A Different Take on Exam Prep: CISSP

I just passed the CISSP examination. I saw what many did to prepare for their exam, and I did something else. I needed something faster to arrive at passing results.

First off, the CISSP is “Certified Information Systems Security Professional”. It is an advanced credential requiring not just a passing exam score, but also dedicated security experience as per https://www.isc2.org/Certifications/CISSP. The CISSP and this post are not for people new to Information Technology and Information Security.

From what I can tell, most prepare for the exam with some combination of:

  • Study every night for two months
  • Read the thousand-page Study Guide
  • Take Full Length Practice Examinations
  • Attend Training (real or virtual)
  • Read an “11th Hour” Book the last two days

These things are all awesome! Just not for me 🙂

A Mile Wide and an Inch Deep

The CISSP is very broad in scope (while being not very technically deep). I had little time with which to study for it. I would not have time to expose myself to every single concept that might appear on the test. Additionally, some test questions are not technical, instead being entirely situational or logical. The test makes you think and not just regurgitate technical facts. How then to efficiently prepare for that?

Many Short Tests

Only test questions prepare you for more test questions. The problem with questions however is that they come with tests. Ditch the long tests. Take many small tests. Shorten the feedback loop so that you more quickly review and learn from your mistakes, and then sooner use that new knowledge to take another small test. Helpful for this is a dynamic test generator that assembles questions from a large question pool. I found ISC2 CISSP Tests App by Learnzapp excellent for this, and on mobile too!

Countless times I took small tests of only 20 to 50 questions. Often the test was from only one of the eight domains. Those domains and their weights for overall scoring are:

  • 16% Security and Risk Management
  • 10% Asset Security
  • 12% Security Engineering
  • 12% Communications and Network Security
  • 13% Identity and Access Management
  • 11% Security Assessment and Testing
  • 16% Security Operations
  • 10% Software Development Security

Domain tests are great for targeting areas needing improvement.

Throw Your Weight Around

I have a stronger background in Software Development Security, but that is worth only 10%, so I gave it less attention. Two domains are 16% each. Through perfect preparation of these two domains, I could get by with much lower scores in the other six. I will spare you the math, but 60% on all other domains is still a PASS overall if acing those two sections. That’s a lot of benefit from relatively focused excellence.

Time Management

“Drop everything else from your calendar and exist only on test prep.” – Jerk Instructors Everywhere

Most advice on time management is self-important at best and downright insulting in its naivety. We are told to drop everything else and make THIS THING, THIS TEST your priority. Yawn. Not an option.

Instead what worked for me was a simple two-pronged approach:

  1. Casual Study
  2. Formal Study

 I got a ton of value from casual study with my phone and without eye strain or extensive typing on the well-designed Study and Test apps listed below. I often have a few minutes here and there to take a few test questions from a mini-test. These were 20-50 questions each and can be resumed at any time. Upon completion of every test, I reviewed both the incorrect and correct answers as both were informative.

As useful as casual study is, it is inferior to note taking in terms of recall from memory. Speaking of memory recall, if there is any poor soul willing to hear you describe your learnings, teaching is by far the best way to cement your learnings into your memory. (My long-suffering spouse is not that willing person.)

Formal Study involves spending hours of time with the benefits of a large screen and keyboard for research and note taking. Formal study can still be taking tests, even short ones. The difference from casual mobile study is to do web research and build a large notebook of concepts. The CISSP is expansive so organize many notebook folders. You might even make one for each of the eight domains.

I keep a folder of my gaps, like where a concept or acronym completely blindsided me. By noting gaps in one place, I can quickly resume whatever study or test I am on, knowing I will round back to my weaknesses later.

The mock tests and the actual exam will sometimes present you with made up or unrelated-but-familiar acronyms. By looking up every single word unfamiliar to me, I gained an eye for how the examination tries to trick you. It trained me to be precise.

Though I did not take formal video instruction, I watched several 1-2 minute YouTube videos. Avoid the longer ones as you could be learning faster elsewhere. Every good thing has an opportunity cost of some other way you could be learning. I also enjoyed scanning for facts from the video transcripts at crybrary.com. This was far faster than watching the videos. Again, this is all possible from being an IT and security professional. This method would not be optimal for complete newbies.

The resources I used in order of their relative importance:

With the examination behind me, I have returned to studying my security craft on my own terms. Because test or not, our profession is non-stop learning! Good luck on your exam, and please share your unique study or test-taking techniques!