CISSP Study Resources
Material and resources for pursuing CISSP certification
This is my collection of resources, study materials, notes, and advice gathered while working towards certification. Because there is so much material available, it can be daunting when you are starting out to know where to begin, and what really merits your time and effort. No compilation is exhaustive, but my goal is to put together information that will be useful and encouraging to others undertaking this effort. At the least, it provides a list of resources, tests, and reference material to review.
My study notes/guides are based on the 2021 Official Study Guide, 9th edition (“OSG-9”). For an overview of what’s been added and changed in 2024, take a look at Destination Certification’s CISSP 2024 Exam Changes.
Feel free to share this repo or any of the resources if you find them useful. Tell me about mistakes or improvements you think should be made! Connect with me on LinkedIn.
Table of contents
- Overview of CISSP exam and content.
- Reference Material including books, articles, courses, videos, and test banks.
- My Study Guides By Domain, built as I progress through the reference material.
Overview
There is a lot of information on the CISSP exam available, including from (ISC)², associated & third-party instructors and authors, as well as guides put together by those in preparation. If you’re just starting out, I’d recommend the Sybex Study Guide and Practice Test bundle (note that I get a small commission for purchases made through Amazon links).
- Who is qualified to obtain the CISSP certification? Candidates must have a minimum of five years of cumulative, paid work experience in two or more of the eight domains of the CISSP CBK. A four-year college degree (or regional equivalent), or an additional credential from the (ISC)² approved list, satisfies one year of the required experience. If you have less experience than that, you can pursue the Associate of (ISC)² designation.
- Think like a CEO. The CISSP is a management-level certification. You’re expected to understand concepts, and to be able to draw from, synthesize, and apply them across knowledge domains. Thinking like a manager or the CEO means that you are not preoccupied with technical nuance; you are a business enabler, finding solutions that reduce risk in a cost-effective manner.
- Test-taking strategies
  - Take practice tests (see references below), and time yourself. You should get comfortable with the process and with the exam’s quirks (e.g. you can’t skip a question and come back to it later, so answer and move on).
  - The number of questions has dropped from 125-175 (2021) to 100-150 (2024), and the time allowed has dropped from 4 to 3 hours, which leaves a little less time per question (from 1.4-1.9 minutes (2021) to 1.2-1.8 minutes (2024)). Each domain accounts for between 10% and 16% of the total score.
  - Read the question and answers twice: skim the question and answers, then go back and read through the question carefully. Argue with each of the answers. Does an answer meet all the requirements in the question? Is another answer more efficient in time and cost?
  - If you have no idea what the answer is, you can generally eliminate at least two answers by thinking about the language used in the question. For instance, the question could be asking for a technology, while two of the answers describe a process.
  - The first priority in any incident is saving human life.
  - The exam can end with a pass or a fail after the first 100 questions. If it continues beyond 100 questions, the test has not yet reached a confident pass/fail decision and you are somewhere in between.
  - Finally, believe in yourself. Know that you are able to accomplish this! Your study and preparation will pay off.
- Material coverage: common challenges during exam preparation include finding the best resources for the way you learn, and staying on track. A huge amount of preparation is required to be ready for the exam, and it can be tough to know whether you’re covering the right material, in enough depth, and at the right pace. It can also be a challenge to stay accountable during your preparation.
  - Ways to tackle this include staying in touch with others in the community who are also preparing for the exam (see the General & Communities section below). Ask yourself how different concepts relate, and look for areas that cross-reference each other across domains. Use test banks to find the areas where you need further study.
- Learning resources: aligning resources with the way you learn best is important. For me, reading and writing out concepts helps me internalize them. Audio or video helps reinforce what I’ve learned. Your best learning modalities may be the opposite of mine, but it’s important to recognize and pursue the types of resources that help you learn. See the sections below for the different types that may meet your needs.
- My approach: in preparing for the exam, I have tried to draw from a variety of sources to get a balanced viewpoint. I’ve used the Sybex Official Study Guide as my baseline, incorporating other material (such as the All-in-One guide by Maymi, Harris et al.; see below) to supplement it with alternative explanations. Pete Zerger’s Exam Cram and Destination Certification’s Mindmap videos on YouTube are good resources that help you keep perspective on how concepts fit together. For testing, I started with the OSG practice tests, then incorporated LearnzApp and QuantumExams to gauge weak areas.
- Memorization approach: my memorization techniques include using acronyms to remember items in a list, and creating visualizations and picmonics to aid recall. Don’t discount mind maps and diagrams for keeping track of how areas or components fit together. And verbalizing answers via flashcards, or studying with a friend (instead of just passively reading), provides an additional channel to help your brain synthesize the material.
Reference Material
- Books:
  - As mentioned above, the Certified Information Systems Security Professional Official Study Guide (10th edition) and Practice Tests are a great study baseline, with 100 questions for each of the 8 domains and more than 1300 questions in total.
  - CISSP All-in-One Exam Guide (the Ninth Edition, from May 2023, is the current one): I’ve found the book valuable, as it reinforces core concepts and provides additional clear explanations to supplement the OSG.
  - 11th Hour CISSP: Study Guide, 3rd Edition: this book is a bit older, but it’s compact and prepared “for ease of last-minute studying.”
- Courses/videos:
  - This course has been highly recommended by several people: CISSP Overview by Kelly Handerhan.
  - Thor Teaches
  - Destination Certification MindMaps: these help connect key topics.
- Mobile Apps:
  - I’ve found the LearnzApp useful, with study questions, flashcards, and practice tests (note that you’ll need a subscription to take advantage of most of these features).
  - Destination Certification app: a great resource with flashcards, acronyms, and a glossary.
- Practice Tests:
  - OSG and All-in-One Exam Guide practice tests: once you’ve worked through the OSG material, these tests are a good baseline.
  - CISSP Exam Prep: users have commented on the “tricky questions” in this test bank; that might be a distraction or, conversely, force you to pay closer attention, depending on your point of view. Note that you’ll need a subscription ($24.99 for 6 months).
  - CertPreps: user comments range from “very realistic” to “will make you worry unnecessarily.” Many questions focus on identifying the “most” significant/effective strategy or benefit, or the “highest” priority.
  - CCCure: freepracticetests.org redirects to CCCure, which requires a subscription (from a single-user 1 month at $59.99 to 12 months at $149.99). I took a practice test and found it underwhelming, but YMMV.
  - QuantumExams: helps to identify where you need work on understanding concepts holistically.
- General & Communities:
  - Understand Bloom’s Taxonomy: a framework used by educators and exam creators to define learning or exam objectives. Cross-reference the verbs used in the exam objectives (e.g. “identify”, “apply”, “evaluate”) with the framework to understand the level of mastery expected, and to guide the depth of study required.
  - CISSP Study Group: a great place to share resources, get advice, and connect with peers studying cybersecurity.
  - Head over to Certstation for support and communion with fellow travelers.
Note: these are the notes and resources I’ve found helpful in my study so far. You are advised to do your own analysis to determine what will be helpful to you in your study. There are no guarantees, implied or otherwise, that these notes are complete or will meet your needs to pass the CISSP certification exam.
Study Guides By Domain
- Domain 1 - Security and Risk Management
- Domain 2 - Asset Security
- Domain 3 - Security Architecture and Engineering
- Domain 4 - Communication and Network Security
- Domain 5 - Identity and Access Management (IAM)
- Domain 6 - Security Assessment and Testing
- Domain 7 - Security Operations
- Domain 8 - Software Development Security