If you’ve been in the Security field for some time now, you may have realized the importance of obtaining certain certifications. Whether you’re more hands and want to be on the offensive side (Think CEH, or OSCP), or you want to learn about IT governance (Think CISA), or just getting started (Security+) we can all agree that certain certifications will provide us with additional knowledge and perhaps better job opportunities in the near future.
Personally my next step was to obtain my CISSP, and after 5 years of being in the Security field (10+ years in IT), I decided to take the exam and fortunately passed it! It took me close to 2 months to prepare and about 4 hours to complete the exam.
For this post, I will provide you with my recommended path, in terms of what materials to read and how to practice for the exam.
(Note: I’ve included my amazon affiliate links, so if you buy a book or items below, you’ll help this site out as well, so thank you!)
Getting Started: Obtaining the right study material
- Shon Harris – All in one, Seventh Edition. – This book is very thorough, and will have more than enough information for you to pass the exam. In my opinion, if you really want to be a security professional, you will need to have a good understanding of most security concepts to be successful in your career. If you believe that as well, then this book is for you; however, some might think this is an overkill for the exam.
- Eleventh Hour CISSP – Third Edition: Study guide – This book gets straight to the point when it comes to CISSP concepts. Each domain chapter varies (For example some domains are covered in about 28 pages, while others might might be 55+ pages). Although this book WILL touch on all material in the exam, it is not as thorough as the Shon Harris book. (Note: if you are a university student or have a subscription to higher education material, you may find this book as a pdf version if you search through http://www.sciencedirect.com) it’s free for students). If you are a University of Houston Student you can access it here.
- The Sunflower Study guide (Free Downloadable PDF) – This is a condensed guide that is meant for review; however, it is great for last-minute study before the exam, or as a refresher. Print it out!
- Simple CISSP – Audio – I got the audio version of this book since I wanted to also study while on the road (my daily commute is about an hour each day), so it’s a good way to study while sitting behind traffic. You can download the Audible app to your phone and download the content locally so you won’t have to waste your data.
- McGraw-Hill Education (Free audio) – This site provides with audio recordings by Shon Harris, which were recorded in the early 2000s, as she makes references to older technologies; however, most security concepts she explains are still valid, so it’s a fair resource. I downloaded them to my Google Drive and used the phone app to stream them when I was driving or working.
- Cybrary ISC2 CISSP – By Kelly Handerhan (Free Video Course)- This is a 13hr course which covers all domains. Kelly does a great job at giving you exam tips which can come in handy. I’d highly recommend it, specially if you are a visual learner.
Quiz & Test Material:
- CISSP Official (ISc)2 Practice Tests – This contains 1000 questions and is broken down by domain (each domain will have about 100 questions each). I found this to be a decent guide to test my knowledge. I had access to the Testbank for www.wiley.com which allowed me to create practice tests/quizzes from all 8 domains, and the questions were all from the CISSP Official (ISC)2. It was a good practice since it gives you random questions from random domains which is a realistic practice exam.
- ElseViewer Inc CISSP practice exams (Free) – I found this about 8 days before I took the exam, and for me this was the closest thing to the real exam. In terms of how the questions are phrased, and the answer choices. (Update: This is what I meant when I referred to it as the closest thing, in terms of how the questions are asked, below are a few questions that I think are very similar to what I saw on the actual exam; however, on the actual exam, you will have a specific scenario followed by 2-4 questions related to that scenario.
Q1: A large software company issues guidance to patch against a vulnerability found in its database software. Who patches the vulberability?
A. Data Owner
B. Information Security offier
C. Data Custodian
Q2: During an internal security assessment, external auditors discovered a “back door”. This was immediately brought to the attention of the CSO and the security team. The “back door” finding indicates an issue with:
A. Data integrity
B. System stability
C. System access
D. System integrity
Q3: In the event of a security incident, what group of individuals is responsible for identification, containment, and recovery?
A. Computer Incident response Team
B. Disaster recovery team
C. Security administrators
D. Security Management Team
Q4. You are leading a new data center build and have to decide on the safest and most effective form of fire supression. Which of the following would be considered best choice?
A. Design a system using wet chemicals
B. Design a system using soda acid and water
C. Design a system using only soda acid
D. Hire and expert
Note: Take multiple quizzes/exams, as some of them might ask the same question in a different way; however, if you understand the material thoroughly, you should do well in all of them.
My Game plan:
I was very aggressive with my study plan since I wanted to take my exam before the end of the summer and right before grad school semester started.
50+ days before the exam:
I started reading the Shon Harris book, and would allocate 1.5-2 hours for reading. While reading, I would highlight and add sticky notes to pages that I thought were important. On the weekends I’d spent more time (4-6 hours). Normally I would average about 40-60 pages daily. It’s a looong book!
During this time, I also started listening to the audio book, which would reinforce some of the concepts that I was learning while reading, so this was a good way to review.
40+ days before the exam:
About two weeks after I initially started reading, I started doing practice exams/quizzes from the Official ISC2 question bank. This helped me see what concepts I was strong at, and what I was weak at.
15+ days before the exam:
I started reading the Eleventh Hour CISSP book – Each chapter took me about 1 or 2 days to read, so it was fairly easy. I used this as a review to the Shon Harris book. As I mentioned before, this book WILL cover most if not all topics that will be in the exam, but is not as thorough as the Shon Harris book. In my opinion this was a great review book!
10+ Days before the exam:
I started watching the Kelly Handerhan Video series on Cybrary. I would watch it for about 1 hour and fast forward on the topics that I knew well. My takeaway from here was that she gave good exam tips, and she explained some of the topics really well using her own examples. The biggest takeaway from her videos is that you should view this exam as a manager instead of as a technical person would do (which I agree 100%).
At this point I also found which I believe is the best practice exam site regarding the CISSP exam, ElseViewer. I sat down with a classmate and we spent about 2 hours taking this exam, which was challenging, but it gave me a good perspective on how the exam would be structured and how they would phrase certain questions. Such as “Choose the BEST answer”, or “What is the Most Important”. My takeaway was that I had a better mindset of how the real exam would be like.
2 Days before the exam:
I was reviewing The Sunflower Study Guide and just reviewing some of the Acronyms to ensure that I knew what they meant.
1 Day before the exam:
I did nothing, whatever I had learn or not learned didn’t make a difference.
The exam took me about 4 hours, and halfway though I took a 20 minute break as my eyes needed some rest.
This was MY experience in preparing to take the exam; however, I have to be clear and say that being in this field and having actual experience did helped me understand these concepts better, and therefore the preparation time for you might be longer/shorter depending on your level of understanding. Additionally having taken some risk management classes in my graduate class also helped me understand some of the Risk domain topics which would have taken longer for me to grasp if I didn’t have that experience.
The material that I provided in this post should be more than enough to get you that certification; however, do take some time to prepare as this is a $600 exam which is an investment and will definitely help you in your security career.
Lastly, if you have a technical background, the exam might be extra tricky. Some questions will give you several “right” answers and you will most likely pick the technical answer from the rest which most likely is WRONG. Take off your technical hat and put on your “Management Hat” while you take this exam, and you will have higher success. Of course if there’s a question that is specifically asking for a technical control or action, then use common sense and pick a technical response.
- Know the material thoroughly! – Anyone can study for exams and pass them; however, if you don’t have an understanding of the concepts then you won’t be a good Security professional.
- Know the ISC2 by heart (Code of Ethics Canons)
- Practice makes perfect – Take practice exams and focus on your weaknesses
- Find someone that already has the CISSP so they may sponsor or vouch for you after you take the exam.
Thanks for reading!
Here’s more Amazon books you might find useful for your studies: