Maintained by the International Information System Security Certification Consortium (ISC2), the Certified Information Systems Security Professional certification is a highly sought-after designation in the United States and beyond. The credential offers candidates the opportunity to prove extensive knowledge and experience in an array of fields related to cyber security. The course work takes a vendor-neutral approach as opposed to focusing on specific solutions, and instead enforces industry standards and best practices. The certification is accredited by ANSI and is DoD compliant per Directive 8570. For these reasons, and because of the minimum five years of professional experience required by ISC2, the CISSP commonly appears as a desired trait on cyber security job postings.
I recently decided to pursue the CISSP and, after about twelve weeks of studying and preparation, managed to pass the exam on my first attempt. The task was incredibly daunting given the vast amount of information the exam covers, as well as the $700 USD price tag associated with each attempt. Now that I have stepped through the threshold I wanted to create a write-up that others can reference as they begin the journey themselves. At the wishes of ISC2 I will not discuss anything related to the exam that is not already public knowledge, though I will include my study notes, the steps I took to succeed, and various personal remarks.
The exam format for the CISSP recently changed and now spans between 100 and 150 questions with a maximum time of 180 minutes allotted, meaning you are given well over a minute for each item even if you go all the way to question 150. Should you go past the time allowed, however, you will automatically fail. At no point will you be able to go back and revisit questions you've already seen. Most of the questions will be multiple choice, though other more interactive formats do exist. Regardless of how many items you end up seeing on your exam, 25 of them (known as pretest questions) will be unscored. These will not be disclosed to you at the time they are delivered. The test supposedly scales to the candidate taking the exam and will get progressively more difficult as questions are answered correctly. 70% is the official 'passing' score, but because the exam scales and difficult questions are weighted differently from easier ones, I suppose it's possible to still fail even if 70% of the total questions asked are answered correctly. Regardless, I still used 70% as a measure of my knowledge during my own study. If you do fail, you are given three opportunities in any 12-month period to reattempt certification. You will have to wait 30 days after your first failure, 90 days after your second failure, and 180 days after your third. After passing the exam you will have to be endorsed by another ISC2 member or by ISC2 themselves, who will review and approve your endorsement application containing proof of at least 5 years of industry experience. You will also have to participate in Continuing Education or re-certify every three years, as well as pay an annual maintenance fee (currently $85 in 2019).
I personally used only the official Sybex study guide and practice exams during my studies, but they cover all eight domains in the Common Body of Knowledge in great detail over a combined total of 1,500 pages of material. The domains, and their weighting on the exam, are as follows:
Security and Risk Management (15%)
Asset Security (10%)
Security Architecture and Engineering (13%)
Communication and Network Security (14%)
Identity and Access Management (13%)
Security Assessment and Testing (12%)
Security Operations (13%)
Software Development Security (10%)
Even though the official guide was all I used to study, I feel industry experience played a significant role in organically understanding much of the material. I would encourage most people to reference at least one other source during their own preparation. The CISSP subreddit offers a wealth of knowledge and resources that can provide additional guidance to people just starting out, since that is not a road I took myself. I will say that being Security+ certified helped pretty significantly as I prepared for the CISSP. Sec+ is similar in that it is a very high-level exam and paints everything in broad strokes. You'll hear that both of these exams are 'a mile wide and an inch deep', so the CISSP study material just felt like a more expansive version of Security+. Sybex recommends studying for 30 days, but if you value your sanity and have a desire to maintain any sort of personal life at all, I would give yourself significantly more time. 90 days gave me the flexibility to study only a couple of hours a day, and provided many more opportunities to revisit the same content over and over again. I essentially read through the book once, took notes, and then focused solely on test questions. After each iteration of practice exams, I went back and refined my notes based on questions I answered incorrectly or had no knowledge of. By the end of my test prep I was scoring 85% on practice exams and was able to recite all of the flashcards I made from memory, backwards and forwards. This is exactly how confident you want to feel going into the exam, because the entire time I was taking the actual test I felt like it was murdering me. While nothing I studied prepared me for the specific questions and scenarios they asked, I knew enough to be able to narrow down the right answer to at least a 50/50 chance. There were a couple dozen questions I absolutely knew the answers to, but everything else caught me by surprise.
After reading the questions and answers, and then re-reading the question, I was able to talk my way through to an answer. I started to lose steam after question 60, at which point the screen started to blur and I felt like the room was melting around me. You have to maintain concentration in order to keep the exam from being more difficult than it actually is. Re-reading a question often helped me see it in a new light, which made the answer obvious. Don’t forget that, even if the exam doesn't stop at question 100, you have 50 more chances to earn yourself a passing score.
Below is a directory to the other articles that contain my study notes for each individual domain. As a disclaimer, do NOT rely on these notes exclusively, or even as a substitute for your own notes. I spent at least 100 hours preparing for the exam, and these notes do not encompass everything I learned during that time. You'll also notice several gaps in each domain where I just didn't have anything recorded. Use these resources as a supplement for your studies, not a substitute.
Additional questions can be sent to email@example.com
Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security