Temporary Permanence

Lukas Vacula's personal website and blog.

15 Aug 23

My Experience Studying For and Taking the CISSP Exam

This post is about studying for and taking the (ISC)2 CISSP exam. I’ll talk about my experiences, what I thought was useful, what I thought wasn’t useful, and some high-level information about the test. I will not go into specifics about the questions on the test.

Studying

I primarily used five sources for the exam:

  • Sybex CISSP Official Study Guide
  • Sybex CISSP Official Practice Tests
  • LearnZApp CISSP official practice test app
  • Anki
  • r/cissp subreddit (for meta-information)

I had access to the first two resources through O’Reilly’s online learning subscription – which I had for free through my alma mater’s library. Both were good resources, but had multiple clear errors in the answer key (as in, mentioning something not even referenced in the question or having the same answer associated with a different letter).

I took the first practice test before starting on the Official Study Guide (OSG) book. I scored a 60%. I completed the chapter questions after reading each chapter of the OSG, then did another two practice tests. By the end, I was scoring ~80%.

I cannot really recommend paying for the official practice test app if you have the practice test book. A good number of the questions in the app were identical to the ones in the book. Also, the “readiness score” isn’t helpful – I had a 55% when I took my exam.

Anki

Anki, for those unfamiliar, is a spaced-repetition software for flashcards. I’ve used it for Japanese, trivia, grep flags, tmux keybinds, and more. It is one of the most useful pieces of software I’ve ever used.

I used two Anki decks: one of my own creation, and lfionxkshine’s CISSP 10k deck. While lfionxkshine’s deck is very impressive for its size, I didn’t continue using it for a few reasons:

  • There are a very large number of cards that are things I’d already committed to long-term memory. It makes no sense to spend such a large amount of time sorting through to find the useful cards instead of making them myself.
  • Some of the cards contained incomplete or incorrect information.
    • One question was “What layer of the ring protection scheme is not normally implemented?”
      This question is both in the Anki deck as an open-ended question, and in the official practice test app as a multiple-choice question with the options 0, 1, 3, and 4. Both formats list “Layer 1” as the correct answer – but the practice test app goes on to say that the full answer is layers 1 and 2.
      It’s better to not study the card at all than to memorize the wrong thing.

It’s worth noting that I’d made over 700 cards while studying but only reviewed about half of them by the time I took the exam (see below in the Taking section to see why).

r/CISSP Subreddit

I spent a good amount of time before the exam browsing the r/cissp subreddit to see what others’ thoughts were on exam prep materials and the format of the exam.

College Degree and Hands-On Experience

I have a four-year degree in computer security, and just under 2 years’ experience doing penetration testing. I think that had a significant impact on how much less I had to study compared to others.

Taking

The days leading up to my test were, in short, a mess. The clothes dryer broke. The AC broke and it would get into the 90s some days. I was doing prep for a job offer I had just accepted. I’d already bought the exam voucher and wanted to use it before things got even more hectic. I was prepared to fail the exam, but come out with better knowledge of what the questions would be like and where I would need to study more.

The sign-in process for the exam was uneventful. The only difference between it and any other certification test I’ve taken (Sec+, CC, etc…) is that I had to get my palms scanned a bunch.

Again, I will not discuss details of questions. All I will say is that the questions were generally less technical than I expected, and slightly easier than some of the practice questions.

I would often see comments on the subreddit about the exam drilling you on whatever it thinks is what you struggle with the most as you get further in the exam. I don’t think that I experienced that. I’d have a difficult question from a random domain, followed by a really easy question from a different one. I was fairly certain that I was going to fail with how easy some of the questions near the end were. Then I hit submit on Q125 and was told my test was over. I passed.