleep due to my nerves. My test was at 10 in the morning, and I had been up since 4 in the morning -- another terrible thing to do on test day. I filled my sleepless hours with more CBTNuggets videos and Kelly Handerhan's YouTube video "Why You Will Pass the CISSP."
After listening to silence on the way to the testing center, I was finally in my seat, about to take my test. Without violating the NDA, I want to say that the CISSP exam was exactly how people described it: HARD. At about question 75, I was sure I had failed the exam. I was tired of being in the chair, and I was mad that I had wasted money and time preparing for this test. My only hope was passing question 100 and making it to question 150. Generally, if you pass question 100, you're close to passing the exam -- the exam needs a couple more CORRECT answers to pass. However, my exam ended at question 100.
Receiving my Test Results
After receiving my test results from the PearsonVue proctor, I stormed out of the test center to wait for my ride home. I didn't look at my test results on the way to the car. While waiting, I decided to look at what CISSP pass/fail results look like on Google. I compared it to the back of my paper in the sunlight and noticed that it didn't have any failed-objective percentages. If you fail CISSP, your test results will display your result and the domains you didn't do well in. I flipped my paper over, and it confirmed that I passed the exam at 100 questions.
Videos
1. Cybrary: Kelly Handerhan CISSP course
2. LinkedIn: Mike Chapple's CISSP course (2021 update)
3. CBTNuggets: (ISC)² CISSP by Keith Barker & Ben Finckel
4. YouTube: Why You Will Pass the CISSP by Kelly Handerhan
5. YouTube: CISSP MindMap
Books
1. CISSP Study Guide: Eric Conrad, Seth Misenar, Joshua Feldman
2. Eleventh Hour CISSP: Eric Conrad, Seth Misenar, Joshua Feldman
3. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide: Mike Chapple
4. CISSP For Dummies: Lawrence C. Miller
5. CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide, Second Edition: Nicholas Lane
Practice Exams
1. Boson practice exams
2. Wiley practice exams
3. CISSP Mindset Academy practice exams
4. CISSP Pocket Prep (IT Security & Security)
Notes
1. Anki notes
2. Sunflower notes
CISSP is a challenging exam. To reiterate, you need a score of 700 out of 1000 points, and you have 3 hours. I think those who are studying now should wait for the new resources to come out, because after the exam refresh, topics may look different. However, if you're comfortable with the material, take the exam sooner -- don't let me discourage you.
Taking the exam requires confidence, and if you don't feel confident about one of the exam topics, I recommend you reread the corresponding chapter or watch a video on that domain until you are sure of the material. I think you can get away with not knowing certain subjects well, but it may prove detrimental. There is a rumor about the exam "homing in on your weak points". My weakest domain was Domain 8, Software Development Security, and during the test, I saw many questions from that topic.
Many people admit that they never feel like they're ready to take CISSP, and it's true. You will never feel prepared to take the CISSP exam because it's such a comprehensive test.
Essential Exam tips
While taking the test, don't rush. Read all answers, then the question multiple times to ensure that you didn't miss anything. Remember, you have three hours to do 150 questions at the most, which is more than a minute per question -- but don't lose track of time! Eliminate the wrong answers, then thoroughly analyze the remaining to ensure you fully grasp what that question is asking. At times, all answers can be correct; however, you are looking for the MOST RIGHT answer according to that particular scenario.
On test day, you are given a whiteboard or paper, depending on the test center. For complicated questions, write them down and circle words to help you deduce the correct answer. Another strategy is to use the time during the NDA to brain-dump last-minute thoughts; you have 5 minutes to accept it, or you will automatically fail. Arguably the most crucial consideration to keep in mind is that this exam is a managerial test. Thus, it would be best if you approached every question from the perspective of a C-level manager. As Kelly Handerhan preaches, "Your job is not to fix the problem, it is to find the long-term solution."
Do not feel discouraged by how you think you are doing while taking the test. Due to the difficulty of the exam, it is extremely common for test takers to assume they are not doing well. If you browse the CISSP subreddit (r/cissp), nearly every test taker will admit that they thought they had failed. My advice is to be resilient and keep pushing on until your test stops. Other tips include the following: get a good night of sleep, eat a big breakfast, arrive at the test center early, and wear comfortable clothes.
Know the Material
I highly recommend you don't just memorize the material. The questions require you to know more than just the basics about the technologies and subjects asked about. For example, what happens in each phase of Incident Response? Do you know how to apply a scenario-based question to the (ISC)2 Code of Ethics? Can you explain the differences between, and benefits of, the SOC audit types? Can you explain what happens during certain SDLC or BCP phases? Are you familiar with ABAC, MAC, DAC, due diligence, due care, gross negligence, ITIL, Common Criteria, security frameworks, and security controls?
Making a Study Plan
If I had to start this whole process from scratch, I would've allowed myself more time to study for the exam. I think three or four months should be sufficient for those who have Security experience. Next, I would've subscribed immediately to the https://www.reddit.com/r/cissp subreddit. This Reddit community has so much knowledge and so many tips from people who have taken the exam previously, and it includes both failed and passed experiences. I also heard of a Discord channel that addresses questions and concerns regarding CISSP.
Before officially starting your study plan, you should schedule a realistic testing date and commit to it to minimize procrastination. I always recommend that people use multiple methods of studying: videos, books, notes, etc. Doing so allows you to view subjects from different perspectives and potentially clarify something you didn't fully understand. Once concepts start to become clearer, start doing practice tests. The point of practice tests is to get an idea of how the exam will format questions and to review the answer explanations; memorizing the questions and answers will not help you. Much of the good practice-test software includes book references that support the correct answer -- review them!
Learning From My Mistakes
I don't think anyone should repeat my study techniques. I don't feel like it's healthy to study for the length of time I did per day. Give yourself adequate time and preparation to avoid cramming for the exam as I did. Although this is an important exam for a Security Practitioner's career, I don't feel like it should consume your life as much as it did mine.
After an exam like this, I plan to significantly slow down my studying efforts to allow for more time with family and friends. After my break, I intend to study for and pass the AWS Solutions Architect exam. My next goal would be (ISC)2 CCSP, since CISSP waives the experience requirement, a decent amount of content carries over, and it is cloud security-related. Besides certifications, I plan to peruse more books pertinent to Cybersecurity and participate in online labs such as Well-Architected Labs and TryHackMe. I know obtaining a certification is one thing, but having the experience is another. I read somewhere that you don't truly understand the material unless you can successfully teach it to a kid; I plan to apply that concept to my studies.