Preparing for and passing the CISSP Exam
On the 18th of December 2023, I passed the CISSP exam on my first attempt at 125 questions, which at the time was the minimum amount possible.
I’ve been asked by several juniors how I passed, seen lots of people talking about how they struggled with the textbook, and seen even more people talking about struggling with the mindset. So I thought I’d keep this here and if anyone ever asks me again, I can point them here.
So what actually is the CISSP?
The CISSP (Certified Information Systems Security Professional) is one of the most well known certifications in cyber security. It is run by ISC2 and covers eight domains ranging from security governance and risk management through to software development security. It is often listed as a requirement or a strong preference in senior security roles, and in some government and defence contexts it is practically mandatory.
It is not a deeply technical exam. It is a mile wide and an inch deep, testing your understanding of security concepts, frameworks, and best practices across a very broad scope. The challenge is less about knowing how to exploit a buffer overflow and more about understanding which control framework applies, who is accountable for a decision, or what the first step in an incident response process should be.
The exam itself uses Computerised Adaptive Testing (CAT), which means the difficulty of the questions adjusts based on how you are going. You will answer between 125 and 175 questions, and the exam can end at any point once the system has enough confidence in whether you have passed or failed. This means you never quite know when it is going to stop, which is a strange feeling.
What I used
I prepared using four major resources:
- The Official CISSP Textbook
- Pete Zerger’s CISSP Exam Cram Full Course (All 8 Domains)
- Andrew Ramdayal’s 50 CISSP Practice Questions
- Practice questions on LearnZApp
Three months of train questions
I began by going through the LearnZApp questions on my commute to and from work each day for about three months. I answered nearly the entire question bank and started around 60% correct, progressing to around 85 to 90% on average.
I also downloaded Pete Zerger’s video and converted it into an audiobook format and listened to it several times. It is full of great mnemonics like “All People Seem To Need Data Processing” which for some reason just stuck with me. Even now I hear it in his voice.
This phase was low effort but consistent. I was not carving out dedicated study time, just making use of dead time on the train. Over three months that added up to a lot of exposure to the material.
Thinking like ISC2 wants you to
I was making progress on some of the questions but continued to answer others in a way that was too sensible and too grounded in real life, which is not always the best option for the exam. It was not until going through Andrew Ramdayal’s video that things really clicked.
Understanding what was really being asked and the expected answer with the BEST or MOST or FIRST questions was crucial. I cannot stress enough that if you are an experienced cyber professional, Andrew’s video is the number one resource.
There is one question in particular where he explains that for the MOST CORRECT questions, you have to imagine picking only one option and completely ignoring all others. What would you do in that circumstance? It is totally, bafflingly different to reality but it is such an important way of thinking for the exam.
As an example, in real life if you discovered a vulnerability you would probably do several things in quick succession. You would assess the risk, notify relevant people, check if it is being exploited, and start working on remediation. On the CISSP exam, you need to pick the single most correct first step and treat the other options as if they do not exist. That shift in thinking is the difference between getting tripped up on questions you actually know the answer to and breezing through them.
The week off
In December, I took a week off work and read the entirety of the CISSP textbook. With eight domains to review over nine days, it was a massive focus commitment with hours of uninterrupted study per day. All in all I put in around 50 hours of prep time in the nine days preceding the exam.
My process for each chapter was:
- Read the chapter in full without taking notes
- Read the review questions at the end
- Go back through the chapter taking detailed handwritten notes
- Do the multiple choice questions
Additionally, I re-read all of my preceding notes four hours after I had taken them to reinforce the memorisation with spaced repetition. I also repeated this at the start and end of every day. Anything that was unclear, I went and revised my notes. By continuously reinforcing the concepts daily, over and over, they were burnt into my brain.
Some of the subjects in the textbook, especially the first two chapters, are incredibly dry and boring. I think this hurdle kills a huge amount of enthusiasm in prospective CISSP candidates. If you are slogging through the governance and risk chapters and wondering what you have gotten yourself into, just know that it gets better.
The networking, cryptography and other chapters were really quite interesting for me, and I know it is funny to have to remember fence heights and fire extinguisher types but I found the physical security section genuinely interesting too. Some chapters were far easier than others to get through due to my professional experience and I barely had to take notes. I think in the entire section covering types of attack there was a single type of attack that I had not ever done, and that was my entire set of notes for that chapter.
The actual exam
On exam day, all of that prep paid off. I had basically every part of the required knowledge fresh in my mind and answered all questions nearly straight away. I passed in just under an hour.
The testing centre experience itself is about what you would expect. You lock your belongings away, they check your ID, and you sit at a computer in a quiet room. The CAT format means that you are constantly aware that every question could be your last. When it hit 125 and stopped, there was a moment where I genuinely was not sure if it had stopped because I passed or because I failed. The proctor handed me a printout and I had to read it twice before it sank in.
I think my approach of cramming intensively in the final week was way better for me personally than stringing out the prep over months and just forgetting who the heck Gramm-Leach-Bliley are by exam day. That said, the three months of casual question practice beforehand was important too. The cram week worked because I was not starting from zero.
After the exam
One thing that caught me slightly off guard was the endorsement process. After you pass, you do not just get the certification. You need an existing CISSP holder to endorse you, confirming that you have the required professional experience. ISC2 gives you nine months to sort this out, so it is not urgent, but it is worth knowing about in advance so you are not scrambling to find someone after the fact.
What I’d tell someone starting out
If I were giving advice to someone about to start their CISSP prep, it would come down to a few things.
Do not start with the textbook. Start with LearnZApp or a similar question bank and just get familiar with the material and the question style. Use your commute, your lunch break, whatever dead time you have.
Watch Andrew Ramdayal’s video before you do anything else if you are already working in cyber. The mindset shift it provides is worth more than weeks of textbook reading.
When you do read the textbook, do it in a concentrated block close to the exam. The CISSP covers so much ground that spreading it over months just means you forget the early chapters by the time you reach the end.
Write your notes by hand. I am convinced this made a difference. There is something about physically writing things out that makes them stick in a way that typing does not.
Use spaced repetition. Re-read your notes the same day you take them, then again the next morning. It sounds tedious but it works.
And finally, do not underestimate how much professional experience counts. If you have been working in security for a few years, you already know more than you think. The exam is not trying to catch you out. It is trying to confirm that you think about security the way a senior professional should.