Whether you’re planning a war or buying a house, you need a strategy. A plan of attack. The same goes for studying for the CISSP exam, you gotta have a study plan.
A reader asked me recently for a solid study plan. He is planning on taking the exam in 6 -7 months.
That’s plenty of time to study and ace the exam! Below are some of his questions along with some of my suggestions.
1. How many hours per day or week should be dedicated to studying for the CISSP?
This really varies at which stage you are at in your studies.
Month 1 and Month 2
Did you just receive a 1000-page Shon Harris Study Guide and have only read the first page? In this case, take it easy and take your time! There’s no need to just rush in and start memorizing everything on every page. The first two months of your studies you should start to familiarize yourself with the different domains and the materials contained within.
Read through the pages with leisure, without full intent on memorizing, because memorization will occur automatically later.
Try to dedicate at least 1 -2 hours per day browsing through the book, or a total of 10 hours per week. Remember, you’re not super focusing on material right now, you’re just getting a “feel” for the information. This is the time where you will decide if the exam is for you or not, whether you can maintain the dedication to go through with it.
Also, try not to take any practice exam questions just yet. I say this because your results won’t truly reflect your knowledge of the domains. You may even get discouraged or humbled by scoring a 60% on a domain you THOUGHT you knew really well! The truth is, you have to read a domain over and over and over again to get a “feel” for it.
Month 3 and Month 4
By now you should have fully committed to taking the exam, letting nothing else get in your way. This is a big part of the CISSP study process, your allegiance.
You’ve read through the entire study guide, you have started to take a few practice exam questions, and starting to know what is your strongest domain and what is your weakest domain.
Now, instead of spending 1-2 hours per day browsing the entire study guide, try to spend 1-2 hours on a particular domain, like Asset Security or Software Development Security. Don’t just focus on the chapters you are weak on just yet, try to devote 1-2 hours on each and every chapter.
Take some practice exam questions and see how you do, but don’t be discouraged by the results. If you get answers wrong, try to do research as to why it was wrong, and why the correct answer was right.
Month 5 and Month 6
The last few months are the most important. You want to really tell yourself “Hey, it’s been 5 months of studying, what domain am I doing really well on? And for what domain am I still weak?”
Now is when you should be churning out and trying to get at least a 80% on practice exam questions. Now is the time when you know your weakest domains, and you start to spend 1-2 hours per day on those chapters.
You should be doing more practice exam questions than reading. Your reading should be linked to what practice exam questions you got wrong. If you didn’t know what the Tranquility Principle is, time to read up on the Identity and Access Management domain. If you didn’t know what the Wassenaar Arrangement is, time to hit up the Security Engineering domain.
In these last few months you should be fairly confident of the material, but trust me, you’ll still get things wrong in practice exam questions, but you’ll feel less bad about it. You might’ve eliminated 2 answers, and had a 50% chance of getting the answer right. If this is the case, you’re on a good track to take the exam.
2. Which domains should we really focus and spend more time on?
This is a tough question, and I’ve asked this question many times during my studies. In my notes I had read somewhere on a CISSP forum that this was the breakdown:
1. Security and Risk Management
2. Identity and Access Management
3. Security Assessment and Testing
4. Communications and Network Security
5. Security Engineering
6. Software Development Security
7. Security Operations
8. Asset Security
If you want to know how these map to the old domains, click here!
The official answer would be “Study all the domains, because you just don’t know how many questions you are going to get from each domain.”
That’s the official answer.
The BEST strategy is to start studying the domain you are LEAST familiar with, for me it was the Software Development Security domain and the Security and Risk Management domain.
3. How many hours should we spend on each domain?
This depends on what kind of person you are.
Are you obssessive over a topic? Or can you detach and move onto the next topic?
If you are an obsessive person, then you are like me. You will decide to spend time on the Cryptography domain, and not only read it, but make sure you KNOW it. This means while reading a domain, you have your web browser open Googling terms and definitions on the Internet for extra knowledge. For example, while reading about general cryptography, I Googled “World War 2 Enigma Machine”. Study guides just barely mention the history of the Enigma machine, but the Internet has a whole history from inception, to how it was finally broken by Alan Turing in England. I even watched the movie “The Imitation Game” for further research, because I’m an obsessive person and want to know everything about a topic to be confident during the exam.
Side Note: I wrote a post about the “Top Secret” military classification label that talks about Alan Turing and the Enigma, if you want to check it out, click here:
Military Classification Labels: Top Secret
If you can detach from your chapters, then you are not an obsessive person. You can read the Cryptography domain through once, take the practice exams, and move onto the next chapter. You will most likely come back to the Cryptography domain in order to study it more at a later time.
Both of these strategies are good, so it’s difficult to say how much time you should time you should spend on a domain, it all depends on you!
Personally, I spent about 2-3 hours on each domain per week, with a total of about 24 hours per week for all the domains combined. This doesn’t just include reading the book, it includes writing about topics on this blog, watching videos, reading other sources, and discussing with my peers at work.
4. Any other helpful tactics or strategies for a strong study plan?
The blog reader who asked all the questions above is also starting a WhatsApp group. This is a FANTASTIC idea!
Why? Because sometimes you just can’t do it alone, and it helps to have others in the same boat as you. Working with others can give you motivation to keep up on your studies, and hold you accountable.
Starting and writing a blog about the CISSP topics helps too : )
Please let me know if you have any other questions, I will gladly answer them.
Thanks for reading!