Certified Information Systems Security Professional (CISSP) certification is considered a gold standard in the cybersecurity profession. Many mid- to senior-level security professionals consider achieving this certification at some point in their career.
After I obtained my Certified Secure Software Lifecycle Professional (CSSLP) certification, I posted an article on how to prepare for that certification exam. I received feedback and questions, most of which centered around topics such as "How hard is the exam?", "How much time do I need to prepare for the exam?" and "What are the resources that I can use to prepare for the exam?"
Recently, I passed the CISSP exam. This time I tried to keep notes of the preparation timeline for each domain and topic covered in the exam. In this article I will share my experience of preparing for and successfully completing the CISSP exam.
The exam has two formats. For people who take the exam in English, it is a Computerized Adaptive Test (CAT). The test will adapt to your ability to answer the questions, meaning the complexity of each subsequent question is determined by the result of the previous questions. The goal of the test is to accurately measure your proficiency in a short period of time.
As the complexity of the test increases, there may come a time when you could receive a question that requires a lot of time to think, or you may not have a clear answer to it. This does not mean the testing process is trying to fail you. You should take this as a positive sign that you have done well up to that point. Also keep in mind that to pass the exam you need to score 700 out of 1000. The questions are also scaled, meaning as you answer more difficult questions, you are scoring more points and getting closer to completing the objectives.
During the exam, you may also be presented with some unscored questions. These are experimental questions to be included in future exams. The questions carry no indication of whether they are operational (scored) or unscored, and the unscored ones do not count towards the measurement of proficiency. Instead of worrying about possible wrong answers to previous questions, keep moving forward with confidence.
For more details on the exam format, I recommend visiting CISSP Computerized Adaptive Testing (https://www.isc2.org/Certifications/CISSP/CISSP-CAT).
The length of the non-English linear format of the exam is six hours, during which time you will be required to answer 250 multiple-choice questions.
The maximum length of the English CAT exam is four hours. During this time, you will be required to answer between 125 and 175 multiple-choice questions. You may be able to finish the test earlier than four hours if the test determines you have proven the required competence in all domains of the exam. The adaptive nature of the test gives the individual opportunities to answer questions correctly until it determines the individual will not be able to prove the required competence.
For all practical purposes, you should plan your time accordingly to answer at least 125 questions in four hours. As the test is long, you may want to plan for one or two breaks to stretch out.
Preparing for the exam tends to be at the forefront of everyone's mind once they decide to take the exam. The CISSP exam covers a wide range of topics that touch all aspects of security. There are eight domains covering approximately 300 sub-topics.
If a person commits to spending at least two hours per day preparing for the exam, they can be ready in about three months. Later in this article, I will describe how I reached this conclusion.
I prepared for the exam using the following resources.
As with most tests, it is helpful to consult a variety of resources to ensure you are covering all domains sufficiently in your preparation. The exam questions are prepared by multiple people, and each person has a unique style of presentation. This means that a question about one topic could be asked in different ways using different terminology. Using different resources exposes you to a variety of points of view and explanations for the same topic.
Everyone learns in different ways. One person's way may not work for another person. I am going to talk about the strategy that has successfully worked for me in passing the CSSLP and CISSP exams.
I started by reading each chapter in the CISSP Study Guide. The book has 21 chapters spanning over 1115 pages. Depending on your current knowledge of the topics, you will be able to cover some of the chapters faster than others. My personal recommendation would be to not skip any topic. You may know the subject, but reading through it will provide you with deeper context. Based on the questions I saw in the exam, I feel that it is essential to have additional knowledge about the topics. One may know the high-level concepts of a topic, but the exam may present you with different terminology, acronyms, etc. that you may not have seen before.
After completing each chapter, take the practice questions at the end of the chapter. This will help in gauging your familiarity with the topics.
After completing the study guide, I moved on to watching the LinkedIn course videos offered by Mike Chapple. These videos will reinforce the topics that you studied in the study guide.
After completing a video on a particular domain, I took the test for that domain from the Official Practice Tests. Each test has 100 questions. Do not be discouraged if you are not scoring 100%. Keep in mind that in the exam you are required to score 700 out of 1000, not 1000 out of 1000. These practice exams of individual domains will help you in deciding if you need additional review of certain topics.
After completing the Official Study Guide, LinkedIn courses, and domain practice tests, I moved on to taking the full practice tests offered in the Official Practice Tests book. There are four tests with 125 questions each. The scores of these practice tests start giving an indication of the level of your preparation. Based on my personal experience, a score of 80% in each practice test would put you in a comfortable position.
Based on the scores from practice tests, make a note of the domains and topics that you still need help with. You will need to go back to the study guide or CBK to read those topics again until you are comfortable with the subject.
In this age of Generative AI, ChatGPT played an interesting part in my preparation for the CISSP exam. There were a few subjects that I needed some help with. Instead of talking to someone about those subjects, I decided to use ChatGPT as the instructor.
Depending on the topic you want to discuss, it is important to set the correct persona to ensure the discussion stays focused on the topic.
My final review of all the domains was with the CBK reference book, to reinforce what I had studied so far. It provided a different point of view on the topics and helped in covering some minor topics that were not present in the Official Study Guide.
If you are already very comfortable with your preparation, you may not need to read this reference book.
As of August 2023, the registration fee for the CISSP exam is $749. If you use the resources I listed above, then the cost breakdown is as follows.
Prepare yourself for a four-hour focused mindset. The questions will be contextual and the answer will be based on that context only. You may find that all options are viable answers, however the correct answer is the one that best fits the context and scenario presented.
Read the questions very carefully; many times the answer will be in the question itself. For example, the question could ask you to pick a technical security control for a given use case. The answer choices may include options for all types of security controls that could be the best option, but the question asked you to pick the best "technical" control. If you are not careful, you may end up picking the answer that is an "operational" control.
There may be questions where all options could look wrong to you. Keep in mind that the exam has asked you to pick the best option from the options presented to you in each scenario. It is similar to a real-life scenario in which you are presented with choices you may not like but you must make lemonade from the lemons offered to you.
Identify obvious wrong choices quickly and focus on the ones that seem relevant to the question.
Pay very close attention to the negative questions where you are asked to pick an option that is NOT the best choice. I have personally made mistakes in these scenarios during practice tests. You may face some double-negative questions as well. Keep an eye on the word NOT in the question and in the options.
Here is a very important piece of information about adaptive tests: you only get one chance to answer a question; you cannot go back and fix it. Once you have clicked the "Next" button, there is no "Previous" button anywhere during the test. I did not realize this when I took the CSSLP exam. During the CISSP exam I kept this in mind.
The CISSP certification is worth the time and effort. It is not just about getting the certificate. You will learn a lot about cybersecurity along the way. From my personal experience I can say there are topics I thought I knew very well, but I learned many new things about those topics during the preparation.
At the beginning it may seem like an uphill task, but it is achievable.