In this post, I am going to share my personal experience to obtain the CISSP certification. CISSP is one of the most renowned certifications for the information security career and it is said that it is very hard to earn. Earlier this year (2020), I decided to give CISSP a try and in the following lines, I describe each step of my journey which includes my background, study strategy, exam experience, the endorsement process, analysis of the material I used, my certification numbers, final notes, and the mind map I created as part of my study strategy. Hope you enjoy this reading and that this post may help someone to grab this certification too.
I am a Brazillian bachelor of computer science living in Brazil, working in IT since 2007. Started working in the IT support area, moved to governance, then moved to another company to work in IT infrastructure, focused on Unix and Windows servers. Until here I had ITIL, COBIT, and ISFS certifications.
Since 2013, I have been working in the information security area for an energy utility. For 4 years I have worked in security and risk governance and security auditing then moved to lead the security operations team, which is my current position. Since this company provided me no help for certifications (and they do not care about it), I stayed away from certifications. Later in 2019, the company gave me training and a voucher to take CompTIA's Security+ exam, which I enrolled in and got the certification in ≈1.5 months. This gave me confidence (and the will) to take other certifications.
Coming back from vacations, due to the remote work, I decided to take another certification, and I chose CISSP because it is widely accepted as one of the best certifications on security, and the price fitted my personal budget --my employer would not pay for that.
Due to Covid-19, I decided to extend my preparation time span, because Belo Horizonte locked down in March and obviously, the exam center was closed, so I would study less per day for more days until the lockdown had finished. I decided to take the CISSP later in March 2020 and after collecting some material, started studying by April. Finally, I decided to use the Pomodoro Technique to study because I wanted to make sure I would always be focused on while studying without any distractions.
The review for all material is in the next sessions (including the links), but my strategy was:
- Started by reading the Official Study Guide (OSG) --cover to cover and taking notes.
- Took one Boson test #1 in simulation mode --always used Boson in this mode.
- Read the All-in-One (AIO) cover to cover taking notes.
- Did the exercises in the CISSP app.
- Another Boson test (#2).
- Took all exercises from Official Practice Tests.
- Repeated both Boson tests (#1 and #2).
- Reviewed my study notes.
- Took another Boson test (#3).
- Watched to Destination Certification videos.
- Took Boson #4.
- Read the Eleventh Hour (EH) cover to cover.
- Boson #5, the last one, using a mask to better simulate the exam environment.
- Did all AIO Practice Exams.
- Started a comprehensive review: Watched to some of Larry Greenblat's videos on YouTube, my personal notes so far (OSG, AIO, and Boson), and Memory Palace.
- I used all notes plus EH to create my personal mind map and the last step was to explain to myself each of those 2300+ topics.
- Watched Kelly Handerhan's Why You Will Pass (WYWP) video for the last time.
Basically, my studying consisted of a lot of reading, taking notes, and exercising, because it is the best way for me to really understand the concepts. Since I studied so little per day, I also had the opportunity to think about all the concepts I had learned each day, which also helped me really understand all of the topics.
- (ISC)2 CISSP Official Study Guide (8/10): Read this book cover to cover, taking notes, and doing all the exercises. The authors are pretty dry, but this is the official study guide, so it is essential. On average, I scored 80% on the exercises, but definitely, they are not a good metric to consider for the exam.
- All in One (9/10): Again, read this book cover to cover, taking notes, and doing all the exercises. This is a very good book, which I pretend to use further in my career. The topics are well grouped and the concepts are introduced in a matter that you understand the context behind that. On average, I scored 75%, but again, the questions are focused on the understanding of the concepts and do not prepare for the exam.
- Boson (8/10): The best legal exam simulation available. Acquired this bundle with a discount voucher, and they are the best preparation material I had contact. The questions follow the best/least mindset, which is essential for the exam. Besides, the explanations are very well written and I learned a lot from reading them. I did almost all of the exercises during job intervals and, of course, affected negatively the results. I took the last of the five tests during a holiday, at the same time I had scheduled my exam, on the same weekday, using a mask (which I knew I had to use due to Covid-19) and scored 83%. On average, my final mark was 74%.
- CISSP Practice Test Free 2020 (6/10): This set of exercises is just OK. Many of them are the same as the ones in AIO, and since I had already read the book and its exercises, it had no real effect on learning.
- (ISC)2 CISSP Official Practice Tests (8/10): It is a good set of exercises because they are the official practice tests, but they look more like the other exercises from the OSG than with the real exam. On average, my final mark was 81%.
- Destination Certification (6/10): Good review videos (especially the Kerberos one) on the exam, which helped me a lot on creating my own mind map, but I noticed some mistakes (arguably) on the explanations, furthermore, this is a pretty recent project, so there is no sufficient videos --for instance, by the time of my study there were no videos for domain 4.
- Larry Greenblatt YouTube free videos (7/10): Although these videos are just a taste of Greenblat's course (which seems to be great), they are such a great source of information, especially those in which Larry gives tips on question resolutions --his Spock and Kirk imitation is hilarious and didactic. Unfortunately, I could not afford Larry's training, but as far as I could notice in these videos, it is highly recommended. If I had taken his course this grade could be even higher.
- (All-in-One) CISSP Practice Exams (5/10): This book is just OK, mainly because I have found some copy-and-paste questions from AIO, and some pretty specific questions pertained to the original book --it looks more like the authors are focused on test the memorization for the AIO than preparing for CISSP. Therefore, some questions are poorly written as well as the explanations, so they did not convince me. My average score was 76%.
- Eleventh Hour CISSP: Study Guide (7/10): A 10,000-feet overview of the main concepts, so I used it as a review of all of the content. Sadly, some concepts are deprecated and differ from other more-reliable-sources, like Sybex and AIO. It was a cornerstone to improve my mind map.
- Memory Palace (6/10): A nice comprehensive set of topics. Covers almost everything in the CBK and is a good resource for those who have not taken notes to review before the exam. Personally, I missed some topics and found some explanations pretty shallow, as well as there were many things that could be skipped for this type of material. Some topics are misplaced between domains and others are duplicated, and it can cause confusion.
- My own material (10/10): Taking notes was crucial for assuring I was learning the studied concepts. At some point by the middle of my journey, I decided to create a mind map (I kindly called it Sunfish --see the last session) and this resource absolutely helped me better organize all of the topics inside my memory and also it was the last resource I used to review before the exam. One week before the exam I started reviewing the mind map and explained for myself each one of the 2300+ topics.
- Why You Will Pass (8/10): Kelly Handerhan does an excellent job of summarizing everything I learned (in a 30,000-feet height) and leveraging my confidence. I would really like to take her classes on Cybrary, but my CISSP budget could not pay for that.
- CISSP Subreddit (10/10): This sub showed me CISSP was a possible dream and following week-by-week other people getting certified is such an awesome motivation. Reading other people's experiences helped me to define my own path and create a preparation roadmap in accordance with my reality. As other users indicated, I also tried some Discord channels dedicated to CISSP, but that looked kind of chaotic for me, so I spent less than one hour following that. Reddit on the other hand is easier for me to follow, interact, and stay tuned IMHO.
I was reviewing the material for the last three weeks before the exam and felt very confident. Since I had so much time to prepare, I used some time to get me set for the exam day, separating the necessary IDs, reading the NDA, selecting some snacks to take to the exam (eventually I could feel hungry), and also taking a backup mask.
One day before, I went walking to the test center (2 Km away from my house) to map the route, and to minimize the anxiety. I also watched the WYWP for the last time and avoided studying. Spent the day listening to music, watching TV series, and eating healthy meals. My strategy was to save the more energy I could to spend it during the exam.
On the day of the exam, I woke up early and completed my morning routine, including taking a shower and stretching my neck and my back to be physically well prepared. My exam was scheduled for 9:30' AM, but I left my house around 8:20' AM. Usually, I walk very fast, but on this day I was walking slowly. Despite leaving my house so early, I was feeling very calm and confident.
I was allowed to enter the test center exactly 30 minutes before the scheduled time and followed the usual ritual: Some signatures, photos, water, bathroom, and kept my stuff in the closet. Finally, I was ready for the exam. Sat down in the position indicated by the test administrator (TA) and started passing the CISSP!
Around question 20, the internet connection was lost and my station froze, so I lost a few precious minutes. After asking TA for help, it was solved and I continued, but around question 30 the system got unresponsible again, and this time the TA explained about the internet connection and put me in another station. Despite the exam time being stopped each time, I noticed I had lost a couple of minutes on each freeze --guess it is the time between the connection interruption and the remote system noticing the issue. After ≈10 minutes, the connection was re-established and I started from the point where I had stopped, but around question 50 the system froze another time and I lost more minutes and concentration.
At this point, while the TA was trying to get the system running, I closed my eyes and used some meditation techniques, like focusing on breathing and avoid thinking about the problem. It helped me a lot, so I stayed calm and focused. When I got back to the game, I noticed I lost ≈10 minutes in the exam (total for all of the three freezes), plus the time I needed to get fully concentrated again. I started thinking about asking for cancellation, but I decided on another approach: I had to be strong, use all the things I learned and answer fast because, in the worst scenario, there would have 150 questions!
From question 50 to question 90 fortunately the connection stabilized and I was 120% concentrated, answering really fast, without overthinking. At this point, the questions were pretty easy and by question 95 I was pretty certain I had passed. I was so sure, I was thinking even in check any answer until question 100 to finish the exam ASAP --of course, I dropped this idea and kept solving the questions appropriately.
The exam finished at the question 100, so I went to the TA, filled a few forms, more signatures, bathroom, took my stuff, and only then I received the final print stating: "Congratulations! We are pleased to inform you that you have provisionally passed the Certified Information Systems Security Professional (CISSP) examination."
It worth saying that I followed the tip of reading each question and each choice at least two times, especially those that looked too obvious. Another thing to have in mind is that you will not get all questions right, so assume that some questions can be wrong and avoid wasting time. I remember that in two questions they were asking for things I had never heard about, thus for both of them, I chose not to waste time, guessed any answer based on intuition, and moved on. Of course, if you repeat this behavior for too many questions, it indicates that you need to study more and the chances of failing are higher, but it is OK to not knowing a couple of questions. Do not overthink the questions!
Approximately 30 hours after finishing the exam I received the famous endorsement email. The first thing I did was to be certain that my personal information was OK in the (ISC)2 portal, and it was not (my name was wrong), so I emailed them asking for a correction. At the same time, I contacted a pal who was already CISSP and he said he would endorse me.
Two days after the first contact, I discovered that I had duplicate accounts, so both should be merged. In the end, it took ≈3 weeks to merge both accounts, fix my name, and fix a problem when submitting the last form. After that, my endorser approved my request in ≈24 hours and I finally received an email telling me to wait 4-6 weeks for the endorsement to be reviewed. Fortunately, it took only one week and I received an email to pay the annual membership fee, which I paid immediately.
After that, I finally received an email from (ISC)2 congratulating me for becoming a Certified Information Systems Security Professional (CISSP)!
CISSP by Numbers (my KPIs)
During my preparation, I felt difficult to know if I was already prepared for the exam or not. Since most of the exercises are not equal to the real exam, they cannot be considered as a good metric. This way, like a good computer scientist, I measured some numbers from my preparation, especially the exercise scores and anyone could use them to benchmark their level of preparation.
- Preparation period: 30/03/2020 - 11/10/2020
- Study time: ≈484 pomodoros or 12,100 minutes or 201.66 hours or 8.4 days
- Maximum pomodoros in a day: 8
- Average pomodoros per day: 3
- Maximum consecutive pomodoros: 4
- Maximum consecutive days without studying: 6
- Pages read: ≈2,942
- Number of pages in personal notes: 133
- Exercises taken/grade: 3,905/78% (3,047 correct, considering only the first try)
- OSG 1: 0460/80% (368)
- OSG 2: 1334/82% (1,094)
- AIO 1: 0415/75% (311)
- AIO 2: 0355/76% (270)
- 11th.: 0040/90% (36)
- Boson: 0750/74% (555)
- App..: 0551/75% (413)
- Total cost: US$ ≈1,059.24 / R$ 5,889.37 (US$ 1 == R$ 5.56)
- Exam statistics: 100 questions in 120 minutes
CISSP is such a MONSTER of certification. There's A LOT of things to learn and most of them require a good level of understanding, so you must dig each one to learn everything that is required to pass the exam. I had been working in the security information area for seven years when I started my studies and was surprised by how many topics I wasn't aware of. But the major gain for me was to really understand how each term I had contact in all of those years was related to each other and better understand how they fit in the whole set which we call "security".
In my opinion, having the courage and trusting in yourself is as important as studying all the terms and concepts in the CBK. You must understand that despite this being a tough exam, it is not impossible. If you roll up your sleeves, study hard, and be confident, you can do it. My final tip is to enjoy the study process and have fun. Take your time: Focus on really understanding everything this exam is proposing for you. Face CISSP as a marathon, not as a sprint-race, so studying every day even for a few hours is better than study a few days for 20, 22 hours. Breath! Trust yourself! Relax! You can do it!
Bonus: Sunfish, a fishbone mind map for CISSP
As pointed out, I created a mind map to help me in my studies and after passing the exam, I decided it could be useful to more people. This way, I am releasing it in the links below.
I called it Sunfish because the final mind map plotted as a fishbone resembles an Ocean Sunfish skeleton.
Here are the three flavors of this mind map:
- PDF: You can navigate through the topics, but can't see notes and there is an XMind watermark --I used the free version. Despite that, it is a good way to have the first contact with the material.
- Markdown: XMind allowed me to export the mind map to markdown and since it is Git friendly and compatible with Zola, I decided to make it available. Good for navigating between topics using a web browser or text editor.
- XMind: This is the master file, so it can be opened in XMind to further improvements. It is also a good way to navigate between the topics and read every note.