I got asked the other day at work how I studied to pass the Certified Information Systems Security Professional (CISSP) exam back in Dec 2011. While I was relaying my experience, I made a few notes, and I figured it would be good to document the endeavor in a blog post.
I think my main advantage was that I was able to get access to SANS Management 414 class via their self-study content using training dollars from work [direct link for more info]. While expensive, the 'do it on your own time' offering was much better for me than going to a class (which can also be expensive).
One of the other key features that I liked about the self-study offering was that there were separate MP3s of all the sessions plus the online course review material. This allowed me to binge listen to the audio content during my daily exercise, drives in the car, and while on travel (which happened about 5 times during my prep time before the test). The only bad news about all this 'listening' is that when I have a CISSP related nightmare I still hear Dr. Eric Cole's voice.
The package included printed slides for all the material (synced online to the audio feed), covering the 10 domains:
Domain 1 - Information Security Governance & Risk Management
Domain 2 - Access Controls
Domain 3 - Cryptography
Domain 4 - Physical Security
Domain 5 - Systems Architecture & Design
Domain 6 - Business Continuity & Disaster Recovery Planning
Domain 7 - Telecommunications & Network Security
Domain 8 - Application Security
Domain 9 - Operations Security
Domain 10 - Legal, Regulations, Compliance, & Investigation
It also included a copy of the following book: "CISSP Study Guide" by Eric Conrad, Seth Misenar, and Joshua Feldman. Also included was a series of pre-tests, both online and on paper, and then a full practice test that was online.
Other books I used for reference included:
Once I went through all the material one time via MP3/slides, I then determined when there was a class about 16 weeks/4 months in the future and signed up for that one. I found it very useful to have a target date on the calendar to motivate me to block out time for studying. I then spent every Off-Friday from work and ~4 hours each Saturday and Sunday studying the material up to the test week. The test was on Tuesday and I pretty much studied full time Friday, Saturday, Sunday, and Monday before the test. If my math is correct, that was about 250 hours of studying (not including the MP3 material listening, which I continued doing during my exercise, driving, etc. right up to the test).
In addition to the study reference material above, I also took a great deal of practice tests. If there was a test I could take, I took it. My previous experience getting a Windows OS certification and Security+ was that there was a ton of value in reviewing as many questions as possible. This turned into pretty detailed stats tracking of how I was doing and where I needed extra focus. Here is the "final" view of my spreadsheet tracker I set up in Google Docs:
The other thing I did that really helped was that any question I missed during any of the tests I took, I turned into a 3x5 study card. I also kept the cards organized by the 10 major topic areas of CISSP. This helped me really focus on studying the areas that needed the most work. By the end I'm pretty sure I had 400 cards, and on the day of the test all I did beforehand was drill through those cards.
What about the actual test? Yes, it was very hard. Definitely the hardest test I've ever taken. I was the last one to leave, using all but the last 5 minutes before the scheduled end time. I don't know how well I did other than that I passed. And since that was the goal -- mission accomplished!
If you have any additional questions, comments, etc. then please let me know.
[Originally written on 2/24/2012 but updated 2/23/2014]