Preparing for and passing the CISSP Exam
On the 18th of December, I passed the CISSP exam on my first attempt at 125 questions, which at the time was the minimum amount, but will soon be changing.
I’ve been asked by several juniors how I passed, seen lots of people talking about how they struggled with the textbook, and seen even more people talking about struggling with the mindset, so I thought I’d keep this here and if anyone ever asks me again, I can point them here.
I prepared using four major resources:
- The Official CISSP textbook: https://www.amazon.com.au/Certified-Information-Security-Professional-Official/dp/1119475937
- Pete Zerger’s Video CISSP Exam Cram Full Course (All 8 Domains) - https://www.youtube.com/watch?v=_nyZhYnCNLA
- Andrew Ramdayal’s 50 CISSP Practice Questions. Master the CISSP Mindset https://www.youtube.com/watch?v=qbVY0Cg8Ntw&t=1s
- Practice Questions on LearnZApp
I began by going through the LearnZApp questions on my commute to and from work each day for about 3 months. I answered nearly the entire question bank and started around 60% correct and progressed to around 85-90% on average. I also downloaded Pete’s video and converted it into an audiobook format and listened to it several times. It’s full of great mnemonics like “All People Seem To Need Data Processing” which for some reason just stick with me, even now I hear it in his voice.
I was making progress on some of the questions but continued to answer some in the wrong way. It wasn’t until going through Andrew’s Video that things really clicked. Understanding what was really being asked and the expected answer with the BEST or MOST or FIRST questions was crucial. I cannot stress enough that if you are an experienced cyber professional I believe that Andrew’s video is the number one resource, especially the question in which he explains that for the MOST CORRECT questions, you have to imagine picking only one option and ignoring all others. What would you do in that circumstance? It’s totally, bafflingly different to reality but such an important way of thinking for the exam.
Finally, in December, I took a week off of work and read the entirety of the CISSP textbook. With 8 domains to review over 9 days, it was a massive focus commitment with hours of uninterrupted focus per day. All in all I put in around 50 hours of prep time in the 9 days preceding the exam. I would read the chapter in full without taking notes, read the questions, go back through the chapter taking detailed hand-written notes, and finally do the multiple choice questions. Additionally, I re-read all of my preceding notes 4 hours after I had taken them to reinforce the memorisation with spaced repetition. I also repeated this at the start and end of every day. Anything that was unclear, I went and revised in my notes. By continuously reinforcing the concepts daily, over and over, they were burnt into my brain.
Some of the subjects in the textbook, especially the first two chapters, are incredibly dry and boring. I think this hurdle probably kills a huge amount of enthusiasm. The networking, cryptography and other chapters were really quite interesting for me, and I know it’s funny to have to remember fence heights and fire extinguisher types, but I found the physical security section really interesting too. Some chapters were far easier than others to get through due to my professional experience and I barely had to take notes - I think in the entire section covering types of attack there was a single type of attack that I hadn’t ever done, and that was my entire set of notes for the chapter.
On exam day, all of that prep paid off. I had basically every part of the required knowledge fresh in my mind and answered all questions nearly straight away. I passed in just under an hour. I think my approach was way better for me personally than stringing out the prep over months and just forgetting who the heck Gramm-Leach-Bliley are by exam day.