First, I would like to thank everyone who shared their experience and preparation strategies. It was immensely helpful. I thank you all for all the insights and suggestions. Now it's my turn, hoping that it will help others.

Background: Over 15 years of software development and management experience. I am the Security and Compliance lead for a FedRAMP compliant system and have represented it in both SOC and FedRAMP audits for the last couple of years. I hold Sec+, PMP, ITIL and dozens of Microsoft certifications.

Preparation: Decided to prepare over a year ago, watched a few video courses and then life happened. That's why my first recommendation would be to schedule your exam, which will build a bit of pressure and keep you busy and on track. Don't take too much time to prepare for it. Assess yourself by taking 1-2 practice tests and time-bound yourself.

Eventually started preparing about 5 weeks ago. On average, I devoted 7-8 hours on weekdays and 12-13 hours on weekends.

First 2 weeks were dedicated to watching videos and preparing my own notes. I had access to LinkedIn Learning, Pluralsight and O'Reilly Learning from work. I used Thor's slides as base notes and then added more information as needed, especially images as they tend to stick better than text. I have no networking background, so domain 4 needed extra effort. Domain 3 also demanded additional hours just because of the sheer number of topics covered.

For domains 3 and 4, I decided not to make any notes and go with Thor's slides as notes. I only made short notes from Larry's videos.

Last 3 weeks were solely focused on tests. Took tests, reviewed answers and revised my notes. Analyzed what I missed and why I missed it.

Books:

  • CISSP Certified Information Systems Security Professional Official Study Guide 8th edition – 5/10. Read a couple of pages here and there and realized that it's dull and almost impossible to finish (hats off to all who did). My strategy was to check the exam essentials section at the end of each chapter and make sure I had a good grasp of those things, or at least most of those things.

  • CISSP Study Guide 3rd edition by Eric Conrad – 8/10. Used it for selective topics, particularly for Networking and Security Engineering.

Video courses:

  • Kelly Handerhan – 7/10. Good starting point.

  • Mike Chapple – 6/10. Again, good for a quick overview of things. Covers some points which are not covered by Kelly.

  • Sari Greene – 7/10. Covers a lot of ground but is extremely long.

  • Thor Pedersen – 9/10. This one stuck with me. It was a match made in heaven :). Because I used Thor's slides as the base of my notes, I could follow his videos and read my notes at the same time very easily. I watched all domains at least 2 times, domains 3-4 at least 4 times.

  • Larry Greenblatt – 10/10. I bought the video recordings. Made notes of domain 3 and 4.

  • David R. Miller – 9/10. Watched all domains once and Networking twice.

Watched Kelly, Mike and Sari courses last year and decided not to watch them again. Only focused on Thor, Larry and David. I watched all videos at 1.5x minimum, sometimes at 2x or higher, depending on how comfortable I was with the material.

Practice Questions (overall did around 4000 questions):

  • CISSP Certified Information Systems Security Professional Official Study Guide – End of Chapter tests and Official Practice Tests – 6/10. The official study guide's end-of-chapter questions and the official practice tests helped me cement the basics.

  • Thor's tests on Udemy – 6/10. Like the official practice tests, most questions are straightforward; only a few made me think.

  • Kaplan via Pluralsight – 8/10. Kaplan forced me to think deeper about each option. I made sure that I understood why something was right and why not.

  • Boson – 10/10. Boson taught me English. I saw words used in contexts that I never realized they could be. It changed the way I was reading questions and thinking about them.

  • Larry's test – 10/10. I felt so miserable while attempting this. I realized I knew neither English nor the material.

I used tests as a learning device. I would pick one domain at a time, take all questions for that domain, make notes of what I missed and keep a tally of my scores. For both Kaplan and Boson, each domain was done twice. First time I scored around 70-75% on most, revised notes, and then on the second attempt around 75-85%. Didn't take Boson full length tests.

To motivate myself, I would take Thor's tests and go through them as fast as I could, most of the time finishing in 30 minutes or so (to check how fast I could answer straightforward questions without overthinking; scored around 85% on all of them).

NIST Publications – I have read a few of these while preparing for FedRAMP certification for our product.

Podcasts by Eric Conrad and Shon Harris. Both are great. Listened to Eric for short runs and Shon for long ones. Again, everything at 1.5x minimum.

I made 3 strategic decisions which worked out well for me. Please take them with a pinch of salt.

  • Pareto Principle (80-20 rule). Focus on the key 20% of the concepts like CIA, least privilege etc. After all, I only need 70%.

  • It is a management exam, so it won't dig too deep into technical details like number of rounds, bit details in encryption, distance/speed of cables etc. I tried to remember the best I could but didn't worry too much about it.

  • Focus on my strengths. I had trouble with Networking, so I made sure I made up for it in other domains.

Made my own cheat sheet and tried to replicate it a few times before the exam, and made sure that I could copy it in 1 minute or so. Before the start of the exam, we get 5 minutes to select a check box and click Ok. During that time, I dumped it onto the empty sheet provided.

Actual exam experience: Larry mentioned in his videos that if you pay attention to the first 25 questions and get those right, then you won't feel that the exam is heavy on any one domain. So I did, without looking at the clock. When I looked at the clock for the first time, I was at question #35 with only 110 minutes remaining. I started to panic and then started to speed up. Fastest finger first with Thor's exams helped here. Took calculated guesses and used elimination for most of the questions. Throughout the exam I had no certainty of passing. Avoided overthinking and tried to correlate with what I learned from CISSP tips videos by Larry, Kelly and Derek, and it did help.

If you put in your best effort, do lots of practice questions and have enough experience, you will pass the exam. Please do remember, there is no alternative to experience; everything else is secondary.

Best of luck to everyone who is preparing for the exam. Remember, it’s worth it.