Monday, May 5, 2014

CISSP - Passed exam in 2 months and at the 1st attempt

My journey to the CISSP certification started almost a year ago, with my wish to prove my experience and competency in Information Security.

My first decision was to go for the CISM certification, which, as its name says, is for people who aim to become Information Security Managers. I did my research, joined ISACA and the local chapter, and ordered the book. Once I had the book in hand I was very enthusiastic to find out what was inside, and my first disappointment dates back to that moment. It was a book of 250 pages, very dry and not really meant for a person coming from a technical background. During the first week, my record was 4 pages before falling asleep on the book, and that for 6 days in a row. On top of that, after that week I had retained almost nothing of what I had read so far, so I decided to take things a bit easier.

When I shared my experiences with a colleague, he told me about CISSP, which seemed to be a more complete program, covering both the technical aspects of Information Security and Information Security Management. When I read more about CISSP, I was convinced that giving CISSP the first chance would be a better idea, and I very slowly started reading about it.

An interesting series of events made me leave the company I was working for, creating the ideal environment for me to spend more time on my personal development, including the certifications for which I had really not been able to spare time and focus. So I started studying seriously for CISSP at the beginning of March 2014.
At the beginning, finding the right resources to study was very important. There are tons of resources both for studying and for practice tests, and if you are like me, meaning you always want to be 150% sure of what you are doing, that can be very confusing. The Techexams.Net forum on CISSP was a great place to follow, as many people who were about to take the exam or had already passed it share their experiences there, creating a very nice community. I would definitely suggest that you follow that forum if you need guidance or a second opinion (even if you do not need anything, go and read! :) )

After reading people's comments, I decided to use the famous All in One (AIO) 6th Edition book from Shon Harris to study. Many people find that book overly detailed, dry and full of bad humor (I personally would not be that harsh), but like it or not, the book explains everything you need for CISSP simply enough for a 5-year-old (that's the way I like it; that's a shame, but I admit it). I can even say that although many people insist that the best resource for CISSP is naturally ISC2's Official Guide, the bible of CISSP is the AIO book. You can definitely count on it and use solely that book to pass the exam... if only you have that much time and that much interest in detail, which I had neither of.
At that moment Eric Conrad's CISSP Study Guide 2nd Edition came as a life saver: it is half the page count of the AIO and a lot easier to read, with very nice examples (I will never forget the Object Oriented Programming concepts thanks to that perfect example). That book helped me cover all 10 domains in a month.

So by the beginning of April I was finally able to test myself with practice tests covering questions from all domains, to get an overall picture, which also encouraged me to take some full-length practice tests within a very short period. So basically, what I did during April was at least one full-length test per day, followed by evaluating the wrong answers to understand why I was mistaken. Surprisingly, from the beginning till the end, no matter what test engine I used, I was constantly scoring in the 79% to 81% range. By mid-April I was confident enough to schedule the test for the last week of April or the first week of May. Some domains were really tough for me because I did not have specific work experience in them (almost nobody can have, I believe), and the reasoning behind some answer choices was not logical or clear. You will also meet such situations quite often. My advice is to listen to yourself, built from your own real life experiences, and to the voice of common sense in such situations, instead of what book A or book B says (there are surprisingly many points on which they disagree, which is also why using more than 2 books is distracting and confusing).

Be careful about selecting the date and the test center, because, as in my situation, you may make plans to take the exam next week without making any arrangements (of course making arrangements is a bit scary; the exam costs 520 euros or USD, which is nothing to joke about) and then find out that the only test center in your city is fully booked for the next 2 months.

So I finally made up my mind and booked the test in the nearest city for the first week of May. No matter how much you study, and after reading the experiences of many different people with totally different backgrounds, you will never be sure enough without having taken the exam once.
Many people who took the exam say that having a managerial (high-level) mindset when dealing with the questions is essential and that most of the questions are long and scenario-based... I respect them, but that is not what I think. First of all, in my short working experience of 10 years, I have never seen a manager interested in that level of technical detail; most of the stuff in the exam is very technical indeed. And secondly, in my opinion the scenario-based questions are not like what you have seen in the AIO book; they are very short, easy to get ones and cover only a very limited part of the exam, so relax.

Finally I went to the nearest city (500 km away) and sat the exam. After the first 20 questions, I already knew that I was going to pass, because it was not that different from what I had seen in the practice tests. I was already thinking about my blog entry on passing the exam during the exam itself, which I would not suggest to anyone :). It took me 4 hours to answer the 250 questions in one round and 30 more minutes to revise the 25 flagged questions, including the breaks. One's ability to handle questions decreases greatly over the course of the exam; in the last 30 questions or so, I remember myself reading the same short question 3 or 4 times. If your proctor is not an annoying person, take a break of at least 5 minutes every hour. What I mentioned is even more valid for those whose native language is not English: the time to answer a question literally increases exponentially. My right eye was f..ked after carefully staring at the screen for almost 5 hours, and I still had 5 hours to drive back home at night.
So to sum up, if someone asked me for a prescription for passing the exam, I would say:

Read
  1. AIO 6th Edition from Shon Harris (do all the tests in the book)
  2. CISSP Study Guide 2nd Edition from Eric Conrad (again, do all the tests)

Study
The equivalent of at least 150 hours, including the reading sessions, in dedicated mode (another clue :) )

Practice
  1. The software included with the AIO book (Total Tester, the best resource IMHO)
  2. Eric Conrad's 2 free full-length tests
  3. Cccure.org's paid practice tests (just because everyone else does it IMHO)
  4. McGraw Hill's free practice tests

Know
Cornerstone concepts that one sees everywhere and every day, such as Business Impact Analysis, System Development Life Cycle, BCP/DRP, Incident Response Plan, Risk Analysis and Assessment. Do not memorize the steps, but know the flow, the logical order.

Don’t
Memorize the Orange Book levels :)

I wish all of you good luck in your quest to pass the exam, and I will definitely keep my blog alive with Information Security related articles which can be useful for CISSP preparation.