As a disclaimer, I’d like to disclose that I am a factory made Computer Science person, lol. Meaning I studied the subject in undergrad, did internships and full time positions for various technology companies and recently completed a masters program in Cybersecurity. So I had a couple of years of information to build upon to get to this point. Nevertheless, on January 2, 2018 your girl successfully passed her Certified Information Systems Security Professional exam - better known as the CISSP in industry terms (you know we love our acronyms).
For those of you unfamiliar with the certification, it is “an independent information security certification granted by the International Information System Security Certification Consortium, also known as (ISC)².” It is globally recognized and seen as one of the most prestigious industry standard certifications for security practitioners in the field of Information Security. The exam has changed over time but the following are the criteria needed to pass the exam and gain certification successfully:
Successfully pass the exam
Have 5 years of cumulative, paid work in two or more of the 8 domains of the CISSP Common Body of Knowledge (Or 4 years if you have completed an undergraduate degree)
Have another currently certified CISSP endorse you
Agree to their code of ethics
Pay annual maintenance fees
When reading up about the certification I kept seeing that this is the hardest exam I will ever face and that I would first to do need this or that before I should even go for it. At one point someone even told me that I wasn’t ready to tackle a certification like this. Spoiler alert, I ignored this and went for that shit anyway. To be fair they weren’t completely wrong. It was one of the most stressful exams I have ever studied for. Luckily, my ambition always outweighs my fears and in true how-can-I-stress-myself-out-today fashion I set my sights on taking the exam Jan 6, 2018 - one day before I was set to take a week long cruise with friends and family. I don’t advise this at all but for me it was the motivation I needed to guarantee I would pass and enjoy my holiday.
So how did I go about tackling this? I will tell you...
Preparation
The very first piece of advice I can give you is to buy the exam as soon as you are able to. Prior to buying the exam I wasn’t fully putting my heart into studying. It wasn’t until I had to buy my hard earned money down that I had gotten serious and prepped. If this sounds familiar, 🗣 buy the exam. I gave myself three months to full time study to take the exam. Again don’t advise.
Research
OK, the test has been purchased, now what? Once I knew how long I had to study I went to task to find out what the exam would cover. The exam covers 8 categories, which they call domains, each with its own weighted answer score:
CISSP CAT Examination Weights
1. Security and Risk Management 15%
2. Asset Security 10%
3. Security Architecture and Engineering 13%
4. Communication and Network Security 14%
5. Identity and Access Management (IAM) 13%
6. Security Assessment and Testing 12%
7. Security Operations 13%
8. Software Development Security 10%
Total: 100%
When I was first studying for the exam it was originally a 6-hour, 250 question exam. A month before my scheduled exam, (ISC)² changed the format and created what is now today the current exam: a 3-hour, 150 maximum Computerized Adaptive Test. What this means is that as you answer a question on the test, the algorithm in the software determines if the questions should increase/decrease in complexity based off your answers. I have even heard the exam will cut off before the 150 maximum if it determine you have not answers enough questions satisfactorily to pass the exam. Harsh, right?
Once I figured out what will be on the exam, I started looking for study materials so I can map out a plan.
Study Materials and Plan
The following resources are what I used, combined, to aide my studying:
CISSP All-in-One Exam Guide by Shon Harris: This resource was by far the best help during my studying. Shon Harris' book is very detailed, very in-depth, and quite frankly boring but this book went over many concepts in a concise way that I did not get from other books. Additionally her questions were more modeled after the exam. She also did some write-ups on this site for the exam. Unfortunately, it might not be up-to-date as she passed away a few years ago but the material is still relevant enough to learn.
(ISC)² CISSP Certified Information Systems Security Professional Official Study Guide: The official guide by (ISC)² is a great place to start for those who are new to Information Security. They go through the basics - from networking to penetration testing - and give you a well-rounded guide to the exam. It wasn't as detailed as I would like but was great as a refresher.
Online Test Questions (for computer and phone): I googled and searched for all of the CISSP test questions I could find both online and for my phone (application). Websites like this one were a tremendous help in testing how far along in my studying I was and let me know my areas of weakness.
Work: I was fortunate to be working as a SOC (Security Operations Center) analyst at the time that I began my studies. A lot of my day to day activities I was able to map out to the domains I was studying for. These users I have to activate whenever a new hire is on-boarded - that is part of Identity and Access Management. The monitoring of Wifi activity - that is part of Communication and Network Security. Once I began connecting the dots between what I was studying and my day to day work activities, things began to fall into place. Even if you are not in the field itself, looking for everyday ways you can connect the dots work too. You have an iPhone that has a password or biometric entry? Identity management.Your iPhone security updates you hopefully are installing each time? That's under Security Operations.
Once I gathered all my study materials I set about making an actual study plan. Each day I aimed to read one whole chapter in a book while taking notes. Each weekend I would study over the notes I had and take practice quizzes / tests for a few hours a day. Once I finished a book I would scrap the notes and start over, this time going backwards. I did this method for hours and weeks on end until I felt comfortable that I knew each of the domains and its concepts thoroughly. This isn't a one-all-be-all plan but it did help me drill the concepts in my head until I was practically answering questions in my sleep.
Day of the exam
To say I was nervous was an understatement. I know I have been working hard towards this day but there were so many what-ifs going through my head. Tests give me anxiety and this day I was through the roof with the stress levels lol. Once I sat down though, I took a couple of deep breathes, remembered why I was here and wrote out my notes on the dry-erase board they provide you.
3-hours and 150 questions later, I received this:
It took everything in me not to do the running man out of the testing room. Excited was an understatement and I was fully ready to now enjoy my vacation.
I hope I was able to provide whoever is interested in this exam with some useful steps and resources to begin preparing. Its a bit of a sacrifice in focusing on your studying, and possibly turning down those bomb Sunday brunches (trust me I was devastated), but it was well worth it.
Signing out,
Dominique, CISSP :)