How I Passed CISSP — Strategy, Tactics, Materials and Creativity
I failed the first CISSP attempt on 26th October 2022. After more than a year of preparation, I had no determination to face the exam again. But the report card forced me to look at the shiny side.
The exam summary indicated I have passed four domains and require proficiency in others. After retrospection and a few long walks, I told myself to measure the gain, not the gap. At least I was 50% there.
It was a financial relief thanks to (ISC)2, who offered a free voucher. However, the mental game was still on. I booked the exam on 21st December 2022. I had roughly three months. My focus was to work on weak domain areas and work on more practice exams. Mainly, I was keen to know why other answers were wrong.
CISSP Exam Day
On exam day, the mantrap kind of entrance door reminded me of physical control. I saw CCTV cameras everywhere that could be used for preventive and detective controls. I was given NDA (Non-Disclosure Agreement) to read for the exam rules, and it recalled how trade secret is used as NDA. They scanned my palm, and all that biometric security Type 1 & Type 2 error flashed before me.
The CISSP material was ingested in every nerve of my mind and body. For the first time, I felt what it means to sleep, eat and walk CISSP. Still, I needed more confidence to pass the exam.
My strategy was to complete 120 questions in two hours. I took a break after two hours and completed the remaining 55 questions at my own pace. When I was about to answer the last question, I knew I didn't pass, but I was happy for some reason. I was content that I had improved in those four domains and as an overall security professional.
I came out and had no courage to look at the report. When the exam facilitator gave me the printout, I told her, "I need another attempt." She smiled and didn't s"y anything.
I opened my report after five minutes and wanted to see which domain still needed work. Instead, I see the keyword "Congratulations!"
"You did it," " I told myself with wide-opened eyes and a state of shock.
Although the entire journey wasn’t a piece of cake, I rushed to the bakery and ordered a pineapple cake.
CISSP is not just an exam. It's an emotion.
CISSP is an exam that makes you feel emotional whether you pass or fail.
CISSP is not a sprint. It's a marathon.
CISSP is about more than just getting certified. It's about opening your mind to look at your organisation's bigger picture.
CISSP becomes your destiny once you commit your heart, mind and soul to it.
If you religiously consume the CISSP material, you will always be different from the same person.
Although the exam format, structure and material are static for everyone, the individual journey to achieve the certification is dynamic.
I read many stories about exam cracks stories and was inspired by how others cracked their CISSP Exams. You can read as many success stories as you like to get inspiration. However, in the end, you have to fine-tune your strategy and create your path. I am privileged to share mine today, and I hope it motivates you.
I will highlight five areas in this article.
- Background (The Mindset)
- Consumption of material (Acquisition)
- Leverage Creativity— (Retention)
- Connecting the dots — (Strategy)
- Thought Provoking Ideas
Background — The Mindset
I am starting with a brief background because it plays a vital role in your CISSP journey. You may only realise that your career background is your mindset once you start facing CISSP practice questions.
I had a 100% technical mindset due to my security engineering and architecture career background. I needed a significant mind shift to think like a manager for the CISSP exam. If your exposure is related to a managerial position, it would be easy to adapt to the taste of the real exam.
You want to address problem-solving and troubleshooting attitudes as early as possible. Luke Ahmed's How To Think Like A Manager For CISSP Exam helped me adapt to the new mindset.
Once your mind is ready on what to focus on, the next step is to consume the material with that mindset.
Consumption of Material (Acquisition)
I started by reading every word of the Official (ISC)2 Sybex Study Guide from the first to the last page. I took practice exam questions at the end of the chapter and from (ISC)2 practice exam book. Those are far from the actual exam but require gaining momentum and testing your solid understanding.
The most important thing that helped me was taking handwriting notes. I plan to scan all the handwritten notes and put them in the public domain for the community.
After reading the book, I subscribed to Study Notes And Theory and watched all the videos and read articles.
Leverage Creativity (Retention)
CISSP is a beast only if you ride without interest. Finding your way to make the entire journey as joyful as possible is crucial. You should have the same urge to sit and read CISSP as eating a pizza with beer! The below sketch depicts what it means to eat and drink CISSP.
I was always into writing and learned digital sketching during the pandemic. I used art and creativity to express CISSP concepts on LinkedIn with digital sketches. All those likes and comments from LinkedIn encouraged me to keep going on and sustain my study momentum.
The best way to retain is to teach others. Writing articles on LinkedIn, making videos on YouTube or publishing podcasts certainly amplifies the study experience. But don’t spend so much time on the creative side. You can continue after passing the exam. I am expanding those sketches into full-length articles on my blog — Dave On Cyber.
Connecting The Dots (Strategy)
The thing about CISSP is you can read forever, but you have to face the practice questions to test your knowledge. I failed the first time because I spent most of my time reading and less on practice questions.
I called a few people who passed CISSP and understood their strategy. I tweaked a few things and came up with my custom strategy.
- Take BOSON Exam A — review incorrect answers and pay attention to weak domain areas. Study those topics from (ISC)2 official study guide and All In One. I would also read at least three articles on those topics. Repeat these for the rest of the BOSON exams. This exercise gave me a good grip on handling technical questions.
- Practise the 25 most challenging questions of How To Think Like A Manager For the CISSP Exam. I would hide the answer on the right page. My overall score was 13 out of 25 (52%). Note those questions are tough, and they are crafted and designed to test your manager’s mindset. Whether I got the right or wrong answer, I religiously read every word in the explanation. This workshop elevated my managerial approach to handling questions.
- Take Adam Gordon’s CISSP Question of The Day on LinkedIn and apply the same approach. I would dedicate two hours to answering 120 questions. This intense exercise aimed to complete 120 questions in the first two hours of the real exam. I would review incorrect answers and spend dedicated sessions understanding those topics/ processes.
- Prabh Nair's Coffee Shots — I would pause the video when the question pops up and
- List core CISSP processes and write articles on Medium. I read various materials and document procedures in my own words, such as the Simplified Change Management process. When I spend a day on BCP/DR, I also write an article on my blog with sketches and simple analogies. It's the best way to test your knowledge.
- Discord Certificate Station is a 24x7 community to discuss doubts, but I mainly used it for practice questions.
- Driving sessions with Destination Certification — I made a dedicated 5 km circuit to listen to Rob’s videos in the car. It was my go-to playlist whenever I was driving. It gives you a solid mapping of concepts in the CISSP domain in less than 15 minutes.
- Eleventh Hour CISSP — I use this as a handbook wherever I go. Whenever there is a little timeslot (five or ten minutes), I read a few pages of the weak domain.
Thought Provoking Ideas
There are a few ideas that are thought-provoking to pass the exam.
- Be the master of elimination — if you don’t know the correct answer, train yourself to find wrong answers. I used this as a critical tactic in my preparation. If you get the correct answer during the practice exam, invest a minute in understanding why wrong answers are wrong. Think about which domain is connected towhat'shat's the rationale.
- Everything is connected to everything in CISSP — this is mindblowing. Once you see CISSP as a big tree, you will see all the domains are not separate. Invest time and see how to connect one topic from domain 1 to all the domains. Luke has explained so well in one of the Study Notes And Theory videos.
- Dedicate an entire day to a specific topic — there are core CISSP processes and topics that deserve a day of research and reading, such as DR/BCP, Risk Management, Kerberos, SAML and OAuth 2.0
- Learn to read the keywords — invest good time in reading the question and train your eyes for the keywords such as “least”, “most likely”, and “most important”. Once you know that every question has a keyword, it will help you eliminate the wrong answers.
- Prepare with intensity. For example — practise exams with a clock timer and make them more intense than the actual exam (time-wise). The idea is more intense your preparation, is less anxiety you will have in the real exam. But if you take a practice exam with ease without a timer, you might get anxious in the actual exam. I almost ran out of time on the first attempt, but I came out 40 minutes earlier on the second attempt.
- Ensure every practice exam is an improved iteration. For example — if you take 150 question exam and incorrect answers require an understanding of Kereberose, MAC and DAC. Take a break from the practice exams and study those topics from all the material, Internet and discuss with your buddies. Once you work on the current iteration, you should have a revised understanding during the next practice exam. I repeated this approach for all the practice exams.
- CISSP for slow readers — CISSP is like a raw salad! You have to chew it properly to digest it. You rush into it. It’s better to spend an hour deeply understanding one concept than finishing a chapter. From this context, whether you pass or fail the exam, you will be a better security professional.
If you are after boosting your study motivation, check out my article on 10 Japanese Concepts for Self Study.
Please follow and subscribe to get an update when I publish a new post.