Well, the Certified Information Systems Security Professional from (ISC)² seems to have a fairly decent reputation. Interestingly enough, they even claim to have no brain dumps available, so this further adds to the prestige of the certification. Mostly I wanted to give this exam a go to add to my knowledge in everything security. As mentioned before in this blog, I’ve been on an information security kick for a while now, and the CISSP was the next logical certification to get.
So what’s it like?
The first thing to realize here is that the CISSP is not a technical certification. You’ll be required to memorize various technical facts, but you will never need a command line or a compiler.
The next thing to realize is that the CISSP covers a huge range of topics, everything from business continuity plans to the different types of smoke detectors. This is the type of exam for which you really need to read the books; nobody has sufficient knowledge from their day job to pass this exam.
The exam itself was surprisingly difficult. I did thousands of sample questions from books, Skillset.com and other websites. There were possibly five questions that were not new to me. Every single question had one implausible answer, one possible though unlikely answer and two very probable answers. This is not an exam where you can “figure it out”; you really need to know the material.
The format of the CISSP changed in December 2017. Previously, the CISSP was 250 questions and you had six hours to complete it. Today, the exam is supposedly a little more intelligent: only 180 minutes are provided, and the length varies from 100 to 150 questions, with the number of questions you receive depending on how you performed on the earlier questions (the exam is now computerized adaptive testing). I’m not really sure how it works to be honest, but I was both worried and pleased when my exam terminated at exactly 100 questions. In my mind I thought either I had failed so badly that there wasn’t any point going to 150, or I had done so well that additional questions were not needed.
Fortunately it was the latter, and I passed the exam on my first attempt.
Most of the questions had four options with one right answer, and most instructed you to select the “BEST” or “MOST” type of answer. This leaves room for a somewhat opinionated answer, which I don’t particularly like; I prefer definitive answers. There were a few drag-and-drop questions, and these were mostly simple. No true-or-false questions, no free-form writing, no videos or graphics at all.
How did I study?
I was a little all over the place when it came to studying.
- To start, any time I could listen to CISSP material, I did. I listened to the audio from Cybrary.it, Pluralsight and CBT Nuggets. These are all actually videos that I just listened to.
- I read and skimmed Eleventh Hour CISSP, The Sunflower CISSP, the CISSP (ISC)² Certified Information Systems Security Professional Official Study Guide and the CISSP All-in-One Exam Guide.
- Finally, I did thousands of practice questions from Skillset.com and the CISSP Official (ISC)² Practice Tests.
Take note that Skillset.com is supposedly a little “brain dumpy” on other exams, but when it comes to the CISSP the question base must be so large that this is impossible. Not only did I observe that all (except maybe five) of the questions on the exam were unique, but I also noted that the format was quite different. Again, though, doing these questions was very helpful.
How much did I study?
Both not enough and way too much. They aren’t kidding when they call this exam a mile wide and an inch deep. There are still many topics which I do not feel entirely comfortable with, but there are also many topics where I didn’t even need to read the entire question in order to find the right answer. I spent five minutes on some questions and five seconds on others.