People frequently ask me how long to study for CISSP. Unfortunately it’s hard to give a set answer for that, but I can tell you how to figure out how long you need to study for it. That’s almost as good.
Don’t believe anyone who tells you they can get you ready in x number of days or weeks or even months. No one can know where you are relative to what you need to know to pass that test.
Get study questions
The first thing you need to do is assess where you are with some study questions. You can buy a book or use Google. Search for “CISSP study questions” and you’ll find hundreds of them. Here are some typical questions you’ll find in these collections:
Who should the CISO report to?
A. The CIO
B. The CEO
C. The Board of Directors
D. The CFO
Who should have the final say in the disaster recovery plan?
C. The CEO
D. Business Operations
One of my former employers minted a lot of CISSPs over the years, and the guy most directly responsible had an Access database full of these questions. He’d generate a test each week. Once you could score 90% on those mini-tests consistently, you were almost assuredly ready for the real thing.
That database is sadly lost to history, but looking at the stuff floating around on the various document sharing sites out there, most of those same questions are out there.
These questions are somewhat like the questions you’ll see on the real thing. Knowing the answers to questions like the two above, and a few hundred others, ensures you have the fundamental knowledge necessary to answer 50-60% of the questions correctly, maybe a bit more. If you’re like me, you’ll have to rely on your experience to get the 10-20% more you need in order to pass.
Read a book or two
I read the official CISSP CBK cover to cover before I even started taking tests. I read chapters on unfamiliar areas twice. With all due respect to the late Hal Tipton, it’s the hardest book I’ve ever had to read.
Once I started taking tests, I read chapters from CISSP for Dummies or from Shon Harris’ CISSP book covering areas that I still struggled with. I figured if I didn’t get it from the CISSP CBK the first or second time, I needed someone else’s explanation to understand it later. Don’t let the name CISSP for Dummies stop you. The author of that book and I crossed paths professionally very briefly. He’s the real deal.
I think you’ll need to read one book and parts of two others. You may choose to combine three books differently than I did. That’s OK. I also think you can get by with previous editions of at least one of the books.
What not to do
Many of the people who finished the test before I did just attended a boot camp the week before. I talked to some of them afterward. The ones who attended a boot camp and didn’t study said they didn’t think they got half the questions right.
I’ve talked to other CISSPs who attended boot camps. Obviously they passed, since they’re CISSPs now. The difference is they studied on their own before, after, or both. A boot camp will close some gaps. For example, I did not understand the concept of Bell-LaPadula until I saw an instructor explain it on a whiteboard. I used computer-based training instead of a boot camp. Either is fine, and either can be helpful, but you can probably learn it on your own too. It just might take a bit longer.
How long I studied
I don’t know if telling you how long I studied is helpful, but it’s not something I consider a deep, dark secret either. I started studying about two years before I sat for the test. The first time, I studied for 4-5 months, not consecutively, and talked myself into complacency. Human beings are good at that.
Then my mentor quit. He talked the higher-ups into giving me the job, but the condition was I had six months to get CISSP. That was in late September. I spent October and November reading the CISSP CBK, for real this time. I finished the CISSP CBK over Thanksgiving weekend.
Then I started taking tests. I scheduled my test for January to give myself enough time to take the test a second time in April if needed. That first Saturday of taking a 300-question test was rough. The next morning, I had a hard time eating and drinking without dropping stuff, I was so frazzled. Maybe working your way up to 300 questions would be better.
The day before my test, I drove four hours to Chicago, took a 300-question test, went out for pizza, then came back and spent the evening listening to podcasts. Fun podcasts, not security stuff. After two months, I could score better than 90 percent on a sample test and still function as a human being, so that was good.
I passed. That’s almost all that matters. The other thing that matters is I’ve continued to learn since then.
Being a good CISSP
You didn’t ask, but I’ll say it anyway. I encounter a lot of CISSPs in the course of my work. Some put it in their e-mail signature and on their business card. Others don’t.
Some CISSPs are still learning long after they take the test and get their certificate. Those are the ones who are good to work with.
Other CISSPs will claim to be experts, and lean on their CISSP and one other certificate to back it up and tell you you’re wrong. That works more often than it should, but there’s always one problem you can’t bully your way through with your credentials, and that problem will become an anchor. Way back in 1986, my dad told me there’s always someone who knows something you don’t. That’s probably the most valuable thing he ever said to me. It seems not everyone’s dad tells them that.
The ones who are always learning get further in the end, and provide more value to their employer and colleagues in the process.