CISSP Study Resources
Material and resources for pursuing CISSP certification!
This is my collection of resources, study materials, notes, and advice gathered as I worked towards certification. Happy to say I passed the exam at 100 questions in April! I will continue to update this repo as I have time with additional items that helped me pass.
Because there is so much material available, when you start out it can be a bit daunting to know where to begin, and what really merits your time and effort. No compilation is exhaustive, but my goal is to put together information that will be useful and encouraging to you as you undertake this effort. At the least, it provides a list of resources, tests, and reference material to review.
My study notes/guides are based on the 2021 Official Study Guide, 9th edition (“OSG-9”). For an overview of what’s been added and changed in 2024+, take a look at Destination Certification’s CISSP 2024 Exam Changes.
Feel free to share this repo or any of the resources if you find them useful. Tell me about mistakes or improvements you think should be made! Connect with me on LinkedIn.
Table of contents
- Overview of CISSP exam and content.
- Reference Material including books, articles, courses, videos, and test banks.
- My Study Guides By Domain built as I’m progressing through the reference material.
Overview
There is a lot of information on the CISSP exam available, including from (ISC)², associated & third-party instructors and authors, as well as guides put together by those in preparation. If you’re just starting out, I’d recommend the Sybex Study Guide and Practice Test bundle (note that I get a small commission for purchases made through Amazon links).
- Who is qualified to obtain the CISSP certification? Candidates must have a minimum of five years of cumulative, paid work experience in two or more of the eight domains of the CISSP CBK. Earning a four-year college degree (or regional equivalent) or an additional credential from the (ISC)² approved list will satisfy one year of the required experience. Pursue the Associate designation if you have less experience than that.
- Think like a CEO. The CISSP is a management-level certification. You’re expected to understand concepts, and to be able to synthesize and apply them across knowledge domains. Thinking like a manager or the CEO means that you are a business enabler, finding solutions that reduce risk in a cost-effective manner. It means answering test questions from a management or ownership point of view. What choices maximize business outcomes? The board and senior management are relying on you to put security issues and options in business language, work to reduce risk, provide the governance and controls that will help the organization fulfill its mission, and achieve its goals. You are accountable (have ownership) for this process.
- Test-taking strategies
  - Take practice tests (see references below), and time yourself. You should get comfortable with the process and the exam’s proclivities (e.g. you can’t skip a question and go back to it, so answer and move on).
  - The number of questions has dropped from 125-175 (2021) to 100-150 (2024), and the time given to take the test has dropped from 4 to 3 hours, which leaves a little less time per question (from 1.4-1.9 minutes (2021) to 1.2-1.8 minutes (2024)). Each domain accounts for between 10-16% of the total score.
  - Try reading the question without looking at the answers. In a perfect world, what is the best solution to answer the question or resolve the scenario? I found it helpful to skim the question, and then re-read it looking for key words (MOST important, BEST option, etc.).
  - Now that you’ve read and processed the question, look at the potential answers. Remember that IRL, you might be able to apply several answers to satisfy the question. But in the test, you can only choose one! In other words, if it were your money or time being spent, which one provides the most “bang for the buck”? Argue with each potential answer: does it meet all requirements in the question? Are any other answers more efficient for time and cost? Does one answer encompass the others?
  - If you have no idea what the answer is, you can generally eliminate at least two answers by thinking about the language used in the question. For instance, the question could be asking for a technology, and two of the answers are about process. Try to avoid answers with absolutes. If you’re still stumped, look for one answer that stands out because it’s not like the others.
  - Remember that the first priority for any incident is saving human life.
  - You can pass/complete or fail within the first 100 questions. If you go beyond 100, you are somewhere in between.
  - Finally, believe in yourself. Know that you are able to accomplish this! Trust the process: your study and preparation will pay off.
- Questions to ask on Material Coverage: common challenges during exam preparation relate to things like finding best resources for the way you learn, and staying on track. There is a large amount of preparation required to be ready for the exam, and it can be tough to know if you’re covering the right material, in enough depth, and at the right pace. It can also be challenging to stay accountable during your preparation.
- Ways to tackle this challenge include staying in touch with others in the community who are also preparing to take the exam (see General & Communities section below). Ask yourself how different concepts relate, and look for areas across domains that are referential. Use test banks to find areas where you need further study.
- Questions to ask on learning resources: aligning resources with the way you best learn is important. For me, reading, and writing out concepts helps me internalize them. Audio or videos help reinforce what I’ve learned. Your best learning modalities may be the opposite of mine. But it’s important to recognize and pursue the types of resources that best help you learn. See the areas below for different types that may best meet your needs.
- My Approach: in preparing for the exam, I drew from a variety of sources to get a balanced viewpoint. I’ve used the Sybex Official Study Guide as my baseline, incorporating other material (such as the All-in-One guide by Maymi, Harris et al. – see below) to supplement with alternative explanations. Pete Zerger’s Exam Cram, and Destination Certification’s Mindmap YT videos are good resources that can help you keep perspective on how concepts fit together. For testing, I used the OSG practice tests to start, then incorporated Learnzapp, and QuantumExams to gauge weak areas.
- Memorization approach: my memorization techniques include using acronyms to remember items in a list, and creating visualizations and picmonics to aid recall. Don’t discount mindmaps and diagrams to help in keeping track of how areas or components fit together. And verbalizing answers via flashcards or studying with a friend (instead of just passively reading) can provide an additional channel to help your brain synthesize the material.
Reference Material
- Books:
  - As mentioned above, the Certified Information Systems Security Professional Official Study Guide (10th edition) and Practice Tests is a great study baseline, with 100 questions for each of the 8 domains and more than 1300 questions total.
  - CISSP All-in-One Exam Guide (currently the Ninth Edition, available from May 2023) - I’ve found the book valuable, as it reinforces core concepts and provides additional clear explanations to supplement the OSG.
  - 11th Hour CISSP: Study Guide, 3rd Edition - this book is a bit older, but it’s compact, and prep’d “for ease of last-minute studying.”
- Courses/videos:
  - Thor Teaches
  - Destination Certification MindMaps - these help connect key topics.
- Mobile Apps:
  - I’ve found Learnzapp to be useful, with study questions, flashcards, and practice tests (note that you’ll need a subscription to take advantage of most of these features).
  - Destination Certification app - a great resource with flashcards, acronyms, and a glossary.
- Practice Tests:
  - OSG and All-in-One Exam Guide practice tests: once you’ve traversed the OSG material, these tests are a good baseline.
  - CISSP Exam Prep - users have commented on the “tricky questions” in this test bank; that might be a distraction or, conversely, force you to pay closer attention, depending on your POV; note that you’ll need a subscription ($24.99 for 6 months).
  - CertPreps - user comments range from “very realistic” to “will make you worry unnecessarily.” Many questions focus on identifying the “most” significant/effective strategy/benefit, or the “highest” priority.
  - CCCure - freepracticetests.org redirects to CCCure, which requires a subscription (from single-user 1 month @ $59.99 to 12 months @ $149.99). I took a practice test and found it underwhelming, but YMMV.
  - QuantumExams - helps to identify where you need work on understanding concepts holistically. The questions are challenging, but the scenarios and descriptions are more like the exam than other tests.
- General & Communities:
  - Understand Bloom’s Taxonomy: a framework used by educators and exam creators to guide learning or exam objectives. Cross-reference words used in the exam objectives with the framework to understand their specific meaning, and to guide the level of study required to master each one.
  - CISSP Study Group: this is a great place to share resources, get advice, and connect with peers studying cybersecurity.
  - Head over to the Certstation for support and communion with fellow travelers.
Note: You are advised to do your own analysis to determine what will be helpful to you in your study. There are no guarantees, implied or otherwise, that these notes are complete, free of mistakes, or will meet your needs to pass the CISSP test.
Study Guides By Domain
- Domain 1 - Security and Risk Management
- Domain 2 - Asset Security
- Domain 3 - Security Architecture and Engineering
- Domain 4 - Communication and Network Security
- Domain 5 - Identity and Access Management (IAM)
- Domain 6 - Security Assessment and Testing
- Domain 7 - Security Operations
- Domain 8 - Software Development Security