How I Passed CISSP Exam: Everything You Need to Know
Introduction
In this article, I will share with you how I passed the CISSP (Certified Information Systems Security Professional) exam and earned the certification. I will also explain which study materials will help you prepare better and overcome one of the toughest exams in cybersecurity. The International Information Systems Security Certification Consortium, (ISC)², maintains and offers the CISSP certification program.
CISSP is the global gold-standard certificate in the industry. Despite its difficulty, cybersecurity professionals acquire it to advance their careers. In addition, I will share with you the strategy I employed to pass the exam.
I will discuss important tips and the mindset to have before and during the exam. Furthermore, I will offer some recommendations and insights on what to do after passing the exam as well. Beware, however, that there is no one-size-fits-all strategy when it comes to preparing for exams like CISSP. I recommend that aspirants explore more preparation techniques, resources and study strategies before settling on one or more approaches that suit them.
First things first, you have to create an account and review all exam guidelines from (ISC)² right from the onset. You will find excellent resources there to start your certification journey. In fact, this platform should be your primary source of information for everything you need on CISSP.
My Background
I have been working in cybersecurity for more than a decade now. I aspire to grow career-wise, contribute to the field and help others who are interested in pursuing cybersecurity as their career.
I believe certification is the best way to showcase and tell the world that you are fit for purpose. I passed both the CISSP and CISM exams within a one-year period and am still aiming for more certificates in the field.
In this particular episode, I will share with you my practical experience and journey in passing the CISSP exam, and thereby help you do the same. This is my electronic CISSP badge for your verification. Additionally, if you are interested in finding out how I cracked CISM as well, I recommend you visit the “How I Passed CISM Exam” page.
Why CISSP and other Certificates?
For professionals and aspirants alike, it is the perfect time to acquire a certification in the information security and cybersecurity fields. According to CyberSeek and Gartner, the supply of cybersecurity professionals falls short of market demand. That means there are currently more open job opportunities in the market than certified professionals and managers in information and cyber security. Unlike in other industries and professions, this is a uniquely huge opportunity to seize, grow career-wise and contribute to the field.
Practicing cybersecurity professionals and practitioners should commit and work really hard to earn one or more certificates in the domain in order to remain competitive in the realm of cyberspace. I believe that CISSP is one of the top choices to pick from the basket of certifications. Afterwards, you will have a guaranteed job opportunity. To those of you who are interested in joining cybersecurity and perhaps transitioning or changing career path, without procrastination, now is the perfect time for you to do so.
Bird’s Eye View of Cybersecurity Certifications
Before diving deep into the main point of discussion, let’s take a high-level overview of some of the most sought-after and reputable certifications in the industry. Security professionals and candidates nowadays have plenty of certification and training programs to choose from. These security certificates are provided either by specific vendors or by neutral non-profit organizations.
As a reminder, it is a wise decision to first look for vendor-agnostic certifications to gain a deep and unbiased understanding of information security. However, prospective employers may require you to have detailed technical skill sets and knowledge of specific security products and services for some positions.
In this section, let’s briefly discuss some of the most common and foundational vendor-neutral certifications in the industry. These certificates are equally valued and required by government and private-sector employers.
Certified Information Systems Security Professional (CISSP)
CISSP by (ISC)² is by far the most reputable and prestigious certificate in the industry. CISSP is for individuals working in leadership and operational functions: people who are responsible for designing, engineering, and managing the overall security posture of an organization. It covers almost every concept, technique, framework and architecture of information security. Moreover, professionals who grasp and digest the contents of the CISSP exam will be in a rock-solid position to handle other certification programs.
In my opinion, experienced professionals should take CISSP first before attempting any other certification, unless they are looking for more practical and hands-on certificates. You will find almost all fundamental aspects of information security in this certification, but the other way around does not often hold true. Additionally, professionals who lack commendable experience in cybersecurity should not initially settle on the CISSP exam. Firstly, (ISC)² requires at least five years of work experience. Secondly, it is going to be too much for you to garner and grasp all the concepts covered.
After passing CISSP and positioning oneself in good standing, it does not matter in which order professionals take their subsequent certification and training programs. After earning the CISSP certificate, cybersecurity professionals will face a less bumpy road ahead, and they will be able to specialize with less effort and time. Thus, they will be confident and in good shape to tackle any other certification.
Certified Cloud Security Professional (CCSP)
CCSP (Certified Cloud Security Professional) is collaboratively maintained by (ISC)² and the CSA. It is one of the best emerging certifications for personnel working to secure cloud environments and related fields. This certification program is the de facto standard of cloud security, and it addresses almost all aspects of cloud computing security concerns.
It is designed for experienced professionals, and candidates should have at least five years of work experience to earn this credential. However, candidates with CISSP in good standing will have a waiver for the entire CCSP experience requirement.
Systems Security Certified Practitioners (SSCP)
SSCP, offered and maintained by (ISC)², is the mini-CISSP certification content-wise. However, it is more hands-on and technical than the CISSP certificate. SSCP is ideal for professionals and aspirants who want to comprehensively understand information security from a technical, hands-on perspective. The content of this certificate is highly detailed, technical and comprehensive, and less experienced professionals who want a solid foundation in information systems security can acquire SSCP.
Certified Information Security Manager (CISM)
CISM certification by ISACA is the most sought-after and credible certification for information security managers. As the name implies, this certificate is ideal for individuals who are entrusted to develop and manage the information security strategies and programs of enterprises. It is a certificate for people who manage, design, oversee, and assess an enterprise’s information security functions.
The certificate empowers and emboldens information security managers to portray security as strategic and business issue rather than operational and tactical one. Further, it emphasizes the importance and commitment of board of directors and senior management to the successful implementation of information security programs.
The most embarrassing and humiliating security incidents occur due to a lack of governance at the top. Thus, the CISM certificate enables information security managers to develop persuasive business cases. It will also help aspirants to educate people at the top about the importance of aligning information security programs with their business strategies.
Certified Information Systems Auditor (CISA)
CISA by ISACA is the de facto standard for information systems auditors. This certification is for professionals with substantial work experience, specifically people who have direct work experience in information systems auditing, cybersecurity and related domains.
It is a certificate for information technology or information systems auditors, security control and assurance people, and information security professionals. It is one of the most reputable and sought-after certificates in the industry. CISA is therefore a must-have certificate for information security professionals, and aspirants who want to specialize in auditing enterprise information systems and information technology should earn CISA.
Certified in Risk and Information Systems Control (CRISC)
CRISC is another fascinating certificate by ISACA. It is a certificate for professionals experienced in the management of information technology risks and in the design, implementation, monitoring and maintenance of information systems controls.
Professionals who aspire to be certified in CRISC should have a minimum of three years of direct work experience in information technology risk management and information systems controls. More specifically, this is the ideal certificate for individuals who work in risk management and governance positions.
GIAC Certified Forensic Analyst (GCFA)
GCFA (GIAC Certified Forensic Analyst) by GIAC is one of the best certificates for security professionals who are interested in advancing their career in digital forensics investigation and incident management. Maintaining chain of custody and preserving the integrity of evidence are the cornerstones for evidence to be admissible in a court of law. As a result, highly skilled forensics professionals are in critical demand to bridge the gap between cybersecurity and law enforcement endeavors.
Forensic analysts should further cooperate with system administrators and law enforcement authorities, which helps to deliver better results. GCFA certifies candidates’ knowledge, skills, and ability to conduct incident handling and investigation tasks. The certificate focuses on the skills required to collect and analyze computer data.
GIAC Certified Incident Handler (GCIH)
GCIH by GIAC is another reputable certificate required of incident handlers in organizations. It validates a security practitioner’s ability to detect, respond to and resolve computer security incidents. GCIH-certified professionals should work on incident handling procedures and computer crime investigations. Candidates should have advanced knowledge and practical hands-on skills with hacking tools, and they should be able to understand how attacks are exploited and resolve incidents.
GIAC Network Forensic Analyst (GNFA)
GNFA by GIAC is one of the most sought-after certificates for professionals who want to specialize in network forensics investigation. These candidates should have a solid understanding of network architectures and protocols. In addition, they should have knowledge and skills in incident log management, protocol reverse engineering, and attack visualization and analysis tools.
Certified Ethical Hacker (CEH)
CEH by EC-Council is one of the most common and sought-after certificates for working in penetration testing and related areas. This certificate is provided in two flavors: one is a more conceptual multiple-choice exam, and the other version is a hands-on practical exam. It covers ethically hacking into systems, web applications, mobile platforms, cloud computing, cryptography and related domains.
EC-Council Certified Incident Handler (ECIH)
ECIH by EC-Council is for professionals who want to pursue incident handling and response as their career path. It is a program that employs a holistic approach to incident handling, covering everything from the preparation of procedures up until the recovery of assets.
Security+
Security+ is offered by CompTIA, and it is one of the most popular entry-level security certifications. Candidates will get a glimpse of cybersecurity in this basic certification. To beginners, I highly recommend earning this certificate before advancing to other certification options.
Cybersecurity Analyst (CySA+)
CySA+ by CompTIA verifies candidates’ knowledge and the skillset required to leverage threat intelligence and detection techniques. It further verifies candidates’ ability to analyze and interpret data, and to identify and address organizational vulnerabilities. In addition, candidates should recommend preventative measures and, at times, effectively respond to and recover from incidents in an organization. It is one of the best certifications for intermediate cybersecurity analysts.
Project Management Professional (PMP)
PMP by PMI is one of the best and must-have certificates for cybersecurity professionals and information security managers. Even though this certification is not in the cybersecurity category, it is highly recommended for better management of security projects and programs.
Understanding project management methodologies and standards will serve as a bridge between security professionals and business owners.
Overview of the 8 Domains of CISSP
For high-level information about the domains of CISSP, please refer to Overview of the 8 domains of CISSP.
My Study Resources
Firstly, I personally recommend that you critically read the official documents from (ISC)². This strategy will help you understand the nature, depth and unique characteristics of the domains covered by the exam. By relying mainly on the official CBK and study guides, candidates will be able to identify the scope and boundaries of their preparation.
I believe this opinion holds true for all certification endeavors from all vendors. The official material will serve as a blueprint for you to capitalize on the topics covered in the certification and to look for further references if needed. You only understand the true color, format and context of the actual exam questions from the official resources.
These official materials will be your compass to navigate the resources required to pass the exam. This strategy will help you stay specific to the exam, and it protects you from information overload and fatigue.
I have listed below the resources I used, in chronological order and in an iterative fashion, to pass the CISSP exam.
The Official (ISC)2 CISSP CBK Reference
Objectively and iteratively reading this book is ideal for passing the exam. It will give you a real picture of the exam and of the domains you must know in detail. Every candidate should rely on this publication for firsthand information, guidance and understanding.
It is the blueprint of the exam, and candidates are recommended to comprehend at least each concept covered in this book.
CISSP Official Study Guide
CISSP Official Practice Tests
This official practice test will help the candidate understand the characteristics of (ISC)² questions and the expectations for passing the CISSP exam. The candidate must understand the nature and standard of the questions from the provider’s point of view.
I highly recommend that you practice the questions in this book to get a sense of the questions.
The candidate must definitely know that no question in any book is the same as the actual exam questions. It is therefore imperative to build a strong mindset for approaching the questions through continuous practice.
Candidates should spend half of their preparation time on practice tests to develop the proper mindset to answer questions objectively. Attempting to answer questions in the actual exam by memorizing snippets of questions from reference resources will have a disastrous end.
CISSP All-in-One Exam Guide
This book is one of the best resources outside of the official study materials. It covers the eight domains in depth and comprehensively. I recommend that you read this beautifully organized and content-rich book after reading the official resources.
CISSP Practice Exams
This practice book should be a companion to the CISSP All-in-One Exam Guide mentioned earlier. Candidates should work through this book after practicing questions from the official materials.
Note: The reason I firmly recommend relying heavily on the official study guides and references first is that the people preparing and reviewing these materials are the closest to and the most familiar with the exam. The main theme of this approach, however, is not to draw a line and compare official and unofficial resources. As a matter of fact, we have to acquire firsthand information from the source itself. We can then aggressively expand our horizon by consuming as many additional resources and references as possible. Finally, know that it is through intensive practice tests that you sharpen your saw for passing the CISSP exam.
How to Think like a Manager
I think this book is one of the most valuable resources to read to pass the CISSP exam, because the questions and explanations provided in this concise book are extremely helpful for the exam. The questions and explanations in this book will help aspirants understand the nature of the questions and the mindset required to approach them.
The author cordially advises his readers to think like a manager when answering the questions, and then clearly paves the way for you on how to think like a manager using his well-thought-out explanations. I highly recommend that you read this book repeatedly, deeply understand its intent, and apply it when decoding the questions in the real exam.
CISSP Study Guide 11th Hour
This book is a highly summarized version that you must read at the eleventh hour. When I say at the last hour, I don’t necessarily mean you have to wait until the end of your preparation period. You can read it at the beginning, in the middle, or at any time that works for you. But note that this is a summary, and you cannot rely heavily on this book to comprehensively understand the contents of CISSP. However, make sure that you read this book in the course of your preparation and before you sit for the exam.
It is a well-written and well-organized book for understanding the domains of the exam from a helicopter view. After reading all these study materials, watching some of the video resources and browsing the websites recommended below, you should deeply and wholeheartedly feel that you will 100% pass the exam.
CISSP Videos and Web Resources
For detailed information on CISSP videos and resources, please refer to CISSP Videos and web resources.
Preparation Period Mindset
Some security folks out there quite often preach that it is OK to “FAIL”. But I say to them and others: not until you PASS the exam. Just aim to pass the exam, no more, no less. Meaning, you have to avoid any seeds of doubt about your passing by committing and working really hard as per your plan.
I believe you can do it, so just do it. Even though it is out of scope, you may think about what to do if you fail at the end. However, during your preparation period, you must constantly avoid the failure mentality and focus only on how to pass the exam. I am telling you, just try to focus 100% on passing the exam.
It is inevitable that you will be distracted now and then and pause to think about failure during the course of your preparation. I nonetheless advise you to keep adjusting and nurturing the success mode through dedication and hard work. You have to keep trying to close the valves of failure popping up here and there in your brain throughout your journey.
Positive Energy
Your day-to-day mantra and spirit should go like “when I pass the exam”, not at all “if I fail the exam”. If failure mode pervades your conscious and subconscious mind, you will probably be in a fearful and panicked state even during your preparation period. Thus, you will be doubtful and disturbed the whole journey until, sure enough, you finally fail miserably on the exam date. In my opinion, you will be doomed to fail if you keep thinking about failure during the course of the preparation process.
So, I did not sit idly by; rather, I devised a simple and proactive technique to nurture a victorious feeling and mindset throughout my journey and to alleviate issues with the failure mentality, as presented below.
The Magic Note: Celebratory Mode
Dr. Covey, in his bestselling book titled “The 7 Habits of Highly Effective People”, published seven highly regarded habits that anyone who strives to be successful in life must inherently practice. The second habit in the book reads “Begin with the End in Mind”. Dr. Covey firmly advises his readers to start with a crystal-clear understanding of their destination. I found this habit to be pretty applicable and inspirational to anything we do in life, including preparation for our certifications.
Hence, I highly recommend that you stick a note that reads exactly “I PASSED THE CISSP EXAM” on the wall of your room or office, your computer desktop or your smartphone wallpaper right after you schedule your exam and well before the exam date. It should be on a visible surface that you can check daily. I coined this phrase during the course of my preparation for the exams, and it helped and uplifted me greatly to fine-tune things when I was desperate and exhausted at times.
I believe it will send you quite encouraging positive signals and thus set you up in achiever mode by picturing yourself just after passing the exam. Besides, it will bring a smile and happiness to your face, and this will motivate you to keep moving forward in pursuit of your certification goal. I trust it will empower you to prepare well and bridge your gaps or weaknesses to finally succeed and congratulate yourself. But this approach should be continuously backed up with absolute dedication. Good preparation and hard work are perhaps irreplaceable and the best antidotes to the bubbles of failure that may keep nudging you about what you will do after you fail.
Think like a Manager and Act like an Advisor
You have to always think like a manager and act like an advisor when facing the questions. The whole purpose of the exam is not to evaluate your deep technical knowledge and skills. It rather asks about your level of fundamental understanding of each domain covered in the CISSP exam.
You are expected to be a knowledgeable and skillful facilitator between the technical professionals and the decision makers at the top. All your answers should thus be based on the viewpoint of a catalyst who galvanizes the middle ground between the top and the bottom. You don’t fix technical issues, and you don’t have the responsibility of approving decisions that will bring about significant change to the business either. Specifically, your role is purely that of a risk advisor, and you have to always understand and answer each question with that in mind.
Planning and Scheduling Considerations
Another important ingredient for passing the exam is to commit early and schedule well ahead of your exam day. In fact, you have to take your time and cautiously plan ahead to succeed in the exam. After all, you are willingly choosing to become a member of a highly vibrant community who must steadily and continuously update themselves to stay competitive. Frankly speaking, a quick fix does not often work in cybersecurity, as it will sometimes be the source of further exposures, incidents and sometimes disastrous ends.
Well-thought-out, proactive preparation and a working plan always come to the rescue of information security professionals facing disastrous and embarrassing failures. The candidate must therefore prepare a working study plan and schedule, and strictly follow it. If aspirants keep procrastinating and do not follow their study plan, it is highly likely that they will be doomed to fail. Another reminder: the candidate must minimize social media scrolling as much as possible and focus more on studying. Finally, I advise you to stick a note with the date of the exam on a visible surface or mark it on the calendar of your choice.
Avoid Study Fatigues
You have to avoid the cramming approach at any cost and allocate enough preparation time ahead. As the saying goes, “Don’t bite off more than you can chew”: our mind is not built or trained to handle so many parallel bombardments at once. I would rather recommend that you attack step by step to understand and digest each aspect of information security required to pass the exam.
You will encounter people on YouTube and other websites bragging about how to pass CISSP in one or two weeks. These are probably rogue individuals who try to manipulate people to increase their number of viewers or visitors. Maybe these are individuals who have been in information security for more years than we can even remember, and perhaps they already know and are experts in the domains covered in the CISSP certification. Even so, it is going to be a 50-50 probability to pass the exam. I nonetheless recommend that you formulate a steady preparation approach that will cause much less fatigue to your body and mind.
A Marathon Journey
You should know that it is going to be a marathon journey, and thus you don’t need to be in a hurry and turn everything upside down. Here is the million-dollar question for the purposeful candidate: why do you have to rush and be in a hurry in the first place?
The whole process is about a very important deal in your life and career. You cannot therefore fix things that way and make yourself marketable in front of the eagle-eyed recruiters and prospective employers waiting for your expertise. Thus, you must plan it very well, way ahead of time. Last but not least, I advise you to deeply understand and internalize everything covered in the domains.
Exam Day: Deep Breath and Relaxation
It is time to breathe deeply and relax, because I trust you have left no stone unturned and there is nothing left to luck by this time. It is a time of reckoning and of breathing deeply to acknowledge the fruitful journey you have been through. You must sleep well before the big day. It is highly imperative to avoid stress and to be as relaxed and rested as possible on the exam day.
It is now time to celebrate your successful journey in covering all the portions and study materials required to pass the exam. And by the way, you should be thankful that you are in good shape, healthy and fit to sit for the exam. In other words, you have to fill yourself with positive energy, because you have been preparing for this day for so long and it is time to fight head-on and crush the exam. More importantly, you should feel energetic and determined to cross the finish line gracefully and confidently. Besides that, you have done everything at your disposal to pass the exam, haven’t you? Moreover, you must arrive at the exam center early and spare some minutes for yourself to relax and sip a cup of coffee.
Exam Techniques and Time Management
You must manage your time to complete all 150 multiple-choice questions within the given 180 minutes. The time remaining will be visible at the top right corner of your screen. You have to pay attention to the ticking clock and adjust your pace accordingly. In addition, you must read each question stem and the choices provided very carefully. Cautiously apply the elimination procedure to discard the obviously wrong choices and focus on the remaining choices to select the best answer.
The CAT Algorithm
The CAT (Computer Adaptive Testing) algorithm that runs behind the scenes will evaluate your exam performance in real time. It works by setting a threshold that a candidate must maintain and achieve to pass the exam. I strongly advise you to try your best to answer the first 20 questions correctly. If you start badly in the first 20 questions, you will have a steep slope to climb, and it may affect your whole journey until the finish line. Additionally, you should never rush to answer questions quickly, as you will easily be tricked into falling into a trap.
You must avoid overanalyzing questions so that you do not approach them with more subjective thinking. Further, you should discard pre-existing assumptions and answer questions objectively based on the provided information ONLY. Plus, you should never try to rote-memorize an answer for a given question from practice tests you might have taken previously. Beware of double-negative questions and nested choices as well. The choices should be evaluated critically to pinpoint and select the most inclusive answer of all with regard to the question under consideration.
As Luke Ahmed loves to say, you have to always think like a manager to pass the exam. You should not try to fix things by yourself; rather, think one step beyond the technical jargon and keep the business functioning.
After Passing the Exam
Hooray… It is time to officially celebrate the achievement and self-reflect on the amazing journey you have been through. The next move after passing the exam is to apply for endorsement and certification. The candidate should be able to submit all relevant reference documents that support the experience claims.
Once proof of experience and the maintenance fee are delivered to (ISC)², a digital version of the certificate will be available on the official website. Finally, a beautifully packaged hard-copy credential will be sent to the candidate within two months. To retain the hard-earned credential, the CISSP should then pay the maintenance fees and collect at least 40 CPEs (Continuing Professional Education) annually for three years.