Having passed the CISSP exam last month it has become clear that many colleagues within my network would be interested in guidance on the resources I found particularly worthwhile when preparing for the exam. Having reviewed a wide range of resources for the exam I hope the following revision strategies and recommended resources prove useful. I have listed audio, video and written resources below. Being a PhD student who thinks herself pretty adept at determining value, this piece may be of particular interest to those who are self-funding. I won’t go into detail about the nature of CISSP (there are many pieces available online which offer sufficient overviews) other than to say you need five years’ experience to gain CISSP status (if you are yet to achieve this you can apply to become a CISSP associate instead). The following represents my personal view and there are no affiliate (money-generating) links on this page.
(Image depicting domains with associated weighting for current (2020) CISSP exam: Guru99.com) Contents:
1. Subscriptions and Courses
3. Recommended Revision Strategy
1. Subscriptions and Courses
There are many ‘bootcamps’ and training courses which will happily provide live/pre-recorded content via content experts. My advice would be that if your organisation has the capabilities to fund you through a course (and the exam) then go for it. If you do not have access to a training budget – don’t fret. A bootcamp is not required by any stretch – the advantage is that a live bootcamp condenses the material into an intense five- or six-day course. I had a redundancy support programme that allowed me to tap into some funds which I used to go towards the exam fee (£560) and the (ISC)2 Online Self-Paced Training (£646). This was the cheapest 'corporate' option by far and if you’re going to choose one anyway – it’s a pragmatic choice.
(ISC)2 Online Self-Paced Training: You have 120 days to go through the content, which is a long series of pre-recorded lectures covering the exam material at your own pace. It was nice to have (particularly direct from the certification body) and explained concepts extremely clearly but takes a lot of time to go through and can be hard to stay engaged if you’re studying in long blocks. Depending on your learning style, I think buying the Study Guide/ Student Guide and watching Youtube videos would be equivalent to this option (and work out significantly cheaper).
'Live' courses: Having looked up a number of live teaching options (London) you are looking at over £3k usually for an in-person course (pre and post-COVID-19, anyway). Firebrand training is an example of a well-reviewed premier provider – with an extremely high price-tag to match (£6,990 as of August 2020). There are other providers (I would recommend checking them via Trustpilot or other review bodies first before making any inquiries).
A word of warning: I would not recommend The Knowledge Academy. They offer the cheapest live courses by far (which first got my suspicions up) and applied arbitrary-sounding time constraints to reduced-price booking when I inquired (attempting to pressure a sale). Doing some digging through (many) negative online reviews, I would be wary of spending over £1k on this course.
Alternative resource platforms: There are two established practitioner-arranged resource platforms: Thor Teaches and Study Notes and Theory. These are much cheaper than the above course providers ($99-$180 one-off or $30 a month respectively) and come with community membership to group chats (see ‘Community Resources’ below).
Online modules: PluralSight, Cybrary and Udemy all host CISSP content. You may be able to access courses via your employer subscriptions (worth a check before subscribing). You may also be able to access to determine if you want to commit to a monthly subscription. In summary: if you are self-funding – I think you can do this simply buying the exam fee and 2-3 books (around £60 total) and relying on many of the freely available resources below.
You can find coursebooks via the usual channels. I would also recommend searching Ebay for second-hand copies. Think about whether you want e-books or physical – a physical book will let you scrawl all over it, while a digital book might let you digitally search for key phrases which will be useful when revising. Note: The exam was updated significantly in 2018. Do not buy books published before this date as the content will designed for a completely different exam structure. The exam will change again in May 2021.
(ISC)2 have the Common Body of Knowledge (CBK) and a Study Guide available for purchase. The CBK is extremely in depth while the study guide is more high-level. I found I did not use the CBK much (it was too high-level) and referred to the study guide to skim through material I was not sure about. For more in-depth coverage I read Shon Harris' guide.
Shon Harris' All-In-One CISSP Exam Guide: 8th Editions. I found this book an excellent resource and likely sufficient to prepare for the exam particularly as it includes over 1400 exam questions. £36 new on Ebay. Extremely comprehensive (as the title implies). Bonus: I have not read Eric Conrad’s 11th Hour but have frequently seen it recommended across forums as a concise test that outlines the core content (and is therefore useful for last-minute revision).
Supplementary Revision Tools
Youtube: There are an incredible number of resources on Youtube and I would recommend this wholeheartedly. A few accounts are dedicated to CISSP content though you can of course always search for technical concepts directly. For example, searches on different cryptographic techniques or VPN architectures are explained by various practitioners on the site. (a) I found Sagar Bansal’s CISSP overview excellent, particularly for technical concepts. His attached timestamps mean you can skip straight to the topic you are interested in (for example: Network Typologies at 6:05:32). (b) Capslock do excellent domain overviews.
(c) Destination Certification do 10 minutes domain mind-map exercises which you can use to mentally check you’ve covered each high level theme.
Audio: I used Phil Martin’s ‘Simple CISSP’ Audible audiobook to listen to a summary of material on the move. This helped me learn while multi-tasking and I would recommend it as a supplementary method (particularly if you have Audible anyway). A drawback is that domains aren’t marked through the audio so you will need to manually add clips to sections you wish to return to / highlight as a domain you want to focus on. Online Community groups: Thor has a popular Discord and Facebook Group (free to join) and Study Notes and Theory has a Facebook Group. I joined both Facebook groups which was useful to see additional practice questions. If you don’t understand why you got an answer wrong, or have questions about course content, these forums are the right places to go.
Flashcards: free on Quizlet (online or via app)
Memory Palace (content summary sheets – link will open the PDF). I found this extremely useful to print out and highlight as part of late-stage, colour-coding for the topic areas which needed extra attention.
3. Revision Strategy
Buy a coursebook before booking your exam. I can’t tell you how many hours/weeks/months you need to revise for as we all have different backgrounds – but you’ll be able to determine an estimate looking over the domain summaries and course content.
· As a VERY rough guide: If you have some time to commit most evenings, it would be reasonable to commit to an exam four-five months from starting the course content. Beyond this, it really depends on your revision style. I ended up cramming a lot in the last fortnight (six-eight hours a day in addition to my PhD/ part-time employment commitments) which is certainly not for everyone.
Start with the domains you are most familiar with. (As a less-technical colleague I chose to learn domains four and six last, which meant I did not forget the material I was least familiar with before the exams).
Be prepared to memorise: whether it’s privacy laws, physical cable capabilities, or network protocols, there will be some aspect of the exam that you will simply need to sit down and memorise. Allow yourself time to do this and draw up some lists/summary sheets to skim morning of the exam.
Extensive exam question practice is essential. It is not just the content that you need to remember; it is the mindset you need to approach the exam. I would thorough recommend (ISC)2’s CISSP Official Practice Test book (which has at least 100 questions per domain and four practice tests. Buying the book gives you access to an online platform to practice the quests digitally).
(a) I did the domain questions in blocks of 10, noting where I got the answer wrong and making sure I understood the rational for the right answer. Doing this highlights your knowledge gaps but also begins to nudge your brain to look at the questions in the right way
(b) Note the correct approach to the exam. Particularly when the exam question asks you for the best or most appropriate answer, you will need to remember that the exam is asking you to answer from a cyber risk management perspective.
(c) Kelly Handerhan’s ‘Why you WILL pass the CISSP’ (16.51 minutes) illustrates this excellently – watch for guidance on how to approach the exam questions
I hope this helps. I won’t go into the ins and outs of the content itself as I know others will have completely different skillsets and strategies approaching the exam. I would say that a commitment to the exam is a commitment to at least a month of intense revision beforehand – and more likely at least three to four months of evening and some weekend work. With the amount of content covered by the material, you will need to work smart as well as hard – repeatedly test yourself on the areas you are weakest in but do some general full-practice tests to avoid complacency on more straightforward domains. Good luck!