How to prepare for the CISSP exam: Tips from industry leaders – Help Net Security

The Certified Information Systems Security Professional (CISSP) is the most widely recognized certification in the information security industry. CISSP certifies that an information security professional possesses extensive technical and managerial expertise for designing, engineering, and managing an organization’s security stance.

In this article, CISSP-certified cybersecurity leaders provide practical tips and strategies to help candidates navigate the extensive study requirements and effectively manage their CISSP exam prep time. Whether you’re just starting your study journey or in the final stages of preparation, these guidelines will help ensure you are well-equipped to tackle the CISSP certification exam.

My preparation for the CISSP exam took exactly 10 sunny afternoons while working on a project in Palo Alto. Every day after work, I took “Shon Harris,” at that time the so-called “CISSP exam prep Bible.” I remember studying by the pool, swimming in between the chapters, so overall, it was a fun way to spend these afternoons without feeling like I was missing the sunny California weather.

I divided the contents of the book in a way that allowed me to read it all in eight days, while I dedicated the last two entire days to practicing exam questions and revisiting domains where my answers were incorrect, studying them a bit deeper. I remember that at that time (2013), there was a very popular site where colleagues from the profession would discuss questions or topics they struggled with, and “talking” to colleagues on that platform was of huge help.

The exam itself, I think, took about an hour and a half, and I passed on the first attempt. Now, this may all sound easy, but the truth is that by the time I decided to pursue the CISSP, I already had 13 years of experience, numerous other industry certifications, and had been deeply involved in the cybersecurity field since the day I graduated; my Master’s thesis was also in cybersecurity.

Looking back at the exam itself, I believe that having a strong knowledge foundation, coupled with real-life experience, and a network of colleagues you can always turn to and discuss certain topics you are less familiar with, is the key to success in passing the CISSP exam.

Passing the CISSP exam is an ambitious goal, especially if you hope to pass on your first attempt. I recommend a 90-day preparation plan tailored to reinforce key cybersecurity concepts and identify weaker areas through regular practice.

Being intentional with your time is crucial; consider mapping out each domain as a “sprint” and mapping core concepts to learn each week. Schedule daily dedicated study time and regular practice exams. Testing with approved sample questions helps gauge your readiness and pinpoint specific topics you need to shore up on.

Most security professionals will find themselves very strong in the domains they work in most often, and weak in others. Cryptology is the Achilles’ heel for many.

I incorporated tools like handwritten index cards for constant review to boost memory retention. This method of repetition embeds critical information, making it more readily recalled.

An important element of my preparation was participating in a 6-day bootcamp. The bootcamp was a source of confidence because I had the benefit of a thorough review of all the content that was necessary to understand. It also helped me build a new network of peers who supported each other as accountability partners and sources of encouragement.

Make sure you take the exam within two weeks of a bootcamp to maximize the “cone of learning” on memory retention.

Lastly, don’t forget about the physical dimension, staying focused on your health and wellness throughout your preparation. Deep sleep is required for memory retention and recall, so avoiding alcohol and practicing sleep hygiene will improve your score. I brought a jump rope to my test and stepped out regularly to infuse fresh blood to my brain, vastly improving my focus.

This strategy worked for me to pass on my first attempt; I hope these ideas might work for you.

Here’s how I effectively studied for the CISSP certification, relying solely on comprehensive study materials rather than quick-fix dumps or quizlets. This method ensured a deep understanding of the content required to pass the CISSP exam:

1. Bootcamp: I started my preparation with a rigorous week-long bootcamp (40 hours). This intensive course helped establish a solid foundation and highlighted areas where I needed further study. Even though I had over five years of experience in cybersecurity and over ten years in IT, my practical knowledge was only in specific domains (i.e. Security and Risk Management, Asset Security, Communications and Network Security, etc.). A good bootcamp will expose your weak areas and help you to hone in on where you need to obtain more knowledge.

2. Targeted reading: After identifying my weak spots during the bootcamp, I skimmed the Official ISC2 CISSP Common Body of Knowledge (CBK) specifically focusing on those areas.

3. In-depth study guides: I read the ISC2 CISSP Official Study Guide from cover to cover to ensure a comprehensive grasp of all domains. Additionally, I went through the Eleventh Hour CISSP: Study Guide twice, which is excellent for refreshing your memory due to its concise format.

4. Motivational prep: Before the exam, I watched Kelly Henderhan’s motivational video, “Why you WILL pass the CISSP”. This not only boosted my confidence but also put me in the right mindset to tackle the exam.

This structured approach to studying for the CISSP, which took approximately 6 months and used a mix of reading, practical exercises, and motivational content, equipped me with the knowledge and confidence to successfully pass the exam.

For most people, passing the CISSP exam is the main obstacle. In addition to passing the exam, you must also document at least five years of experience in two or more of the eight CISSP knowledge domains. But don’t worry, if you miss that experience, you can get an associate status while you work on gaining the needed experience. Once the experience is documented, you will get upgraded without the need for a new exam.

You don’t need to follow any official course to sit for the CISSP exam and get CISSP certified, but the feedback from almost all students is that following an official course with an official instructor helps – a lot.

In my experience, there are three critical success factors for passing the exam:

1. Understand the basics of cybersecurity and information technology.
2. Understand how management systems work for the key processes in information security.
3. Be able to apply that knowledge to real-life situations or imagined scenarios.

If you are unable to explain how the encryption in AES actually works, you are still fine with regards to the exam. If you don’t know that AES is a symmetrical algorithm and what it can be used for, you have some learning to do before sitting for the exam. This is just one example. CISSP is not a technical course, but as a cyber- or information security leader, you must know the basic technology you are going to use.

Management systems ensure the quality of the security implementations. Standards like ISO/IEC 27001 contain some of the framework for having measurability and the ability to improve your cybersecurity. There are such standards in almost all areas of cybersecurity. Knowledge of them is key to passing the exam.

The exam itself often asks for “best”, “most” or “not”. The key here is that you are to apply your knowledge and experience to find the right answer. Even if you don’t know a specific answer, you should be able to apply your knowledge to find the right answer through the process of elimination. That means you have to think and not just recall from memory when you sit for the exam.

This is also why many find the exam to be very exhausting. For each question, you need to read the answer alternatives and the question, think – and then answer. The good news is that for almost all questions, there will be two answer alternatives that you can easily eliminate – if you know your cybersecurity – and have read the question properly. Then you spend your time to choose between the two remaining.

And another piece of good news: You don’t need to be 100% right, 70% is the requirement for passing. And to destroy a myth: Time is not a key issue. Exhaustion is. Take breaks, even if the clock is not stopping during the breaks.

When I decided to get CISSP certified, I signed up for local training, but honestly, I learned more independently than in class.

The CISSP is unlike other exams where you can memorize the answers. You must understand the security domains. When I took the CISSP exam, the cloud and third-party risk sections were a big focus. However, these topics were not discussed in detail in the study materials.

I gave myself a deadline, registered for the exam, and spent six months studying. I read all the study materials and did practice questions, but I also kept up with news and new technologies.

I tried to set aside 30 minutes each day to review materials. I read on public transport, at the beach, and pretty much everywhere else. The most significant help arrived via my network. They helped me out with questions and motivated me during these challenging days.

You might be asking yourself – why bother getting the CISSP certification in the first place? It makes you more recognizable to employers who trust people holding the certification. And let’s be honest, they’re more likely to pay you more. So, go for it, good luck!

Earning my CISSP in 1999 was a different experience from today’s process. Back then, comprehensive study guides and boot camps weren’t a thing. We had a two-week course delivered in segments—a week-long session followed by three weeks off, then another week to wrap up. We relied heavily on ISC2’s list of recommended books.

Sitting in that George Mason University classroom in Virginia, I was surrounded by a wealth of information security knowledge, a term not yet replaced by cybersecurity. I wanted to absorb everything. The discussions were phenomenal – a constant back-and-forth exchange of ideas among experienced professionals. I mostly listened, soaking it all in, occasionally contributing my thoughts. This became my learning model throughout my career.

The saying goes, “If you’re the smartest person in the room, you’re in the wrong room.” This held true for me. I actively sought out those more experienced in cybersecurity.

My advice is to start small, find mentors, and become a knowledge sponge. Don’t limit yourself to books—seek practical knowledge as well. Talk to veterans in the field, learn from their experiences, and integrate your ideas as you grow.
