Cert Report: CISSP

I passed the CISSP at 100 questions/70 minutes

this post contains affiliate links

About the Exam

The Certified Information Systems Security Professional is a certification created and maintained by ISC2. The exam covers eight domains, which can be found here. The eight domains cover, at a high level, all aspects that a general IT security practitioner can be expected to encounter in the course of their work, and many that they would not. The exam itself consists of 100-150 questions with a maximum time of 3 hours. The passing score is a scaled score of 700 out of 1000; because it is scaled, it is not the same thing as answering 70% of the questions correctly, and the candidate must also meet the passing standard across the domains. Unlike a traditional linear exam, the CISSP is computerized adaptive testing (CAT). To quote ISC2:

Each candidate taking the CISSP CAT exam will start with an item that is well below the passing standard. Following a candidate’s response to an item, the scoring algorithm re-estimates the candidate’s ability based on the difficulty of all items presented and answers provided. With each additional item answered, the computer’s estimate of the candidate’s ability becomes more precise – gathering as much information as possible about a candidate’s true ability level more efficiently than traditional, linear exams. – ISC2 CISSP Computerized Adaptive Testing FAQ Page

To put it simply, the test will present at least 100 questions, continuously estimates which areas you are strong and weak in, and selects further questions accordingly. If at 100 questions the estimate of the test taker's ability is confidently above the passing standard, the exam concludes and is considered passed. If the estimate is not yet confidently above (or below) the passing standard, the exam continues to present questions, up to the 150 maximum, until the algorithm is confident that the candidate has passed or determines that they cannot pass. The takeaway from all that is that if you are not finished at 100 questions, don't worry! If questions are still being presented, you still have a chance.

Additionally, there are 25 experimental or evaluation (pretest) questions on each exam. These questions are being tested to see if they will be included in future exams and, most importantly, do not count towards your score. There is no way to tell these questions apart from the "real" questions, so it is in your best interest to answer all questions as if they are real. Just keep in mind that if you see a very unusual question that you don't know (and you have studied the proper amount), then it is probably an experimental question and won't count toward your score.

My previous experience

A bit of my background. I have a Bachelor's degree in IT, 2 years in the infosec field, and 4 years of help desk/sysadmin/netadmin work. I normally wouldn't say that work experience is helpful on a certification exam. In this exam, however, I found that I was able to skim over several areas because of my past experience, and use the time to focus on areas I needed more understanding in. I would recommend that everyone looking to take the exam carefully look at the domains and over the Sunflower layout and plan their studying around the areas they are not strong in. That being said, as one of my instructors said, "If you do something different at work than what is presented in the material, put the answer that is in the material." What he meant by that is there are real-world answers and there are test answers, and this is a test. With that in mind, it is a good idea to go over all of the material, even if you have extensive experience with a certain domain, to make sure you know the "test" answer. Also, ISC2 requires 5 years of demonstrable infosec experience to be a full CISSP. If you do not have the experience requirement but still have a burning desire to take the CISSP exam, there is an Associate level.

My study path

When I first heard about the CISSP certification, I did not immediately have a desire to get one. I had heard the chit-chat about the difficulty, how the material is too broad to cover anything in a meaningful fashion, and how it was only for managers. That changed when I was gifted a free training from ISC2. At that point I felt obligated to at least give it a shot. My first conscious study effort was attending an online ISC2 CISSP bootcamp led by Ben Malisow. Ben was a great instructor: he was very knowledgeable about the subject material, had great examples and analogies and good test-taking tips, and cared about the understanding and goals of the students. As Ben noted, even the ISC2 bootcamp alone is not enough to pass the exam. Due to the exam's wide coverage of topics, 40 hours just isn't enough time to cover everything in the depth that is necessary. Specifically recommended additional study aids were the Sunflower guide and the CISSP course on FedVTE (.gov email address required). Additionally, while not study resources per se, the ISC2 Code of Ethics is testable, as is the OWASP Top Ten, and it is recommended to read and understand both. While attending the bootcamp I felt like I had a good understanding of many of the domains from previous work and study experiences, and learned about the areas that I needed improvement in. That was until I took the course completion test, which was alleged to be more difficult than the exam. Up until this point I had heard tell of the horrors of the difficulty of CISSP exams, and mostly dismissed these stories as coming from inexperienced test takers, non-technical manager types, and non-infosec people trying to break into the field. Unlike myself, an experienced infosec professional and seasoned cert collector, for whom the exam should therefore be easy. I was quickly proven wrong.

Though I got a passing score (remember, it's "only" 70%+) on every practice exam, it was not by a comfortable margin, and I was made a fool by many of the questions. With the realization that I was not as well prepared as I wanted to be to bet a $700 exam fee, I moved on to the Linux Academy CISSP course to try and fill in the gaps. I found the material informative and broken into manageable pieces, but it did seem to be very similar to the ISC2 bootcamp, and I found that my time-spent-to-learning ratio was not optimal, so I moved on to other sources. I do believe the Linux Academy CISSP course would be good for a learner as their primary video study material; I just found that most of what is covered in Linux Academy had already been covered in the ISC2 bootcamp. If I were using my own money, I would have to choose Linux Academy. If you have a spare $3k in the training budget, or would like to do an in-person bootcamp, then ISC2 would be a good choice. Both courses also come with digital flash cards and some extra study guides.

After taking a few more practice tests, my scores were consistently in the 70-80% range, which, while passing, was still not a comfortable enough margin for me. I was fortunate enough to have access to the ISC2 bootcamp practice tests and the Linux Academy practice test. I was additionally loaned the Official ISC2 practice test book by a helpful coworker (check out how he passed his CISSP here). At first I thought all the practice test questions were awfully written, overly vague, or too specific to be on the exam. Again I was proven wrong. As it turns out, there is a reason that the CISSP exam is regarded as a difficult test... because it is a difficult test. I highly recommend practice tests for any cert, and for the CISSP especially so. Due to its broad coverage, practice tests can be a great tool to find your knowledge gaps. Every resource I listed will also show the questions you answered incorrectly with a short explanation of why, something that I find incredibly valuable in learning. Additionally, taking practice tests will prepare a candidate for the little tricks that exam question writers seem to love so much.

With test day approaching I began the deep dive into the Sunflower guide. If you haven't visited the site yet, the Sunflower guide is a free, open-source CISSP guide created by Maarten de Frankrijker and revised by Christian Reina and Steven Warnock. There is a "graphical" guide that is laid out and color-coded by domain and a more verbose "text" guide. Compared to the other guides it is shorter length-wise, at 37 pages for the layout and 129 for the text guide. However, if you look at the screenshot below

[Screenshot of one page of the Sunflower layout guide. Caption: And that's on an 11.5×8]

you can see it is very dense, no wasted pixels here! I believe that if someone was motivated enough, they could prepare for and pass the exam with only the Sunflower guides and decent internet searching skills.

To be completely honest, I was not able to make it all the way through the Sunflower guide before it was test time. Initially, on the suggestion of my boss, who insists that he only failed his first attempt because he had too much time between his training and his test, I had scheduled the exam for the Monday after the bootcamp. Due to some personal issues I had to reschedule for a little over 2 weeks later. That unexpected delay ended up being a lifesaver for me. Without the extra study time I would not have been able to go over the Linux Academy or Sunflower material, which I believe was instrumental in understanding the material in time. Total time from starting the ISC2 bootcamp to test time: 22 days.

Test Day

As one of my colleagues said to me, "You never feel ready for the CISSP exam." At the time I was finishing low-scoring practice exams and feeling like I barely understood anything from the Sunflower guide, certain I would fail the exam. Up until the moment I peeked tentatively at the printed exam results, like a high school senior reading a college acceptance letter, I did not feel like I had passed. There were maybe 10 questions that I was certain on. Nearly every answer I selected wasn't a solid choice; it was a 50/50 guess at which of the "better/best" solutions was the right one, after eliminating 2 answers. It was a constant battle of: wtf does any of this mean? Crap, what did the material say for this situation? What kind of sadist has only printed results for a computerized exam? In the end I did pass at the minimum number of 100 questions after 70 minutes. My colleague could not have been more right.

Study Tips

1. Take more time than I did. I had 3 weeks between the start of studying and the test date. While I was studying, it was a constant stressor to be reminded of how close the test date was.

2. Take as many practice tests as you can. Not only will this help you identify areas you need to focus on, it can also help you map your progress. It will also prepare you for the types of questions that will be on the exam and simulate some of the stress of the exam. Additionally, I find that I learn best when I think an answer is absolutely right, and then read the solution. This applies to both CTFs and practice tests.

Study material I used:

ISC2 CISSP 5-day bootcamp led by Ben Malisow

Linux Academy CISSP course (referral link to Linux Academy)

Sunflower Guides

CISSP Official Practice test book

ISC2 Code of Ethics

OWASP Top 10

Stuff other people recommend:

Sybex CISSP Study Guide (Here’s one bundled with the Practice test book)

CISSP 11th Hour

CISSP All-in-One Exam Guide

Cybrary.it CISSP course

FedVTE (for those with .gov email addresses)

Bookshop.org List

Summary

What are your thoughts on the CISSP? Should I get another ISC2 cert? What’s the best cert in the infosec industry right now? Comment below to let me know!