While there aren’t any technical requirements to taking the CISSP exam, to wear that shiny badge (I mean this literally as you get a badge once certified) you’ll need to prove a minimum of five years full-time experience in two or more of the eight domains in the CISSP Common Body of Knowledge (CBK). One of these five years is waived if you hold one of several professional certifications detailed on the experience requirements section on the ISC2 website. Part-time work and internships may also count towards the experience requirements, all of which you have six years to build-up from the date of passing.
Deciding to study for the CISSP should not be taken lightly. While the amount of study can vary greatly from person-to-person, you should plan for around four to six months of intensive study time. The first step is to gather the material you’ll use for studying. Your main and authoritative source of material is the ISC2 CISSP Official Study Guide (9th edition at the time of writing this article). The details of this book and where to purchase it are available on ISC2’s website in their self-study section, along with some freely available resources.
Next is deciding whether you are going to go down the instructor-led course pathway, self-study, or combination of both. While an instructor-led course is a great way to kick off your learning journey it is quite expensive. Self-study is an option that is very commonly used, with many resources available such as computer-based training (CBT), as well as lots of freely available content on YouTube. Not all CBT courses are created equal, so some careful research is required to ensure it is provided by a reputable person or company. It would not be appropriate to recommend any specific organizations who offer such training material or courses, but some time spent on the CISSP sub-reddit will point you in the right direction.
The last tool in your preparation toolbelt is the official practice quiz app from ISC2 called “Learnzapp”. It’s regularly updated with new content, and amongst other features, provides a ‘readiness’ score based on how well you answer the practice questions. Another app called “Pocketprep” also offers many practice questions and if your budget allows, using both is worth the investment. The reason for this (I talk about it further on) is that getting exposure to as many questions as possible is incredibly important to help when preparing.
Finally comes the study plan. A well-structured study plan is vital and is going to be your best friend (arguably the worst). The plan needs to be customized to your own environment and situation. For example, there’s no point allocating four hours of study time a day if you’ve got a young family and holding down a full-time job. The study plan is not set in stone, so be flexible as you work your way through it. Things happen, life happens. Simply adjust the plan to accommodate, ensuring you are doing some form of studying every day. Plan to spend at least 1-2 hours every weekday, and double or even triple that on the weekend. That might sound outrageous, but that’s the reality of the tempo needed.
The study plan should include a mixture of:
- Going through the entire book
- Watching instructional videos
- Participating in an online study group where you can test each other
- Practice questions
A mixture of all these is necessary, and chief among them are practice questions. Lots and lots of practice questions, some of which are freely available as well as paid. Any person who has achieved CISSP certification will attest that attempting many practice exam questions (at least 1,000) is necessary to prepare yourself for the exam. This is particularly important as going through these questions will help with adjusting your mindset for the exam, which is to think like a manager. This is an important point, so I’m going to go into a bit more on this. While some of the questions may be phrased in a technical manner, and in fact have a technical answer, you’re being tested on whether you can answer these questions in the context of what is best with respect to the organization, and how your decision could impact the business.
Lastly, it’s important to emphasize that memorizing content alone will only take you part of the way. The questions are phrased in a way that requires you to fully understand the concept, not just regurgitate the answer. Let’s take Incident Management as an example and the seven steps involved in this activity. Instead of a question which simply asks you to name the steps in the correct order (memorizing), the question will be phrased in such a way that demands you fully understand the concept, as well as understanding what is conducted during each step, why that step is necessary, who’s involved, and so forth.
All of this is critical to ensuring you are prepared and confident walking into that exam room.