CISSP prep reality check, what does ISC2 actually test in the actual exam?

Hi everyone,

I am currently preparing for the Certified Information Systems Security Professional (CISSP) exam and wanted to hear from people who have taken it recently. I am trying to understand how the exam is structured today and what areas matter most. A few things I am curious about:

  • Is the exam more focused on security management thinking or deep technical implementation?

  • How important is it to think in terms of risk, governance, and architecture decisions?

  • Were there any domains that felt more emphasized or tricky than expected?

  • Which study resources helped you align with the exam style and mindset?

Any recent experiences or advice would be really helpful.

While I passed a while ago (2018), my resources and study method still apply. The CISSP is a very static test…

NOTE: I am not telling you to buy any product or use any resource, but I will list the ones I actually used.

Here were my primary study resources:

1.) Kelly Handerhan. This is STILL one of the best video preps for the exam. Kelly puts the focus on being a MANAGER and not a practitioner, which is where your focus needs to be.

2.) Get the right mindset:

3.) I used the following test engines:

N2K right here on Cybrary
Pocket Prep (excellent question bank)
Boson (CEH level garbage, avoid)
Thor Pedersen Tests on Udemy (annoying questions, just like the real ones)

4.) Study method (the KEY to passing)

With the N2K and Pocket Prep tests I would study one domain at a time until I was scoring >>>95%<<< or more every time. I would conquer a domain in N2K first then switch to the same domain in Pocket Prep, then back to N2K, and then back to Pocket Prep to make sure the knowledge was sticking. I would also take tests made up of only wrong answers to ensure I was remembering what I learned.

When starting out I would take 2-5 25-question tests a day in learning mode (so you get immediate feedback). Every time I saw a question I would try to recite in my head what the right answer is, why it was the right answer, and why the other answers are wrong. You will gain a LOT of knowledge doing this. I would then take a Thor Pedersen test to shake things up.

When all domains were mastered I would start to take 1-3 50-question tests a day across all domains. Again anything under 95% was FAIL for me. I would test 2-3 hours a day ramping up to test day.

5.) What I learned by taking the actual test is that ALL the test preps above think that the CISSP is a practitioner’s exam. You need to know the processes and lifecycles as much or more than the technical information. So know this document like the back of your hand:

(With thanks to the late Fadi Sodah, who created the process guide)

6.) Avoid brain dumps. There are no good brain dumps for the CISSP. I am not morally opposed to brain dumps as a final check after you have mastered the material, but they will do more harm than good for this test.

7.) Now to the question asked: what does the CISSP actually test? They test your 5 or more years of real world work experience managing a security operation (risk management, asset security, secure architecture, network security, identity management, testing, operations, and software development).

The questions are written in such a way as to make you doubt your sanity. There will seem to be multiple right answers or no right answers, but there is always one best answer, and that answer will always align with a manager's mindset and life cycle best practices.

For example:

All good answers, but there is only one BEST answer.

Or this…

Only one of these answers has a magic word in it. That magic word is almost always the answer.

Or this…

If you have never worked with a vendor on security compliance, this one could be tricky.

I found this recent article moderately useful for thinking around the questions:

Note: It’s AI generated, but still worth a read.