Six Tips for Passing the CISSP Exam on Your First Attempt

Preparing for Success and Reducing Your Exam Risk

Alex Cowan
6 min read · Sep 10, 2020

I am writing this fresh from passing the CISSP exam; I sat it this morning after more than a month of preparation. The exam is every bit as formidable as the online forums will have you believe, so I thought I would document my top tips while they are fresh.

Some of these tips may seem a bit generic, but my strongest recommendation is to make sure you have the experience before you take the exam. If you are on the fence about whether you have the required knowledge, try some practice tests. If you score under 50%, you will struggle, and you may want to save your money until you have gained the required experience.

I first looked at completing the CISSP over five years ago, when it was a paper-based test, and I did all the required preparation, including weeks of practice tests. At the time, however, I decided not to risk failure (and my cash). I had more than the required five years of experience in cybersecurity (and 15 years of development experience). The depth of understanding I have now is so much greater that, in hindsight, I am not sure I would have passed the exam I took today.

I am glad I took the time to gain additional experience, because I felt it helped me this time around. The earlier preparation helped as well.

I have no idea which questions I got right. I passed at 115 questions, and it took me around 85 minutes, which leads me to my first tip.

Make sure you understand what the exam entails.

I read a lot about the exam before I booked my test date. There is a lot of out-of-date information online, and some people seem surprised by the actual format of the test, so here is my summary:

  • The first thing you do is complete an NDA, which is why I am not being specific in this article and will not divulge any exam material.
  • It is a computerised adaptive test of between 100 and 150 questions, which you complete on a computer with a mouse.
  • You cannot go back to a previous question and change your answer. When you click next, that answer is locked in.
  • Questions are multiple choice with four answers, plus some interactive questions.
  • You get a wipe-clean board for writing notes.
  • One surprise is that you do not get a score. Most sites refer to 70%, but you actually just get a pass or a fail.

The Boson Practice test is a good simulation of the look and feel of the test.

Your breadth of experience is vital.

The CISSP exam covers a vast range of topics, from physical security to encryption algorithms to the software development lifecycle. It is therefore essential that you have a deep understanding of each of the exam's domains.

If you are coming in as a Network Security Manager, with deep network experience but limited development experience, you may struggle. Even with the breadth required, there is still depth on many topics within these domains; simply understanding the process may not be enough.

In my background, I have been a software developer, an Information Security Manager and a Senior Manager. So I cover multiple domains of experience, and I relied on all of those skills to complete this exam.

I can see exactly why some people feel the exam is too technical and others feel it is too focused on management: it has a healthy mix of both elements. If you lack experience in one of those areas, you will feel quite beaten up after the exam.

Use the official reference book; it is good.

I found the Official Study Guide to be excellent, and it prepared me well for the practice tests. The actual exam, however, goes well beyond the information in the reference book, so you will rely on your experience as well as what the book covers.

There were questions in the exam that covered concepts beyond the reference material. You have to rely on your experience and knowledge to complete those.

I believe there is more detail in the Common Body of Knowledge; I did not read that in the same detail that I read the Official Study Guide.

The exam is about the application of knowledge over rote learning.

I found that many of the practice tests focused heavily on the trivia of cybersecurity: the DoD Red Book and Orange Book, and general trivia around the subject matter.

In practice, I found the actual exam to be much less about trivia and much more about the application of the concepts in the reference material. You need to understand the subject matter in enough detail to combine different elements of knowledge, experience and inference to answer the questions.

In my opinion, if you learn the material by rote, you will fail.

Read the questions carefully; you will need to infer information.

I found that the Boson Practice Tests were relatively good preparation for test-taking technique. However, I thought they focused too much on the trivia of the subject matter, which may be a throwback to the paper-based test of old.

There were questions where I had to read carefully and infer information from them. In the practice tests, these are the questions that feel like they are trying to trick you. I did not feel that any of the questions in the actual exam were trying to fool me; I just thought they required some deduction. This deduction element is the most significant way in which the real exam differs from the practice exams.

Without giving specifics, a question might describe an attack that happened through steps X, Y and Z, and then ask what would have been the BEST way to prevent it. This type of question relies on you understanding the attack methodology and working backwards to identify the opportunities you had to prevent it. Y and Z could not happen without X happening first, so if you can prevent X, the attack would have been prevented.

Alternatively, it might rely on a deduction that X + Y = Z, and that Z means a particular thing occurred. Therefore Q would be the best way to prevent the attack.

It is impossible to learn that from the reference material; it relies on experience and background knowledge in the subject.

Learn to think like a Senior Manager

Lots of people say that you need to think like a manager to pass the CISSP. It is actually beyond that: you need to think like a senior manager.

You need a good understanding of risk management, some technical depth, and a sense of when to manage a process rather than getting stuck in to fix it yourself.

If you are unsure, err on the side of managing the process rather than jumping in with a technical fix, because that is what a manager would typically do!

The CISSP is a daunting exam that requires both significant experience and preparation before embarking on an attempt. At $700 for a single attempt, it is expensive if you fail, and online forums are full of people on their second and third attempts.

My recommendation is that if you are unsure, take the time to prepare for the exam and build an honest understanding of whether you have the experience required to pass it. It is not just about having the required five years; you need applied knowledge and expertise beyond time served.


Alex Cowan

I am the CEO and Founder of RazorSecure, a startup focused on providing cyber security solutions, powered by machine learning, for the railway industry.