How Not to Prepare for CISSP: Experience and Mistakes of a Survivor

Certified Information Systems Security Professional (CISSP) is a globally recognized vendor-neutral certification that validates the technical skills and practical experience of an information security professional. The certification was developed by the International Information System Security Certification Consortium, also known as (ISC)².

CISSP is especially in demand among IT specialists abroad, but in Russia too, holding this certificate is a mark of a specialist's quality. I will describe my path to preparing for and passing this exam now that it can no longer be taken in the Russian Federation.

How to prepare?

My preparation for the exam was quite extreme, since it was done in a very short time. Such frivolity was due to the fact that I am a practicing information security consultant and spend all day doing this very information security. I naively believed that I would not need much preparation and that it would be enough to refresh my memory.

This challenging experience allowed me to structure the list of materials that need to be studied during the preparation process, depending on the amount of time you have.

Path 1
Hours to prepare: 30–40
English: B2 and above
Information security experience: seven years or more, with deep understanding of five domains and superficial knowledge of the remaining three
Recommended material for study:
– Destination Certification videos by domain;
– Practice questions from the CISSP All-in-One Exam Guide, eighth or ninth edition (a translation of the fifth edition exists, but it is better to solve the tests in web simulators for the eighth or ninth edition), with mandatory reading of the explanations of the correct answers – at least 400 questions

Path 2
Hours to prepare: 40–60
English: B2–/B1+ and above
Information security experience: six years or more, with deep understanding of four domains and superficial knowledge of two; the one remaining domain is improved during preparation
Recommended material for study:
– CISSP Exam Study Guide from Netwrix;
– CISSP Cheat Sheet;
– Destination Certification videos by domain, with question analysis and advice on passing the exam;
– Practice questions from the CISSP All-in-One Exam Guide, eighth or ninth edition (a translation of the fifth edition exists, but it is better to solve the tests in web simulators for the eighth or ninth edition), with mandatory reading of the explanations of the correct answers – no fewer than 600 questions;
– If you encounter unknown technologies in the questions and the explanation is superficial, study those technologies in more detail
Chances of success: ⭐⭐

Path 3
Hours to prepare: 60–90
English: B1 and above
Information security experience: five years or more, with deep understanding of three domains and superficial knowledge of three; the remaining two are improved during preparation
Recommended material for study:
– CISSP Exam Study Guide from Netwrix;
– CISSP Cheat Sheet;
– Sunflower CISSP – Crash Cram;
– Destination Certification videos by domain, with question analysis and advice on passing the exam;
– Practice questions from the CISSP All-in-One Exam Guide, eighth or ninth edition (a translation of the fifth edition exists, but it is better to solve the tests in web simulators for the eighth or ninth edition), with mandatory reading of the explanations of the correct answers – at least 1000 questions;
– If you encounter unknown technologies in the questions and the explanation is superficial, study those technologies in more detail;
– If you come across unfamiliar topics in the cheat sheets (CISSP Cheat Sheet and Sunflower CISSP – Crash Cram), study those topics in more detail
Chances of success: ⭐⭐⭐

Path 4
Hours to prepare: 90–130
English: B1– and above
Information security experience: five years or more, with deep understanding of two domains and superficial knowledge of four; the remaining two are improved during preparation
Recommended material for study:
– Eleventh Hour CISSP;
– CISSP All-in-One Exam Guide, eighth or ninth edition (a translation of the fifth edition exists, but it is better to solve the tests in web simulators for the eighth or ninth edition);
– CISSP Cheat Sheet;
– Sunflower CISSP – Crash Cram;
– Destination Certification videos by domain, with question analysis and advice on passing the exam;
– If you encounter unknown technologies in the questions and the explanation is superficial, study those technologies in more detail;
– If you come across unfamiliar topics in the cheat sheets (CISSP Cheat Sheet and Sunflower CISSP – Crash Cram), study those topics in more detail
Chances of success: ⭐⭐⭐⭐

Path 5
Hours to prepare: 130–200
English: A2+ and above
Information security experience: five years or more, with deep understanding of two domains and superficial knowledge of two; the remaining four are improved during preparation
Recommended material for study:
– (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide;
– (ISC)² CISSP Certified Information Systems Security Professional Official Practice Tests
OR
– Solving all questions from the CISSP All-in-One Exam Guide, eighth or ninth edition (a translation of the fifth edition exists, but it is better to solve the tests in web simulators for the eighth or ninth edition);
– CISSP Cheat Sheet;
– Sunflower CISSP – Crash Cram;
– Destination Certification videos;
– Studying the CISSP community on Reddit, where people share relevant experience and materials;
– CISSPrep.net Memorization Sheet;
– BCP/DRP by Larry Greenblatt;
– If you encounter unknown technologies in the questions and the explanation is superficial, study those technologies in more detail
Chances of success: ⭐⭐⭐⭐⭐

My experience. The beginning of the story

In April 2023, the company paid for my CISSP certification. The appointment was for the very end of December 2023 in Almaty – I decided to put the certificate under my Christmas tree.

In October, I asked my colleagues for preparation materials and took a couple of short tests (20 questions each). Having scored 70%, I joyfully decided that half the job was done and put the materials in a folder, where they waited their turn “while there are more pressing tasks”, even though reviews on the Internet said that those who pass successfully prepare for three to four months.

Work and other work-related activities took me so much that already in November I knew that things were going badly. As a result, in mid-December I postponed certification to the longest possible date – April 17 ((ISC)2 allows you to take the exam within 365 days after purchase).

The deadline was approaching, but the preparation was not moving forward. When you go through life with the motto “Always say yes!” to every new interesting initiative, and you work in a company where there are many such things, that is not surprising!

My experience. Preparation

Finally, on Friday, April 12, after work, I was at last able to sit down and prepare. I thought my experience would be enough, but the amount of material terrified me from the very beginning. Still, nothing ventured, nothing gained!

At the very beginning I had planned to study all the materials I had (thousands of pages in English and hours of video), that is, to follow path 4 or 5 from the table; with time so limited I had to optimize, and this is how path 2 was born.

I developed two plans, a maximum and a minimum, each specifying where I should be by which date.

I prepared as follows, going through the domains:

  • read the chapter on the domain in the CISSP Exam Study Guide from Netwrix (a short guide of 94 pages);

  • watched the Destination Certification video on the domain;

  • solved questions from the CISSP All-in-One Exam Guide by domain (after the first domain, only domain 1; after the second, domains 1+2, and so on), 20 questions per attempt, as many times as needed until I scored 70%+.

I went slowly, trying to dig deeper into the topics I was only superficially familiar with. As a result, I managed to complete domain 1 on Friday evening. On Saturday I completed domains 2 and 3, and on Sunday domains 4 and 5. It sounds simple, but in order to stick to at least the minimum plan I had to sacrifice sleep, which was first reduced to six hours, then to four, and then to two – and that was on the plane.

On Monday I had to put my work tasks aside and spend the whole day preparing in order to finish domains 7 and 8. By 7 pm I had started taking the practice tests (40-question emulations in one hour), and I was not very happy with the results. I was getting around 70–75%, with a minimum of 70%+ required, but to be on the safe side the target was 80–85%.

I realized that sleep was not an option. I spent the entire night from Monday to Tuesday solving test questions, even though I had slept a total of only 14 hours over the previous three nights. At the airport I watched a Destination Certification video with tips on how to read questions correctly. On the plane I solved test questions again until I fell asleep with my laptop in my arms. When I arrived at my hotel room in Almaty, colleagues shared another set of test questions with me, which turned out to be much more difficult. I worked through them for another eight hours, until midnight. The results were sad: 50–60%.

The plan was to get some sleep, but eight and a half hours after such a marathon was certainly not enough. Ten minutes of a maximally contrasting morning shower and a cup of double ristretto helped.

Over breakfast I took another shortened test run on the new questions, got 63% and sadly headed off to the exam.

My experience. Exam

The testing center had the standard procedures – checking documents, taking a photo – and a slightly less standard one: scanning the vein pattern of the palms. I was lucky that the testing center had only one seat for the exam, in a quiet room under cameras. When the Terms and Conditions appeared on the screen, I sketched out the exam plan: how many questions I had to answer by which minute, divided into half-hour segments. This is a great time for preparatory procedures, since the clock has not yet started and all the equipment has already been issued. Later on, you practically waste no CPU on “am I on time or not”. This is also a great time to dump onto paper whatever you loaded into short-term memory right before the exam, but I did not need to do this.

I took the exam, as I wrote above, on April 17, and on the 15th the format changed: the time was reduced from four to three hours and the number of questions was slightly reduced, from 125–175 to 100–150, but the time per question became shorter. I kept pace, just a little behind schedule. Some questions were difficult in terms of English (I only have B1+). But in general the questions were about as difficult as those in the CISSP All-in-One Exam Guide and easier than the questions in the second source, which had made me sad on the last day before the exam.

I'll get a little ahead of myself. Of all the questions I had solved (about 500 of them), exactly one came up on the exam. But they were still very useful, since they shaped the right mindset. There are a lot of questions on the exam where, out of four options, three are good answers, but you have to choose the best one or the one with priority. My advice is to think more like a CISO than like a techie. If an answer option concerns protecting people's health and lives, it is almost certainly the right one. If the question concerns what to rely on when choosing a solution, it is often the risks to the organization's business. There were also quite a few technical questions. Here the second set of practice questions helped me, because it forced me to dig deeper into some technologies, clarifying, for example, where exactly the GRE header is inserted into the packet when a tunnel is built with that protocol. Network engineers will smile at this point, but in vain! If you had to talk at that depth about the whole of information security, the smile would disappear.

At some point a window with a running progress bar appeared on my screen; I assume the test center's VPN to the head office in London “coughed”. It lasted only a few seconds, but I physically felt my heart sink into my boots, and it knocked me out of the “flow” state (let me remind you that this was the last possible exam date, which I had brought on myself, and I was already in the test center). But the connection was quickly restored.

About halfway through the exam I sped up, because I was already starting to fall noticeably behind schedule. As a result, 10 minutes before the end I had answered 120 questions. “The end is near!” I thought. The last questions were not difficult for me. Thirty seconds before the end I moved on to question 128. It turned out to be one of the hardest for me to understand in terms of English. I did not want to guess at random, so I decided not to answer. The time ran out, but the question did not disappear, and the Next button did not accept an empty answer. I frantically reread the question and the answer options, trying to work out the meaning of unfamiliar words and find associations in my head. In the end I roughly understood the question and the answers too. But since it was only roughly, I was able to rule out two incorrect answers and had to choose between the remaining two. By then I was already three to five minutes over time. “We've never lived well, no point in starting now!” I thought, and for the first time in the entire exam I guessed at random.

My experience. Results

My colleagues had warned me that the exam result would not be displayed on the screen right away, but on a printout from the administrator. I raised my hand, waited for him, and we went to look. I was mentally prepared to fail: everything was against me, both the way I had prepared and the nerves during the exam. They handed me a sheet of paper covered in small text. My previous exams had always ended with large lettering: Passed (more often than not) or Failed (that happened once). And here there was just a sheet of text. My head was spinning; the administrator, seeing my glassy eyes, congratulated me and pointed with his finger at where to look.

And here I am now, sitting in a magnificent Indian restaurant in the center of Almaty, sipping Singapore Tiger with Indian mutton masala, happy as an elephant, and writing these lines.

In the end, I spent about 50 hours preparing. It was a glorious hunt! But I do not advise anyone to repeat my experience! The Internet is right about three to four months, depending on your experience and how much real time you are ready to devote to preparation.

Passing the exam successfully is only part of the journey. Next, you need to confirm your experience: at least five years in at least two domains. And you need to confirm it with documents. No special preparation is required here, except perhaps agreeing with your managers at your places of work over the past five years that they may be contacted. My verification took six weeks, and now I am a full-fledged holder of the CISSP certificate.

I would like to wish good luck to everyone planning to take the CISSP! The devil is not as black as he is painted! But in order to confidently prepare for the exam without stress, I still recommend setting aside more time for preparation than I did.
