Didier Stevens

Monday 26 February 2007

How I prepared my CISSP exam

Filed under: Certification — Didier Stevens @ 12:00

As promised, I’ll tell you how I prepared for my CISSP exam. Of course, this is no recommendation for a guaranteed path to success, your results may vary. For example, I studied the Common Body of Knowledge on my own, I didn’t take a CBK Review Seminar and I didn’t join a study group. Self-study works great for me (I like reading books in my easy chair), but it may not for you.

I spent about one year (elapsed time) preparing for the exam. My original planning was 6 months, from fall 2005 until spring 2006. Unfortunately, this time there was no spring exam in Belgium, so I had to wait for the fall exam. It allowed me to take a break of several months. I cannot tell you how many man-days I spent, but it must be at least a man-month.

The “Official (ISC)²® Guide to the CISSP Exam” was the first book I started reading. To whet my appetite, I didn’t start reading the book from the first chapter, but I started with a fun chapter: cryptography (well, I consider it to be a fun read, you may think otherwise). But the official guide turned out to be quite terse prose, so I looked for other books. Shon Harris’ “CISSP All-in-One Exam Guide” popped up a lot in my search results, so I gave it a try. And it turned out to be an excellent study guide. I read it from cover to cover, and occasionally referred to the official guide for more reading material when I wasn’t so familiar with a particular domain. The chapter about the exam itself is also very good; Shon gives a lot of good tips.

I would read a chapter, and then I would take the quiz at the end of the chapter. This is quite a strict procedure I follow (I also did this for my other certs): I write down my answers in a spreadsheet, with a special mark if I feel uncertain about my answer, and only after answering every question do I look up the answers. If I answered incorrectly or if I marked a correct answer as “uncertain”, I would carefully read the explanation. If it turned out I had misread the question, and would otherwise have answered correctly, I just moved on. For example, it happens that I misread a “not”: it reads “what does not apply” and I read “what does apply” …
However, if I didn’t misread the question, I reviewed the sections of the chapter pertaining to this particular question until I understood what the correct answer was.
It turned out that I would always answer 80% or more of the questions correctly.

For many domains I consulted extra information on the Internet (Wikipedia is a good source for technical information), and I also tried to find practical uses for the concepts I was learning. For example, I applied cryptography in my tool ZIPEncryptFTP. I can also recommend CrypTool to study crypto algorithms.

After studying all the domains and feeling confident, I rehearsed the exam itself: I answered all questions of the trial exam provided in Shon’s book in one go and timed myself. This took me several hours. Although I had about 73% correct answers, I still reviewed the wrong answers (several of them were of the “not”-type).

I also took a trial exam with all the questions of the official guide.

Finally I took a few days before the exam to cram. There is always stuff you need to memorize unless you’ve a lot of experience in the domain. For example, I had to memorize the list of the different types of glass and how they compared to each other for their impact-resistance.

An upcoming post is about the exam taking strategy I followed.


  1. Hello there, I hope you pass the exam. Last December I took and passed the exam after six months of studying. My preparation was this: as a base I used Shon Harris AIO (excellent! but poor in Operations Security), I did all the chapter questions and wrote them down in a spreadsheet too, later reviewing the wrong ones (as you are doing). I also did a lot of quizzes at http://www.cccure.org (it’s free and very handy), domain by domain, and finally a “real” exam simulation; after getting 80% I was happy and felt prepared for the examination.

    During the examination the strategy was this: answer every easy and known question, leaving every question about which I had the slightest doubt (first review); after that I spent about 5 minutes on every hard question and answered it (second review); and then tried to work out the right answer to the really difficult questions (third review); by this time there were just three really hard questions. The important thing is do NOT leave any question unanswered, because they do not subtract score for wrong ones.

    In my case the exam was mainly focused on: Network and Telecommunications, IS Management, Code of Ethics and Access Control. The other, less important ones are System Architecture, Development, BCP/DRP, Crypto, Operations, Legal and Physical (in that order), and it took me 3 1/2 hours to complete. Do not cram, and learn concepts concepts concepts concepts concepts concepts concepts concepts and more concepts

    That worked fine for me (English is not my native language, so apologies to everyone)
    Good luck!

    Marcelo V., CISSP, Security+

    Comment by Marcelo V. — Tuesday 27 February 2007 @ 12:33

  2. Marcelo, thanks for your comments. I agree that concepts are important, but still, there is stuff to cram because it’s not related to concepts explained in the study guides. Take my example of impact-resistant glass: unless you understand the detailed physics (concepts which are not explained) behind it, you will have to memorize which glass is harder.

    And I did pass the exam in December 2006.

    Comment by Didier Stevens — Tuesday 27 February 2007 @ 13:29

  3. […] followed during my CISSP exam Filed under: Certification — Didier Stevens @ 8:54 In a previous CISSP exam post I promised to blog about the exam-taking strategy I […]

    Pingback by About the strategy I followed during my CISSP exam « Didier Stevens — Monday 16 April 2007 @ 8:54

  4. Thanks for the tip on CrypTool; it would have been an oversight on my part. Thanks for sharing this; it proves that the exam will be hard.

    Comment by CISSPME — Thursday 18 December 2008 @ 22:37

  5. Hi all,
    I am actually currently preparing for the CISSP exam and still confused regarding which book is really the one that I need to rely on! I know that such an exam requires deep studying and wide reading from several books, but yet I feel more comfortable if I get one book that covers all needed information (80% will be fine). I skimmed several books and still can see that Shon’s book does not really reflect the exam’s difficulty level that we hear about, and some areas are not deeply covered, unless, based on the writer’s experience, such domains are not intensively covered in the exam – operations security is a good example. Thanks.

    Comment by BM — Tuesday 29 December 2009 @ 7:07

  6. […] How I prepared my CISSP exam (by Didier Stevens) – beyond the nice blog, Didier Stevens’ exam story […]

    Pingback by The long road to CISSP certification – part 1 (getting organized) | CYBLOG.INFO — Saturday 4 August 2012 @ 10:59

  7. Thanks for sharing your experience. I have just begun my CISSP studying and have already found the information both relevant and interesting.

    Comment by Sean Coyne — Wednesday 10 July 2013 @ 14:05

  8. Hello All,
    I hope you have an excellent time.
    Well, I completed my Masters in Computer Science from IGNOU in the year 2012 and after that I started working in the education field as a computer instructor.
    Now, I want to do the CISSP Security but I have little knowledge about it and I have never worked in any IT company. I am ready to work hard; please suggest how I can start, as I cannot join any training and have to study by myself due to financial issues.
    I took this step because all of my friends are working and they have all stopped interacting with me as I am not in any IT field, and they feel inferiority; also back at home I have to support my family. So, please advise me. I am also 29 years old now; is it too late?
    I hope to get the quick response.
    Thank you.

    Comment by shaz — Friday 30 May 2014 @ 18:47

  9. You need 5 years of professional IT security experience for the CISSP certification.

    Comment by Didier Stevens — Saturday 31 May 2014 @ 1:02
