How to pass CISSP (Certified Information Systems Security Professional)

Earlier this year I passed the CISSP on the first attempt. This is another of the many articles that exist on how to pass the exam and obtain one of the most prestigious (ISC)² certifications. Based on my experience, reading this kind of article is quite useful, especially in the days before taking the exam.

This certification requires the candidate to have some experience:

  • 5 or more years of experience working in IT, of which 2 must be in one of the CISSP CBK domains.
  • It is possible to substitute one of the years of experience if you have a university degree or if you have obtained one of the recognised certifications.

However, if you do not have the required experience, it is possible to take the exam and become an associate, with six years to meet the requirements and obtain the certificate.

It is not a basic certification, but is designed for those with experience who want to direct their career towards the leadership of teams dedicated to IT security. You can see the syllabus on their website, but it basically includes the concepts, architecture and design of IT security in a company, the security of data, different platforms, infrastructure, applications and operations, and the risks and compliance with the law for these technologies.

It is a highly recognised certification that opens many doors to management positions, whether or not you have a technical background.

My Background

If you don’t know me, I’ll tell you what previous knowledge I had before obtaining the certification. You can learn more about me in this link, but to sum up, I studied a degree in Computer Engineering at the UAM (Madrid) and a master’s degree in ICT Security at the UOC (Barcelona).

When I was in the last year of my degree I started working at GMV, and there I spent two years in the cybersecurity department as a Junior Pentester. There I got my CompTIA Security+ certification.

I then moved to Ireland and worked there for two years as a Security Analyst for Global Payments, where I obtained the OSCP, CCSP and finally CISSP certifications.

I am currently working as a Security Consultant for BSI, where I am specialising in Red Team Operations.

Currently I want to keep a purely technical profile, but I have decided to prepare for this certification because I do not rule out moving into management in the medium to long term, and I thought it was a good idea to dedicate some time to it now that I have a very good study habit.

Study Guides

Although (ISC)² offers a course to prepare for the exam, I decided to study for it on my own. To do so, I bought the book “CISSP Official Study Guide” ninth edition by Mike Chapple, James Michael Stewart and Darril Gibson, as well as the “CISSP Official Practice Tests” by the same authors.

Although in the book itself the authors say that this source is not sufficient to achieve the necessary knowledge to pass the exam, I consider that it easily covers 80-90% of the syllabus.

My modus operandi was the same as when I prepared for the CCSP:

  • At the end of each topic in the first book there are 20 questions on the subject. I did them as I read the topics. I used to have 3 or 4 failures in each topic on average.
  • After that I moved on to the test book, whose questions are a bit more difficult and, in my opinion, the closest to those in the exam.
  • Finally I took the four assessment tests that appear in both books.

I recommend these books because you can register on a website and take the tests both on the computer and on a mobile app, with the possibility of taking a test made up of all the questions you answered incorrectly, which is really useful for reinforcing the weaker areas of knowledge.

In total I estimate that I answered around 2000 questions before taking the exam.

Other Resources

There is a Discord channel where users share questions and notes. I found it very useful as many users share notes, definitions and summary concepts. Discussions also take place on some questions and possible answers.

I also took the Udemy tests “HARD CISSP practice questions” by Thor Pedersen. They were highly recommended to me, and I took advantage of the fact that I had Udemy for Business to do the EASY/MEDIUM tests as well. But in my opinion it’s not necessary and I wouldn’t pay for them.

The difficult questions are really difficult, much more difficult than the ones in the exam. But their difficulty is based on the fact that they are very tricky. They are not like the exam questions, and in general I found it less useful than the questions in the Official Study Guide. But I do think it can help you deal with the feeling that you’re going to fail because you’re facing an impossible exam in which you have no idea about anything. You will have that feeling during the exam, so it’s good to feel that tension beforehand to know what it feels like and try to control your nerves.

The exam

From 1 June 2022 the examination follows these rules:

  • From 125 to 175 questions, of which 50 do not score.
  • Duration of 4 hours.
  • Correction system by Computerized Adaptive Testing. This system uses an artificial intelligence that evaluates you as you answer each question, personalising the exam and adding questions on certain topics based on your previous answers, so that if you fail several questions in a domain, more questions from that domain will appear. At least that is what most users who have taken the test have deduced, because there is no public information about how the algorithm works. When you reach question 125, the system checks the percentage of correct answers you have at that moment. If it is equal to or higher than 70%, the exam is over and you have passed. If it is lower, the system continues to ask questions until you reach 70%. If at question 175 you have not reached it, then you fail. Likewise, if you reach question 125 with a low percentage (say, 50% correct) and the system determines that you cannot reach the 70% required to pass even if you get the remaining 50 questions right, then the exam ends and you fail. This estimation is made for each question from question 125 onwards, so your exam may end at question 130, 149 or 174, for example, and you will only know whether you have passed or failed when the results sheet is printed.

I took the exam when there were 100 to 150 questions, 25 of which did not count (now they have added another 25 that do not count, so now there are 125 to 175 questions) with a maximum of 3 hours. My exam ended at question 103, and I left totally convinced that I had failed. When they gave me a pass, my face was a poem. The exam destroys your morale and you sink with each question. But if you train and are able to calm down, you’ve done the hardest part.

I think the AI system is better than the previous one, which was linear, with 250 questions and 6 hours to answer them. It is true that the fact that the AI determines the next questions based on your previous answers can make the exam more difficult, but you can also pass without having to answer all the questions. When you spend three hours on such an exam, you end up extremely tired. I can’t imagine what it must be like to spend six hours.

It is not a complicated exam on a practical level like the OSCP, but it is important to understand all the topics in depth and to know how to apply them to real life, as most of the questions pose specific cases in which you have to choose the correct way to act based on what is set out in the CISSP CBK. It is therefore necessary both to have acquired the knowledge and to know how to apply common sense. In addition, it should be noted that it is an exam that focuses on how someone should manage the security of a company. Therefore the management factor is key and your answers should reflect this. You have to think like a CISO would, and perhaps that is the most difficult part to understand: you don’t have to look for the most optimal solution, but the one that best suits each situation.

This is the methodology I followed to prepare for the certification and it worked for me. I hope this information can be useful for you too.


