I recently completed what some consider the capstone of information security certification exams: the Certified Information Systems Security Professional (CISSP) examination.
Let's get the Amazon section out of the way. I ordered two books.
This one is the All in One resource. I felt like a lot of it was fairly obvious risk management-type information. That said, it was all completely relevant. You can get by without the AIO if you have sufficient background in risk management.
This is the 11th Hour CISSP book. It's kind of like the Cliffnotes version of the All in One. It's good to read this one as a quick refresher right before the exam. It's short and filled with high-density information. Whereas some books are conversational and filled with filler, this one cuts straight to the point and throws facts at you.
Alright, let's talk coursework. Don't do boot camps. Don't pay for special training.
First of all, I want to give the biggest shout-out in the world possible to Mike Chapple at www.certmike.com
Mike has numerous books and video courses in IT security, and his ability to educate is beyond question.
This is a direct link to Mike's LinkedIn Learning CISSP Preparation course by Mike. You'll need LinkedIn Premium to access it. It's worth it.
For my fellow military veterans, getting a free Premium account for some time is possible.
Anyway, I watched that series roughly twice. I skipped some lectures the second time because I felt I knew them.
Next, let's make a 100-day plan to watch one of the IT Dojo Daily CISSP Questions of the Day...each day, right? Or you can binge-watch them in a week as I did. Po-tay-to-po-tah-to.
Alright, that's your video learning. Don't spend money on other stuff.
Now let's consider the daily review. This test is very wide so you'll have to do regular reviews to get it all in your brain.
One reasonably famous resource is "The Sunflower PDF." You can download the latest version here. Open it, pick a part of it, and start memorizing. I had no method for this other than to digest as much of it as possible. You won't be able to fit it all in your brain, so aim to remember the general gist of each section.
However, my favorite daily review item is the PocketPrep CISSP exam app on mobile devices. You get a daily "Question of the Day" with an explanation and the ability to load "Quick 10" exams. You can knock out one of these in a few minutes. There's a detailed explanation for each question, which helps you learn the material. I essentially read the All In One book from this app.
I can't avoid mentioning the Boson exams. This is the practice test offered by Boson. Now I'm going to be completely honest... I didn't use this that much. I found that when I took the Boson exams, I scored 80%+ and didn't feel the need to devote time to them. Boson has excellent test software, though, and I will use it on every exam I take, which they offer practice tests for. Since I'm on a soapbox, I'm not a big fan of their lab software. There isn't an offering for the CISSP, but I've tried it out for other exams. I'd recommend setting up your own virtual machines for those (although it might require a bit of learning to get a domain controller and a few servers running smoothly.. then again, that's learning, too, right?).
Keep in mind that this exam is about RISK MANAGEMENT. Give the corporate answer every time. Be a manager, not a technician. You're a risk advisor. There's a lot of back and forth about the "100 questions" vs "125 questions" strategy, but honestly, I think that's a waste of energy. You get weighted questions and have to collect enough points to pass. If you're doing poorly, you'll usually have over 100 questions. If you get to 125 questions, there is a belief that you're probably barely passing or failing. Since statistics arent released by ISC2, who knows!
Kelly Handerhan says it better than me:
There are often a lot of questions about the experience requirement.
Take a look at this booklet from ISC2.
As of this posting, the experience requirement is:
Candidates must have a minimum of five years cumulative paid work experience in two or more of the eight domains of the CISSP CBK. Earning a four year college degree or regional equivalent or an additional credential from the (ISC)2 approved list will satisfy one year of the required experience. Education credit will only satisfy one year of experience.
That means you review that booklet and determine if you meet 2 of the 8 domains for at least 4 years (assuming you have an approved cert and, if you don't, here's one that's easy to get).
If you follow those study resources, I have no doubt you'll succeed on the CISSP examination. Once you get your congratulatory email, you must go through the CISSP Endorsement process to validate your experience. It's recommended to have another CISSP endorse you. Otherwise, it can take a bit longer to process your application.