In this blog post, I will share with you my CISSP exam study plan, what are the books and resources I used and why, how I prepared for the exam in three months and pass at the first time, and how to adopt a new security mindset that helps you pass this exam.
To verify I actually passed the exam, you can find my CISSP badge here. This blog post is part of a blog series:
- How To Prepare for The CISSP Exam Day and Pass
- How I Passed CISSP Exam – My Personal Experience
- How I Passed CISSP – My Three Months CISSP Exam Study Plan
CISSP Exam Is Different
The CISSP certification is not like any other IT certifications in the industry and especially it is not like Microsoft certifications and the reason is that the CISSP certification program is very very wide.
There are a lot of topics to cover and you need to rely heavily on your previous work experience, and because you are dealing with 8 domains here, the chance you are a master in three or four domains is very very small. This means there are going to be a lot of domains that might be challenging for you. That is the reason why before you go and start studying for the exam, you have to have a proper CISSP exam studying plan and a timeline (three months for example).
There is no shortcuts to pass the CISSP exam. It is not enough to set and answer CISSP questions, and it is not enough to just study the materials without solving a lot of exam questions in advance.
It is also not enough to go and attend a CISSP training for 5 days for example and then directly go and take the exam, because the amount of information you receive will most likely make your head about to explode and you need to spend time by your own reviewing the CISSP exam domains and really understand the materials.
This is why I have put together my own CISSP exam study plan on how to start from step one and go to the end and complete your CISSP preparation.
The Importance of Having a Study Plan
To prepare for this exam, you should have a good CISSP exam study plan a head of time because there are many thing you need to study for and a lot of security theories. It is hard to find someone who knows or works in every of the CISSP 8 domains, but at least you should have good knowledge in two domains at least.
Any study plan should have a timeline, study materials of choice, studying methodology, and practicing method. I will share with you today my CISSP exam study plan and how I got my CISSP exam from the first time in three months.
Books of Choice
The first book is the official study guide with 1000 pages and 21 chapters that cover all the 8 CISSP domains, and the second book is the practice tests book with 450 pages and 12 chapters of test questions covering all CISSP domains. You can buy them both in Amazon as a bundle here.
I like Sybex books and I think they have a good balance between simplicity and material coverage. As the CISSP exam was updated recently and the materials got updated, make sure you get the updated materials that reflect the updated exam objectives. All links in this blog post point to the updated materials in Amazon.
Other books I purchased but didn’t use
Another famous book for the CISSP exam is this one authored by the famous Shon Harris (Eight edition) that also comes with a separate practice exam book. This book is huge (1200+ pages) and comes with 8 chapters, a chapter per CISSP domain. The practice book is 350 pages with 8 chapters, each chapter contains questions for a specific CISSP domain.
I found that this book (while being a very good book) contains more details and extensive information that even the Sybex book does not contain. For example, the Sybex book mentioned the different physical locks in a brief way, while the Shon Harris book goes deeper and list the details of each physical lock which I believe is overwhelming and requires more studying and memorizing.
Shon’s book also contains a lot of theories and talks about each subject in great details while the Sybex book covers the overall picture and prepares you well for the exam in shorter time. It depends on your preference I believe, but for me the Sybex book was my top choice and it helped me pass the exam from the first time, with a good preparation and less time.
I also saw many people talking about the 11th Hour CISSP study guide (third edition). This is a 200 pages long mini book that helps you review all material in short time after reading a full CISSP study guide. I purchased this book but never used it as my study plan was good enough and didn’t want to allocate more time to go through a different book. Think of this 11th hour book as a collection of flash cards that helps you review all the CISSP main points in one day before taking the CISSP exam.
My CISSP Exam Study Plan
After purchasing the Sybex book, it is time to start studying. The Sybex book contains 21 chapters and tt the end of each chapter you have 20 questions with their answers to test your knowledge. My study plan is:
- Step 1: Read the full book cover to cover to get myself familiar with the CISSP material. This is a quick reading and even if I didn’t understand specific topics, I just keep reading. The idea is to familiarize myself with the content and get a full overview on what to expect. Read it like a novel (like harry potter) and try to observe all the knowledge. It took me between one to two weeks to do so. You can skip this step and start with step 2.
- Step 2: I read 4 chapters per week and I don’t move to the next chapter unless I score at least 80/100 on the 20 questions that come with each chapter. For each chapter I study, I make sure I understand the material 100% and even google some topics that I found difficult. This means it took me 5 to 6 weeks to complete step 2.
- Step 3: I read the whole book again, and for each chapter, I tried to summarize the material in my head, and even talk about the material covered in each chapter as I would explain it to someone in front of me. This took me another week. You can skip this step but I feel it is important to re-enforce what I’ve learned so far.
- Step 4: I then used the official practice test book to test my knowledge. It comes with 12 chapters. Each of the first 8 chapters cover one of the 8 CISSP domains (with 100-125 questions per chapter) and the remaining 4 chapters simulates a full CISSP exam. I made sure I score at least 75% for each of those tests and If I don’t, I will go back and work on my weak areas. The test questions in this book are really good and challenging. You will have a lot of fun trying to test your knowledge here.
- Step 5: I then watched all the videos published by IT Dojo on his YouTube channel. This is a must to watch for every person trying to pass the CISSP exam and he is the most famous guy in YouTube when it comes to CISSP exam. Each of his videos is 8-10 minutes long and in each video he asked you two CISSP questions. The great thing about his videos is that he explained in great details why the wrong answers are wrong and why the right answer is right. It helps you understand the CISSP material in different ways. I watched his videos on my iPhone before I sleep to test my knowledge.
- Step 6: I then find the topics I feel I don’t fully understand or the topics I feel I should prepare for more, and then look in YouTube or Google to learn more about that topic. It is very important to watch up videos because it allows you to get ideas in more easier fashion because they are made by people who really understand it and they are good in explaining it and this will help you master the fundamentals of the 8 areas of the exam. Here is a Pluralsight course that might help you out preparing for this exam (you can subscribe for one month for free).
- Step 7: I schedule my CISSP exam to commit my self and to reserve my exam seat. I usually book the exam at lest 2 weeks before taking the exam as I know I might need to practice more with at least two separate test engines. I have a separate blog post talking about the CISSP exam day and what to do and what not to do couple of days before the exam day that I highly recommend you look at.
Important Tips for Passing The CISSP Exam
Passing the CISSP exam is about 50% studying and 50% practicing and solving questions. No matter how well you prepared, you will be shocked with the CISSP actual questions you will see in the exam. You need to practice on solving as much questions as you can (at least 1000 questions) to learn how to get the mentality of answering so many questions in less time (you get average of 1.2 minute per question) and how to master the art of eliminating the wrong choices. In my case, I believe I did 2000 to 3000 questions before taking the exam.
The other tip is to have a full commitment for taking the CISSP exam. I remembered back in 2013 I planned to take the exam, but I didn’t have a proper study plan and didn’t have that commitment, so I ended up reading the first two chapters and then forgot about the whole exam until 5 years later, when I decided to take the exam with full commitment and with a proper CISSP study plan.
You can force yourself to have such commitment by scheduling the exam today, pay for the exam, and put the exam date three months from now. This will creates the urgency to commit yourself into studying and preparing for the exam.
The other tip is to try to study in a continuous manner. It is hard to study for two weeks for example, then get busy doing something else for another two weeks, and then go back and continuing studying for the CISSP exam. You will loose focus and momentum, so make sure to have a commitment for a continuous three months of your life for the CISSP exam.
It’s a big commitment and you need to allocate time each day for your study plan. I spent at least three hours of studying each day excluding the weekend day as I would spend it with family. Just remember why you want to take the exam in the first place, and how this exam will help you in your career. Try to stay focused and motivated a long the way. It is going to be a long journey and there are no shortcuts. You will have weak moments where you will find that the exam material is too long or perhaps difficult at times, but remember that many people already took and passed the exam, so why don’t you.
Finally, when you solve CISSP practice questions as part of your preparation, don’t get demotivated if you could not answer well. It happened to me a lot. I used my mistakes to go back to the material and focus on my weak areas. I believe that the best way to prepare for the exam is by taking as much practice questions as you can and then go back to the material and work on your knowledge gap.
The Four CISSP Exam Frameworks
A good way to look at the CISSP exam is to view in through the lens of four different frameworks:
- CIA: Confidentiality, Integrity and Availability.
- Technology: technical skills.
- Management: what is the best approach to do something from a security manager’s perspective?
- Risk: risk management which is very important topic in the exam
Every time you see a CISSP question, you should be able to look it from one of those perspectives or frameworks. If you get a question about symmetric vs asymmetric encryption, then that’s the technology perspective and the question is testing your technical knowledge.
A question about the company’s best approach for security, is challenging your management perspective, and here you should put your self in the place of a security manager and think how would a security manager act in the situation.
Then you have questions about availability vs confidentiality vs integrity and this is the CIA perspective, while a question about the annual loss expectancy (ALE) is related to risk management.
A lot of people fail this exam because they look at the exam from the technical and technology perspective, and I am a technical guy, so if I was to solve all questions with my technical perspective, I would fail the exam.
The 8 Rule Of The Game
When it comes to passing your CISSP exam, all what you need is to know the rules of the game, and once you know the rules of the exam, you can use them against it.
The divide and conquer rule: try to eliminate two obvious wrong answers which leaves you down to 50% 50% shot and you’ve turn it to a true and false test. This can also be that A, B, and C might be the right answers but definitely not D.
Sometimes you find your self dealing with a choice that you never heard about, most likely this is a distractor and you should get rid of it because it might be there to make you intentionally choose the wrong answer.
Rule number two: always apply the golden rule: IT IS ALWAYS PEOPLE SAFETY FIRST. Any answer that talks about human safety is 99% the right answer. People safety is the first priority for every security manager.
Rule number three: always look for wrong answers first. You have been trained all your life to choose the right answer, well that’s too hard. Sometimes it is easier to pick something that does not belong than something that does.
Rule number four: remember that policy is key, everything you do has a policy attached to it. Also, always choose the broader answer from the list of choices. If you are suspecting two answers and one of them includes the other one, then pick the broader answer.
Rule number five: don’t look for an in-depth answer, it is mile wide and inch deep exam. If you find your self thinking this is what we do at work, you have gone so far. Sometimes the simplest answer is the right answer.
Rule number six: don’t choose an answer that is correct some of the time. Your answer should be correct all of the time.
Rule number seven: when dealing with negative statements, turn them down to positive statements because the human brain does not process negative statements that well.
Rule number eight: when the question asks for MOST, BEST, WORST or LEAST, remember there can be more than one possible answer, but there is always going to be one best answer. Think hard about these questions and by practicing more with test questions, you will increase your chances in getting these type of questions right.
Getting The CISSP Mindset
There is a very specific mind set that unfortunately many people don’t know walking to the exam, and in this section, I am going to help you get the right mindset for the CISSP exam. The most important thing I can tell you is your role is a risk adviser on this exam. Don’t fix problems. You are going to be tempted. Most of us have our jobs because we are problem solvers, we know how to fix things, but this is not your role in the exam.
1. Your Role Is Not Fixing Things
Your role in this exam is to collect information, report this information to senior management, give them your advise based on risk management, and then the choices and decisions come from the the top management down. So if in the exam you get a question that one of our employees get terminated and we expect it to be contentious termination, what is the first thing you should do? I guarantee you 90 % of you will say “revoke their credentials”, but that’s fixing the problem. if I’m truly your company risk adviser then, “will I go to the basement to logon to the server and disable an account?” I don’t do that right? What I would do?
I call and advise the appropriate parties, I have influenced policy within the organization to have set of processes and procedures, but you (in this exam) are not a doer, you are a manager and you should act accordingly. This is not type of exams where you are blocking ports on the firewall, you don’t do that. However, you have to understand enough information about the hands on to make good suggestions to senior management. Again, don’t fix problems.
One thought here, when you rush into fixing a problem, you are violating change control. There should be a specific set of steps on how you approach changes in your organization. If everybody is just jumping to their feet running around fixing problems, we don’t have the control over those changes, we don’t have documentation and we don’t have rollback strategy. What if I were to just patch systems in my organization every time Microsoft releases a patch? This might not be the best thing for my career, so the idea of running and fixing problems violates change control. What we want to do is to pay attention to the process and then problems will fix themselves.
Saying that, don’t look for solutions like configuring a firewall in the exam or things that are too heavy in technology. Firewalls come and go and brands come and go, but the security mindset does not change. Things like incorporating security into your application design, the concept of isolation and layered security, that’s a foundational security that you should be focusing on.
I know so many good technical people that faced hard time taking the exam. if you are going to go after the answer of hack the registry, that’s the wrong answer. Instead, fix the process, think of the good of the business, understand that the only reason that any of us have jobs is because something that we do supports the business. So, when it comes to decision making, the business leads. You don’t need to know what the Windows event ID 121 is, you need to know why we review the security log and what information you can get from them
2. Challenging Your Mindset
Let me ask you something: “who is responsible for security?“. We all heard that everyone is responsible for security, well that’s not true. When you hear that idea of responsibility, I want you to think about who is held legally responsible for the security of the organization, it is senior management. Well, don’t we all have security responsibilities, sure we do. My responsibility is to follow policies and procedures as laid out by senior management. Remember that our job is to advise senior management but they make the decisions, why? Because they are ultimately responsible.
Let me ask you something else: “How much security is enough?” Of course sometimes you hear “oh you can never have enough security”. But the reality is sure you can. You have too much security when you are spending more to protect an asset than that asset worth. I’m not going to spend 50$ to protect a 30 $ bill, so do you know how much security is enough? Well, just enough, just enough security is enough and this is not easy as you need to know how much just enough is.
So, how do I know that? Well, by using risk management, that is, figuring out what my assets are, what am I protecting, and what they are worth. But I also have to think what are the threats and the vulnerabilities and what’s my potential for loss. Where companies get in trouble is when they underestimate their assets, so if I look at a computer and I say that thing worth 800$, that might be true for the hardware, but the real value of this computer comes from the data that’s on it. So if we don’t properly understand how valuable what we are protecting is, then we would not know how much security to put in place, and don’t forget about reputation, brand recognition, customer loyalty and those are very hard to quantify but that all makes the value of an asset.
Once we understand that properly, then we truly understand the value of what we are protecting and what we will spend. So, how much security is enough, well risk management will tell you. That’s why you start your risk management by figuring out the value of your asset.
I hope these questions will make you think twice about how to approach the material. Don’t go and memorize stuff, instead you really want to understand security concepts and how everything fit together. The CISSP exam will not challenge your ability to memorize things! This is the ugly truth and the main reason why people fail the CISSP exam so often. To pass the exam, you should really understand how security works, how all pieces fit together, and what your role in all this as a security manager.
3. Think of The End Game
What do I mean by that? You are going to see a lot of questions that say which is the best or which is the most and the answers all sound pretty good but one is our ultimate goal. If I ask you why we classify data, and I give you a choice of (A) is to indicate data sensitivity, (B) indicate the harm if data is compromised, (C) to indicate the requirement of data availability or (D) to dictate how data is protected. It is not that A,B,C are wrong, classification of data indicates its sensitivity and harm if it is compromised, availability stuff can be used as well, but that’s not why.
If all what I do is to say “wow look at this laptop It has some really sensitive data” and then walk away, that does not help me at all, that’s not the end game. The reason why I say this data is top secret is because by labeling it as top secret, we have a set of minimum security standards and settings that are applied to that asset, so the end game is “what is the point where I can say I’ve done what I said I was going to do”.
For example why do we train people? It is (A) to raise security awareness, (B) to educate all users on security topics, (C) is it to give users greater understanding or (D) to influence their behavioral change. A,B,C sound great but these are not the reason why we train people. Do you know why we train people? Because we want to modify their behavior. You might be asking “but what abut security awareness?”, honestly, I’m not so concerned about what users are aware of as what they do, because remember your company’s senior management are held responsible of what users do, not what they know. Therefore, raising security awareness sounds good, but what I’m really after is to have my users do different things, that’s end game.
Note: Credit for this whole section of CISSP mindset is given to Kelly Handerhan and here valuable YouTube video about CISSP mindset.
My Secret Studying Tip
For each chapter that I study in the book, I try to understand the full story about it. Take Chapter 4 of the Sybex book for example (Laws, Regulations and Compliance). For me, I didn’t know anything about laws and when reading this chapter, it was full with laws and details that made my mind about to explode.
So I tried to draw a story about how these laws came together and why they exist. Understanding the story and context of each law can help. I put all the laws and regulation in a paper, and then I made a small drawing in a piece of paper to understand the big picture.
So my story goes like this. When they invented the computers back in the old days, will I be punished if I hacked into a system or the FBI for example? I believe someone did, and since there was no laws in place to handle this situation, there was a need to come up with one. So they came up with the (Computer Fraud and Abuse Act or CFAA). It mainly punished those who access classified information or financial federal information without authorization. This law was initially protecting government and federal computing systems.
You can imagine that this law was not perfect or not complete as it is one of the first laws, so we have many other amendments. It also evolved to cover even national infrastructure such as railroads, gas pipelines and electric power grids in 1996 in what is called the (National Information Infrastructure Protection Act).
All this I call it the old era, which means a new era has to start in 2002 with the Federal Information Security Management (FISMA) Act. Think of this as the baselines and security measures that every federal agency should implement.
As cybersecurity becomes a huge topic, Obama signed couple of laws. First, we have a new FISMA but this one stands for (Federal Information Systems Modernization Act) to empower homeland with cybersecurity issues and the Cybersecurity Enhancement Law that charges NIST with coordinating nationwide work on cybersecurity standards.
These are all government related laws, but what about laws concerning your privacy. I mean if you hack into federal agencies, then the previous laws take care of it, but what if federal agencies try to screw with you (the other way around). You need some privacy laws to protect you like the Fourth Amendment that we all hear about in Hollywood movies.
I had many mind maps and scenario based drawing to help me understand key concept in the CISSP material and here couple of them to give you an idea.
You see, instead of reading the book and trying to memorize things out of order and context, try to organize the content in a way that tells a story that is easy for you to digest and understand. Remember, it’s not only about passing the exam, but your ability to learn new security related topics that could help you advance your career.
If you are considering taking other security exams, then I have blogged about how I passed couple of security certifications. Here is how I passed CISM (Certified Information Security Manager) from the first time, how I passed AZ-500 Azure Security Engineer Exam, and how I passed MS-500 Microsoft 365 Security Administration Exam