The CISSP is a difficult certification that requires five years of experience to qualify for it, yet it is often used as an entry-level milestone for infosec jobs. It's OK if you don't have five years of experience (or four years plus a qualifying degree), because you can still pass the CISSP exam and become an Associate of ISC2 until you meet those requirements. Last year I got a job that required it, but I was lucky in many regards: I had access to training materials from co-workers, a boot camp paid for by my job, and a couple of years of master's-level classes under my belt. In spite of all that, I studied everything I could, and here is a little bit about what I did.
First off, I had the audio recordings of the CISSP All-in-One Exam Guide by Shon Harris, and though the material is a little outdated, they were great. I read the Sybex CISSP study guide and used the Sybex CISSP practice tests. I also watched some Cybrary videos at work to shore up my weakest areas, cryptography and compliance. Finally, to mix things up a little, a few weeks out from the test I picked up the Eleventh Hour CISSP study guide, because it is designed as a review rather than a full study guide, and it is beneficial to read a fresh take on the material. (This paragraph contains Amazon affiliate links. Find out more here.)
I would start by listening to chapter 1 of the audio series during my commute to work. At work, during breaks or while eating lunch, I would watch a video or two on a specific topic, or answer some practice-test questions on chapter 2. On my commute home I'd listen to chapter 3 of the audio series. In my free time at home I would read the book and answer questions from chapter 4. I organized my study like this not only to cover each topic but also so that the information would stick and wouldn't get stale. This method worked for me, but your mileage may vary; either way, change up what you study or it will get boring quickly.
Change your mindset
The most important advice people gave me about the test was two-fold. First, the test takes a change in your typical mindset: for most tests you study everything as deeply as you can to become an expert. This test is only an inch deep and a mile wide, as they say, so you don't have to be an expert in everything; be familiar with the basic terms and applications, and go a level deeper from there. I was weak on crypto, and I still don't have it all memorized, but I knew the difference between asymmetric and symmetric encryption, how Kerberos works, and that SHA-2 is stronger than SHA-1. I focused more on learning compliance and international law because I had little experience there.
Second, another shift in mindset for most of us taking the test is that you have to look at the questions from the perspective of the people who wrote them. On many questions two or more answers will be correct, and you have to choose the one that is most correct. This usually means the answer from the management perspective (implementing a policy from the C-level rather than from middle management) or the answer that would have the largest impact (instituting a company-wide anti-spam training initiative rather than purchasing a new spam filter for internal e-mail only).
Check out part 2, where I cover the boot camp class I attended as well as the actual test itself.