UPDATE: I also encourage you to read my write-up about how I passed CSSLP (after CISSP); there are even more details about my training process and study approach: The Shadow of CSSLP.
I started somewhere in 2015 with just reading the book "CISSP All-in-One Exam Guide" (Sixth Edition, Shon Harris), and my English level didn't allow me to move quickly: I had to improve my vocabulary, reading, writing, and listening. I didn't force my studying; I decided to make an overall review of all domains in order to come back later with a more conscious approach to study. After a while, I dropped reading for a couple of years, and I concentrated on earning real practical experience in cybersecurity, which is 14 years as of 2021.
Basically, I don't feel that having experience in 3 of 8 domains is really enough to be confident enough to step up to the CISSP certification. I think that CISSP is more oriented toward corporate security, and in my case, I had many years in R&D (development in security), where you're pretty close to technicalities, but far from things like security governance, operations, access controls, etc. In 2019 I got an application security position in a company where corporate security is the biggest challenge, and I gained exactly the experience that CISSP stands for.
At some point I just realized that I was ready; it was October 2020, and I just needed to prove that I am who I am. I started my dedicated preparation: 2 hours every morning (books, video courses), then I added 2 hours in the evening, then I couldn't stop and spent 6-8 hours per day, especially on the weekend, and in the end, I was spending the whole weekend studying.
Books, video courses, and 4500 practice test questions in 2 months.
- Create a plan for preparation. It's easy. For example, you want to watch 10 hours of video courses and you'd like to spend 10 additional hours to learn the contents of the videos; therefore you need 10 days (~2 weeks) if you spend 2 hours per day on preparation.
- Set up a schedule in your calendar for every single day. Just do it: go to your calendar right now, and make an appointment for every day.
- You will need to answer from 4000 to 5000 practice questions until you get ~80% correct answers. How much time would you need? 200 questions per day = 20 additional days of preparation. Not too much! :)
real-life experience. It's all different. You need to concentrate fully during your preparation to get ready for the examination.
All in all, I feel that all study materials contain incomplete but complementary knowledge, something like this:
- Initially, I bought CISSP Certification video courses by Thor Pedersen on Udemy (8 courses at ~$16 each), and at the end of my studying, I found all those courses cheaper on his personal website https://thorteaches.com/. And because I also purchased "Boson" tests later for ~$99 (see below), it would have been cheaper to just go to https://thorteaches.com/ and buy the "CISSP Bundle + Boson" there for ~$175 (Thor's videos + Boson tests). The arithmetic is simple:
$175 < 8 * $16 + $99. And no, I don't get any referrals from this guy, I just want you to save a couple of bucks.
- In case you prefer learning on Udemy, I put all the links here:
- Install (ISC)2 Official CISSP Tests on your phone. Run "Quick Test" (10 questions) periodically every day, "Mock Test" (50 questions), and "Practice Test" (125 questions) whenever you wish.
- Install Boson's test kit "ExSim-Max for CISSP 2020" ($99). There are 5 test sets (as of 2020); use them to finalize your preparation. Don't solve them all in the beginning; keep a couple of test sets to double-check your readiness later.
- I wouldn't recommend starting with "CISSP All-In-One Exam Guide", but I can't change my past, where it helped me to discover CISSP, and later to dive into the particular details of most of the security domains, though there is a lot of outdated information that you don't need to learn in detail in order to pass the exam. I answered the practice questions at the end of each chapter and at the end of the book. The questions there are really hardcore, but they shake your mind pretty badly.
- "CISSP Practice Exams" (by Shon Harris) was on my table as well, and I used it to train on practice questions for several CISSP domains (not all of them, though).
- There are resources that I didn't use in my preparation, but which many people recommend:
- "CISSP Study Guide" (by Eric Conrad) is a well-regarded and highly recommended book, but I didn't read it.
- "The Official (ISC)2 Guide to the CISSP CBK Reference" is the official reference to the CISSP CBK (Common Body of Knowledge). I used the (ISC)2 Official CISSP Tests and the Boson test kit instead of the official CBK.
How I Figured Out That I'm Ready
It was Thursday evening, and I felt that I was fed up with preparation.
It was a kind of "enough" code in my head.
I decided to solve Boson's quiz to check whether I was ready. The goal was to pass the test exam with an ~80% score. I passed. And in the next minute, I entered Pearson Vue (ISC)2 and scheduled my exam for the next morning.
I took a taxi and arrived at a PearsonVue test center half an hour before the exam. The questions were crazy. There were questions where I had no idea what they were about. Just imagine my feelings when, after processing tons of information over the years of work and through the course of studying, you still see something for the first time on the exam.
There were questions where I had to write down some calculations to figure out the right answer. Overall, it was hard to say whether I would win or fail.
Later, I found the official CISSP Computerized Adaptive Testing (CAT) FAQ, and I felt exactly what is described there:
Consequently, many candidates will feel that they did poorly on the exam as all candidates are expected to only get 50% of items they answer correct. This psychological phenomenon is common for CAT exam candidates, as most fixed-form exams have candidates answer a higher proportion of items correctly due to item targeting inefficiencies. It is important for a candidate to remember it is not the number of items answered correctly that is important, everyone will get about 50% correct, it is the difficulty of the items that he/she answers correctly which is relevant for passing the exam.
I passed the exam on the 100th question, BUT I didn't receive my result immediately at that PearsonVue center for some reason, so I had to go back home and check the result in my PearsonVue account.
I received the official "pass" result in the evening.
CISSP is an English exam. In most questions, you can feel that 4 of 4 answers have a chance to be correct, yet there are tiny differences that you learn to identify through the course of your preparation (e.g. prefer the risk-based approach and eliminate any unclear answer).
The funny thing is that because I'm not a native English speaker, I just forgot whether "pass" means "good" or "bad", therefore I was pretty nervous until I got the official result in my mailbox. This is because in my native language we say "passed successfully" or "passed unsuccessfully", instead of "passed" or "failed" as in English. So, if you worry, just know that "pass" means "good", and "fail" means... you know, it means that you have to try harder. ;)
I don't want to spend too much time on certifications; the thing is to apply knowledge and protect the common good. I'd like to pass CSSLP to showcase my secure software lifecycle experience, and I know that it's better not to lose the momentum after passing the first exam.
In the end, let me recall my own words from my LinkedIn post:
I often forget, I often disbelieve that if you put in effort, motivation, and determination, you can achieve good results, and it will always remind me not to forget, and to believe in myself.