
20 Tips For Passing the CISSP

March 9, 2017

Luke Ahmed

More than helping folks pass their CISSP, I like reading about their study experiences after passing the exam even more!

Here is a collection of some great quotes from those who already cracked their CISSP and shared their experience!

- The keys to passing this exam are 2 things: 1) how bad you want it, and 2) the force behind you (your wife/husband, your family, your sons/daughters, your friends, love, a better position, a rise in salary, a better world… the list can go on and on… you have to find yours) – How Eduardo Cracked His CISSP Exam!

- Well, there's one thing in this world that has the ability to change our whole life in an instant. It's action. The secret to getting ahead in this world is first getting started. This is my first tip for you: MAKE A REAL DECISION! It's not a half decision, a more or less decision. You need to have a different mindset for this test. My second tip: schedule your exam right now. Believe me, you will begin to take your studies seriously when you schedule your exam – How Matheus Cracked His CISSP Exam

- Inter-domain knowledge is a must. In the scenario-based questions they may include more than one domain. – How Amit K. Cracked His CISSP Exam

- As others mentioned, the first 15-30 minutes or so were the most stressful, as you begin to get acquainted with what you are expected to do. Then, if you are well prepared, you will begin to see the pattern. It's an exam that will make you discover things that you would not have been able to tackle without the intense reading, note-taking and practicing. It's really an exam that tests your limits in terms of knowledge, management of time and common sense as a manager. – How Irshaad Cracked His CISSP Exam

- You will be able to eliminate 2 options easily; selecting the correct answer of the last 2 would depend on your comprehension skills in understanding the question and how fast you recollect the asked topic – How Viral Cracked His CISSP Exam

- CISSP is the COMMON LANGUAGE which security folks speak throughout the world! And the easiest method to learn any language is to surround yourself with it. – How Mohammad R. Cracked His CISSP Exam

- I referenced many question banks and did almost 6000+ questions, and it was not only clicking the question and seeing whether the answer was right or wrong; I used to read the explanation even if I chose the right answer, because once you read the explanation your concept becomes concrete, and if it's wrong then it will become a beacon of information for that concept. – How Rahat Cracked His CISSP Exam

- I read the CBK in full, Sybex about half, Cybrary videos, 1 boot camp, then some online searches and a few units from here and there, around 2500 questions from CCCure and another 3000 probably from other sources, review questions from books + Eric's book – How Mudit Cracked His CISSP Exam

- I would recommend that you schedule your exam on a Monday or Tuesday. Take Friday and Monday off to tie up loose ends that you are still shaky on, watch Kelly's video, and maybe take one more practice exam. But be careful – a solid practice exam will take a lot out of you, so do it at least 48 hours before your real exam to rest appropriately – How Claudia Cracked Her CISSP Exam!

- Advice: Don't fear the exam. If you have learned the basic concepts you can pass. Don't spend time memorizing the numbers – How Jey Cracked Her CISSP Exam!

- The week before the exam I took the week off from work. I reviewed the chapter summaries and did the end-of-chapter exams in Shon's book. Of course this helped me to see what my weak areas were, so I'd then reread those sections of the chapter. I also used this time to take one or two 250-question practice exams each day. This was useful for me to know that I can sit for hours for a full exam. Typically I was completing these full practice exams in 2 to 3 hours. Of course any questions I got wrong meant it was an area I needed to study more – How Thomas Cracked His CISSP Exam

- All tests are different, so I do not think there is any magic idea of what to make sure you know. Study all of the domains, understand them, and remember you will need to apply the knowledge when answering questions. I recommend doing the practice tests and trying to be proficient in each domain. I was scoring about 80% average on most of the domains except my weakest (Security Engineering), where I was scoring about 70-75% – How Lisa Cracked Her CISSP Exam!

- I would recommend covering all 8 domains. There are no top 4 domains. You need to make sure you have practiced at least 3 tests of 6 hours before facing the real exam; otherwise the exam will be very exhausting for you – How Parvez Cracked His CISSP Exam

- I started my preparation around the middle of December and took almost four months to clear the exam. The exam is all about 50% preparation, and the rest is your day-to-day experience in security domains, some logical thinking, strategies during the exam and your temperament. I practiced almost 6000+ questions but the real exam was completely different. Practice helped me in understanding and retaining the concepts and so is important – How Ajeet Cracked His CISSP Exam

- Pick a book. Be loyal. Read it end-to-end. Do NOT skip any pages: Like most people, I'd always think it'd be nice if there was just one book that I could study end-to-end to clear the exam. The answer is "Yes, there is one book – ANY BOOK." All the authors out there are very knowledgeable people who have put years of research and study into their "copyrighted" works. The answer you must seek is which author's style suits you best. To get an idea about that, just pick a random topic – Kerberos, for example – and read it from all the options available. Whichever option suits you best, read it. But be advised, the universe judges your loyalty – How Rishi Cracked His CISSP Exam

- Kelly does an excellent job, by the way. After completing the reading I would keep logs in a book of my quiz results so I could go back and KNOW where I stood with a given domain. I then read Eric's 11th Hour (10-domain format) and listened to his podcasts. While reading the 11th Hour I joined a Facebook group called "CISSP Study and Theory" and would answer questions others posted as well as post my own. This gave me confidence to schedule the test and a general idea of where I stood (knowledge-wise) compared to those who have passed, and others who plan on testing soon – How Robert Cracked His CISSP Exam

- After you complete your readings/videos, download quick notes of any kind: Sunflower, CCCure notes, whatever. Read them. Try to mark all definitions unknown to you. Drill into these words (techs, practices, laws, processes, etc.). For success, you should not have unknown definitions. You should want to know what the meaning of this thing and that thing is. What are the cons and pros of this thing? What is better, thing1 or thing2? Why? – How Oleg Cracked His CISSP Exam

- As many have already said, don't waste time learning lists. You probably won't see any. Learn the concept. Think of the answer that fixes the problem permanently, and not temporarily. Pay attention to the MOST, FIRST verbiage in the questions, and keep a managerial perspective. Every decision must be based on RISK MANAGEMENT. Read the question, read the question and then re-read it. Try and learn what is the best and worst of something and why. E.g. what is the best symmetric encryption, what is worse. Why? – How Andy W. Cracked His CISSP Exam

- Last but not least, I am very thankful to StudyNotes AndTheory for this platform and for all the posts he puts up summarizing the hard-to-understand topics, and to Ahmed for the wonderful WhatsApp group he manages. You guys played a major role in helping me make the right choices throughout this journey – How Mohammed Cracked His CISSP Exam

The Core CISSP Concepts

CISSP is a conceptual exam that needs a reasonable, prudent person with a managerial mindset. CISSP candidates need to build their mentality around the following general bullet points and apply them to each and every domain. The list is by no means a full list; you are kindly asked to add your comments, or debate and contradict those listed, so as to build a more solid mindset for the exam and for real career life as well.

The list below is written by me from my humble experience in info. sec. and from the CISSP study guides and expert inputs and ideas:

- Security can never and should never preempt safety. People are the most important asset in your organization.

- Info. sec. people are not the ultimate decision-makers; it suits them accurately to be described as reflectors who present their recommendations to senior management regarding security initiatives.

- Senior management, on the other side, are ultimately responsible for approving, steering and overseeing security projects within their corporation.

- Security people should always be prudent, take initiatives and see what other people can't see.

- Your organization is not here merely to invest in security; it is in the market ONLY to make profit, and security is just another function subject to ROI calculations. So your controls need to be evaluated against these ROI calculations, so that only the most cost-effective controls are selected.

- Security is all about maintaining the CIA triad; threats/risks against this triad should be assessed all the way down the security journey.

- Security is a PROGRAM which is broken into PROJECTS. You cannot treat security as merely a project.

- Your internal staff is the deadliest threat to your security; be aware of them.

- There's NO way you can totally eliminate risk; you will do your best to mitigate it in the most cost-effective manner.

- Be it a technical control or a physical control, building those controls around defense-in-depth methodologies is always the best thing to do for your organization.

- Complexity is security's biggest enemy. Make it simple.

- You cannot install a firewall in your back server room and call it a day: "we're safe now". Planning, planning, planning. A security program without a plan is just a mess, an ad-hoc kind of thing, that leads only one way: to a false sense of security.

- Risk assessment is about identifying threats and vulnerabilities to determine appropriate security controls, while risk analysis provides a cost/benefit comparison of security controls (this is where qualitative/quantitative concepts apply). However, only senior management will agree on those controls. Our part is to hand it to them.

- You can't tell your senior management "we are facing XSS attacks on our infrastructure so we need an application layer 7 firewall"; senior management only understands figures, numbers and charts.

- Every and any member of your organization is part of your security program umbrella (from the security guard up to the CEO).

- Relativity, as it applies to physics, also applies to info. sec. Security goals for military missions can't be the same as those of pizza restaurants. Also, the CIA triad is relative to each organization, e.g. military facilities care more about the "C" of the triad, while finance and call centers care more about the triad's "I" and "A" respectively, and so on.

- Security needs to be periodically (preferably annually) audited and refined. Sometimes your biggest enemy would be the "false sense of security".

- Training and awareness on security should be part of the security program and should never be underestimated.

- Compliance with the country's laws and legislation surpasses compliance with the company's.

- Ethics and morals are what make a security guy a security guy.
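As an added worked example (not part of the original notes), the quantitative cost/benefit comparison that the ROI and risk-analysis bullets above describe, using the standard CISSP formulas SLE = AV x EF and ALE = SLE x ARO; the asset figures, rates and control names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    asset_value: float       # AV: what the asset is worth
    exposure_factor: float   # EF: fraction of AV lost in one incident (0..1)
    annual_rate: float       # ARO: expected incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # yearly cost to buy, run and maintain it
    residual_ef: float       # EF once the control is in place
    residual_aro: float      # ARO once the control is in place


def sle(av: float, ef: float) -> float:
    """Single Loss Expectancy: loss from one occurrence (AV x EF)."""
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized Loss Expectancy: SLE x ARO."""
    return sle(av, ef) * aro


def control_value(risk: Risk, ctl: Control) -> float:
    """Net value of a control: (ALE before - ALE after) - annual cost.
    Positive means the control saves more than it costs per year."""
    before = ale(risk.asset_value, risk.exposure_factor, risk.annual_rate)
    after = ale(risk.asset_value, ctl.residual_ef, ctl.residual_aro)
    return (before - after) - ctl.annual_cost


def select_control(risk: Risk, candidates: List[Control]) -> Optional[Control]:
    """Return the candidate with the highest positive net value, or None
    when no candidate pays for itself (i.e. the risk should be accepted)."""
    best_value, best = max(((control_value(risk, c), c) for c in candidates),
                           key=lambda pair: pair[0])
    return best if best_value > 0 else None


# Constructed sample figures (not from the page): a web application worth
# 500,000 that is defaced (EF 0.2) about twice a year with no extra control.
WEB_APP = Risk(asset_value=500_000, exposure_factor=0.2, annual_rate=2.0)
CANDIDATES = [
    Control("web application firewall", 40_000, residual_ef=0.2, residual_aro=0.25),
    Control("full application rewrite", 250_000, residual_ef=0.1, residual_aro=0.1),
    Control("accept the risk", 0, residual_ef=0.2, residual_aro=2.0),
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c.name:26s} net value per year: {control_value(WEB_APP, c):>10,.0f}")
    chosen = select_control(WEB_APP, CANDIDATES)
    print("Most cost-effective:", chosen.name if chosen else "none; accept the risk")
```

The figures, not the control's technical merits, are what the management presentation carries: here the firewall nets 135,000 a year while the rewrite costs 55,000 more than it saves.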

NIST Special Publication Documents Relevant to the CISSP CBK

SP 800-12 - An Introduction to Computer Security

SP 800-14 - Generally Accepted Principles and Practices for Securing Information Technology Systems

SP 800-30 - Risk Management Guide for Information Technology Systems

SP 800-34 - Contingency Planning Guide for Information Technology Systems

SP 800-86 - Guide to Integrating Forensic Techniques into Incident Response

SP 800-88 - Guidelines for Media Sanitization

SP 800-137 - Information Security Continuous Monitoring

SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

SP 800-145 - The NIST Definition of Cloud Computing

Types of Access Control

Access controls are necessary to protect the confidentiality, integrity, and availability of objects (and by extension, their information and data).
The term access control is used to describe a broad range of controls, from forcing a user to provide a valid username and password to log on to
preventing users from gaining access to a resource outside of their sphere of access.

Access controls can be divided into the following seven categories of function or purpose. You should notice that some security mechanisms can be
labeled with multiple function or purpose categories.

Preventative access control A preventative access control is deployed to stop unwanted or unauthorized activity from occurring. Examples of
preventative access controls include fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data
classification, penetration testing, access control methods, encryption, auditing, presence of security cameras or closed circuit television (CCTV),
smart cards, callback, security policies, security awareness training, and antivirus software.

Deterrent access control A deterrent access control is deployed to discourage the violation of security policies. A deterrent control picks up
where prevention leaves off. The deterrent doesn't stop with trying to prevent an action; instead, it goes further to exact consequences in the event
of an attempted or successful violation. Examples of deterrent access controls include locks, fences, security badges, security guards, mantraps,
security cameras, trespass or intrusion alarms, separation of duties, work task procedures, awareness training, encryption, auditing, and firewalls.

Detective access control A detective access control is deployed to discover unwanted or unauthorized activity. Often detective controls are
after-the-fact controls rather than real-time controls. Examples of detective access controls include security guards, guard dogs, motion detectors,
recording and reviewing of events seen by security cameras or CCTV, job rotation, mandatory vacations, audit trails, intrusion detection systems,
violation reports, honeypots, supervision and reviews of users, and incident investigations.

Corrective access control A corrective access control is deployed to restore systems to normal after an unwanted or unauthorized activity has
occurred. Usually corrective controls have only a minimal capability to respond to access violations. Examples of corrective access controls include
intrusion detection systems, antivirus solutions, alarms, mantraps, business continuity planning, and security policies.

Recovery access control A recovery access control is deployed to repair or restore resources, functions, and capabilities after a violation of
security policies. Recovery controls have a more advanced or complex capability to respond to access violations than a corrective access control. For
example, a recovery access control can repair damage as well as stop further damage. Examples of recovery access controls include backups and
restores, fault-tolerant drive systems, server clustering, antivirus software, and database shadowing.

Compensation access control A compensation access control is deployed to provide various options to other existing controls to aid in the
enforcement and support of a security policy. Examples of compensation access controls include security policy, personnel supervision,
monitoring, and work task procedures.

Compensation controls can also be considered to be controls used in place of or instead of more desirable or damaging controls. For example, if a
guard dog cannot be used because of the proximity of a residential area, a motion detector with a spotlight and a barking sound playback device
can be used.

Directive access control A directive access control is deployed to direct, confine, or control the actions of subjects to force or encourage
compliance with security policies. Examples of directive access controls include security guards, guard dogs, security policy, posted notifications,
escape route exit signs, monitoring, supervising, work task procedures, and awareness training.

Access controls can be further categorized by how they are implemented. In this case, the categories are administrative, logical/technical, or
physical.

Administrative access controls Administrative access controls are the policies and procedures defined by an organization's security policy to
implement and enforce overall access control. Administrative access controls focus on two areas: personnel and business practices (i.e., people
and policies). Examples of administrative access controls include policies, procedures, hiring practices, background checks, data classification,
security training, vacation history, reviews, work supervision, personnel controls, and testing.

Logical/technical access controls Logical access controls and technical access controls are the hardware or software mechanisms used to
manage access to resources and systems and provide protection for those resources and systems. Examples of logical or technical access controls
include encryption, smart cards, passwords, biometrics, constrained interfaces, access control lists (ACLs), protocols, firewalls, routers, intrusion
detection systems, and clipping levels.

Physical access controls Physical access controls are the physical barriers deployed to prevent direct contact with systems or portions of a
facility. Examples of physical access controls include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protections,
laptop locks, swipe cards, guard dogs, video cameras, mantraps, and alarms.
