How I Prepared and Passed CISSP

I locked myself in for 2 months to prepare for the CISSP (Certified Information Systems Security Professional) exam, and now I’m back, triumphant, to tell the story. Yes, I just received the Congratulations email from ISC2. I’m sharing my experience here in the hope that it might be helpful to anyone who’s preparing to take the exam. There’s no doubt that it was THE MOST difficult exam I’ve ever taken.

Let me give you a general idea about this certification. CISSP is a security certification administered by (ISC)², a globally recognized, vendor-neutral organization that certifies information security professionals. To pass the CISSP exam you’ll have to be competent in the 10 Domains of the Common Body of Knowledge (CBK):

  • Access Control
  • Application Security
  • Business Continuity and Disaster Recovery Planning
  • Cryptography
  • Information Security and Risk Management
  • Legal, Regulations, Compliance and Investigations
  • Operations Security
  • Physical (Environmental) Security
  • Security Architecture and Design
  • Telecommunications and Network Security

To qualify to sit for the exams you need to:

  • Subscribe to the (ISC)² Code of Ethics.
  • Have a minimum of four years of direct full-time security professional work experience in one or more of the ten domains of the (ISC)² CISSP® CBK®, or three years of direct full-time security professional work experience in one or more of the ten domains of the CISSP® CBK® with a college degree. Additionally, a Master’s Degree in Information Security from a National Center of Excellence can substitute for one year toward the four-year requirement.

Update: Effective 1 October 2007, professional work experience requirements for the CISSP will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP CBK domains. A new endorsement policy will also be in effect, requiring anyone who passes a CISSP, CAP, or SSCP exam to have their qualifications endorsed by another (ISC)² credential holder. These changes will not affect those who sit for an examination on or before 30 September 2007. For more information, please refer to the Experience Requirement Change FAQs.

The exam itself is 6 hours long, with 250 questions based on the 10 domains. 25 out of the 250 questions are research questions, but you’ll have to answer all of them, and there’s no way of knowing which ones they are. So, 225 questions will be scored, and you’ll have to get 700 out of a possible 1000 points on the grading scale to pass. Different questions carry different weight (marks), and there’s no way to know how many marks a given question carries. As of writing this, the exam costs US$ 499 if you register 16 days ahead of the exam date, or US$ 599 if you register later.


My Recommendation

The best book you can buy for your preparation is CISSP All-in-One Exam Guide, Third Edition (All-in-One) by Shon Harris. The most helpful place, with a lot of useful resources, is the CCCure.org web site. You can ask questions on the Forum or search for anything you want to know about the exam. The forum is very lively, with a lot of CISSPs replying to your queries promptly. The Quizzer is another valuable tool to check where you stand, both before starting the preparation and before taking the exam. The quiz gives you a general idea of which domains or topics you’re weak in, so you can devote more time to strengthening your weak areas. If you’re taking the self-study route, you should view the Flash-based Exam Introduction and Overview by Clement, which provides a thorough overview of the CISSP Exam, with tips on how to prepare, how to study, what resources to use, and a whole lot more. I found it extremely useful.

How I prepared for the Exam

I chose the self-study route and devoted around 2 months to the preparation. I locked myself in and had very little to no time for the family; I’d told them what I was up to, and both my wife and son were very supportive. Every weekday I would dedicate 3 to 4 hours, and on weekends 5 to 6 hours, to preparation. The last week before the exam, I took leave from work and dedicated around 12 hours straight every day for 7 days. To cope with the physical and mental strain I did 45 minutes of yoga in the morning and 20 minutes of meditation in the afternoon. I took a break or stretched for 5 to 15 minutes after every 1 or 2 hours of study. Even with these precautions, there were times when my mind went wild and my body ached like hell :).

Because of my experience at work and previous studies, I was already familiar with most of the topics in Telecommunications and Networking, Cryptography, Operations Security, and Security Architecture and Design. I was OK with the remaining domains, but Physical Security and Legal, Regulations, Compliance and Investigations were quite new to me.

My Study Materials
1. CISSP All-in-One Exam Guide, Third Edition (All-in-One) by Shon Harris
2. Mike Meyers’ CISSP(R) Certification Passport by Shon Harris
3. CCCure.Org (Quiz, Forum, and Summarized Concept)

Phase 1 (approx. 20 days)
I read CISSP All-in-One Exam Guide, Third Edition (All-in-One) by Shon Harris page by page first, then took the practice questions at the end of each chapter to see how well I had retained the material. As I progressed, I had a feeling that I was forgetting the earlier chapters.

Phase 2 (1 day)
I took a 250-question quiz from the CCCure Quizzer (select all 10 domains, difficulty pro, closely related, shuffle answers, review only incorrect answers, activate timer). The results of the quiz gave me a clear indication of which domains I was weak in. I saved the results in Google Docs so that I would be able to refer back to them later. I scored 76%.

Phase 3 (approx. 15 days)
Based on the results of the quiz, I prioritized the domains for review, starting with the one I had scored lowest on. In this phase I read the All-in-One book page by page for the second time, and after completing each chapter I took the CCCure Quizzer, 100 questions (select only one domain, difficulty pro, closely related, shuffle answers, review only incorrect answers, activate timer). The results told me which topics I needed to review within each domain. I saved each quiz result in Google Docs so that I would be able to refer back to it later. I was scoring over 80% in each of the 10 domains.

Phase 4 (approx. 10 days)
For each domain I reviewed the questions and answers that I got incorrect. I narrowed down my preparation and zoomed in on the individual topics behind the incorrect answers. After revising all the topics across all 10 domains that needed attention, I took the same quiz, 100 questions (select only one domain, difficulty pro, closely related, shuffle answers, review only incorrect answers, activate timer). By now I was scoring above 90% in each of the 10 domains.

Phase 5 (approx. 15 days)
The CD included with the All-in-One book has the Total Tester software with a lot of questions (60 to 100+ per domain). I took the test for each domain. After taking the tests from the CD, I read the All-in-One book for the third time, but this time I just read the headings and subheadings, flipping through and skipping pages, and only stopped to read the topics that caught my attention. When there were 2 days left before the exam, I started reading Mike Meyers’ CISSP(R) Certification Passport; it is a very well summarized book which contains most of the concepts necessary for the exam. I highly recommend this book at the end of your preparation. On the last night, before I went to bed, I read the study guide (cram) that was produced by Michael Overley and improved by Jane E. Murley.

The Exam day

I was quite satisfied with my overall preparation, but that couldn’t help me with the anxiety and anticipation. I’d read a lot of horror stories on the CCCure Forum about the exam questions. I went to bed early the night before the exam but found it quite difficult to fall asleep; anyway, I got around 5 hours of sleep. I woke up early on the exam day, did 45 minutes of yoga, and had a heavy breakfast. I went to the exam center with some energy bars, a bottle of water, a pack of HB No. 2 pencils, a sharpener and an eraser. ISC2 provides 2 pencils, but they aren’t that good, so I highly recommend that you take your own pencils, eraser and sharpener. I had brought a jacket with me and kept it on throughout the exam. It was quite cold. You should be prepared for warm or cold conditions.

The exam was a physical and mental test as well as an English test. After 3 hours of sitting, my neck was like one big knot. I ate one energy bar, drank around half a liter of water, and went to the toilet twice. Some questions didn’t make any sense at all.

If I had to break down the questions, it would be something like this:

  • Around 5% were straightforward: a one-line question and a very obvious answer.
  • 20 – 25% of the questions were very tricky; not difficult, but you needed to watch the keywords like NOT, WORST, BEST, etc. The practice quizzes helped me a lot with watching the keywords.
  • 20% either didn’t make any sense to me in English or were like questions from another subject. Maybe they were the research questions.
  • 50 to 60% of the questions were similar to the CCCure quiz and All-in-One CD questions. They were similar only in construction and difficulty; none were exactly the same.

All 250 questions were ones I was seeing for the first time. I’d never seen any of those questions in the quizzes or practice questions. I circled the answers to my first 125 questions in the question booklet in around 2 hours. Then I copied (marked) those answers onto the answer sheet, which took around half an hour. After that I started marking the answers directly on the answer sheet. I think marking directly on the answer sheet is a better idea; it’ll save you some time. It took me 5 hours to finish all 250 questions. Initially I’d put a question mark in the question booklet next to the questions I was not sure of. So I came back and reviewed the answers to those not-sure questions, and ended up changing 8 answers. I didn’t have time to review all the questions, and maybe that was a good thing :). I was quite sure that I had got around 50 to 60% correct, but I came out exhausted and was not sure if I would pass.

Post Exam

The wait after the exam is even worse than the preparation or taking the exam. In some cases the results are emailed as early as 5 days after the exam. So, after 5 days I kept on checking my email every few minutes, hoping to see the results. I also visited the Forum to see if anyone would post anything about the exam in Hong Kong on 22 April. Finally the results came in, exactly 10 days later. I opened the email and saw the word Congratulations! That’s it. I felt like I’d let a 100-pound weight go from my shoulders, and felt as if my body had melted into the chair I was sitting in. A very pleasant feeling followed, and I thought the time, effort and money spent were worth it.

After getting the results you need to get an endorser to sign the endorsement form and send it to ISC2 together with your resume. The endorser must be either a holder of one of the recognized certifications, such as CISSP, GIAC, MCSE, MCDBA, CISM or CISA, or your company’s CEO, CIO, Managing Director, Executive Director or Managing Partner. I’ve already sent the signed endorsement with my resume and am now waiting for the official certificate.

Conclusions

The CISSP Exam is all about concepts. If you know the concepts well, you can pass, but don’t underestimate it; there are a hell of a lot of concepts to remember. I think you need to have some experience in the field, otherwise it would be too difficult to just study and remember the concepts. Make a study plan and follow it. Read each and every page of the All-in-One book. Do as many practice questions and quizzes as you can. The preparation and the exam are both physical as well as mental challenges, so take care of your body and mind too.

26 comments on “How I Prepared and Passed CISSP”
  1. Bharat says:

    Hello Dai

    Congratulations!!! So you did it after all! Sounds like a hell of a tough nut to crack. Every effort well spent. We need to have some drinks to celebrate the occasion, eh?

  2. Thanks Bharat, I’m still recovering from its aftermath 🙂 Sure, we need to celebrate. I’ll ring you up soon.

  3. neteng says:

    Congratulations Niranjan!!! That’s a fantastic cert to have, very marketable. Good luck in the future. Also, your blog is looking really good.

    Phillip

  4. Thanks, and always good to see you back here, Phillip. I noticed that you’d been busy with your new work and the CCIE lab. I wish you good luck and hope to see the good news in your blog soon.

  5. Vaibhav Shah says:

    Dear Nirlog,

    Hearty congrats for becoming CISSP.

    Your posting a detailed guide on prep for CISSP is simply amazing & very informative.

    It has given me an idea on how to prepare for CISSP. I really don’t know whether I can make it, as I am not much experienced in Security; I am working as a Network Administrator in Kuwait & I have exposure to 3 domains.

    You say you found it very tough in spite of having so many qualifications & on-the-job experience. I have given 3 months’ time for preparation.

    Will be glad if you can give more insight towards this certification.

    Thanks very much, God bless you, I wish you all the best.

    Heartiest Regards

    Vaibhav

  6. Hi Vaibhav,

    Thanks for the email with kind words. I’d replied to your email but got a bounce back from Yahoo. So, I’m replying to you here.

    I’m glad that you find the post very informative. In terms of insights about the CISSP exam, I think I’ve pretty much included everything I could tell in the post. If I had to add more, I would say this: CISSP is all about CONCEPTS. As for the domains, I think the most important domains are the following:

    1. Access Control.
    2. Telecommunications and Network Security.
    3. Information Security and Risk Management.
    4. Security Architecture and Design.
    5. BCP & DRP.

    Hope this helps. Good luck for your preparation and exams.

  7. Vaibhav Shah says:

    Dear Niranjan,

    Sorry for misspelling your name in the earlier post.

    Thanks veryyyyyyyyyyy much for reply & inspiration.

    In case further info is required I might mail you. Hope you won’t mind.

    God bless,

    Vaibhav

  8. Rukmani says:

    Hello Niranjan
    This post is really helpful. I passed CISA this June. I am an IT auditor. Do you think CISSP will be too tough for me? I practice audit day to day and not security (like firewall, cryptography, etc.). Do you think it’s gonna be more difficult for me? Any thoughts?
    Happy Diwali
    Rukmani

  9. Hi Rukmani, I’m glad that you found the post helpful, and congratulations on passing CISA. As for CISSP, it’s all about security concepts. Experience in Network/Security would be very helpful indeed, but I think you should still be able to do it since you’ve already passed CISA.

    Good luck and Happy Diwali!

  10. CISSPME says:

    Thanks for sharing! I’m preparing for this exam as well. Wish me luck.

  11. KG says:

    Hi,

    This is indeed a nice write-up on preparation. I referred to your post while preparing for the exam & it was helpful.

    I passed CISSP exam recently. I have shared my study plan & experience on CISSP exam preparation on my blog here:

    http://ipositivesecurity.blogspot.com/2009/06/cissp-my-study-plan.html

    Best Regards,
    Ganeshen

  12. Gopal Balaraman says:

    Hi Niranjan:

    I am glad to hear about your detailed study plan. I have been studying for CISSP off and on for the last year. It is time for me to allow more time for studying and allow myself to concentrate on the concepts. In addition, I went to the SANS Institute here in the USA for training.

    I work in US as a DoD contractor and this certification carries a lot of weight for their 8570 initiative.

    Please provide more insightful advice and effective study habits to pass the exam successfully. My goal is to pass the exam in 2-3 months, as I have been studying on and off.

    Very Respectfully,

    Gopal.

  13. Good Luck Gopal! I think you should make a study plan to suit your goal and stick to it.

  14. mk_linux says:

    Congratulations, I think you did your best to study and pass the CISSP exam, congratulations again.
    I’ll do my best too to study and pass the CISSP exam.

  15. Thanks and good luck mk_linux!

  16. Irshad Mohammed says:

    Dear Niranjan

    Thanks for the detailed description you gave us to prepare for the CISSP exam …. because I was interested in moving into the security side and looking for some guidance …. your experience gave me a good overview.

    Regards
    Irshad

  18. Pascal Wessel says:

    Hi Niranjan,

    Found your blog recently: very good!
    I incidentally mentioned this CISSP exam prep post you wrote and I must say that I bookmarked it 🙂 as I am reading the Shon Harris All-in-One 5th Ed: I’m at Chapter 7…

    BTW congrats!

    Cheers,
    //P (former mate @Vanco)

  20. David says:

    I am very happy to read this post. It is very informative and helpful.

  21. Micle says:

    Nice Article

3 Pings/Trackbacks for "How I Prepared and Passed CISSP"
  1. […] This article originally appeared in Nirlog.com. […]

  2. […] look at what another non-fan of the cert thinks about the cert. In his blog entry he quoted another blog that […]

  3. […] NirLog: http://nirlog.com/2007/05/03/how-i-prepared-and-passed-cissp/ […]