Operating principle throughout: understand the why, not just the what. CISSP does not reward memory. It rewards judgment.
Starting with Structure: The Training Foundation
My CISSP journey began in May with a six-week course from InfosecTrain, covering all eight domains. A training course gives you a map. It introduces the terrain. It does not give you depth — and depth is what CISSP actually tests.
After the course, I moved straight into the Official (ISC)² CISSP CBK Study Guide and read it cover to cover, taking handwritten notes throughout. The handwriting was deliberate. It slows you down. It forces you to process rather than scan. If you are highlighting and moving on, you are not studying — you are performing the act of studying.
Taking the CC First — And Why That Was the Right Decision
Before sitting for CISSP, I wrote the CC exam in August. The Certified in Cybersecurity is also a CAT adaptive exam, and that was exactly the reason I took it.
If you have never sat a CAT adaptive exam before, the format itself can be disorienting. Questions shift in difficulty based on your responses. The exam does not behave like a fixed paper. If you walk into CISSP without having experienced that format, you are managing two unknowns at once — the content and the experience. The CC removed the second unknown.
The Second Pass — Domain Mapping and Real Depth
After clearing CC, I went back to the CBK for a second full read. The CBK is organised by chapters, not by CISSP domains. So I mapped chapters to domains manually — identified which portions of the book belonged to each domain and read them in sequence. After finishing each domain, I went straight to the Sybex domain-wise questions. This sequencing matters: you complete a domain while it is fresh, test yourself immediately, and find out exactly where your understanding is solid and where it is not.
Writing the Blog as Revision
Around this time I started writing a cybersecurity blog, summarising what I had studied in my own words. When you have to explain something clearly enough for someone else to understand, you very quickly discover the difference between what you actually know and what you only think you know. The blog became one of my most effective revision methods — not because I planned it that way, but because teaching forces clarity.
The CISM Pivot — An Unexpected Advantage
I had originally planned to sit for CISSP in November. Personal circumstances meant that did not happen. Rather than let months of preparation go stale, I sat for CISM instead. With about 15 additional days of focused preparation, I cleared it. What I did not fully anticipate was how much this would benefit my CISSP preparation. CISM goes deep into governance, risk management, and incident management — areas that map directly onto CISSP Domains 1, 2, and parts of Domain 3.
Discovering Pete Zerger and CISSP Last Mile
My exam was now scheduled for March. From January onward, the strategy shifted — less new content, more consolidation and practice. This is when I discovered Pete Zerger's material. His YouTube videos are genuinely useful, but the real find was his book, CISSP Last Mile. At around 500 pages, it is an efficient, well-structured summary of every major concept across all eight domains. I would strongly recommend it for anyone in the final two months of preparation.
After reading Last Mile, I created a final set of handwritten summary notes — around 50 pages — which became my primary revision reference in the last few weeks.
The Practice Exam Tools — What Each One Actually Does
For practice exams I used Boson, Quantum, and CertPreps. They are not interchangeable.
Boson is solid for concept reinforcement. The explanations are detailed and help you understand why an answer is correct, not just that it is. The difficulty is not quite at exam level, but it builds foundations well.
Quantum is the closest to the actual exam in terms of language and question style. It also has a CAT adaptive simulation mode, which is genuinely valuable for getting used to the format. Some of my Quantum tests ended at 100 questions, some at 125, some at 150 — which is exactly how the real exam behaves.
CertPreps is underrated and often overlooked. The questions are deliberately confusing. That is not a flaw — it is the point. Sitting with CertPreps trains you to slow down, read carefully, and resist the instinct to jump to an answer. That is precisely the skill the CISSP exam demands.
Resource Stack Summary
| Resource | Priority | Best Used For | Key Note |
|---|---|---|---|
| InfosecTrain Course | Must have | Getting the map | Gives breadth, not depth. Pair with CBK immediately after. |
| CBK Official Study Guide | Must have | Core knowledge | Read twice minimum. Map chapters to domains on second pass. |
| CC Exam | Must have | CAT format dry run | Also adaptive. Take before CISSP to experience the format. |
| Sybex Questions | Must have | Post-domain testing | Attempt immediately after completing each domain. |
| Pocket Prep | Recommended | Concept consolidation | Not exam-level difficulty. Best after 2 CBK passes. |
| CISSP Last Mile (Zerger) | Must have | Final synthesis | Best single resource for last 6–8 weeks. Covers all 8 domains efficiently. |
| Quantum | Must have | Exam simulation | Closest to actual exam language. Use CAT mode. |
| CertPreps | Recommended | Language conditioning | Deliberately tricky. Forces careful reading. 75–80% here is a good sign. |
| Boson | Recommended | Concept reinforcement | Not exam-level but excellent explanations of why answers are correct. |
| CISM Exam | Situational | Governance depth | If timeline slips, sit CISM. Deep overlap with Domains 1, 2, and 3. |
What "Think Like a Manager" Actually Means
You will hear this phrase constantly. But very few people explain what it actually means in practice. Let me give you a concrete example. Consider fire suppression in a data centre. You could memorise the difference between wet pipe, dry pipe, deluge, and pre-action systems. What will actually help is thinking like the person responsible for that data centre. You have two things to protect: expensive electronic equipment and human lives. Water destroys electronics. You cannot have it running freely unless absolutely necessary. So what do you actually do? You want the fastest possible detection and a system that does not release water unless multiple conditions are met. That is exactly what a pre-action system does. The name tells you: there is a required action before the water action. Once you understand why it exists, you will never confuse it with the alternatives again.
Language Is Everything
CISSP questions are precision instruments. A single word changes the answer. If a question uses the word veracity or accuracy, it is pointing to integrity. If a question asks what mechanism creates accountability, the answer is auditing and logging — not accountability itself. Read every single word. Do not infer what the question is probably asking.
Lifecycles and Step Cycles
Lifecycle sequences are not optional revision items. They are the structure around which a large proportion of CISSP questions are built. The exam will rarely ask you to define a lifecycle. It will place you inside a scenario, tell you what has already happened, and ask what comes next.
For the incident response lifecycle: Detect → Respond → Mitigate → Report → Remediate → Restore → Lessons Learned. The mnemonic does not give you the answer — it tells you where you are in the process.
The same principle applies to forensic evidence handling, the data lifecycle (Classify, Store, Use, Share, Archive, Destroy), and the SDLC. These sequences recur throughout the exam in different scenarios and must be internalised, not just recognised.
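The "where am I in the process, and what comes next" reading of a lifecycle can be made mechanical. The following is an added example, not code from the original post: it encodes the incident response and data lifecycle sequences exactly as listed above, takes the phases a scenario says have already happened, and returns the current phase, the next expected phase, and any canonical phase the scenario skipped (the usual trap, such as remediating before reporting). The function names and the sample scenario are constructed for illustration.

```python
"""Lifecycle position tracker for exam-style "what comes next" scenarios.

Added example, not from the original post. The sequences below are the
ones listed in the text; function names and scenarios are constructed.
"""

LIFECYCLES = {
    "incident_response": [
        "Detect", "Respond", "Mitigate", "Report",
        "Remediate", "Restore", "Lessons Learned",
    ],
    "data": ["Classify", "Store", "Use", "Share", "Archive", "Destroy"],
}


def locate(lifecycle, completed):
    """Return (current_phase, next_phase, skipped) for a scenario.

    `completed` lists the phases the scenario says have already happened.
    The current phase is the furthest one reached in the canonical order;
    `next_phase` is the one after it (None once the cycle is finished);
    `skipped` holds canonical phases before the current one that the
    scenario never reported, which is where most "what comes next"
    questions hide their trap.
    """
    sequence = LIFECYCLES[lifecycle]
    unknown = [p for p in completed if p not in sequence]
    if unknown:
        raise ValueError(f"unknown phase(s) for {lifecycle}: {unknown}")
    if not completed:
        # Nothing has happened yet: the answer is simply the first phase.
        return None, sequence[0], []
    furthest = max(sequence.index(p) for p in completed)
    current = sequence[furthest]
    next_phase = sequence[furthest + 1] if furthest + 1 < len(sequence) else None
    skipped = [p for p in sequence[:furthest] if p not in completed]
    return current, next_phase, skipped


def out_of_order(lifecycle, completed):
    """True if the reported phases happened in a non-canonical order.

    `completed` must be given in the order the scenario describes them.
    """
    sequence = LIFECYCLES[lifecycle]
    indices = [sequence.index(p) for p in completed]
    return any(later < earlier for earlier, later in zip(indices, indices[1:]))


if __name__ == "__main__":
    # Constructed scenario: the SOC has detected a phishing campaign,
    # isolated the affected hosts, stopped the spread and briefed management.
    scenario = ["Detect", "Respond", "Mitigate", "Report"]
    current, nxt, skipped = locate("incident_response", scenario)
    print(f"current={current} next={nxt} skipped={skipped}")
    print("out of order:", out_of_order("incident_response", scenario))
```

Reading a question this way turns "pick the phase that sounds right" into "find the furthest phase the scenario has reached, check nothing before it was skipped, then name the one that follows", which is the judgment the exam is actually testing.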
