Passing CISSP in 6 Weeks or in 3+ Months (Choose What’s More Suitable for you) [updated to reflect the 2024 exam outline]

Nick Mitropoulos, published in Tech Reviews, Apr 17, 2021 (7 min read)

Ok, so most people will think this is just another CISSP exam spiel. It actually isn’t. I tested the plan below (following approach 1) when studying and it worked perfectly for me. I will be discussing two approaches:

  1. A very intense plan for anyone who has a lot of experience in the various domains and is willing to dedicate quite a lot of study time each day.
  2. A less intense plan that uses additional time, for anyone less experienced or knowledgeable in the various domains, or not able to put in many hours each day (the study plan needs to be spread out).

Reality check

Preparing for an ISC2 exam will not be easy. And trust me, this is a tough exam. But that’s why it’s so valuable.

That said, it’s definitely doable. All you have to do is prepare and be methodical in your approach. You definitely shouldn’t rush it, especially since the exam fee is considerable.

There’s an abundance of resources you can use for your preparation, from books, online test engines, videos and a whole lot more. Let me list the ones that I found most useful:

  1. Destination CISSP: A Concise Guide (Full disclosure — I am a co-author on this title, but I firmly believe we did a great job at creating a great aid for all exam takers, and so do the hundreds of people leaving us their reviews): https://www.amazon.co.uk/Destination-CISSP-Concise-Rob-Witcher/dp/B0BT1Y6DYL/
  2. Changes between the 2021 and 2024 versions are outlined in detail at https://destcert.com/resources/cissp-exam-refresh-2024-what-you-need-to-know
  3. YouTube Channel “Destination Certification”. Rob Witcher’s CISSP MindMap videos (https://www.youtube.com/@destcert). If I had a single resource to use, I would choose Rob’s videos without a second thought. They are extremely high quality (Rob graciously provides them for free), go over all of the most important CISSP concepts, and are simply brilliant to watch.
  4. CISSP Exam Outline (2024 update)
    Taking a look at the exam outline is a great starting point to know what you’re getting into:
    https://www.isc2.org/certifications/cissp/cissp-certification-exam-outline
  5. Mike Chapple’s LinkedIn Learning course (really great resource): https://www.linkedin.com/learning/isc2-certified-information-systems-security-professional-cissp-2024-cert-prep
  6. How to think like a manager for the CISSP exam book by Luke Ahmed (https://www.amazon.com/Think-Like-Manager-CISSP-Exam/dp/1735085197)
  7. Kelly Handerhan’s YouTube video “Why you will pass the CISSP” (https://youtu.be/v2Y6Zog8h2A). In it, Kelly provides a top 10 list of tips on how to get into the mindset of the exam. All are very useful.
  8. Larry Greenblatt’s YouTube video “CISSP 2023 Exam Tips” (https://www.youtube.com/watch?v=HrdNCTA7n6Q). Larry has a very playful way of getting his points across, which I find particularly useful for a variety of audiences.
  9. Thor Pedersen’s course is also quite good (https://thorteaches.com/cissp) and comes with optional Boson test engine vouchers. If you don’t want to buy a full course, you can always just get a subscription to Boson’s test engine (https://www.boson.com) or use the official ISC2 one if you prefer (https://www.learnzapp.com/apps/cissp/).
  10. This wouldn’t be a full guide without mentioning the official study guide and practice test books, which ensure full coverage of all concepts (https://www.amazon.com/Certified-Information-Security-Professional-Official/dp/1394258410). However, note that the theory book can be quite difficult to read at times and has a lot of dry text, so you may need to skip over quite a few parts.

The list can continue with Pluralsight, Udemy, LinkedIn Learning, Cybrary courses and a whole lot more. I don’t see a need for that as it would probably confuse you rather than help out. The trick now is to choose your approach.

The 6 Week Plan — Requires About 3-4 Hours Each Day (Weekdays and Weekends)

Start with Kelly’s, Larry’s and Rob’s CISSP MindMap videos, which should only take you a few days (no more than 4–5). You then need to turn to your book of choice. I recommend using one of the above and going over all the concepts in detail.

A note of caution here. A lot of people will tell you not to be technical at all and to think entirely like a manager (in fact I even touch upon that later on). While that may be true in principle, don’t forget to make sure you are aware of the various technical concepts so you can assess questions and answer them appropriately. An analogy I like is: you don’t need to be a car mechanic, but when your car breaks down, you need to be able to change a tyre, or at least know that a flat tyre seems to be the issue. Reading the whole book should take about 21–23 days if you commit to reading one chapter a day (some are a bit big, so you will be better off covering those during the weekends). Account for busy days at work that may leave you little to no study time on those weekdays, which means that weekends are your friends.

I recommend giving your book of choice a good first pass, taking notes as needed. After you finish that, a quicker second pass will also be required. This will take about half the time of the first pass, so account for about 10–14 days to be safe.

As you read each chapter, make sure you answer the end-of-chapter questions. I didn’t use a separate testing engine (like the ISC2 one or Boson’s). I wanted to make sure I knew the theory well enough to be prepared for any possible question, which is why I only focused on the ones the official book had. Don’t waste your time answering 2,000 questions. Study so you’re ready, and then you can answer all sorts of questions that may come up. The goal of answering more questions is to identify pain points so you can go back and enhance your studying. During the last week, I used Eric’s book to revise and again watched some of Rob’s videos, and also Kelly’s and Larry’s. The more solid your background and experience are, the more concepts you will already be aware of and may be able to skip over when studying. For example, I had to dedicate less time to incident response and anything network security related, as those are some of my strong areas. This is different for everyone, so don’t worry about it. Focus on enhancing your overall knowledge.

The Lengthier Approach (3 Months+ with 2 Hours a Day and Emphasis on Weekend Studying)

If you need to spread your studying over a longer period, then you will probably end up using additional resources, but my advice is not to get lost in reading 5 books, watching 30 videos and attending 4 different online courses. You can still use the previous approach and spread your studying over more days (e.g. you can make a first pass in 60 days vs 21, or a second pass in 30 days vs 12). It all depends on how solid your knowledge is and which areas you need to build upon. Remember there are quite a lot of different concepts, so you will never remember everything. Best to accept it and move on. Just make sure you don’t skip over anything when studying, because you may be excluding something you will need to know down the line. If you dedicate more time, you will also end up taking more tests and answering more questions. Both of those are fine, but again remember not to get down in the weeds of answering 2,000 questions correctly before taking the exam. If that’s the case, you will probably never feel ready to take the exam.

5 Exam Tips

I will highlight some things that I personally found useful but the above mentioned videos also cover some of these in great detail:

  1. CISSP CAT Based Approach (https://www.isc2.org/Certifications/CISSP/CISSP-CAT#:~:text=CISSP%20CAT%20is%20a%20variable,more%20than%20125%20operational%20items): Make sure you read the ISC2 details about the CAT (Computerized Adaptive Testing) nature of the CISSP so it doesn’t come as a surprise. Don’t try to work out what the algorithm is doing in the background. You’re not there to beat the machine. Just do your best and answer the questions at hand to the best of your ability.
  2. Exam Scheduling
    Now, a lot of people suggest scheduling the exam way in advance so you commit to it. BUT you need to note that each time you reschedule the exam, you will need to pay a rescheduling fee. So my two cents: book your exam for a date you’re comfortable with. It’s a shame to end up rescheduling it 2–3 times and paying 25% of the exam fee in rescheduling fees.
  3. Mindset Main Tips
    a) It’s definitely crucial to switch off your technical mindset to the extent possible. For those of us in technical roles all the time, this is quite difficult to do, but please try. The whole point is to approach this from a management point of view. For example, do you think a manager would ever re-configure a firewall ruleset? Of course, some of us may be doing so, but that’s not commonly what a manager would do.
    b) Always read the questions carefully and answer bearing in mind any given constraints (time, cost, resources, etc.).
  4. Don’t try to Solve All the Issues of the World
    Focus on the question at hand. What does the question specifically expect you to answer?
  5. Be Aware of Time
    The current exam format contains a minimum of 100 and a maximum of 150 questions (in effect since 15 April 2024).
    As you progress through the exam, be mindful of the elapsed time. Assuming you get 150 questions, you will have 1.2 minutes per question (180 minutes/150 questions) to answer all of them. I recommend adding checkpoints to your notepad. The worst-case scenario is getting the maximum of 150 questions to be answered within 3 hours (180 minutes).
    As such, you could use something like the below as a spot check of where you should be at any moment in time (minutes remaining against the question you should have reached):
    Minute 180 — Question 1
    Minute 150 — Question 25
    Minute 120 — Question 50
    Minute 90 — Question 75
    Minute 60 — Question 100
    Minute 30 — Question 125
    Minute 0 — Question 150

Final Thoughts

There’s no doubt this is a challenging exam, but don’t worry about that. Just make sure you spend enough time studying, and ask yourself one thing as you prepare for the exam date: “If I had more time, would I do things differently?” If the answer is no, then you are good to go.

“If you know the enemy and know yourself, you need not fear the result of a hundred battles”. (Sun Tzu)
