Get CISSP Certified: A Self-Study Guide to Success
When it comes to cybersecurity certifications, you have a lot of options, though the Certified Information Systems Security Professional (CISSP) stands out among them—it’s one of the most popular and recognized certifications in our industry, so much so that many companies require it as a prerequisite in their job postings or for promotion.
As such, if you’re a professional already in this industry, or you’re someone who wants to break into this field, you might be eyeing this certification as the right next step. If you are, and you’re beginning your preparation, you’ve landed in the right place.
Having just taken and passed the exam myself, in this article, I will provide details on how I approached the process and prepared for the exam, including what specific materials I used. I succeeded in getting CISSP certified solely through self-study—having read this, you’ll gain valuable insight that could help inform your training and better position you for success.
What is CISSP?
First, CISSP certification requires five years of demonstrable experience in at least two of the eight domains of the CISSP (check the official (ISC)² website for more details). That’s going to require a good amount of technical knowledge that covers these domains from the most basic networking concepts to more advanced topics like Kerberos authentication or wireless encryption protocols.
However, the main goal of the CISSP exam is not to evaluate such expertise—rather, it assesses your capacity to make the best decision after you’re presented with a specific scenario, which could include:
- Selecting a cloud provider based on the needs of a project;
- Securing a building depending on its location; or
- Deciding the budget for a business continuity plan.
While these may sound simple, in most cases, you’ll need to cultivate a specific mindset that will allow you to distinguish between valid and invalid options before determining the best approach.
Different Approaches to the CISSP Exam
There are multiple ways you can do this and learn all the domains needed to pass the exam:
- Some people prefer an onsite or online bootcamp, which is usually completed in a week.
- Others (like me) prefer the self-study path.
What you choose to do will come down to your learning style preferences, your availability to study, and your previous experience. Keep in mind that even though the CISSP bootcamp is a very complete and practical option, you’ll still need to allocate a good number of additional hours to study.
CISSP Study Materials
When reviewing CISSP material, there’s a huge amount out there, and honestly, it is impossible to say which one is the best, but these are the ones I used, in order of helpfulness:
CISSP Official Study Guide by SYBEX
Check to make sure you use the latest edition, but I highly recommend this one—the official book to study for the CISSP.
The Cybrary Course
Covers all the material and conveniently divides it into small videos, allowing you to watch them again if need be. It also uses some good illustrations that help you visualize some of the most advanced concepts—like the steps in the Kerberos authentication process.
Boson Practice Exams
A certification exam simulator that includes a total of six exams with 125 questions each—however, these questions were more technical and didn’t follow the same format as the real exam.
* You will need to purchase the CISSP practice exam on their website, which will give you access to their exam simulator tool that can be installed on Windows.
Mike Chapple CISSP Last Minute Review Guide
A simple PDF written by the author of the CISSP Official Study Guide, it covers the basics of each domain with some nice tables and charts. This helped me to structure all the knowledge and to focus on the most important areas. It only cost around $10.
Internet Searches
Even after reading the official book or watching the videos of the Cybrary course, I found that there were still some terms or specific cases that I didn't understand, but a quick search on the Internet yielded some good illustrations, a variety of explanations from multiple websites, and some real-life scenarios.
(As an extra tip, Reddit is a very good source of information for CISSP—you can find even more people sharing their experience with the exam, as well as the material that they used, which may differ from the above choices.)
How to Prepare for the CISSP Exam
Those are the materials I used, but how did I go about studying them? Again, when you prepare, your previous experience and knowledge will come into play, and your methodology may differ from mine.
But I’ll still tell you the order I consumed my chosen study materials and why it worked for me.
1. The Cybrary Course
Being a visual learner, going over all those videos with charts, tables, and deep explanations using real-life examples helped me to have a first good understanding of all the material while also identifying the areas where I knew I needed more time.
2. The Official CISSP Study Guide
I found it was a lot easier to go over this book once I’d seen those visual images and gleaned a fair understanding from Cybrary. I recommend doing all the practice questions after each chapter and then checking any concepts related to the questions that you failed.
Also, I did go back to Cybrary’s videos again as I read and supplemented both with Internet searches for those concepts where I needed a different perspective.
3. Boson Practice Exams (Optional)
(I am adding the optional label for this one as using them will depend on your budget, time, and knowledge.)
These were my first practice tests, and while the structure of these questions is not like those on the real test, these tests helped me identify those technical concepts that I didn't understand correctly.
My recommended methodology for this one is very simple: take one test, check your results, and go back to study those questions where you didn’t respond correctly (using the CISSP book and Cybrary videos), then repeat the process.
(Something I really liked about Boson was the amount of feedback that it provided on each question—you could feasibly learn everything related to the topic from the simulator alone.)
4. Official CISSP Guide Alternate Materials
Having already read through the thorough technical concepts in this guide, I doubled back to the rest of its online assets, starting with a quick review of the flashcards and then the practice tests. My strategy was the same as with Boson—take one at a time, review those questions that I missed, and study more in those weak areas.
When it comes to these practice tests—and those from Boson—don’t take multiple tests in a row without a new study session. Remember, you’re not trying to beat the test simulator; rather, the idea is to understand the areas that you need to focus on so you can shore up your knowledge base.
So, if you do a test and score just 30% or 40%, you likely still don't understand most of the content, and you should spend additional time reviewing the book and watching the videos again. As you only get a limited number of practice tests, it’s not wise to try another test after spending just a few minutes on further study—you may even need to pivot to other study material altogether to nail the concepts before taking another practice go.
5. YouTube, Mike Chapple CISSP Last Minute Review Guide, and Audio Reviews
At this point in my preparation though, I felt good about my technical standing and so I started using some YouTube videos to help memorize some of the tables and names that were unique for the CISSP exam. I also went back and downloaded the CISSP Study Guide audios and listened to them while driving or cooking. For further supplement, I read the last-minute review guide I mentioned.
As for YouTube, here are some videos that I highly recommend—despite being a bit old, they helped with my mindset. I recommend watching these after finishing all your studying:
What to Expect from the CISSP Exam
Some people say that you need to score at least 90% on a practice test to be ready for the real exam, but to be honest with you, I only scored that number after studying and taking some of the tests multiple times.
When it came time for the real thing, I found that it was a total of 125 to 150 questions (twenty-five of them unscored) to be completed in a maximum of three hours. Question formats included:
- Multiple-choice with a single correct answer (the majority). Some were very straightforward while others were a little more challenging: a question may present a specific scenario, and you need to select the best answer that applies to that scenario based on the information provided.
- True or false
- Drag-and-drop, where the choices needed to be ordered correctly
Example Question and Suggested Answer Process
You come back home, which is located in a community with a Homeowners Association (HOA), after working the whole day, and you find that your cat is on the top of a tree that you have in your backyard. What will you do next? (Choose the best answer)
- Call rescue (911) so they can bring your cat down.
- Cut the tree.
- Buy a new cat.
- Wait for the cat to come down.
All these answers are valid to an extent, but again, it’s about selecting the best one using the details you’re given. In this case, note that the house is located in a community with an HOA. And, as your technical knowledge would come into play for an actual CISSP question, here you also need to understand what a community with an HOA is, what a cat is, what a tree is, and, finally, what calling rescue means.
Cutting the tree or buying a new cat sound very extreme, and while calling rescue could be a good option, is the tree so high that you really need to? Especially since we know that this community has an HOA, and HOAs often put stipulations on what you can do, including with trees. So, in this case, waiting for the cat to come down sounds like the best option.
Questions requiring a similar methodology will be presented on the exam—remember that you’re a manager or a risk assessor, not a technician when selecting the best one based on the situation.
CISSP-CAT’s New Format
But there are even more important things to keep in mind about this new CISSP exam format as (ISC)² has introduced Computerized Adaptive Testing (now known as CISSP CAT):
- The difficulty of the questions will increase as you respond to more questions correctly.
- The test will present you with random questions at the beginning but later focus on those domains where you didn’t respond correctly. This is advantageous in a way since you’ll have the opportunity to try again with a different question to successfully demonstrate your knowledge in that domain.
- After each question, the test will reassess your chances of passing, and if it determines you won’t, it’ll end automatically. The same also applies in reverse (if you reach the threshold to pass).
Keep in mind that the CISSP exam is always receiving updates, so please check the (ISC)² official website for the most up-to-date information about the exam.
Achieving Successful CISSP Certification
I made the decision to forgo bootcamp and take the exam having studied on my own after speaking with some of my colleagues, all of whom told me that I’d need a good amount of studying, bootcamp or not. Since I had almost ten years of experience in the information technology and cybersecurity fields—giving me confidence regarding the majority of the CISSP domains—and I’m not a big fan of the invisible pressure that comes with taking a test after completing a bootcamp, I opted to take my time and navigate the material on my own.
But keep in mind that each of us is unique, and even if this methodology and these study resources worked for me, it doesn't mean that they will work for you—it’ll be most important for you to find a learning method that works for you.
Good luck with the CISSP exam—it’ll be a lot of time spent, but worth it to add such a distinguished certification to your marketable tools and competencies. If you’re looking for other ways to expand your skills, check out our other content that explores other certifications and methodologies:
About Rene Guerra
Rene Guerra is a Manager and Penetration Tester with Schellman based in Florida. In this position, Rene leads test efforts against clients' web applications, networks, and employees through social engineering campaigns. Before joining Schellman, Rene worked as an IT Manager and IT Specialist, specializing in networking and infrastructure. Additionally, Rene works very closely with the new Pen Testers to train and mentor them.