As promised, I’ll tell you how I prepared for my CISSP exam. Of course, this is no recommendation for a guaranteed path to success; your results may vary. For example, I studied the Common Body of Knowledge on my own: I didn’t take a CBK Review Seminar and I didn’t join a study group. Self-study works great for me (I like reading books in my easy chair), but it may not for you.
I spent about one year (elapsed time) preparing for the exam. My original plan was 6 months, from fall 2005 until spring 2006. Unfortunately, this time there was no spring exam in Belgium, so I had to wait for the fall exam. It allowed me to take a break of several months. I cannot tell you how many man-days I spent, but it must be at least a man-month.
The “Official (ISC)²® Guide to the CISSP Exam” was the first book I started reading. To whet my appetite, I didn’t start reading the book from the first chapter, but with a fun chapter: cryptography (well, I consider it to be a fun read, you may think otherwise). But the official guide turned out to be quite terse prose, so I looked for other books. Shon Harris’ “CISSP All-in-One Exam Guide” popped up a lot in my search results, so I gave it a try. And it turned out to be an excellent study guide. I read it from cover to cover, and occasionally referred to the official guide for more reading material when I wasn’t so familiar with a particular domain. The chapter about the exam itself is also very good; Shon gives a lot of good tips.
I would read a chapter, and then I would take the quiz at the end of the chapter. This is quite a strict procedure I follow (I also did this for my other certs): I write down my answers in a spreadsheet, with a special mark if I feel uncertain about my answer, and only after answering every question do I look up the answers. If I answered incorrectly, or if I marked a correct answer as “uncertain”, I would carefully read the explanation. If it turned out I had misread the question and would otherwise have answered correctly, I just moved on. For example, it happens that I misread a “not”: it reads “what does not apply” and I read “what does apply” …
However, if I didn’t misread the question, I reviewed the sections of the chapter pertaining to this particular question until I understood what the correct answer was.
It turned out that I would always answer 80% or more of the questions correctly.
For many domains I consulted extra information on the Internet (Wikipedia is a good source for technical information), and I also tried to find practical uses for the concepts I was learning. For example, I applied cryptography in my tool ZIPEncryptFTP. I can also recommend CrypTool to study crypto algorithms.
After studying all the domains and feeling confident, I rehearsed the exam itself: I answered all questions of the trial exam provided in Shon’s book in one go and timed myself. This took me several hours. Although I had about 73% correct answers, I still reviewed the wrong answers (several of them were of the “not”-type).
I also took a trial exam with all the questions of the official guide.
Finally, I took a few days before the exam to cram. There is always stuff you need to memorize unless you have a lot of experience in the domain. For example, I had to memorize the list of the different types of glass and how they compared to each other for their impact resistance.
An upcoming post is about the exam taking strategy I followed.
Hello there, I hope you pass the exam. Last December I took and passed the exam after six months of studying. My preparation was this: as a base I used Shon Harris AIO (excellent! but poor in Operations Security), I did all the chapter questions and wrote them down in a spreadsheet too, later reviewing the wrong ones (as you are doing). I also took a lot of quizzes at http://www.cccure.org (it’s free and very handy) domain by domain and finally a “real” exam simulation; after getting 80% I was happy and felt prepared for the examination.
During the examination the strategy was this: answer every easy and known question, leaving every question that I had a minimal doubt about (first review); after that I spent about 5 minutes for every hard question and answered it (second review); and then tried to make the right answer to the really difficult questions (third review). At this time there were just three really hard questions. The important thing is do NOT leave any question unanswered, because wrong answers do not subtract from your score.
In my case the exam was mainly focused on: Network and Telecommunications, IS Management, Code of Ethics and Access Control. The other, less important ones are System Architecture, Development, BCP/DRP, Crypto, Operations, Legal and Physical (in that order), and it took me 3 1/2 hours to complete it. Do not cram, and learn concepts concepts concepts concepts concepts concepts concepts concepts and more concepts.
That worked fine for me (English is not my native language, so apologies to everyone).
Good luck!
Marcelo V., CISSP, Security+
Comment by Marcelo V. — Tuesday 27 February 2007 @ 12:33
Marcelo, thanks for your comments. I agree that concepts are important, but still, there is stuff to cram because it’s not related to concepts explained in the study guides. Take my example of impact-resistant glass: unless you understand the detailed physics (concepts which are not explained) behind it, you will have to memorize which glass is harder.
And I did pass the exam in December 2006.
Comment by Didier Stevens — Tuesday 27 February 2007 @ 13:29
Pingback by About the strategy I followed during my CISSP exam « Didier Stevens — Monday 16 April 2007 @ 8:54
Thanks for the tip on CrypTool; it would have been an oversight on my part. Thanks for sharing; this exam proves that it will be hard.
Comment by CISSPME — Thursday 18 December 2008 @ 22:37