TL;DR: My CISSP study largely boiled down to reading the Sybex book cover to cover and taking all the practice exams. I highlighted anything that was new to me and used this to target my review. I spent the two weeks leading up to the exam with the exam cram video and discovered Pocket Prep two days before. Remember that there are a significant number of ungraded questions on the exam.
Estimated Reading Time: 10 minutesI ordered my CISSP study materials in January of 2025, and passed in October that same year. Quite a gap, if we’re being honest. Looking back on it, I easily could have done it in four months instead of nine. In this post I will share what I did, what worked, what didn’t, and what I would have done differently. I’ll also share some general advice that helped me during the exam.
What I Did
Going into things, I honestly didn’t have much of a plan. I knew it would involve a book, and practice tests, and probably a good amount of auxiliary material. And in the end that’s mostly what it came down to. I hadn’t needed to really study to this degree since college, so I was a little rusty in that regard. Looking back on things, I also had the idea in my head that the material would be a lot harder than it was, so that probably added some stress to it.
I’ll cover my study strategy first then analyze its effectiveness.
Sybex Study Guide
My main source of study was the ISC2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex Study Guide) 10th Edition which is a lot of words so I’ll just call it “the Sybex [book|guide]” from now on.
I also got two related books:
- ISC2 CISSP Certified Information Systems Security Professional Official Practice Tests 4th Edition, hereafter referred to as “the practice tests”
- The Official (ISC)2 CISSP CBK Reference (Cissp: Certified Information Systems Security Professional) 6th Edition, hereafter referred to as “the CBK”
(Technically I got the Sybex book and the practice tests in a bundle but it was three books all told.)
Of the three, the CBK was the least helpful. Mostly because I only read the first chapter, and even then only after finishing the Sybex book and practice tests. It was just a little dry for my liking, so I found it hard to get into. Being the official material from ISC2 I initially felt that gave it some prestige, and that may well be the case. But as a teaching aid, Sybex was much better.
The Sybex book sits at around 1,100 pages of content, and is divided into 21 chapters, each of which cover parts of the 8 CISSP domains. At first I didn’t like the division, thinking it was a clunky way to teach the material. I worried that it would be hard to keep track of which chapter(s) mapped to which domain(s). But as I got through it I discovered that it made sense to group certain information together or to cover some concepts before others. The exact mapping didn’t really matter at all.
My book study timeline breaks down as follows:
| Month | Study Time |
|---|---|
| January | 9h27m |
| February | 12h55m |
| March | 6h36m |
| April | 3h10m |
| May | 4h5m |
| June | 6h42m |
| July | 10h36m |
| August* | 0h0m |
| September | 1h40m |
| October | 10h17m |
| Total | 65h28m |
* August was a zero month for me. We did our first family road trip, went to the Renaissance Festival, and went to a gaming convention. We all got sick. It just wasn’t a conducive environment for learning.
Averaged out, that’s about four hours per week. Very, very manageable. But I wasn’t consistent – I would do four hours in a single session when the content was interesting, then drag my feet during some of the slog (GRC stuff mainly). As you can see, it forms something of a triple curve. I started off strong, slumped a little, got back into it, slumped a lot, and finished off strong.
Work and my personal life also had to take priority, which is something I’ll stress to anyone considering taking this (or any) exam: your mental health and well-being are more important than any test, and you won’t do well if you are burned out come exam day.
Reading each chapter, I used a blue highlighter to highlight anything that was either net new to me, or which I felt could use some reinforcement. I used a regular black pen to underline key distinctions between concepts, and in a few cases to add margin notes clarifying confusing wording (or pointing out typos, of which there were a few).
After each chapter, I would take the 20-question practice exam and time myself. I tracked what percent I got right, and how many seconds it took me to answer each question. If I got under 70% I would do a chapter review and re-test in a few days. My average seconds per question sits around 15 I believe, with some of the GRC stuff (which was nearly all new to me) skewing the high end up over 25.
After finishing the whole book, I took two of the longer practice exams from the dedicated practice tests book. I scored 82% and 83% respectively, taken a few days apart. That was cutting it a little close for comfort, so I continued my studies with online resources and Pocket Prep (discussed later). This ended up rounding out my knowledge gaps and helping with a lot of the memorization.
When I was studying, it was a mix of dedicated time and whenever I could steal at least half an hour. I used the Pomodoro technique and an app called Insight Timer to track my stats. I used a 25-5 timing, up to four focus sessions before calling it for the day. I would usually do no more than two sessions in a row unless it was a dedicated chunk of time and I was locked in.
Noise canceling headphones helped immensely here. Much of the time I was studying was when we’d be out to a play place or something for our kid. He’d get to run around and make friends, and I’d get to focus for a bit. But it was loud, and the headphones were critical. I’d put on music, usually a lofi mix lasting around 25 minutes to coincide with the timer. This turned out to be another key to success, as playing the same mixes trained my brain to go into study mode when the songs started. Eventually I didn’t even need to look at the timer because I knew how much time was left based on what song was playing.
CISSP Exam Cram and Others
In the week before the exam, in addition to just some general research on my weak areas, I watched the CISSP Exam Cram video by Pete Zerger. It was helpful in a few ways. For one, it was encouraging to listen to the topics and basically be able to fill in what he would say next. That gave me confidence that I knew the material. In addition, he gave some practical memorization techniques such as DRMRRRL (“drumroll”) for the incident response phases. These would prove useful during the exam.
I didn’t end up recording any timing for this study, but the video is 8 hours long and I watched it twice at double speed, so I’ll leave that math as an exercise to the reader.
One of my weak areas was the Bell LaPadula vs Biba models (and Clark Willson, Brewer Nash, Take Grant, etc.). For those, I’d find a few different videos that explained the concepts until I was able to watch a new one and mostly predict what was going to be said next. Specifically, the CertMike videos helped a lot there:
Critically, a lot clicked when he said that these are nearly impossible to implement in real life, and are mostly theoretical models. My technical brain was having a hard time trying to understand how these would work in practice. His example scenarios contrasting the two really drove home the intent of each.
Pocket Prep
Literally like two nights before the exam I started to get nervous, feeling like I didn’t have as firm a grasp of the domains I was weak in. After looking around a bit for some online practice exams which track your focus areas, I found Pocket Prep (that’s my referral code if you do end up using it).
It’s… pretty good. I’d give it a 7/10, and I’m using it currently for my CISM study. The mobile app is solid, and the desktop experience is comfortable for the longer practice exams. The practice questions are relevant and give you references to the main books you’ll encounter. Some of them I did end up flagging for review due to wording, incorrect references, and in a few cases even outright incorrect answers. To their credit they did address these issues quickly.
My main complaint is that the weak domain tracking does not count the longer practice exam results, only the question of the day, “Quick 10”, timed quiz, and possibly others. This is a disappointing aspect of the program, and I’ve shared that feedback with the support team. If you’re looking for this functionality, look elsewhere.
Exam Day
The nights leading up to the exam, I made sure to get good sleep. I took Melatonin if needed, but mostly just tried to go to bed a bit earlier than usual and read some non-fiction for a bit to calm my brain (lots of food literature, nothing related to computers). I also took Magnesium Glycinate before bed, which I’ve noticed has helped with my memory and focus in the past.
Day of, I had a small breakfast and got to the test site early. Spent half an hour or so reviewing, making sure to target a lot of the memorization stuff (acronyms like DRMRRRL, bit sizes for crypto operations, etc.) as well as things I had highlighted in the book.
As the start time loomed closer, there was nothing left to do except take the exam. The proctoring center was pretty thorough, even going so far as to check my glasses for cameras. Make sure you use the restroom beforehand, as any breaks will not stop the timer. Then you sign some papers and… take the test.
And hopefully pass.
After I finished the exam, I had to wait for the proctor center to print my results. I thought they would display on-screen right after, but at least at my place they did not. It was only about a minute wait though, so not too bad. I passed at 100 questions at a little over the 90-minute mark. The last 10 minutes were pretty nerve-wracking, as I felt like I was guessing a lot. I had to remind myself that there are always 25 ungraded questions in the first 100, so my feeling of guessing was not unfounded. The questions are also adaptive, so the fact that they felt harder at the end was actually a good sign. Remember this.
After The Exam
Waiting was almost harder than the studying. After the exam, you have only provisionally passed. They still need to review your results and that can take a few days. And after that, assuming everything checks out, you’re still not done. You now need to complete the application process. It’s a lot like applying for a job, in that they ask for your work history including contact info. This was a slight challenge for me, as my previous job was at a company which was bought out by another, and the buyers didn’t have any public contact info. But I guess my current job was evidence enough because it never came up.
Then you need to find another person who holds an ISC2 cert to vouch for you. This was the longest part. Not the finding – I had like eight people volunteer when I said I had passed. But the whole vouching process can take 4-6 weeks according to ISC2, and they mean it. I think mine clocked in at just under the 4-week mark, so I got lucky. But it was a long four weeks.
After that it was pretty quick. You pay your $135, and that’s about it. You’re a CISSP! Now go get those CPEs.
What Worked
For not planning my study that much, I actually feel like I intuitively figured out what would work well at the beginning:
- Pomodoro technique
- I’m old. Ancient. Decrepit. Nearly 35 at time of writing. I have a small son who is the beneficiary of a lot of my attention. It’s hard to focus on just one thing anymore. Breaking the study into manageable chunks made it easier to focus for long periods, and made it possible to still little study breaks here and there.
- Music for studying
- This one surprised me. I’ve always been pretty comfortable reading in silence, but studying seems to require more of a buffer between my ears and the outside world. The noise-canceling headphones helped with that, but only to a point. Having music going masked even more of the noise. It also kept me motivated and essentially Pavlov’d my brain into efficiency. I avoided anything with too many vocals, and mostly stuck to the same two 25-minute mixes.
- Highlighting
- Another slight surprise but it really should not have been. I think I went my entire grade school and college career without highlighting anything, though it has always been recommended. I thought it was cheesy, one of those performative “Ohh look at me and how organized I am” flexes along with using those little colored plastic bookmark tab things, but it’s valuable. It helped sort out the noise of stuff I had known for decades and bring attention to the new stuff. Old dog, old tricks.
What Didn’t Work
There were also some things that did not work as well, and which I ended up abandoning partway through:
- Written practice questions
- The CISSP exam itself does not have any written portion, so while the Sybex book did include these, I think I stopped doing them at the end of Chapter 3. Call it taking the easy way out, but I didn’t want to spend time doing that sort of review if it wasn’t directly relevant.
- Sybex online test banks
- The Sybex books come with a free online test bank. While this could be handy for some people, I didn’t care for them. They didn’t show your weak domains, and something about the web interface bothered me.
What I Would Do Differently
Finally, there are some things I would have done a little differently and which I am doing a little differently for my current CISM study:
- Maintain a more relaxed but consistent pace
- This is probably the biggest one. As mentioned earlier, I could have taken the exam probably in April or May if I had been more consistent in my studying. I think I burned myself out a bit at points and lost momentum. Granted, when the course content slogs it slogs hard, but over time I was able to learn to power through it. Being more deliberate with setting aside dedicated time is important.
- Multiple highlighter colors
- I admit it, I’m a highlighter convert now. I’ll likely stick to blue for new things because it rhymes and I’m used to it, but I might throw in yellow or orange for making critical distinctions between similar concepts, and idk maybe green for something else. It’s a work in progress. Might even get some of those flimsy plastic page markers.
Some Exam Tips
I wish I could go back and time and smack myself over the head with these two things during the exam:
- Remember that there are 25 ungraded questions which may feel like they are entirely out of left field. If you are still under 100 questions and you feel like a quarter of them were not covered whatsoever, this may well be the case. Adjust your mentality away from feeling like you got 100% of them and toward 75% of them, and you’ll breathe easier.
- Remember that the questions are adaptive, so if it feels like they are getting harder that’s a good sign. The last 10 or so questions were just so incredibly specific that they took me over a minute each just to fully get the scenario in my head, let alone come up with plausible answers. Since I passed at 100 questions, there’s a good chance these were the hardest questions I faced.
Closing
And that’s most of what I have to say about the CISSP, or at least the study portions. I might write some more on my CPE strategy if there is interest, and my CISM study is about two-thirds done by now, so there’s some content there I’m sure. I haven’t been a CISSP long enough to remark on its impact on my career, though so far the “You’ll be bombarded by recruiters!” warning seems not to have panned out. Time will tell.
