How to study for the CISSP exam

If you are wondering about the best approach to study for your CISSP exam, here are some helpful hints.  I passed the CISSP exam this past December (2023).

I studied for about a year and spent the last few weeks before the exam very focused.  

To give you some sense of my background: I understood much of the material covered in CISSP at a high level. My background in leading large teams in software development meant I was familiar with secure software development and web/mobile application architecture, and from heading up the PMO I had a good grounding in risk management. I have dated hands-on experience with Unix-based systems and yes, I still have somewhere the "Unix-V" book, which everyone should read as it is so beautifully consistent, coherent, and lucid about what good programming and systems architecture looks like. I am trying to remember - I think it was written by Dennis Ritchie himself? If anyone knows - please comment! My weakest areas were the networking domain and the cryptography subjects.

In hindsight I should have paid more attention to the dates of the study materials. The 2018 audiobook and the 2021 Udemy course had information that seems no longer relevant to the exam, but they were still very useful for core concepts. So with that, here are some of the resources I used:

  • I found Kelly Handerhan's course on Cybrary very entertaining and informative, especially if you know the basics. They focus on what you need to know, give a lot of memory aids, and introduce subjects with a great amount of humour. Cybrary is not cheap, but they have great customer service and a wide range of materials.
  • The "All In One CISSP exam guide" is a great reference guide and has some of the best explanations, well written and funny.
Front cover of the CISSP exam guide book
  • My company's Udemy offers three 2021 practice tests, which gave a good refresher on topics; however, the 2021 tests seem out of date for the exam areas in 2023. I see that my private Udemy has more up-to-date practice for the 2023 exam, which may have been more useful.
Udemy CISSP practice course
  • I found Thor Pedersen's material on Udemy contained helpful explanations, and you can select the specific domains to brush up on.
  • I bought the audiobook for "Essential CISSP Exam Guide 2018" from Audible, written and narrated by Phil Martin, which was very strong on the networking concepts and great to listen to when going for a bike ride or run.
  • The ISC2 exam outline summary is useful to check if you've missed a topic.
  • I also purchased and ran through the complete self-paced course from ISC2 itself. I found the textbook a great overview. I found the practice test questions very helpful to solidify the textbook content, but not directly related to the exam. I will now always remember when Chile enshrined privacy into their constitution (2018), how many members APAC has (21), and which is the protocol number for ESP in the IP packet header (50), but I found the actual exam not the same as the practice tests in the slightest.

    screen shot ISC2 self paced training

I actually really enjoyed doing the exam, which I found mostly used scenario-based questions and would ask you, as a security professional, to choose the best recommendation for a given scenario.

For example: given such and such a use case, what controls would you recommend to protect your web server, to protect the physical security of your facilities, or to introduce security principles into a startup's software development cycle, etc.

I would suggest spending more time on reviewing and thinking through controls for specific scenarios than on memorizing details of which ports operate for which protocol. However, make sure you do know your basic OSI and TCP/IP network stacks! Especially the distinction of what operates at layer 2 or 3 (MAC-based or IP-based), which I found very helpful.

A couple more thoughts:

  • I forgot to pay attention to the total number of questions for the test, which I think is displayed at the beginning, and I therefore had no idea whether I was being fast enough in answering the questions.
  • The exam does NOT allow you to go back to a question, which the staff emphasize before the test, but it is still unsettling to commit an answer, and it made me take more time per question.
  • I thought I was being too slow, but I completed the exam in 3 hours.
  • You can leave the exam room to get to your 'cubby' where you can store your food and drink, but you cannot take any of it into the test room with you. I still found it well worth the lost time (the exam clock does not stop) to re-hydrate and feed the brain.
  • When registering for the exam through ISC2, I took the 'pay a little extra for another chance to write the exam' option, which really helped me feel better during the exam.
  • Relax and focus! By the time you are taking the exam, you've done what you can, so just do your best!

Good luck, and I would love to hear if any of this is useful!
