The CISSP Exam

Last Sunday, I took and passed the CISSP exam. I had made it a personal goal to pass the exam before the end of the year, and I’m happy to say that I have achieved my goal. What was my study plan? Read on…

I actually had a very simple plan for studying. First, based on the advice of some of my classmates in the MSST program, I bought the CISSP All-in-One Exam Guide by Shon Harris. Starting in July (once I had some time after buying a house and moving), I read this book cover-to-cover. Obviously, I was better at some chapters than others and skimmed over those more (as a former network admin, for example, I had the network topology stuff down well, and I love crypto just because it’s fun), but I still read each chapter and took the practice test to set a baseline. I did this for a couple months before I had read it all the way through.

Next, I looked for some practice questions online. By far, the best site I found was CCCure.org, which has hundreds of CISSP practice questions for a very reasonable price ($40 for six months of unlimited access when I bought it). Not only do they have a lot of questions, but they also allow you to fine-tune your practice quizzes, by focusing on just one area of the CISSP, or (even cooler) allowing you to just take questions you have gotten wrong in the past. For a couple months I did practice tests almost every day, doing 50-200 questions depending on time and my energy level.

When I identified areas that I needed help with through these questions, I made flashcards. Hundreds of them. I then divided them up into different piles: things that were easy to remember, things that were moderate, and things that I had problems with repeatedly. The first bunch I’d just give a once-over every once in a while, while the hard stuff I would work on daily. With this strategy, I feel like I peaked on the day of my test, conveniently for me.

I also found it helpful that through my job and my MSST program, I’ve been exposed to the governance side of security, which is probably the hardest thing to understand for me. I’m great at technical stuff, but it’s the governance that is just as important (and something I had zero exposure to before my MSST studies began). Had I taken it before I had these experiences, I know I wouldn’t have done nearly as well.

There’s no magic bullet to passing the exam: it’s just a lot of studying and repetition. But it’s doable!