I passed the CISSP this year – I passed the test on March 30th 2023 – and effective certification on 01 June 2023.
If you’re really curious – my certification number is 762433
CISSP is regarded as the top IT/Information Security certification out there. I’m going to cover these topics:
- What is CISSP
- Why is it so hard
- What I used to pass
- Test Tips
What is CISSP?
As you probably know CISSP stands for Certified Information Systems Security Professional. As of June 1st 2022 (exactly a year from when I became certified) the English Computerized Adaptive Test[ing] (CAT) consists of 125-175 questions. However, you’re not graded the entirety of the 125-175 questions. 50 of those questions are beta questions, or questions that they plan on adding in future CISSP versions, and you’ll be the guinea pig.
Each test will quiz you on currently 8 domains. Domain topics will change over time, depending on the climate of Information Security, as of right now (25 Aug 2023):
Security and Risk Management Asset Security Security Architecture and Engineering Communications and Network Security Identity and Access Management Security Assessment and Testing Security Operations Software Development Security
I’m not going into detail about the domains in this post – maybe I will in the future – but right now I want to write about my journey through CISSP because I learn in my own way – and perhaps it will help others that learn in a similar manner.
Why is it so hard?
Well – the test itself is adaptive . Before its current testing environment it was a 250 question test. 250 questions. That’s rough. It’s almost 200 now – but it’s now an adaptive test, called Computerized Adaptive Testing (CAT) where each question is based on prior answers. I’m not really sure on how it works, but I’ve heard that it gets harder when you answer correctly, and either easier if you don’t or stays the same. Either way – you can’t go to previous questions like in a lot of CompTIA certifications or Cisco certifications.
The CAT format itself plays a tremendous psychological strain on the test-taker. At least it did for me. Actually, I passed on my second attempt on CISSP. I first took the test in 2020 (keep in mind I passed Security+ in May 2019). Back then – the questions seemed extremely specific and the answers very ambiguous. Keywords like ‘best option’ or ‘most secure’ , stuff like that is riddled all over the test. It was a quick realization that I did not know most of the material. The test would change throughout my attempt and it felt harder sometimes, and often times seemed easier. But here is the kicker. You know how I said the test is 125-175 questions?
Once you cross that minimum threshold of 125 questions… the test will stop. And you pass or fail at whatever question you last answered.
My first attempt – I failed at question 137. It was so psychologically intense, that I remember which question number I failed in.
Even my last attempt, after hitting question 125, my heart was beating out of my chest while reading… I honestly could barely focus.
In the military, or at least in the Army, we have a fund of 4000 dollars through tuition assistance or credential assistance, if you fail a class or a test you have to pay the Army back.
During my last attempt, I had 2 children and one on the way. Paying back 700+ dollars was most definitely going to be a financial strain. So I really really needed to pass.
Thankfully I did at question 136. Yes – very similar to my last attempt, but in the ratio of questions, a lot better.
What’s the main takeaway?
The test is known for it’s vague questions, in many ways every answer choice seems like the correct choice. It’s hard to focus on the scenario that’s being presented and as well as choosing a good answer that fits the criteria.
Well here’s a hint that I’ll elaborate later in this post.
Sometimes every option is a valid answer.
But, there is only one correct choice.
What did I use to pass?
I used two main study materials. Well really one, with multiple supplemental study tools.
Main study material:
I read this book multiple times. Going over each section as needed. But there’s so much it’s hard to keep track of what I need to re-learn.
If you’re trying to follow in my footsteps, don’t be overly concerned about learning all the nitty gritty details. You will most likely will be tested on them (believe me – sometimes you need to pay attention to the smallest details) but for now, understand the concepts that are being provided with each domain. Then do the pre assessment after you studied. Yes – use the pre assessment in a post manner. Score at least a 70-75% on it. You’ll have to do the math yourself. Again, you’ll most likely revisit these areas again, so don’t need to worry about scoring a 100% each time. The issue is knowing which domains to prioritize…
You don’t know what you don’t know
The official study app was the main focal point of my studying. I studied passively over the 3 years it took me to retake the test. It was actually roughly the same time of year as when I took it back in 2020. However, I started hardcore studying around January of 2023.
It was really difficult going through the book again, as I already felt like I knew the material. I wanted to know the things I didn’t know.
So I downloaded the app around February 2023. There’s the free version, and the subscription version. I definitely paid for the subscription version, it’s worth it in this case.
What the app does, is that it allows you to customize your tests based on domains, and they have a test bank of roughly 200-300 questions per domain… it’s very thorough. The free version, the test bank is very minimal in comparison.
I would often customize the a quiz to 100 questions with randomized domains with simulation mode (meaning you don’t know if you got the right answer right after you submit your choice), similar to the CISSP test, but less questions.
It’ll rank your performance on each domain.
This makes the app worth it. Now… if you scored like 60% or so on a certain domain, then you’ll go over to that domain test bank and start taking questions in practice (or something) mode, meaning you immediately are told whether or not you’re right or wrong and then a brief explanation of why the correct answer is the correct answer.
Then find those concepts in the book and study.
Rinse, and repeat until you perform better on the custom randomized tests.
This was the most effective way for me to study. As I only had 30-60 minutes each day to study. I didn’t want to study at home too much, because, I want to be present around my kids and wife.
My time with them is more valuable than anything else in the world. More time with them is the reason why I study so much, so it would contradict taking time away from them to study.
After that cyclic rinse and repeat. I watched a seminar recording by Sari Greene CISSP Test Taking Tips or something like that on learning.oreilly.com. And I’ll go more in-depth about what I learned in the next portion.
Ok – so we covered pretty in-depth about the exam and study strategies. At least my study strategy.
For the last step – you’re already taking the test. Great. During the test you’re most definitely going to come across a question that will have all technically correct answers as choices. I know – that seems intimidating, but when you come across it, really look at the answers. You’ll find that often times, and I had a lot of these questions, that the answers are actually apart of the correct option.
Also, remember how I said 50 of those questions can be beta questions? Those 50 questions aren’t graded. That means if you’re taking the test and you get stumped by a really hard question or you don’t feel like you didn’t do well on some questions, it could be that you’ve been getting beta questions. Don’t let the questions discourage you. Everyone progresses through the test differently. Take a deep breath and be confident in what you’ve studied. Be calm and carry on.
Last tip, and this is a tip that can be used across almost all the IT certifications. Process of elimination. CISSP does a really good job of putting close answers as the options. If you can, take as many as you can out. Then – don’t take too much time debating about the remaining answers, just let statistics answer the right answer for you, because honestly – if you’re unsure, you’re going to think about that question for the rest of the test. I luckily didn’t have to do this often. Sometimes, a coin flip answer helps you mentally, and keeps you focused on the next questions. You have to keep a constant focus, because it’s a long test. If you get hung up and get unfocused, you’ll have to waste precious time re-reading questions.
I’m going to condense it all into a takeaway section.
- Step 1: Read the book, take notes if you need to. (Even as a Security Enthusiast, I agree that it’s absolutely boring at some points – just get through it somehow or another.)
- Step 2: Re-assess your knowledge. (Through the app)
- Step 3: Re-read areas you need to improve, definitely take notes this time! Watch a Youtube video on the topic or a podcast, become extremely familiar with the stuff you don’t understand.
- Repeat steps 2-3 until you achieve 80-90% per domain on the app on the randomized 100 question simulated test.
- Take the CISSP exam. Remember test taking tips.