CISSP Tips

In August I passed my CISSP exam. For those of you who are unfamiliar, CISSP is the Certified Information Systems Security Professional certification. This certification is delivered by ISC² and tests for the knowledge to successfully design, implement and manage a security program. I found this test to be unique compared to other certification exams I’ve taken. The questions were more challenging and often abstract. I wanted to share some tips in case you were interested in the certification yourself.

How I passed

In preparation for the CISSP exam, I enrolled in a five-week prep course and dedicated hours to studying. These are the materials I used.

Technical Institute of America (TIA)

My first step towards passing the CISSP exam included taking a five-week instructor-led course at the Technical Institute of America (TIA). I found the class very useful. TIA focused on topics that were cutting-edge and relevant, as the official ISC² study guide includes an array of topics that have become obsolete and are often not tested on. This course allowed me to use my studying time on relevant topics that were likely to come up on the test.

CCCure

CCCure is a website that provides practice questions for various IT related exams. CCCure allows you to practice questions on particular topics. When reviewing your practice tests, you are given the opportunity to read explanations of right and wrong answers. I found these explanations to be the most helpful component of my study plan. I reviewed the explanations for every question regardless of getting them right or wrong. I did every question for CISSP available on CCCure (yup, all 1,869 of them). I even went back and did 500 questions I had initially gotten wrong. Since all of the domains are interrelated, I found that as I completed a preceding domain, I would score higher on the subsequent one as I applied some of the topics I just learned from my review.

Independent Research

There are a few topics that aren’t covered in the official ISC² study guide or on CCCure. For these I had to do some independent research. These topics included SAML, SDLC, and HTML5 attacks, among others. For these topics, I watched YouTube videos and read white papers.

Test taking tips

Read the answers first

Read the answers before reading the question. I found in my studying that I was often biased to select answers that appeared earlier in the choices after reading the question. Reading all answers before even glancing at the question helped remove that bias.

Explain all the answers

Make a practice of explaining or defining every choice mentally before choosing the correct one. When taking the test you need to be familiar with all the answers presented anyway. Identifying the wrong answers, and why they’re wrong, will help you justify the correct answer.

Read the question and answer before proceeding

After you’ve selected the correct answer, read the question and answer together, confirming that the answer makes sense and that you didn’t fall into a trap or miss a keyword. Remember, you can’t go back when you take this test, so once you proceed to the next question your answer is locked in!

There are two right answers

In the style of questions that ISC² uses, there are often two correct answers. You’re often required to choose the most correct answer. This can come in two ways.

  1. One choice is just better than the other.
     If they were to ask "Why is the sky blue?"
     A) Because of the way the atmosphere interacts with sunlight
     B) Blue light is scattered more than the other colors because it travels as shorter, smaller waves
     C) It is light reflecting off of the ocean
     B is the correct answer because it is a better answer. Although A is not wrong, B is better because it’s more specific.
  2. One choice addresses what’s specifically being asked. In a lot of questions you’ll be asked about the best or first thing to do in a specific situation. Keep an eye out for those, as your choices will likely include both the best and the first thing to do. Be sure to choose the one the question actually asks for.

Don’t panic at the 100-question mark

The CISSP exam utilizes Computerized Adaptive Testing. For those unfamiliar, the test can be 100-150 questions. If you are able to establish expertise or lack of expertise at any point after the 100-question mark, the test ends. This means if you’re knocking it out of the park, the test will end at question 100. Or if you’re totally bombing, the test will also end at 100 questions. After the 100-question mark, you’re tested in domains that you haven’t yet proved your expertise in. Once proven (or not), the test will abruptly end.

My test lasted 102 questions. So naturally, I freaked out after question 100 was submitted and I was presented with another. I had to take a few minutes after this to calm myself before proceeding. This was valuable time that I could have wasted. I think the moral of my experience is: don’t fret; if you’ve made it this far, you have a chance.

I hope you found these tips helpful in your preparation for the CISSP exam. Feel free to reach out from the contact page if you have any additional questions.
