/r/cissp


This sub is for those that are pursuing the CISSP® and those that have taken the exam and wish to provide feedback on the study methodology and materials employed. This sub is not supported or managed by ISC2 or its affiliates. This is an unofficial CISSP® Reddit sub.

Information about experience requirements/endorsement/CPEs can be found at https://www.isc2.org/

A community dedicated solely to those studying for the CISSP and those that have taken the exam and wish to provide feedback on the materials and methodology used to prepare.


RULES

  1. ABSOLUTELY NO EXAM DUMPS OR CHEATING RESOURCES. This will result in a permanent ban. This career, and especially the CISSP, is built on ethics.

  2. Be professional. No personal attacks or name calling. This is a sub for professionals seeking professional certifications, and we should conduct ourselves as such.

  3. All posts/topics should be relevant to the CISSP and (ISC)2. Off-topic posts will be removed.

  4. Posts about study material sources should be about reputable, relevant, and legal study sources. Posts linking to sketchy or unauthorized sources for study material will be removed with a possible ban. Study material should come directly from publishers/authors, or from authorized resellers (tl;dr, no spam and pirating).

  5. Low effort, spammy, or grossly incorrect and misleading posts/comments will be removed at moderator discretion. Examples include: "CISSP is bad you guys should feel bad", "EXAM TIP #2 DON'T FORGET TO ANSWER A ON ALL QUESTIONS IF YOU DON'T KNOW IT", etc.

In general, you should conduct yourself as per the (ISC)2 Code of Ethics.


HELPFUL RESOURCES

The below resources have been vetted by the mods as being good resources for materials and study groups.

  • Certification Station Discord - "To bring subject matter experts, teachers, and students together in order to foster an environment of professional development and learning for all. From formal training provided by one of our resident professionals to ad-hoc training provided by fellow students to simple study and quiz sessions amongst peers, the opportunities for furthering your knowledge are endless."


73,882 Subscribers

1

Tips to maintain concentration levels for 3 hours

Hi guys,

My exam's next Friday, and I took my first practice QE test yesterday—scored only 50%! Looking over it, I could've easily hit more than 60% if I could focus the whole time. I'm good for the first 45 questions, but after that, I totally tank (Reading a simple question 3 times). By question 80, I just want it to be over.

Given my limited time, could anyone please offer any advice or suggestions to help me improve my focus and concentration throughout the entire exam?

FYI, I tried taking a break at Q60, but I could not relax; all I could think of was getting back to the exam.

5 Comments
2024/12/20
18:28 UTC

3

My mind doesn't want to interpret "Governance" and "Risk Management"

My previous roles were in Security Operations only, I was never part of a GRC team. Although I have gained knowledge about compliance from the materials I studied, Risk Management (RM) and Governance are still a mystery to me even after months of reading and studying CISSP materials.

Governance: The most basic definition I found is "the way rules, decisions, and actions are managed in an organization." However, how can we implement or achieve governance, and how can this be measured? What documents should be created as proof that we have good governance?

Risk Management: I'm aware of the steps, approaches, and framework names, and I can correctly answer all associated CISSP questions. However, I have no idea how RM is done in real life. Does the GRC team create a CSV file with every possible risk and guess the likelihood of occurrence for each? I also wonder what "following a framework" means in this context. I checked NIST SP 800-53, which is a 500-page document, and I can't understand what following it means.

Can you please explain to an implementation-focused technical person how Governance and RM are concretely done?

1 Comment
2024/12/20
16:01 UTC

8

Obligatory Passed at 100

Just wanted to thank this community for the resources, peace of mind and support along the way.

Background: around a decade in infosec across various domains. Have been putting this cert off for way too long.

Resources: Dest Cert Concise cover to cover 10/10

LearnZApp - used this for too long, telling myself I was "studying". Certainly not the only resource you can rely on, but decent for snack studying. 7/10

Quantum Exams - bit the bullet the last 2 weeks and grinded out practice test after practice test. Agree they are harder than the real thing, probably by design. Didn't agree with all the answers, but it's a fantastic resource. Note: I was consistently scoring in the high 50s, low 60s. Best result was 67. When I read average scores for QE that made me feel better, so don't worry too much if you feel you're scoring low. Resource will be even better with 1k questions and CAT - ty DarkHelmet - 10/10

50 questions on YT and Why You Will Pass - helpful in the lead up and free, so recommend - 8/10

Overall around 3 months of focused studying with a ramp up cram towards the end. It's a worthwhile process, felt there is a lot of knowledge I can apply to my day-to-day role. Good challenge to take an exam with my last being Sec+ almost a decade ago.

Exam stopped at 100, with 90 minutes left on the clock. Didn't feel comfortable during, as I felt CAT was feeding me a lot of questions from weak domains.

Thanks all, and good luck to all those scheduled soon!

15 Comments
2024/12/20
15:38 UTC

3

CISSP Crypto Dad Joke!

I've figured out why the CISSP questions are so difficult. They are written with a double Rot13 cipher!

1 Comment
2024/12/20
15:06 UTC

3

What Are Some Topics on the CISSP That You Found Especially Difficult to Understand?

Hi everyone,

I’m planning out new content for my YouTube channel and would love to hear from this community. What topics from the CISSP exam did you find especially difficult to understand or felt you needed more resources for?

Whether it’s specific security models, cryptography concepts, or tricky exam strategies, I’d really appreciate your input. I want to be able to provide value to others preparing for the exam, and so wanted to get some ideas from those of you that have been through it or are going through it.

Thanks in advance for sharing your thoughts!

Best,

Steve

12 Comments
2024/12/20
14:47 UTC

3

I'm completely lost with Quantum Exams

I am using LearnZapp, 50 YouTube Questions, and Quantum Exams as my prep.

I studied intensely everything in LearnZapp to gain a baseline knowledge and I am at a 95% readiness, and I score consistently around 80% on all my practice exams.

The 50 YouTube questions I scored at 70% the first time taking it pausing the video.

Quantum Exams I am completely lost. Out of 50 questions, I only scored 10 correct. That would be a 20%.

With Quantum exams I am getting very confused, and I really need help. I feel like if I took the CISSP tomorrow I would 100% fail because of how I am interpreting the Quantum Exam questions.

26 Comments
2024/12/20
14:16 UTC

34

Passed the CISSP here is my story...

I have ADHD, and studying and taking tests have never been easy for me. I was recently diagnosed and am now taking medication to assist with this.

I started this journey after spending 15 years in IT, where I've worked as a sysadmin, engineer, architect, and recently, a manager. Through these roles, I've touched on various aspects of each domain. While I thought I knew quite a bit, going through the CISSP domains made me realize I probably only knew about 50% of the material.

Knowing I struggle with reading-based studying, I needed to find a resource I could watch instead. I signed up for Dest Cert's master class and got started. Some topics along the way were tedious, and I really had to motivate myself to keep going, especially with subjects like cryptography.

At the start of the course, I booked my exam for December 20th, thinking "How hard can a multiple-choice exam really be?" As I progressed through the course, I realized this wasn't going to be easy, and reading Reddit stories made me nervous.

I struggled to finish the class, with motivation lacking through the tedious topics. Booking the exam turned out to be a pro tip – it forced me to reach the end because I had a hard deadline.

With a week to go and having just finished the course, I started reviewing, and my brain was overwhelmed. The day before the exam, I worked on mindmaps from Dest Cert, feeling even more overwhelmed – there were so many topics, and I wasn't retaining the process steps well. I attempted 30 Quantum Exam questions and scored 50%. I went to bed thinking "Oh well."

The morning of the exam, I walked my dog, then crammed a few mindmaps I hadn't reviewed while driving to the testing center. My brain felt empty, like a black void.

As I started the exam, I encountered some challenging questions, but nothing too difficult. Then it got harder, and I found myself reading questions three times. Although there was substantial text, it mostly focused on finding the BEST answer. With 120 minutes remaining and only being on question 33, I knew I needed to speed up.

Around question 40, something changed – I felt more relaxed, and the questions seemed easier. With 36 minutes left, I reached question 99. I completed questions 100 and it kept going, 101... I started wondering if they were actually easy or if I was getting them wrong. At question 103, the exam ended with 33 minutes remaining.

Yay I passed!

Surprisingly, there weren't many questions about defense-in-depth layers, VPN types, or the OSI model levels, cryptographic stuff. I had feared having to recite orders and model steps, but it was more about selecting the best answer.

I sort of feel disappointed - the questions were really not like Quantum Exams (QE was much harder), and I felt all that studying trying to cram different orders and methods of different things didn't really matter. Also, the "think like a CEO" advice didn't really come into play as much as expected.

Or maybe because I did cram and did go through everything, and that is what allowed me to pass, but I feel the questions on the exam were not as comprehensive of all the subjects as they should have been.

My main tip is to read each question three times before looking at the answers. Determine what the question is actually asking by identifying the key words.

However, the CISSP certification has made me a better security professional. I now understand more concepts than I did before, and I'm a certified member of the community.

Thanks all!

Tldr: passed at 103 with 33 minutes remaining - felt the exam wasn't as comprehensive of all the domains as it should have been.

18 Comments
2024/12/20
05:16 UTC

1

CPEs for CISSP

Does the ISC2 accept the CPEs earned through completion of free Cybrary courses? Has anyone ever reported Cybrary CPEs?

1 Comment
2024/12/20
05:08 UTC

19

Passed on 1st attempt - Key takeaways & study materials

I bought the Destination CISSP book back in April, but with work commitments piling up, I kept pushing off my study plans. It wasn’t until November that I decided to get serious and purchased Peace of Mind (POM) to hold myself accountable.

Here’s a breakdown of the resources I used and my approach:

Study Materials:

  1. Destination CISSP - Read this book three times. Honestly, it’s concise and gets straight to the point, which really worked for me.

  2. Learnzapp - Didn’t find much value in this one, personally.

  3. Quantum Exams (QE) - This was the game-changer for me. QE trained my mind to focus on keywords in the questions and helped me narrow down the right answers efficiently.

Key Takeaway: When it comes to the exam, don’t overthink it. Just answer the question. Focus on what the question is actually asking and use logical reasoning to eliminate distractors.

For those prepping for CISSP, trust your study process and don’t second-guess yourself too much during the exam. You’ve got this!

7 Comments
2024/12/20
04:08 UTC

29

Shoutout to DestCert!

Obligatory passed at a 100 post, but I did want to give a big shoutout to John, Rob and Lou from the DestCert team!!

Out of all the materials used, their program was hands down the best. Videos are engaging and detailed without being dry. Not cheap, and my company did pickup the tab, but if you have the means (or a corporate training budget) I can’t recommend them enough.

Happy Holiday to everyone still studying, you’ve got this!

9 Comments
2024/12/20
01:16 UTC

3

OSG OPTs any good?

I'm reading the OSG and studying the practice test questions. For those of you who have passed do you think these practice questions are good? tvm ia. DG

2 Comments
2024/12/20
00:01 UTC

14

Passed first attempt at 100 Q

I passed at 100 Q and had over 100 minutes remaining.
Now, I’m surprised I passed - and why was I so fast?

I started studying in August 2024 (study materials listed below). My plan was to go hardcore on my studies one week before the exam, cram as much as I could, and focus on my weak areas. However, life had other plans. Without going into too much detail, about two weeks before my exam date, a life event completely disrupted my routine and severely affected my mental health—it basically went out the window. As a result, I didn’t touch the study material at all during the two weeks leading up to the exam.

On exam day, I had to travel about two hours to reach the test center.
All I wanted was to finish the exam and get back home as soon as possible. I arrived early at the testing facility but wasn’t allowed to start until 30 minutes before my scheduled time. After what felt like waiting an eternity, I finally got to sit the exam. My anxiety was through the roof—caused more by the life event than the exam itself—and all I hoped for was that the exam would stop at 100 questions. Whether I passed or failed, I just wanted it to be over.

When answering the questions, I selected what I believed to be correct. If I had doubts, I might have read the question one more time at most, but then I moved on; remember, I wanted nothing more than to get out of there and go back home.

The exam did stop at 100 questions, and my first thought was, "I couldn’t have done that badly, right?" I got the printout and... Congratulations!

Study Materials:

  • Destination Cert Masterclass: Watched the full class to kick off my studies. 10/10
  • Destination Cert Book: Read it twice. 10/10
  • OSG: Read up to around page 300, then set it aside.
  • YouTube: Technical Institute of America: 50 CISSP Practice Questions. 8/10
  • LearnZapp: 7/10
  • QuantumExams: I don’t want to rate this since it’s still very new and CAT isn't out, but I personally found the questions much harder than the actual exam.
8 Comments
2024/12/19
23:56 UTC

53

This test sucks

Passed at a 100 qs with 90+ minutes remaining. For background, I've been in cybersecurity for 5 years (mostly SOC and some compliance work). Also have an MS in cybersecurity and 8 other certs (CompTIA and SANS).

As others have said, the CISSP is not nearly as technical, as say, the CASP, which I passed earlier this year. But I also don't think it's "managerial" either IMO. I think it's in a murky gray area. None of the "think like a manager" things really helped me.

What it came down to was reading and re-reading the questions over and over again to figure out which answer applied the best.

I'm happy I passed (obviously), but I think it's kind of a crappy test and totally see why people fail.

Resources I used:

  1. Official Study Guide: as dull as it can be, it was still super useful in helping me shore up areas I didn't have direct experience with.

  2. PocketPrep: got through all 1000 questions, and then reattacked weak areas over and over until I had a 90%.

  3. "Inside Cloud and Security" videos on YouTube: Great as summaries and for convenient review.

20 Comments
2024/12/19
21:51 UTC

17

Passed at 101

To be fair still don’t understand how I passed. Didn’t feel good about any of my answers and was not surprised when it stopped at the 101, but very surprised that I got the provisional pass.

Best resources for me:

  • Pete’s CISSP exam cram - YouTube
  • Mike’s CISSP bootcamp - Percipio
  • Mind map videos - YouTube

Exam prep questions:

  • Quantum Exams, by faaaar
  • Pocket Prep in the beginning

Good luck all

6 Comments
2024/12/19
20:09 UTC

30

Passed at 100 with 80 minutes remaining

Background: Over 10 years experience in IT and security. Passed the CCSP back in August and decided to go for the CISSP.

Materials: Mike Chapple LinkedIn Course, LearnZapp (77% readiness), Destination Certification mind maps, 50 hard questions and Peter Zerger exam cram. I have also looked at Adam Gordon's question of the day.

For me the most useful tools were the Mike Chapple course and LearnZapp. It helps that I am used to many of the concepts.

I don't like reading so I subscribed to Audible and got the OSG audio book that I listened to while commuting.

Exam Experience: It was brutal, and at no point did I think that I would pass. From my experience, think like a manager is overrated, and I found the exam to be more technical than I expected. For example, several questions asked for technical details of protocols. Therefore, for those preparing, please know the details and how protocols work.

7 Comments
2024/12/19
20:06 UTC

7

Additional memorization techniques for studying

All credit goes to u/neon___cactus for their original AMAZING post (Here's my collection of the memorization techniques and assistants I am using for the CISSP. Please share your techniques! : r/cissp). I used this to help prepare for and pass my own exam two days ago, and it was incredibly helpful. (My experience linked here: Passed at 100Q in 2 hours—my story (long post warning) : r/cissp)

So, I'm adding a few additional ones I modified/came up with that helped as well.

Hopefully this is helpful!

--

IDEAL (“Initiating Diagnosis Establishes Acts of Learning”)

  • Initiate
  • Diagnose
  • Establish
  • Act
  • Learn

Security Models

Quick, Cliff's Notes-version in concise form. The version from u/neon__cactus is great, but I used these to make sure I remembered everything.

  • Bell-LaPadula - Confidentiality. No Read Up, No Write Down. MAC. Simple, Star, Strong Star.
  • Biba - Integrity. No Read Down, No Write Up. MAC.
  • Clark-Wilson - Integrity. Focuses on subject/program/object access controls.
  • Brewer-Nash - Integrity. Prevents conflicts of interest. “Chinese Wall”.
  • Goguen-Meseguer - Integrity.
  • Harrison-Ruzzo-Ullmann - Focuses on assigning rights to subjects for accessing objects.
  • Sutherland - Prevents interference from subjects.
  • Graham-Denning - Provides 8 different actions for subjects: Create Subject, Create Object, Delete Subject, Delete Object, Read Access, Write Access, Transfer Access, Delete Access.

eDiscovery

Using visual storytelling helped me immensely for remembering all of these details. Give it a try!

  • Information Governance (librarian organizes everything on a shelf, ready for the detective; formatting all the information so it’s ready for the eDiscovery process)
  • Identification (detective searches the room for relevant info; searching for and identifying the relevant information needed for the case)
  • Preservation (he places the findings in a Vault to keep it safe; information must be protected from deletion or modification)
  • Collection (movers with a collection bin gather the files into one room; centralizing all the information in one place)
  • Processing (conveyor Belt removes irrelevant info while sending everything else on uninterrupted; removing irrelevant information is the first step to make the data manageable)
  • Review (a lawyer examines the files and stamps some as attorney-client privileged, and not available for use in the investigation; attorneys remove information that is privileged and ensure the rest is usable)
  • Analysis (a scientist does deep analysis with a microscope in a lab; delving deeper into the data to connect the dots)
  • Production (the detective hands the briefcase with all findings to the lawyer; information is officially turned over to opposing counsel)
  • Presentation (lawyer presents it in a courtroom slideshow to the jury; showing the information in court)

Privacy by Design (PbD) ("People Prefer Privacy For Every Visual Respect")

Use a visual story for this one, too!

  • Proactive, not Reactive (firefighter standing by with a hose before a fire starts; privacy anticipates issues and doesn’t wait for a breach)
  • Privacy as the Default Setting (smartphone with all privacy settings turned on automatically; privacy is built-in and automatic—users don’t have to enable it)
  • Privacy Embedded into Design (blueprint for a building with privacy walls drawn into the plan; privacy is integrated from the start, not added as an afterthought)
  • Full Functionality; No Trade-Offs (hybrid car that offers both great fuel economy and performance; don't sacrifice features for privacy)
  • End-to-End Security (package being secured with tamper-proof seals at every stage of shipping; data is protected from the moment it’s collected until it’s no longer needed)
  • Visibility and Transparency (clear glass house where you can see everything inside; privacy practices are visible, auditable, and verifiable)
  • Respect for User Privacy (friendly guide handing a visitor a simple map to navigate privacy controls; privacy solutions are user-friendly and prioritize the individual’s rights)

Secure Design Principles (“The Little Dog Sure Failed So Keep Zero Trust Privacy Shared”)

  • Threat Modeling (security guard studying a map of a building, identifying potential threats like hidden doors or weak points; identify risks and plan for them)
  • Least Privilege (vault with a tiny key that only allows access to a specific drawer—minimal access is given; give users only the minimum access they need)
  • Defense in Depth (castle with multiple walls, each with a different security feature (moat, guards, cameras, etc.); multiple layers of security keep assets safe)
  • Secure Defaults (locked door with a sign that says, 'Secure settings by default—no one can enter unless allowed'; default settings are secure so nothing is left open to attack)
  • Fail Securely (blast door in the Enterprise's engineering bay keeps a warp core breach from killing people outside the door; if things fail, they fail in a secure way)
  • Separation of Duties (team of people working together to build a tower, but each person has their own task—no one person is in charge of everything; divide duties to prevent any one person from having too much control)
  • Keep It Simple (simple puzzle with only a few pieces, making it easy to solve; avoid unnecessary complexity)
  • Zero Trust (checkpoints and hallways in a secure facility where every visitor, regardless of who they are, must show their ID and credentials before entering--and agree to have them continually scanned as they move through the facility; everyone is untrusted by default, so verify everyone)
  • Trust but Verify (police officer who checks every driver’s license at a checkpoint, even if they trust the drivers to be honest; trust users, but always verify their activity)
  • Privacy by Design (blueprint for a house, where privacy walls are planned out right from the start; design privacy into the system from the beginning)
  • Shared Responsibility (a cloud provider and a customer shaking hands and agreeing on shared responsibilities; both parties have shared security roles)

Business Impact Analysis ("PILAR")

Another visual story: imagine you're building a pillar ("PILAR") to hold up your organization, with each step relating to a critical action:

  • Prioritize (decide what’s most important—your foundation stones—to ensure the pillar is stable; select the largest and strongest stones first)
  • Identify Risk (as you start building, you spot potential cracks in some of the stones; you quickly notice which parts of your structure are at risk)
  • Likelihood Assessment (you calculate the probability of these cracks growing; you check the cracks and assign a probability of getting worse)
  • Analyze Impact (you imagine what would happen if the pillar failed—a collapse of the structure; you picture your building shaking and decide you must address these issues now to avoid disaster)
  • Resource Prioritization (you allocate your best resources to fix the cracks and strengthen the pillar)

XSS vs. CSRF

XSS

  • Imagine a magician (attacker) sneaking a trick script into a browser (user’s browser).
  • The script is a puppet master controlling the browser session: it steals cookies, shows fake pop-ups, and spies on everything you do.
  • Remember: The magician targets the user's browser to execute the trick.

CSRF

  • Picture a forged letter (request) being slipped into a mailroom (web server).
  • The letter looks like it’s from a trusted employee (authenticated user), so the server processes it without suspicion.
  • Remember: The forged letter manipulates the server’s trust.

--

As u/neon___cactus said in their post, please add your own methods in the comments.

Thanks so much for reading and contributing, everyone!

1 Comment
2024/12/19
18:54 UTC
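The Bell-LaPadula and Biba rules from the security-models list above (No Read Up / No Write Down versus No Read Down / No Write Up), written out as access checks. This is an added example, not code from the post or its author; the four-level lattice, the function names and the sample accesses are constructed for illustration.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) access checks.

Added example for the security-model mnemonics; the four-level lattice,
the function names and the sample accesses are constructed, not from the post.
"""
from __future__ import annotations

# Constructed linear lattice. For BLP a higher index means more sensitive;
# for Biba it means more trustworthy. Both models compare ranks the same way,
# which is why Biba reads as "BLP turned upside down".
LEVELS = ("Unclassified", "Confidential", "Secret", "Top Secret")


def rank(level: str) -> int:
    """Position of a level in the lattice; unknown levels are rejected."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level!r}")
    return LEVELS.index(level)


def blp_check(subject: str, obj: str, op: str, strong_star: bool = False) -> tuple[bool, str]:
    """Bell-LaPadula. Returns (allowed, property applied).

    Simple Security Property: read at or below your clearance (No Read Up).
    *-Property:               write at or above your clearance (No Write Down).
    Strong *-Property:        write only at the subject's own level.
    """
    s, o = rank(subject), rank(obj)
    if op == "read":
        return s >= o, "Simple Security Property (No Read Up)"
    if op == "write":
        if strong_star:
            return s == o, "Strong *-Property (write at own level only)"
        return s <= o, "*-Property (No Write Down)"
    raise ValueError(f"unknown operation: {op!r}")


def biba_check(subject: str, obj: str, op: str) -> tuple[bool, str]:
    """Biba. Returns (allowed, property applied).

    Simple Integrity Property: read at or above your level (No Read Down).
    *-Integrity Property:      write at or below your level (No Write Up).
    """
    s, o = rank(subject), rank(obj)
    if op == "read":
        return s <= o, "Simple Integrity Property (No Read Down)"
    if op == "write":
        return s >= o, "*-Integrity Property (No Write Up)"
    raise ValueError(f"unknown operation: {op!r}")


def compare(subject: str, obj: str, op: str) -> dict[str, bool]:
    """Run the same access under both models to see where they agree and disagree."""
    return {"BLP": blp_check(subject, obj, op)[0], "Biba": biba_check(subject, obj, op)[0]}


if __name__ == "__main__":
    # Constructed sample: a Secret-level subject against an Unclassified object
    # and a Top Secret object, reading and writing, under each model.
    for obj in ("Unclassified", "Top Secret"):
        for op in ("read", "write"):
            print(f"Secret -> {obj:12} {op:5}: {compare('Secret', obj, op)}")
```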

29

Passed at Question 100 with 40mins remaining

Hello Everyone!

I just wanted to share that I provisionally passed CISSP this week on my first attempt.

100 questions and 40 minutes remaining (not a native English speaker and slow test taker). I studied for 5 months (2 months intensively).

Background about me: I have a degree in Electronics Engineering and a total of 10 years of experience in IT, a combination of Networking, Security, and Cloud (mostly Operations). I decided to push for CISSP way back in 2019, but COVID happened, and lockdowns and all meant I wasn’t able to focus on studying. Fast forward to August 2024, I decided to push and become CISSP-certified.

my old post 6 years ago:
https://www.reddit.com/r/cissp/comments/azivbl/is_it_possible_to_pass_the_cissp_exam_in_2_months/

Prep and journey

The hardest part for me was the switch of mindset from a technical person to CISSP. I used up my first 2 months in prep learning the scope, the topics in each domain, and the mindset. I thought changing mindset was one of the most difficult parts for me.

3rd month, I focused on a deep dive of each domain; I identified which domains were my weakest and most comfortable (my weakest were 1 and 8, comfortable were 4 and 7, and the others are on par). One thing for sure while learning/studying CISSP is that most of my company's management team's decisions have started to make sense: how they run things, BCP, audit, etc. Before, I didn't understand it; I just blindly followed what was instructed to me. Gaining this knowledge from studying alone is super beneficial.

Here are some of my resources:

Quantum Exam - This is a game changer. If I had to choose between Peace of Mind and QE, definitely QE (but I ended up buying both, lol, though I bought POM first).

LearnApp - Bought a 3-month subscription; exam readiness was 55%, but I didn’t complete this since I used it mostly for flashcards. I focused on QE.

Mike Chapple’s OSG and LinkedIn Learning materials.

Thor’s Udemy and Practice Questions.

Luke Ahmed’s book and study notes.

Kelly’s “Why You Will Pass the CISSP Exam.”

Pete’s Exam Cram + Addendum (I was lucky enough to join his last live 100 Questions) + Last Mile.

Prabh’s coffee shots and snacks.

Prashant Mohan’s Memory Palace.

Destination Cert - MindMaps (printed these) and Concise Guide Book.

50 CISSP Hard Questions.

Exam Experience:

IT WAS BRUTAL! CAT WAS BRUTAL, but yeah, it’s doable. Early on in the exam, I felt exhausted, mentally and physically drained. At question 25, I felt like I just wanted to end this exam and move on. I already thought about which topics I was weak in and needed to study, because CAT was a mofo that can smell your weakness. Please hydrate, and make sure you're in your best shape.

Exam questions were vague and crazy. QE is the closest practice question I did in terms of wording. I did thousands of practice questions, and none of them—nada, null, zero—was repeated. Also, try not to JUST memorize the process/steps. Understand and learn it by heart and JUST ANSWER THE QUESTION!

Lastly, you will never know when you’re ready. There’s no indicator of exam readiness. Go back to your notes and mind maps and see if things are making sense. If you’re able to explain the RMF, Incident Response, DRP, and BCP (and many more), you’re on the right track. Be open-minded. The exam is not just about knowing how things work; it’s about how you apply them in a scenario, testing if you really understand it.

You can do it!!

edit: added my reddit post from 6 years ago

15 Comments
2024/12/19
17:32 UTC

0

Thoughts on Percipio for studying?

Has anyone used Percipio to study for CISSP? Was it enough to pass or do they fall short? I have free access to Percipio modules through my work. They have a channel for CISSP. I just started watching the videos. I've used Percipio to study for Pentest+, Cloud+, and Security+; their modules were all I needed to pass those. I also have Linux+ and A+ certs.

10 Comments
2024/12/19
16:31 UTC

5

QE for other exams?

I posted this in here because it seems to be where Quantum Exams is discussed the most. Does anyone know if there are plans to add other exams to QE? I already hold CISSP, but have not yet got to CCSP, which I anticipate. Would be curious to know if there are plans to develop material for other exams, even if only ISC2.

5 Comments
2024/12/19
15:55 UTC

21

After much reflection...I will like to say this......

After all the comments I received yesterday, when I posted my failed 3rd attempt, someone messaged to offer to write the exam for me... I told them no, of course, but be careful out here.

I appreciate all your words of encouragement and everything, and I hope I can do better next time.

For anyone taking this exam, please do review the materials from different sources, as I can tell you that some of the exam questions I saw are almost not in the OSG, the Concise Destination guide, or any of the thousands of practice exam questions I did, but I figured these words are in the CBK.

If you've only used video to prepare, please reconsider going through different sources; this advice aligns with Luke's "how to think like a manager" (I watched his video 2 days before my exam). If you have not looked at different preparation guides and your exam is close, I will suggest you reschedule - I should have done this myself.

Knowing the material is different from the wording of the exam. The exam is worded in a way that you would question yourself.

I'm convinced that ISC2 uses an algorithm to pick questions from different sources; as per my exam, there were way too many questions that seemed new to me.

Please take this advice and thank me later. Bye for now.

23 Comments
2024/12/19
10:37 UTC

0

Login help. Not getting any emails from ISC2

As I check my Gmail, I seem to have created an account in 2021 to attend a ransomware training. I have credentials saved in my password manager, and obviously those do not work now and prompt me to:

https://preview.redd.it/o2hhvn0alr7e1.png?width=798&format=png&auto=webp&s=61275cb4d1688000f134a45b390f1113d2317621

I attempted "Forgot Password" multiple times, yet I do not get any email from ISC2 (checked spam and everywhere). I also see that there are two different login panels, Login and Login | SSO. The former throws the above error, and the latter errors out with the message "Your access is disabled. Contact your site administrator." I see that there was an SSO/login-related change in 2022, which I most likely did not follow.

I presume the only way to get hold of my account is to contact ISC2 admin and seek help. But how do I do that when I am not getting any emails to the email address which was used for ISC2?

What has happened to my account and what's the process to get it back? Help me out here.

P.S. I don't have any email filter rules for isc2.org.

1 Comment
2024/12/19
08:40 UTC

2

How much technical detail?

Hi friends,
I was wondering if we have to get into the technical details for numerous topics:

Kerberos working and architecture (how tickets are generated)

SQL queries?

ACL?

IP headers?

IP addressing and subnets?

4 Comments
2024/12/19
08:05 UTC

3

Taking the ISSAP tomorrow!

Passed my CISSP three years ago and wanted to reach out for any insight or what to expect...

Had a boot camp about a month ago, but remember very little.

Thoughts?

4 Comments
2024/12/18
23:25 UTC

23

Passed at 122 with 3min left!

Just passed the test! So glad I’m done with this. I've been studying since August and all the hard work paid off! I'm going to be honest, I thought I failed for sure, plus my time management was horrible lol. It stopped me with about 3 min left and I was at 122 questions lol. God is good, I’m off to celebrate with the fam. Thank you all for your guidance and support, I really appreciate it. Below you’ll find my study resources.

Pete Zerger 10/10

Dest Cert 9/10

OSG 8/10

Quantum 9/10

Boson 8/10

Cybrary Kelly Handerhan 8/10

Pocket prep 7/10

13 Comments
2024/12/18
23:24 UTC

2

CASP vs CISSP difficulty?

Anyone have any opinions regarding CompTIA's CASP exam vs the ISC2 CISSP? Thank you in advance.

7 Comments
2024/12/18
23:16 UTC

86

Passed this morning at 100.

My preparation for this was all over the place. I had to hurry and schedule a date because my voucher would have expired at the end of this month. They had either last week or today so I chose today and just powered through Boson test questions, Destination Certification’s CISSP mind maps, and Pete Zerger’s videos. So glad to have accomplished this. I currently work as a SOC Manager so this is a huge win for me. Good luck to everyone who is going to be testing soon or down the road!

18 Comments
2024/12/18
21:28 UTC

141

Passed

I passed at 110 questions. I honestly thought I was doing horrible. So I was VERY happy to see the pass.

38 Comments
2024/12/18
20:26 UTC

15

Failed the 3rd time guys...

I need help please... my 2nd attempt was in August and I studied my heart out this time... used all the recommended resources (QE, Concise Destination Guide, and everything on YouTube), but I found myself guessing throughout the exam as I was thrown off by the wording of the questions.

Please help me with any resources you could help with....

48 Comments
2024/12/18
17:26 UTC

66

Passed at 100Q in 2 hours—my story (long post warning)

My background: 16 years in IT (network and security architecture/engineering) and 3 years in vendor-side cyber security presales engineering. My undergrad degree was a Bachelor’s in filmmaking and visual effects, so all my experience has been self-taught, certification-driven, and continuing education through various resources. No prior cyber security certs.

My preparation was very similar to others here (ratings at end of each line):

“Everyone has a plan until they get punched in the face.”

I stared at question 1 as Mike Tyson’s words echoed through the room. My entire body had sunk into a puddle on the floor. All my preparation, all my practice, all my memorization, all those long hours of study—had they somehow given me the wrong exam here?

How could I have prepared so hard and still feel like I’m staring at material I’ve never seen before? It didn’t make any sense. I stared at that first question for what must’ve been 3 minutes until Andrew Ramdayal’s words kickstarted my reasoning processes to pick the best answer. Worse than the shock and dismay over the stunned reality of question 1 was the prospect that I had 99 more questions like this, at a bare minimum. That was the worst feeling of all.

But, like many of us have done, I swallowed hard, tried to steady my shaking hands, and leaned forward to hone in on keywords, remembering to make no assumptions, and picking the best answer.

As I went, I used the on-screen calculator to assess how I was doing for time. 1.5 mins per question. 1.3 mins per question. 1.7 mins per question. This was nerve-wracking, but necessary to make sure I was keeping up with the clock.

Some questions—maybe 5 total—triggered an immediate response: “it’s definitely that answer, but let me re-read to confirm.” The other 95 might as well have been questions I’d never seen before.

I spent 18 months preparing off and on, and then got serious in the last 3 months after booking my exam date. The material on its own was difficult. But the exam was, by far, the hardest I’ve ever taken. 

“Why does this feel so impossible?” I thought as I stared at the endless march of ruthless assaults on my knowledge. Reflecting 12 hours later, I realized it was because this exam doesn’t test your knowledge of the domains in a direct recall sense. It tests your ability to apply that knowledge to scenarios that you cannot possibly prepare for ahead of time. 

At the end of the day, here’s what I learned—because taking this exam was a brutal “learning experience” in (1) how to master concepts far beyond most certification requirements, and (2) how to critically deconstruct concepts with the clock ticking down well beyond the material. And that, my friends, is why this certification is so prestigious: you cannot memorize your way through, you cannot brain dump your way through, and you cannot just “wing it.” 

  • Rote memorization of acronyms like RFM, SW-CMM, eDiscovery, and others won’t guarantee quick access to the correct answer and moving on. In the days leading up to the exam, I diligently practiced writing pages of memorized information repeatedly, convinced that my “photographic recall” of my study notes would enable me to ace any question they presented. Despite being repeatedly informed (and shown) that this exam was unlike any other I had taken, I approached it with the same mindset as any technical Cisco or Microsoft exam in the past. This approach, while undoubtedly detrimental, revealed the deep-rooted ingrained learning methods I had adopted. The countless hours and energy I invested in memorizing pages of ordered terms and their definitions would have been far more effective in reviewing concepts and comprehending scenarios to apply them effectively.
  • “Think like a manager” was mostly not helpful. While it can be an initial step towards approaching exam questions, especially for someone like me who has only ever taken highly technical exams, it shouldn’t be the sole or final tool used. Consider a scenario where you’re asked about an ongoing security incident. If you’ve detected it, should you immediately mitigate the situation or first confirm it with the IR team? This question has appeared in various practice question banks, and some answers suggest mitigating the situation, while others propose confirming it with the IR team. Ultimately, a manager may choose either approach. However, determining the correct course of action requires careful reading, comprehension of the context, and thorough examination of every word without filling in missing details. Only then can you make an informed choice and select the best answer. 
  • Taking a 5-day virtual boot camp was mostly not helpful. I took this about 3 months before my exam date (and before I had booked my exam). A lot of it was a review of concepts I had already studied, but it wasn’t without benefit: being able to ask an authorized CISSP instructor any question I wanted was really valuable. At the same time, there were students in that class who had never opened the OSG or other resources and went on to take their exam on day 6—and failed. And it’s not hard to see why. This may be an unpopular opinion, but unless Quantum Exams comes up with a boot camp on how to think about answering questions, I would be very skeptical of any boot camp claiming a high pass rate without any other resources to bolster preparation. DISCLAIMER: my only boot camp was the official CISSP one, so I can’t speak to DestCert or others. This is purely my opinion.
  • I felt vastly unsure of my selection on most questions. You’ve probably heard people say that, statistically, you’re better off keeping the first answer you select than going back and changing it (most times the first selection is correct). I would challenge that assumption here, because (based on my experience) it’s not possible to simply “go with your gut” and choose an answer. I had to read, re-read, and re-read the question—sometimes even diagramming out what it was asking on the laminated sheet!—to make sure I understood what was being asked. 
  • There were terms and concepts I had absolutely never seen before. Yes, there are unscored “research” questions thrown in. But it’s also possible I didn’t recognize these because Dest CISSP was my primary resource and I didn’t read the OSG cover to cover. And having done that, I realized Dest CISSP may not have been as comprehensive a resource as I thought. I didn’t read the OSG cover to cover because Dest CISSP was so universally recommended in success stories. And maybe that’s because Dest CISSP gets you enough of the way there that you’ll pass with over 70% of the knowledge to avoid having to read the OSG. If I could go back and do it again, I would’ve read the OSG cover to cover, followed by Dest CISSP as a refresh/recap.
  • I felt utterly certain that I was going to fail, and I’m sure you will too. Recent posts here certainly confirm that I’m not alone. The difficulty of the questions varied for me, but it seemed to come in waves: a few easier ones followed by a significant number of challenging ones. I imagined having to face my family, friends, coworkers, and others who knew I was taking the exam to tell them I failed, but I had to push those thoughts aside. “Task at hand. Come on, task at hand. Focus.” Even now, I’m not entirely sure how I passed. I certainly didn’t feel like I had enough knowledge to pass—and yet, seeing “Congratulations” on the exam result page is the only verdict that truly matters to me.
  • Just answer the question. This advice has come up elsewhere, so I won’t rehash it all here. But don’t overcomplicate the scenario they’re asking about. Don’t imagine anything beyond what’s being asked. And don’t—DO NOT—apply your past vocational experience to inform your answer selection (this was the hardest part for me. I got twisted up into knots so many times bouncing back and forth between answers, thinking this was correct or that was correct, that I had to pause and say, “which of these is MORE correct given the question?”).
  • How do you climb a mountain? By putting one foot in front of the other. (High five to Dest Cert’s branding and materials—it’s true.) This was true for preparation, but even more so for the exam itself. Staring at the peak around question 100 when you’re at base camp on question 1 feels impossibly disheartening. But like many of us have seen (and with the exception of those superhumans who can study and pass in 7-14 days), this is not a sprint. It’s a marathon—one in which you take breaks to catch your breath, even. I took a 3-minute bio break about halfway through, and it was immensely valuable to clear my head, get my mindset right, and head back in to attack the remaining questions. When you’re staring down an impossible question, remember the approach so many here have prescribed: deconstruct the question, identify key words, and understand what’s being asked. Then, reach into your memory and pull out the concepts that apply, and try your best to pick the right answer. Yes, you will get some wrong. And that’s OK. But keep going.

So what do you do, if you’re preparing and haven’t yet sat for the exam? Don’t let my experience get you down. In the days before my exam date, I scoured Reddit searching for exam experiences—good and bad—and I wish I hadn’t done that, in retrospect. It psyched me out, making me second guess how prepared I was. 

The truth is that you will never be 100% prepared. There’s no possible way—unless you’re a biological LLM or Lt. Cmdr. Data—to store and then apply every concept in the OSG. But you can take this exam, and you can pass. If I can do it, you can do it too. 

My advice is:

  • Spend more time studying concepts and what/when/why they are applied in real-world scenarios over simply memorizing acronyms, block sizes, key lengths, and the names of the security models.
  • Use ChatGPT to help you study—I did this for acronym recall with a “memory palace” approach, and it was surprisingly successful. Supply it with knowledge about the topic you’re studying, and then ask it to quiz you, presenting similar choices with only the BEST answer being correct.
  • Above all else, use Quantum Exams. I hated every second of every question, but I pushed through. It’s the closest thing you have to being prepared for the mindset on exam day. I found the actual exam questions considerably more difficult than Quantum Exams, but I very likely would have failed if I had relied solely on LearnZapp and practice questions like it. If you can’t afford QE, look around your house and sell some stuff on eBay or Facebook Marketplace. Donate plasma. Seriously. Do what it takes. Yes, the price is high, but the cost of an exam retake is higher, not to mention the toll on your mental and emotional health with the prospect of having to do this all over again.
  • No one tool is a silver bullet, so don’t spend all your time trying to find one. Diversify and balance your efforts and your time. Round robin your resource selection so you have a consistent mix of information types. And limit your time reading pass/fail stories on Reddit (too late, I suppose, if you’ve already read this far).

Finally, my sincere and heartfelt thanks to:

Thank you again, everyone. Happy Holidays, Merry Christmas, Happy Hanukkah, and any others I’m forgetting. 

Wishing you the very best success as you study for and ace the exam!

--

EDIT: Thank you so much for the support and feedback, everyone. I so appreciate it. I'm adding links to the resources I used at the very top, in case they're useful for future CISSP candidates.

EDIT 2: Wow, my first ever awards! Thank you so much, kind friends! 🙏😁

EDIT 3: I posted some additional memorization and study techniques alongside the ones from u/neon___cactus: Additional memorization techniques for studying : r/cissp

33 Comments
2024/12/18
15:58 UTC

7

If I thought CISSP was tough, what will I think of CCSP and CISA?

Though I passed my first try, CISSP was very hard for me. With that in mind, what do you think I would probably think of the preparation and actual exam for CCSP (I have minimal direct cloud experience, but would qualify to sit the exam) or for CISA (no direct auditing experience but more interested in it than cloud)? I'd do a bootcamp for either one but want to minimize my outside prep (which was massive for CISSP). Any polite thoughts welcome :-)

16 Comments
2024/12/18
15:23 UTC
