CISSP Reflection
I have just passed my CISSP exam (28th January). It took me around 2 hours and I had to complete the full 150 questions.
My main takeaway from the exam is that the exam is much harder than any of the test questions.
Without exaggeration, I would say that about 70% of what I studied did not appear in the exam. Often when studying, i could make educated
guesses at some of the options, but in the actual exam the answers were so similar that it was often a complete gamble.
That being said, 70% of 150 questions means that you can get 45 questions wrong and still pass, which is quite a lot.
I cant talk too much about the exam as I signed an NDA, so i’ll abstract it.
I read the student guide cover to cover, then I did the practice questions in the study guide. I then did all the mock exams online and was
averaging about 80%. I was pretty confident going into the exam but as soon as I started, I instantly knew I was going to struggle. After the
first 10 questions I did not feel that I was going to pass. Im usually pretty confident about most things and but I instantly struggled. I would
say that I only got about 3 or 4 questions that were “easy” and the rest were difficult. In the practise questions, you can usually rule out a
couple of answers, but in the exam I really struggled to do that. The answers were very similar and it was much more difficult to have
perspective for what they want the answer to be.
Coming from a technical background I really struggled with some of the questions and I definitely overthought some of the answers. I found
that when doing the mock questions, you could easily argue against many of their answers, but in the exam it was much harder to do that.
There is an awful lot of information about CISSP online and I made sure to only stick to official resources.
The CISSP is regarded as non-technical, but as I was studying I was really starting to doubt that. I thought I was becoming more of a
memory exercise – regurgitating encryption block sizes and information security models (bell lapadula, clark Wilson etc…). I had memorised
a lot of the information and that’s what gave me a lot of confidence. As ive said, that confidence was ill founded and none of those questions
appeared for me. I felt that the exam itself was not representative of the study material. The exam was much less technical and more process
/policy orientated which I what I initially thought the CISSP would be like. Its almost like the study material mislead me into thinking it was
more technical than it actually was.
The exam uses this variable learning algorithm to target areas you are weaker at, but it must have been really good because I don’t recall
getting many questions about crypto/network/application stuff, which is defiantly my stronger areas.
The exam is much more abstract and assessor focused than any of the mock tests lead me to belive. For example, its not enough to just know what the various types access control are, I never had a question like that. They give you a kinda complicated scenario and ask which one would be best. I don’t recall having questions like that in the mocks. Nothing as simple as “what type of access control uses labels”, it would be something more like “company x wants to implement 4 different types of user controls, with so and so having this access, department x having this access” kind of thing. Those types of questions were actually some of the easier ones
Learning
I attended the bootcamp in July and I didn’t get much out of it (except for the voucher!) It reminded me that I do not learn as well in instructor
based sessions. I tend to learn but just locking myself away and trawling through documentation and handwriting notes at my own pace.
That’s what works for me, but others have a lot of success with video and classroom based lessons.
After the bootcamp, I didn’t do much studying at all. It got to around Christmas time and I decided I needed to book the exam otherwise I
would never do it. I booked the exam for Jan 28th, thinking it was plenty of time. My exam was at 3pm, in hindsight I wish I booked an AM
slot. I’m much less active in the afternoons as I normally start work around 6.45. I was also sort of floating around in the morning, not wanting
to do last minute study, but not wanting to loose focus; so it was just kind of dead time. It took me 6 months to make it through the student
guide that was provided in the bootcamp. The majority of that was completed in December. So I spent December reading the material and
then January was more revision even though that’s when I learnt the most. I wish i hadnt read the student guide and had read the study
guide instead. I never read the study guide end to end, but it is undoubtedly much more comprehensive. A lot of the material in the mock
exams isnt covered in the student guide.
Prior to the bootcamp, I went and got the CISSP study guide. I wasn’t aware that we were going to be given any physical materials in the bootcamp. It turns out that this was one of the best things I did, as the student guide
is not good enough for this exam. The only benefit it has is that it contains additional test questions. The book itself does not cover a lot of the material in the exam.
Student Guide - BAD
Study Guide - GOOD
I would highly recommend not bothering at all with the student guide and read the study guide instead. The study guide comes with more than 1300 questions. Although the questions that are in the book at the end of each chapter are also in the online questions
Revision
Looking online, people spend months and months preparing for the exam. I think I was a little over confident in my ability and I would say
that I only started properly studying about 2/3 weeks before the exam.
I did the mock exams at the end of each chapter in the study guide and the student guide and then revised each wrong answer. If there was
an option that I didn’t know what it was, I went away and studied that option. This is a good technique, because if the same option pops up
elsewhere, you’ll know what it is and potentially select it or rule it out.
In the two weeks leading up to the exam, I spend an hour every weekday morning going through the mock exams online – pausing and
going through the answers. And then the last two weekends before the exam, I spent 3 hours each day studying. So in the last 2 weeks, i
must have done around 22 hours. The time before that was just bits and bobs (with the exclusion of reading the student guide).
Exam Process
I booked my exam for 3pm, but me being me I arrived way to early. I got there around 1.45 but they were able to put me straight through, so
I did my exam early.
I brought some water with me, but you’re not allowed to take anything in. This was annoying because it was quite hot in there. You have to
leave everything (bar your two forms of ID) in a locker.
The room was really hot and full of people taking their driving theory. I found it quite distracting with people walking in and out, the voices in
the room outside and the heat. Its quiet, but not silent. They provide earplugs but I didn’t use them. I remember about 30 minutes in the
exam wishing i was taking the driving theory again rather than this exam haha!
The exam is 150 questions, but everyone ive spoken to seems to have finished around 110 questions. After the first handful of questions my
confidence vanished because the questions were on a different level to everything I had studied.
Obviously I knew I hadn’t failed already, but I was not feeling great. As the exam approached the 100 question mark, I was pretty sure I had
failed. Honestly, a lot of the questions I had to guess. I was getting very frustrated at some of the questions because the answers were so
similar. Much more so than in any mock/practise questions I had done. Regardless, I decided I would try and get as much out the experience
as possible. As the company were paying, I really had nothing to lose.
I purposely didn’t keep it a secret that I had my CISSP exam. I think its important to be open and not embarrassed of failure. Failure isnt
something to be embarrassed or scared of. I have enough confidence in myself to know that if I failed the exam, it doesn’t mean im an
idiot. I honestly feel that I was extremely lucky to pass. Having completed the process, its not something I am keep to repeat. I invested a lot
of time learning things I will never need. It not that I don’t respect the CISSP certification – it was very difficult. I just honestly do not believe that I am a better cyber individual after completing the exam.