CISSP

Created a document on how to tackle CISSP

Uploaded by aviraaz

1. Problem, question, vision

The CISSP (Certified Information Systems Security Professional) certification is one of the most
valuable certifications in the field of cybersecurity. It is issued by the non-profit ISC2 and is
intended to attest to the holder's knowledge, work experience and character. To maintain the
certification, an annual membership fee of approx. 50.- must be paid. A further obligation is
40 hours of continuing education and documented proof of these efforts.

In order to become CISSP certified, an examination must be passed. It is also necessary to
demonstrate 5 years of professional experience in at least two security domains. However,
this professional experience is not required to take the exam. It is possible to pass the exam
first, then gain the professional experience and only then obtain the certification. The status
you hold during this time is called "ISC2 Associate". The same fee and continuing education
obligations apply as for CISSP holders.

The aim of this paper is to document my preparation and experiences with the CISSP exam. My
formal experience report is intended to help students, colleagues and other interested parties
prepare for their own CISSP exam.

I chose the CISSP exam for two reasons. The most important reason is the breadth and quantity
of the exam content. Since I work with specific technical products in my everyday life, I want to
learn more domains of information and cyber security. In my opinion, it is not enough to be
familiar with just one or two niches to be good.

The second reason is the prominence of the CISSP certificate. In addition to personal
development, I also believe that the certification can contribute to my future professional and
financial development. I will have spent about three years in the same role by the time I
graduate with my Bachelor's degree. A reorientation could then be conceivable and the
certification will certainly be a help.

2. State of the practice
The CISSP exam costs a lot of time and money. In addition to the preparation and study time,
one exam attempt costs 660. A "Peace of Mind" voucher, which allows a second attempt within
two months at a reduced rate, costs an additional 175. (ISC2, 2024). Other costs for learning
resources may be added. I spent an additional 250.- on learning materials. For part-time
students and full-time workers, it is advisable to ask your employer whether they will contribute
to the costs.

The test format of the exam is "computer-adaptive" and multiple-choice (ISC2, 2024). Unlike
most exams, an answer does not give static points. Instead, an algorithm evaluates a
candidate's ability based on their answers. Depending on the assessment, a candidate receives
more difficult questions that are worth more points or easier questions that are worth fewer
points. If the algorithm is 95 per cent statistically certain that the candidate can no longer
achieve the minimum, the exam is cancelled. If the algorithm is equally certain that a candidate
will pass the exam, the exam is successfully terminated if 100 questions or more are answered.
A maximum of 150 questions is possible.

The exam has a maximum length of three hours. If the time runs out, an evaluation is made
based on the last 75 questions answered to determine whether a candidate passes. The
following unscientific diagram is intended to visualise the systems and a possible course of
events:

Illustration 1 Possible test procedure

Most of the resources for CISSP preparation are in English. However, it is also possible to take
the exam in German, Spanish, Chinese or Japanese.

3. Ideas and concepts
There are many resources that can be used for CISSP exam preparation. The goal of this section
is to provide a brief, superficial overview of potential tools.

Firstly, there are books. The best known of these is the "(ISC)2 CISSP Certified Information
Systems Security Professional Official Study Guide" (OSG) by Chapple & Stewart (2024). Other
books include "CISSP for Dummies", "Destination CISSP: A Concise Guide", "How to Think Like
a Manager" and "CISSP All-in-One Exam Guide".

Secondly, quizzes. The OSG has 20 questions after each chapter on that chapter's content. There
is also an official CISSP quiz app (Learnzapp) with over a thousand questions, and further
providers offer additional question databases.

Thirdly, boot camps. These last a week and cost around 5000. For me, they were uninteresting
from the start due to the high cost and the format.

Fourthly, flashcards. Learnzapp also offers this functionality, but other vendors offer flashcards
in various formats as well. Of course, it is also possible to create your own.

Fifthly, online videos. There are many videos on YouTube that deal with the certification. These
cover both the content and the exam format itself.

Sixthly, forums and communities. There is the official ISC2 forum, a CISSP subreddit, various
Discord channels and many other resources.

Seventhly, mock exams. Again, there are many providers, including official resources from
ISC2 via Wiley Publishing. Quantum Exams (QE) and Gwen Bettwy's question database seemed
to be particularly popular.

4. Methods
I opted for the following resources. Thanks to my employer, price was not a decisive criterion
and, where necessary, I was able to buy the resources that I thought would add the most value.

1. CISSP-certified colleague (Merci *)
2. OSG + Official Quiz
3. Learnzapp
4. Quantum Exams
5. Self-created index cards
6. Destcert Discord Channel
7. CISSP Reddit
8. YouTube video "50 hard CISSP questions"

Before I ever did any in-depth research, I spoke to a CISSP-certified colleague. I wanted to get to
know his experiences and learn about the challenges on a personal and professional level.

It was clear to me from the start that I not only wanted to pass the exam, but also to build up
in-depth knowledge. I am someone who likes to read a lot and can learn well from books. That's
why I opted for the OSG with the plan to read it all the way through. But I also wanted to
continuously monitor my learning progress. To do this, I also took the official quizzes and mock
exams.

I bought Learnzapp to be able to answer short questions in between or on the go. Effective
learning takes a lot of time and repetition. Active memorisation is one of the best ways to
promote deep learning effects. Using a mobile phone app for this lowers the inhibition
threshold and increases the frequency.

The last purchase was the application "Quantum Exams". I kept reading that the official mock
exams are not representative of the exam experience. As it is an extremely challenging exam
simulation, I used QE to fill this gap.

I used the open-source flashcard app "Anki" to memorise concepts. The algorithm of this app
supports effective memorisation of the content. Depending on the difficulty of the flashcards
(easy, medium, difficult), the algorithm adjusts the time interval in which the respective card is
shown. I found it a very practical tool in the past, which is why I used it again.

To understand content at a high level, it is not enough in my opinion just to read or memorise it.
Explaining and discussing something with others is necessary. That's why I joined the
"Cybersecurity Station" Discord server. Discussing my approach, progress or even just
questions in the CISSP channel was a great help. Besides the people who are preparing for the
CISSP exam, there are also many experienced members to help you. Some authors of
well-known learning resources were also represented. In between, I also skimmed the CISSP
subreddit, mainly to read exam experience reports.

But what I was still missing after the content was a tactical framework for tackling questions.
The video from the "Technical Institute of America", "50 CISSP Practice Questions, Master the
CISSP Mindset" was recommended online time and time again. So I decided to use this
resource to develop my general question strategy.

5. Realisation
The personal conversation with * gave me a good understanding of the difficulty. I adapted my
learning approach accordingly in order to be prepared. It also took away the worry of feeling
overwhelmed during the exam as I knew that he felt the same way and still passed with 100
questions.

From the very beginning, my goal was to build up my knowledge and complete the certification
in English. As I have a very good command of English (C2), I didn't have to worry about the
language barrier. Most of the resources are also in English, which makes learning even easier.
Furthermore, in my opinion, English is the language in which most of the discourse and
development takes place. Nevertheless, there were occasional moments when it was difficult
to understand the CISSP exam questions or when I had to look up rare technical terms.
However, as there were plenty of native speakers who reported similar problems, I didn't worry
about this.

I read the OSG completely in order to build up in-depth knowledge. It was over 1100 pages
divided into 21 chapters. Originally I had planned to read 2 chapters per week of the semester.
After the first seven weeks, I was well on schedule and only one chapter behind my plan. But
then I had a big motivation boost and read 3-4 chapters every week until the book was finished.
In the end, I was almost a month ahead of schedule.

Before each chapter, I briefly read the table of contents and skimmed the content. Then I read
in detail and with concentration. After each chapter, I answered 20 sample questions to
consolidate my knowledge and identify gaps in my knowledge. I also took chapter quizzes in
between with randomly selected questions. In the two weeks before the exam, I read the
glossary to find unfamiliar words and fill in the gaps in my knowledge. When I found them, I
looked them up. After each mock exam, I also wrote down the weak areas, looked them up in
the OSG and improved my knowledge in them.

Working through the amount of knowledge was exhausting. But the long period of time ensured
that it never became too much at once. On work days, I often read early in the morning, before
work, because I knew that I wouldn't have the energy after work.

I downloaded Learnzapp and used it on my mobile phone to actively repeat the knowledge I had
acquired. The question database is the same as in the OSG and the associated quiz, but I
wanted to reinforce my knowledge quickly and occasionally. I was able to make productive use
of times that are normally idle anyway, for example on public transport.

Next to the OSG, the most valuable resource was "Quantum Exams". I did four simulated test
runs. Every single one was exhausting and frustrating. But that's exactly how the CISSP exam
ended up being. The questions are very challenging, both in terms of content and wording. If you
can consistently achieve around 50/100 points in QE, then you will probably pass the exam
itself. After each simulated exam, I analysed my wrong answers to identify whether it was a
knowledge gap or whether I should have paid closer attention to the question. This was a lengthy,
iterative process, but it helped me a lot. Last but not least, it prepared me well for the mental
stress of the actual exam. I highly recommend everyone to use QE. The fact that I achieved a
jump of 14 points between my first and last exam also boosted my self-confidence.

The following question from QE that I answered incorrectly is a good example of how it prepares
you for real CISSP questions.

Illustration 2 QE sample question

You have to identify the context of a question like this and recognise the keywords that
ultimately lead to different answers. The keywords here are "perimeter security", "unmanned
storage facility", "preventative controls", "their needs" and "MOST likely to recommend".

Answer 1 can quickly be identified as incorrect because of the keyword "perimeter security".
Biometric locks in the lifts and doors are security measures inside the building.

Answer 2 is conceivable, but also wrong. The most readily identified reason is the high cost of
perimeter security guards. For most organisations, these expenses would not be proportional.

I thought answer 3 was correct because barbed wire offers a simple, inexpensive solution for
securing a perimeter. And man-traps at the entrance are ideal for stopping or trapping people.
But this is wrong because of the keyword "unmanned storage facility". A mantrap adds little
value in a building where people are almost never inside.

Answer 4 is correct. Barbed wire offers a simple and inexpensive solution to secure the
perimeter. And biometric security at the entrance doors is the most suitable solution for a rarely
visited building. The respective explanations in QE as to why an answer is the correct one help
enormously with the follow-up.

I took two approaches with Anki. The first approach was to create flashcards for new information
while reading through the OSG. That went well at the beginning. But after a few weeks I realised
that it was disrupting my reading flow too much, and at some point I simply stopped doing it
altogether out of convenience. In hindsight, I was trying to turn too much into index cards.
Instead, I should have concentrated on the things that really needed to be memorised, for
example the risk management framework. My second approach went better. I specifically
collected and implemented the information that needed to be memorised. This often happened
together with the follow-up to my QE exams. Most of the time, this type of information was a
process or a model, where I used acronyms to better memorise all the components.

Illustration 3 An index card with Anki and acronyms

The DestCert Discord channel was an extremely useful resource. I was able to ask questions
about my learning approach, ask for recommendations on learning resources and also discuss
specialised topics. Questions are often asked and explaining my thought process on the right
answer has not only helped the questioners, but me as well. I can recommend anyone to
become part of a community like this. What is particularly cool and happens quite often is that
a QE question is posted and the author, who is also a member of this Discord community,
explains and justifies the correct answer himself. The same thing also happens with other
learning resources.

The YouTube video "50 hard CISSP questions" helped me to develop a general tactic for the
questions in a very short time. The following are my maxims:

1. Read very carefully and identify keywords
2. Eliminate answers that are not
3. If you do one, don't do the other
4. Just answer the question (make no further assumptions)

On the one hand, the organised approach increased the quality of my answers. On the other
hand, it also boosted my self-confidence as I had a process to follow.


6. Evaluation and validation

Test experience
The day before the exam, I rested and only studied superficially, in short chunks. I went for a
relaxed jog, had a good meal and chatted to my sister in the evening. Then I went to bed early.
On the day of the exam, I arrived at the test centre about an hour before the test was due to take
place. The exam organiser was friendly and well organised, which reduced my stress levels.
After I had shown two forms of identification (ID card + passport), I was allowed to put my things
in the locker. My watch and mobile phone had to be switched off and also put inside. I then took
my ID with me and registered myself with a vein scanner.

I was allowed to take a locker key, soundproof earphones and a laminated sheet of paper with a
felt-tip pen inside. Before the exam, I quickly agreed to the non-disclosure agreement, which is
why I am not allowed to say anything about the questions themselves.

I had planned in advance to take a break after 60 questions if the time went well. As I still had
around 120 minutes left, I did this. In my opinion, it helps in stressful situations to get up, clear
your head and move around a bit. Nevertheless, time was running and I had to check out and
then check in with a vein scanner. It took about 10 minutes. It was the right decision for me, but
it would have been a bad choice if I was pressed for time.

From question 90 onwards, I became more nervous again. I still had more than enough time to
complete all 150 questions if necessary, but I was aware that it would be possible to pass the
exam immediately after question 100. In the end, with 70 minutes left, I did.

After the exam, there was another check-in with a vein scanner. I then received a printed sheet
of paper and a hearty congratulations from the exam organiser.

Overall, I was very satisfied with my planning and performance. The pre-defined question
strategies were good and so was my knowledge. My organisation the day before and the
morning of the exam allowed me to deliver my best possible form.

Validation
Overall, I am extremely satisfied with my process. I developed a sensible plan based on good
research. I then executed it well, both in the learning phase and in the exam itself. There were
times when I was behind my plan. But I managed to catch up and even work through the
material ahead of schedule.

I think it would be possible to pass the exam with less time and study effort. But because of the
high examination fees, I think it makes sense to invest too much rather than too little time. The
knowledge also helps me in my working life, so I don't regret the great effort.

I now have a much more holistic knowledge of information and cyber security. In addition to
subject areas that were not previously relevant either at university or at work, such as physical
security, I now also have a better understanding of the background to processes in my
company.

It also helps in my role as a security engineer and platform owner. I can express myself more
precisely, understand connections between complex systems better and can manage my
platform better.

7. Outlook
I was very pleased to pass the CISSP exam. I still need a bit more work experience to be
officially CISSP-certified, but that will come with time. To be prepared for this, I have already
registered as an "Associate of ISC2". When my 5 years of security work experience are
complete, I expect the recognition process to be quick and straightforward.

I will continue to use the learning methodology I have developed for similar certificates in the
future. I don't have any concrete plans yet, but I believe that lifelong learning is essential. Both
personally and professionally. At the same time, industry certificates offer a simple goal and a
practical way to demonstrate knowledge to employers.

I'm still not sure what I want to do next after completing my degree at [redacted]. I can imagine
a development in the direction of security officer or security architect. But I am firmly convinced
that the CISSP certification will be an advantage.

8. List of illustrations

Figure 1 Possible test procedure (p. 4)
Figure 2 QE sample question (p. 8)
Figure 3 An index card with Anki and acronyms (p. 9)

9. Bibliography

ISC2 (30 Nov 2024). CISSP Computerised Adaptive Testing. Retrieved from ISC2:
https://www.isc2.org/certifications/cissp/cissp-cat

ISC2 (2 Nov 2024). Acknowledgement. ISC2 CISSP receipt. Bern, Bern, Switzerland: ISC2.

Quantumexams (19 Dec 2024). Sample question, Quantum Exams exam. Retrieved from
quantumexams.com: https://quantumexams.com
