Some Thoughts On Taking The CISSP
Suresh Solomon
A few of my colleagues asked for some input to help them prepare for the CISSP, so I thought it better
to put my experience here for all who want some insight.
I first heard of the CISSP about a year ago and did not take a second look. I believe it was a video on how
to tackle the CISSP exam.
My experience has been purely in the Unified Communications (UC) field and there were some
changes happening at my workplace. I was also looking for roles in the Unified Communications
space, but nothing materialized.
As I was assessing my options, I did some learning in DevOps and took up the training from
Microsoft on SC-200 - Microsoft Security Operations Analyst, and eventually took the certification.
The SC-200 was an interesting one, as it also covered Cloud Security quite well. The content of the
training and exam was an eye opener to the security space. It covered a lot of basics I had already been
exposed to while working in UC. The exposure to both security and UC made me see the bigger picture.
I started looking for security roles within the organization. The one opportunity I found required
some form of experience with SIEM or certifications such as the CISSP.
In my experience, changing jobs to a new field is always a challenge. The people hiring always expect
experience in the field you applied to. I think this is one of the biggest mistakes hiring managers
make. But well, I have no influence on that.
Again, I had to reassess my skills and needed to prove I was competent in the role I applied for. This is
when I decided I needed a security certification. I will share how I prepared for the CISSP; it is
actually not as difficult as it is made out to be, but the scope is wide, and this is where the challenge
lies.
The CISSP is not a technical exam, but it requires one to have some technical knowledge of the 8
Domains covered. My guess is that many people have experience in one, maybe two, domains and
the majority have little or no knowledge of the other domains.
Materials used
1. The CISSP Official Study Guide 9th Edition, Sybex (usually referred to as the OSG)
For the Official Study Guide you must activate the online questions. Refer to the book on how to do
this. The online questions were key in my preparation.
2. CISSP Question Banks from Udemy. These did not help me much.
3. YouTube videos
4. Personal notes
When I could not answer a question, I researched the subject and took notes. This way my notes
only contained information I did not know or remember. I recreated the notes several times. This was
helpful: as I started to become aware of the curriculum, the notes only contained the stuff I needed to
memorize. I had 10 pages in my final week.
Pitfalls.
Apart from the Official Study Guide and the Official Practice Tests, the question banks had questions
from the earlier ISC2 CISSP curriculum. This is one reason I did not score higher than 70+% on the
questions. What I started doing was, when I got a question wrong, I looked up the key word in the
OSG. If there was a hit, I researched it and made my notes. If not, I moved on to the
next. There are a lot of dated questions on the internet; make sure you cross-check with the OSG 9th
Edition to eliminate non-relevant questions.
Step 1
Read the whole OSG. This was the most challenging part. I did not take notes, just read cover to
cover. The goal of this exercise was to become aware of the subjects. I did not really learn from this phase.
After completing the book, I could hardly recall what I read. This is part of the learning
process. The OSG is presented by Chapters, not Domains. This is because there are several chapters
that cover multiple domains. This might get you confused, but eventually it will become clear.
Step 2
Answer the questions at the end of each chapter. These questions are not at the CISSP standard but
test how much of the chapter you retained. For the wrong answers I just reread the specific topic and
moved on. I did nothing to memorize here either. Just remember not to answer the last 4 Practice
Tests. Keep them for the final week before the exam.
Step 3
Step 4
The Practice Tests are organized by domain. I answered all the domains, except for the last 4 Practice Tests. In all
my practice tests I wrote down the score as a reference. My scores were in the 40%-70+% range until I took
the exam.
Step 5
I subscribed to cisspprep.net for their question bank. This was my key to passing the exam.
The questions here made you think in a different way; this was key to successfully answering the
questions. There are about 1500 questions, so this took quite a bit of time. To ensure I had enough time
to complete all the questions, I prepared a spreadsheet that listed all the question banks I had. Each
question bank had the estimated time required (about 1.25 minutes per question).
I also included date columns to estimate when I could complete the questions and plan for the exam
date. Taking work into consideration, I made sure I accommodated the days I might not have the
time to answer questions. This helped reduce the stress that comes with knowing you are
behind schedule.
With the dates planned I then booked my exam on July 8th. I wanted it sooner but there weren’t any
slots earlier.
CISSPprep also has some YouTube videos. What I liked was that they provide methods to memorize
the key items required. I used quite a few of them as part of my memorization.
Step 6
The final leg of my preparation. I took time off work 2 days before and on the day of the exam. At
the start of the final week, I started the final 8 sets of questions from the Official materials. I
took about 1 test per day. At this phase fatigue was already setting in. I could not watch any videos,
and just stuck to completing the Official Practice Tests.
The indicator that I was ready for the exam (I noted this after the exam) was that I could answer the
questions at an average of 1 minute per question. Some took more time, but generally that was my
timing.
Exam day:
The center where I took my exam was strict on security. They made me clear my pockets, checked my belt,
and took my palm scan. I was given a locker to store my items. The room temperature was acceptable,
and I was provided with an erasable note pad with a few pages. I did jot down the stuff I had memorized,
but I did not refer to it during the exam. The exam stopped at 125 questions after about 120+ minutes. I
did not look at the question count or the time; I preferred to focus on answering the questions
quickly.
When I answered the last question and clicked next, there was a delay presenting the next page. I
immediately knew I was done. The good news was printed on the next screen.
The exam is only part of the requirement; you also need to have your ISC2 membership endorsed. I did
not know any CISSP holder personally, and this got me worried. But reading the process on the ISC2 portal,
there was an option to have ISC2 endorse my application.
The application was straightforward: provide my work history and the relevant scope of work in
relation to the domains. I think having work experience in part of a domain as part of your
job is enough. The domain does not need to be your primary work.
I was asked for additional information to confirm my employment; I also had to provide my salary
stub as proof. It took about 1 week from the time I submitted to get the approval.
Once approved, I had to pay USD 125 for the Annual Maintenance Fee. The approval was completed
the next day.
Final words.
I have over 20 years' experience in IT, so my perspective may be different than yours. But having said
that, the CISSP can be achieved given sufficient preparation. It took me 4 months from the time I
started, as I had to accommodate family and work surprises. I think 3 months is doable.