ISC² CISSP
Date Earned: May 12, 2020
Proof: https://www.credly.com/earner/earned/badge/e30f91d0-8692-4993-8b5a-c1b88f583049
Before reading the below, the best piece of advice I can offer when reading any of these write-ups is to bear in mind they are what worked for the author. Take from the below the parts that will help YOU prepare, and ignore the rest. If it isn’t helpful, it’s hurtful.
I really wanted to come out of this exam with some insight I’d not seen elsewhere, that magical silver bullet. That didn’t happen. All the advice I thought of after the exam was stuff I’d heard elsewhere. So what I’m offering here is a list of what I found most valuable based on my exposure to 0.1% of the possible exam questions.
Context (my experience before studying starts)
I’ve been in IT for around 10 years, with about 5 of that being in dedicated Infosec roles (incident analyst, incident responder, forensic investigator, appliance administrator) in both government and private organisations. Before that, I filled administrator roles, both in-house and at MSPs. I achieved a few certs: MCSA in Windows Server and Office 365, CompTIA’s Sec+, some forensics, some networking, etc.
For the two years leading up to the exam, I had been a dedicated incident response resource, performing incident response as a consultant, and training others to do the same.
Prep (What I used and what I thought)
Note that this is MY experience: pick out what suits you, leave the rest.
Discord
First, for real, this Discord, right here: https://discord.com/invite/certstation. I wouldn’t have passed without it. I joined this Discord roughly 4-8 weeks before I sat the exam, did nothing for a week, then got really involved. I believe in order to get the most out of this server, you need to contribute. A couple of notes on this server, though:
- Be wrong. Defend your answer if you’re solid on it, but be open-minded. If someone makes a good point, consider it. Research it.
- There’s nothing wrong with being wrong. There’s a bit of a culture about racing to have the right answer, and that’s sweet; nothing wrong with a bit of healthy competition (I’m guilty of it myself). Just remember proving to everyone else in the server how smart you are isn’t going to help you on the exam. Make sure you’re still learning.
- This is an excellent server, but think critically about the information you’re being provided. Not everybody will be willing to change their stance on what they believe, and that can sway you into incorrect thinking. See the first point. Do your research, reach a conclusion based on evidence, and let that be the knowledge you take into your exam.
Udemy (Thor Pedersen) (Here, get sick discounts: https://thorteaches.com/udemy/)
This course was my bread and butter. I listened to this twice, once while painting, and then a second time at 1.25x speed. Udemy was a bit screwy, so I couldn’t really read the slides, but Thor’s explanations and examples certainly made up for it. No rose-tinted glasses, Thor can be a bit tough to understand at times, but this content worked for me. Thor also makes the slides available for download, mitigating the Udemy issue.
Boson Practice Tests
These are technical, much more technical than the exam. You’ve heard it before, you’ll hear it again. However, I don’t think this is a bad thing. The explanations are excellent, and I think the understanding you gain in order to be able to pass the Boson tests enables success on the actual exam. In my opinion, Boson is not an exam simulator that is in any way representative of the actual exam. What it is, is another learning tool in your toolbox.
CISSP PocketPrep
This was excellent for reinforcement, and replaced Reddit on my phone for the last few weeks. Mostly used in small rooms with no other distractions ;)
Sybex Official Study Guide
For me, this was the official reference guide :P. This was too hard for me to read, no matter how many times I tried, so I used it when I came up against a concept that I couldn’t fully grasp via other means. The online flash cards and associated practice test were excellent for cementing concepts and remembering definitions, though.
Pluralsight (Kevin Henry) CISSP Course
This did nothing for me. I couldn’t get into the delivery, and it felt like some material was designed for other exams and was being shoehorned into CISSP prep.
LinkedIn Learning (Mike Chapple)
I enjoyed this course. I listened to it when I was painting the house, so I didn’t get a really visual experience, but that doesn’t seem like much of a loss; the few slides I did look at were just a few words on the screen that Mike was talking about. The course content was really helpful to me.
The exam
A lot of people talk about taking the day before the exam off, and relaxing, and not studying. I didn’t do this. I passed the exam. You know your fatigue level and readiness best, do what works for you.
I listened to Kelly’s “Why you will pass the CISSP”, and it was excellent advice. I think this is over-hyped, though. It applied in various strengths to about 40% of my exam questions, where my impression from other reviews was “this video is applicable to every question”. It wasn’t in my exam.
I did the usual things, got in, sat down, immediately started scribbling down the RMF and SDLC steps. I never referred to these again, but knowing they were there gave me peace of mind. Again, do what works for you.
The exam was actually more technical than I expected. I had a subnetting question, and it was, in my opinion, about 2 inches deep :P. I only had multiple-choice questions, no drag and drop or hotspots.
The questions weren’t worded with gotchas, they were very straightforward. There were a couple where I read too fast, and initially missed that they were asking for a solution instead of a policy, or a next step, or what have you (read questions slowly or twice. There’s advice I’ll bet you’ve never heard before).
No double negatives, and very few NOTs at all.
The questions can typically be distilled down to the ones you’re used to seeing. While most of them are scenario based, what probably 20% of mine were asking was “what is the name of the SDLC / RMF / RA / SA / BCP / DR step they are on OR will move on to next”.
A fair number of them were “Here’s a scenario, what’s the best technology to implement to fix the problem”. Note here it wasn’t asking for a policy, but for a technical solution.
I can’t remember where I read the advice, so can’t credit the author, and I’m sorry about that, but it went “Give the question what it’s asking for. If it wants a policy, give it a policy. If it wants a solution, give it a solution”. That certainly applied to my exam.
Finally, while I mentioned that all the questions made sense, sometimes the answers just didn’t align with what was being asked for. Like, there was no best, they all seemed equally wrong. In that case, I just picked an answer that ‘felt’ right, hit next, and didn’t let it stay in my mind. It was the only way to preserve my sanity.
I think the biggest thing for this exam is understanding the material. 95% of my questions were scenario based, and if you understand the underlying technology and methodology, you can apply it to anything they ask with a sufficient degree of certainty. Discussion in Discord, and the Boson questions, helped me most with this.